Unknown malware - Malwarebytes is blocked


  • This topic is locked
44 replies to this topic

#1 Ranidf

  • Members
  • 24 posts

Posted 10 August 2018 - 02:03 PM

AVZ reports that system files might be modified. Malwarebytes is blocked. Bitdefender is not starting.

Rkill is not successful.

 

I used to work as a computer technician specializing in removing viruses and malware, but it was 10 years ago. So I understand some things, but now I need help to remove that malware from my laptop.

 

Please see this: [lansys32] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18617711\lansys32.exe [115200 2018-08-11] (Toxic Coding Team Tool)

What is this Toxic Coding Team Tool?

Googling gives this: https://www.isthisfilesafe.com/company/Toxic%20Coding%20Team%20Tool_details.aspx

Is it something new? I couldn't find any mention of Toxic Coding Team Tool on the internet at all. And the files submitted to isthisfilesafe seem to be from the last two months. Is this malware something new?

 

Tried to check this file in AVZ via Check file authenticity by Microsoft Security Catalog:

File: C:\WINDOWS\explorer.exe. Result: Microsoft file authenticity check: failed

 

 

AVZ log:

1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:CopyFileA (64) intercepted, method - APICodeHijack.JmpTo[00060FF6]
Function kernel32.dll:CopyFileW (67) intercepted, method - APICodeHijack.JmpTo[00061096]
Function kernel32.dll:CreateFileA (80) intercepted, method - APICodeHijack.JmpTo[000611B6]
Function kernel32.dll:CreateFileW (83) intercepted, method - APICodeHijack.JmpTo[00061286]
Function kernel32.dll:MoveFileA (609) intercepted, method - APICodeHijack.JmpTo[00062506]
Function kernel32.dll:MoveFileW (612) intercepted, method - APICodeHijack.JmpTo[00062566]
 Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:LdrLoadDll (70) intercepted, method - APICodeHijack.JmpTo[000652F6]
Function ntdll.dll:NtEnumerateValueKey (161) intercepted, method - APICodeHijack.JmpTo[00066386]
Function ntdll.dll:NtQueryDirectoryFile (234) intercepted, method - APICodeHijack.JmpTo[00066636]
Function ntdll.dll:NtResumeThread (297) intercepted, method - APICodeHijack.JmpTo[000653C6]
Function ntdll.dll:ZwEnumerateValueKey (971) intercepted, method - APICodeHijack.JmpTo[00066386]
Function ntdll.dll:ZwQueryDirectoryFile (1044) intercepted, method - APICodeHijack.JmpTo[00066636]
Function ntdll.dll:ZwResumeThread (1107) intercepted, method - APICodeHijack.JmpTo[000653C6]
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
Function ws2_32.dll:GetAddrInfoW (24) intercepted, method - APICodeHijack.JmpTo[00061D06]
Function ws2_32.dll:send (19) intercepted, method - APICodeHijack.JmpTo[00067246]
 Analysis: wininet.dll, export table found in section .text
Function wininet.dll:HttpSendRequestA (209) intercepted, method - APICodeHijack.JmpTo[00062096]
Function wininet.dll:HttpSendRequestW (212) intercepted, method - APICodeHijack.JmpTo[00062156]
Function wininet.dll:InternetWriteFile (309) intercepted, method - APICodeHijack.JmpTo[00062396]
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
Function urlmon.dll:URLDownloadToFileA (218) intercepted, method - APICodeHijack.JmpTo[00069076]
Function urlmon.dll:URLDownloadToFileW (219) intercepted, method - APICodeHijack.JmpTo[000691E6]
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=0833A0)
 Kernel ntoskrnl.exe found in memory at address 804D7000
   SDT = 8055A3A0
   KiST = 804E2620 (284)
Functions checked: 284, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
 Analyzing CPU 1
 Checking IDT and SYSENTER - complete
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\WINDOWS\system32\cbdiskMntNtf3.dll --> Suspicion for Keylogger or Trojan DLL
C:\WINDOWS\system32\cbdiskMntNtf3.dll>>> Behaviour analysis 
 Behaviour typical for keyloggers was not detected
C:\Program Files\Internet Download Manager\IDMShellExt.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\Internet Download Manager\IDMShellExt.dll>>> Behaviour analysis 
 Behaviour typical for keyloggers was not detected
C:\PROGRA~1\4Sync\ShellExt.dll --> Suspicion for Keylogger or Trojan DLL
C:\PROGRA~1\4Sync\ShellExt.dll>>> Behaviour analysis 
 Behaviour typical for keyloggers was not detected
 
After updating database of AVZ and using AVZPM:
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:CopyFileA (64) intercepted, method - APICodeHijack.JmpTo[00060FF6]
 >>> Rootkit code in function CopyFileA blocked
Function kernel32.dll:CopyFileW (67) intercepted, method - APICodeHijack.JmpTo[00061096]
 >>> Rootkit code in function CopyFileW blocked
Function kernel32.dll:CreateFileA (80) intercepted, method - APICodeHijack.JmpTo[000611B6]
 >>> Rootkit code in function CreateFileA blocked
Function kernel32.dll:CreateFileW (83) intercepted, method - APICodeHijack.JmpTo[00061286]
 >>> Rootkit code in function CreateFileW blocked
Function kernel32.dll:MoveFileA (609) intercepted, method - APICodeHijack.JmpTo[00062506]
 >>> Rootkit code in function MoveFileA blocked
Function kernel32.dll:MoveFileW (612) intercepted, method - APICodeHijack.JmpTo[00062566]
 >>> Rootkit code in function MoveFileW blocked
 Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:LdrLoadDll (70) intercepted, method - APICodeHijack.JmpTo[000652F6]
 >>> Rootkit code in function LdrLoadDll blocked
Function ntdll.dll:NtEnumerateValueKey (161) intercepted, method - APICodeHijack.JmpTo[00066386]
 >>> Rootkit code in function NtEnumerateValueKey blocked
Function ntdll.dll:NtQueryDirectoryFile (234) intercepted, method - APICodeHijack.JmpTo[00066636]
 >>> Rootkit code in function NtQueryDirectoryFile blocked
Function ntdll.dll:NtResumeThread (297) intercepted, method - APICodeHijack.JmpTo[000653C6]
 >>> Rootkit code in function NtResumeThread blocked
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
Function ws2_32.dll:GetAddrInfoW (24) intercepted, method - APICodeHijack.JmpTo[00061D06]
 >>> Rootkit code in function GetAddrInfoW blocked
Function ws2_32.dll:send (19) intercepted, method - APICodeHijack.JmpTo[00067246]
 >>> Rootkit code in function send blocked
 Analysis: wininet.dll, export table found in section .text
Function wininet.dll:HttpSendRequestA (209) intercepted, method - APICodeHijack.JmpTo[00062096]
 >>> Rootkit code in function HttpSendRequestA blocked
Function wininet.dll:HttpSendRequestW (212) intercepted, method - APICodeHijack.JmpTo[00062156]
 >>> Rootkit code in function HttpSendRequestW blocked
Function wininet.dll:InternetWriteFile (309) intercepted, method - APICodeHijack.JmpTo[00062396]
 >>> Rootkit code in function InternetWriteFile blocked
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
Function urlmon.dll:URLDownloadToFileA (218) intercepted, method - APICodeHijack.JmpTo[00069076]
 >>> Rootkit code in function URLDownloadToFileA blocked
Function urlmon.dll:URLDownloadToFileW (219) intercepted, method - APICodeHijack.JmpTo[000691E6]
 >>> Rootkit code in function URLDownloadToFileW blocked
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=0833A0)
 Kernel ntoskrnl.exe found in memory at address 804D7000
   SDT = 8055A3A0
   KiST = 804E2620 (284)
Functions checked: 284, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
 Analyzing CPU 1
CmpCallCallBacks = 0013AE3A
Disable callback OK
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Searching for masking processes and drivers - complete
1.5 Checking IRP handlers
 Driver loaded successfully
 Checking - complete
2. Scanning RAM
 Number of processes found: 42
 Number of modules loaded: 331
Scanning RAM - complete
3. Scanning disks
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\WINDOWS\system32\MSGINA.dll --> Suspicion for Keylogger or Trojan DLL
C:\WINDOWS\system32\MSGINA.dll>>> Behaviour analysis 
 Behaviour typical for keyloggers was not detected
File quarantined succesfully (C:\WINDOWS\system32\MSGINA.dll)
Note: Do NOT delete suspicious files, send them for analysis  (see FAQ for more details),  because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious software
 In the database 317 port descriptions
 Opened at this PC: 80 TCP ports and 13 UDP ports
 Checking - complete; no suspicious ports detected
7. Heuristic system check
Search settings IE using Policies HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{6B528F7B-1290-4F85-BA27-8515B393FF4B}, SuggestionsURL="http://clients5.google.com/complete/search?q={searchTerms}&client=ie8&mw={ie:maxWidth}&sh={ie:sectionHeight}&rh={ie:rowHeight}&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
Search settings IE using Policies HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{6BA4BBC5-3A34-465E-A7AD-CA216AD72022}, SuggestionsURL="http://en.wikipedia.org/w/api.php?action=opensearch&format=xml&search={searchTerms}&namespace=0"
Search settings IE using Policies HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{6BA4BBC5-3A34-465E-A7AD-CA216AD72022}, SuggestionsURL_JSON="http://en.wikipedia.org/w/api.php?action=opensearch&search={searchTerms}&namespace=0"
Search settings IE using Policies HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6B528F7B-1290-4F85-BA27-8515B393FF4B}, SuggestionsURLFallback="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
Search settings IE using Policies HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6BA4BBC5-3A34-465E-A7AD-CA216AD72022}, SuggestionsURLFallback="http://en.wikipedia.org/w/api.php?action=opensearch&format=xml&search={searchTerms}&namespace=0"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02.08.2018
Ran by Administrator (administrator) on KKD-20121019PWK (11-08-2018 01:36:15)
Running from D:\
Loaded Profiles: Administrator (Available Profiles: Administrator & Guest)
Platform: Microsoft Windows XP Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Lenovo.) C:\WINDOWS\system32\ibmpmsvc.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
(Intel Corporation ) C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
(Microsoft Corporation) C:\WINDOWS\system32\locator.exe
(DEVGURU Co., LTD.) C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe
(PcWinTech.com) C:\Program Files\CleanMem\Mini_Monitor.exe
(f.lux Software LLC) C:\Documents and Settings\Administrator\Local Settings\Application Data\FluxSoftware\Flux\flux.exe
(Bongiovi Acoustics) C:\Program Files\Bongiovi Acoustics\Digital Power Station\Digital Power Station.exe
(Microsoft Corporation) C:\WINDOWS\system32\calc.exe
(Microsoft Corporation) C:\WINDOWS\system32\charmap.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Лаборатория Касперского, 2007-2015) D:\avz4\avz.exe
(SRWare) D:\Program Files\IronPortable\Iron\iron.exe
(SRWare) D:\Program Files\IronPortable\Iron\iron.exe
(Trend Micro Inc.) D:\HijackThis.exe
(SRWare) D:\Program Files\IronPortable\Iron\iron.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [CleanMem Mini Monitor] => C:\Program Files\CleanMem\Mini_Monitor.exe [1417216 2012-09-21] (PcWinTech.com)
Winlogon\Notify\ACNotify: C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll [2013-03-12] (Lenovo )
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll [2010-08-26] (ATI Technologies Inc.)
HKU\S-1-5-19\...\Run: [Exetender] => C:\Program Files\Free Ride Games\GPlayer.exe [4973456 2013-03-14] (Exent Technologies Ltd.)
HKU\S-1-5-20\...\Run: [Exetender] => C:\Program Files\Free Ride Games\GPlayer.exe [4973456 2013-03-14] (Exent Technologies Ltd.)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [f.lux] => C:\Documents and Settings\Administrator\Local Settings\Application Data\FluxSoftware\Flux\flux.exe [1806344 2018-07-04] (f.lux Software LLC)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [Ivsasi] => C:\Documents and Settings\Administrator\Application Data\Identities\Ivsasi.exe [133120 2018-08-11] ()
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [{3A4E34BC-92A7-61BF-D43F-5F2D47E34DBB}] => c:\documents and settings\all users\application data\{A65E1C8C-BA97-FDAF-D43F-5F2D47E34DBB}\0be1cc13.exe [325632 2018-08-11] ()
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [lansys32] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18617711\lansys32.exe [115200 2018-08-11] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [lja7shayne10] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lja7shayne10.exe [112640 2018-08-11] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [lja7shayne2] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lja7shayne2.exe [116224 2018-08-11] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [lja7shayne3] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lja7shayne3.exe [112128 2018-08-11] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [lja7shayne6] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lja7shayne6.exe [110592 2018-08-11] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [lja7shayne7] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lja7shayne7.exe [114688 2018-08-10] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [syseeeaz] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-6985472110112323\systeez.exe [140800 2018-08-11] ()
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [lliseconc8] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lliseconc8.exe [203776 2018-08-11] (Taloon Energy Saving Machine)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [lanconnect35] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18617711\lanconnect35.exe [167936 2018-08-11] (Ford Focus Enterprise Establishment)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\RunOnce: [lansys32] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18617711\lansys32.exe [115200 2018-08-11] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\RunOnce: [lja7shayne10] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lja7shayne10.exe [112640 2018-08-11] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\RunOnce: [lja7shayne2] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lja7shayne2.exe [116224 2018-08-11] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\RunOnce: [lja7shayne3] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lja7shayne3.exe [112128 2018-08-11] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\RunOnce: [lja7shayne6] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lja7shayne6.exe [110592 2018-08-11] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\RunOnce: [lja7shayne7] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lja7shayne7.exe [114688 2018-08-10] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\RunOnce: [syseeeaz] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-6985472110112323\systeez.exe [140800 2018-08-11] ()
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\RunOnce: [lliseconc8] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lliseconc8.exe [203776 2018-08-11] (Taloon Energy Saving Machine)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\RunOnce: [lanconnect35] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18617711\lanconnect35.exe [167936 2018-08-11] (Ford Focus Enterprise Establishment)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Policies\Explorer: [NoSMHelp] 01000000
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Policies\Explorer: [NoLogoff] 01000000
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Policies\Explorer: [NoSMMyPictures] 01000000
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Policies\Explorer: [NoDrives] 00000000
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Policies\Explorer: [NoDriveAutoRun] fc010000
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\MountPoints2: {59337d10-389d-11e2-8940-000d6079e84c} - F:\AutoRun.exe
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\MountPoints2: {59337d13-389d-11e2-8940-000d6079e84c} - F:\AutoRun.exe
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\MountPoints2: {5c692080-4529-11e2-8992-000d6079e84c} - F:\AutoRun.exe
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\MountPoints2: {95622190-389f-11e2-8941-000d6079e84c} - F:\AutoRun.exe
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\MountPoints2: {f9420317-d6ec-11e0-9bd7-806d6172696f} - F:\setup.exe
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\scrnsave.scr [9216 2008-04-14] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [Exetender] => C:\Program Files\Free Ride Games\GPlayer.exe [4973456 2013-03-14] (Exent Technologies Ltd.)
Lsa: [Notification Packages] scecli ACGina
SecurityProviders: schannel.dll, credssp.dll, digest.dll
SSODL: EldosMountNotificator-cbdisk3 - {BA569D84-B7FD-47D8-A47F-735F5AFA52DD} - C:\WINDOWS\system32\cbdiskMntNtf3.dll No File
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Power Station.lnk [2017-01-02]
ShortcutTarget: Digital Power Station.lnk -> C:\Program Files\Bongiovi Acoustics\Digital Power Station\Digital Power Station.exe (Bongiovi Acoustics)
BootExecute: autocheck autochk /p \??\F:autocheck autochk /r \??\G:autocheck autochk * Partizan
GroupPolicy: Restriction ? <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 172.16.0.1
Tcpip\..\Interfaces\{4BC90E87-0E5A-4E12-B3CA-6C67D2290DD1}: [DhcpNameServer] 172.16.0.1
 
Internet Explorer:
==================
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-19\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-20\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
URLSearchHook: HKU\S-1-5-21-1343024091-1417001333-1801674531-500 - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} -  No File
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "hxxp://search.softonic.com/INF00176/tb_v1/?SearchSource=15&cc=&mi=9cfcaf19000000000000020e35bba7cb" <==== ATTENTION
SearchScopes: HKLM -> DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = 
SearchScopes: HKLM -> {6B528F7B-1290-4F85-BA27-8515B393FF4B} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKLM -> {6BA4BBC5-3A34-465E-A7AD-CA216AD72022} URL = hxxp://en.wikipedia.org/w/index.php?title=Special:Search&search={searchTerms}
SearchScopes: HKU\S-1-5-21-1343024091-1417001333-1801674531-500 -> DefaultScope {6B528F7B-1290-4F85-BA27-8515B393FF4B} URL = 
SearchScopes: HKU\S-1-5-21-1343024091-1417001333-1801674531-500 -> {6B528F7B-1290-4F85-BA27-8515B393FF4B} URL = 
SearchScopes: HKU\S-1-5-21-1343024091-1417001333-1801674531-500 -> {6BA4BBC5-3A34-465E-A7AD-CA216AD72022} URL = 
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files\Internet Download Manager\IDMIECC.dll [2018-06-20] (Internet Download Manager, Tonec Inc.)
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} 
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-16] (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-16] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mz5mwmuu.default-1521231873678 [2018-08-08]
FF SearchPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mz5mwmuu.default-1521231873678\searchplugins\yahoo-lavasoft-ff59.xml [2018-04-26]
FF ProfilePath: C:\Documents and Settings\Administrator\Application Data\CometNetwork\CometBird\Profiles\a576p66c.default [2018-08-09]
FF NetworkProxy: C:\Documents and Settings\Administrator\Application Data\CometNetwork\CometBird\Profiles\a576p66c.default -> backup.ftp", ""
FF Session Restore: C:\Documents and Settings\Administrator\Application Data\CometNetwork\CometBird\Profiles\a576p66c.default -> is enabled.
FF Extension: (1-Click YouTube Video Downloader) - C:\Documents and Settings\Administrator\Application Data\CometNetwork\CometBird\Profiles\a576p66c.default\Extensions\YoutubeDownloader@PeterOlayev.com [2015-04-08] [Legacy] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-11-29] [Legacy] [not signed]
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird => not found
FF HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Firefox\Extensions: [dmpluginff@westbyte.com] - C:\Program Files\Download Master\distribution\bundles\dmpluginff@westbyte.com
FF Extension: (Download Master Plugin) - C:\Program Files\Download Master\distribution\bundles\dmpluginff@westbyte.com [2016-12-21] [Legacy]
FF HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Firefox\Extensions: [dmmm@westbyte.com] - C:\Program Files\Download Master\distribution\bundles\dmmm@westbyte.com
FF Extension: (Download Master Media Monitor) - C:\Program Files\Download Master\distribution\bundles\dmmm@westbyte.com [2016-12-21] [Legacy]
FF HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Firefox\Extensions: [dmbarff@westbyte.com] - C:\Program Files\Download Master\distribution\bundles\dmbarff@westbyte.com
FF Extension: (Download Master Toolbar) - C:\Program Files\Download Master\distribution\bundles\dmbarff@westbyte.com [2016-12-21] [Legacy]
FF HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Firefox\Extensions: [dmremote@westbyte.com] - C:\Program Files\Download Master\distribution\bundles\dmremote@westbyte.com
FF Extension: (Download Master Remote Download) - C:\Program Files\Download Master\distribution\bundles\dmremote@westbyte.com [2016-12-21] [Legacy]
FF HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Firefox\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files\Internet Download Manager\idmmzcc2.xpi
FF Extension: (IDM integration) - C:\Program Files\Internet Download Manager\idmmzcc2.xpi [2017-12-20] [Legacy]
FF HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Documents and Settings\Administrator\Application Data\IDM\idmmzcc5
FF Extension: (IDM CC) - C:\Documents and Settings\Administrator\Application Data\IDM\idmmzcc5 [2018-07-27] [Legacy] [not signed]
FF HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files\Internet Download Manager\idmmzcc2.xpi
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_8_800_94.dll [2013-07-25] ()
FF Plugin: @exent.com/npExentCtl,version=7.0.0.0 -> C:\Program Files\Free Ride Games\npExentCtl.dll [2009-12-27] (Exent Technologies Ltd.)
FF Plugin: @java.com/DTPlugin,version=10.40.2 -> C:\WINDOWS\system32\npDeployJava1.dll [2013-10-09] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.40.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-10-09] (Oracle Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-25] (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll [2013-07-17] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll [2013-07-17] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.0.6 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-02-05] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-02-05] (VideoLAN)
FF Plugin: www.exent.com/GameTreatWidget -> C:\Program Files\Free Ride Games\NPGameTreatPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-1343024091-1417001333-1801674531-500: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Documents and Settings\Administrator\Local Settings\Application Data\Facebook\Video\Skype\npFacebookVideoCalling.dll [2014-07-24] (Skype Limited)
FF Plugin HKU\S-1-5-21-1343024091-1417001333-1801674531-500: @tools.google.com/Google Update;version=3 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.67\npGoogleUpdate3.dll [No File]
FF Plugin HKU\S-1-5-21-1343024091-1417001333-1801674531-500: @tools.google.com/Google Update;version=9 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.67\npGoogleUpdate3.dll [No File]
 
Chrome: 
=======
CHR HKLM\...\Chrome\Extension: [dljdacfojgikogldjffnkdcielnklkce] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files\Internet Download Manager\IDMGCExt.crx [2018-07-11]
CHR HKLM\...\Chrome\Extension: [ogccgbmabaphcakpiclgcnmcnimhokcj] - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\External Extensions\{EEE6C373-6118-11DC-9C72-001320C79847}\SweetNT.crx <not found>
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 .EsetTrialReset; C:\WINDOWS\reset.exe [357182 2009-03-20] () [File not signed]
R2 6to4; C:\WINDOWS\System32\6to4svc.dll [100864 2011-08-14] (Microsoft Corporation)
S4 Alerter; C:\WINDOWS\system32\alrsvc.dll [17408 2008-04-14] (Microsoft Corporation) [File not signed]
S3 ALG; C:\WINDOWS\System32\alg.exe [44544 2008-04-14] (Microsoft Corporation) [File not signed]
S3 AppMgmt; C:\WINDOWS\System32\appmgmts.dll [167936 2008-04-14] (Microsoft Corporation) [File not signed]
S3 Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [606208 2010-08-26] (ATI Technologies Inc.) [File not signed]
R2 AudioSrv; C:\WINDOWS\System32\audiosrv.dll [42496 2008-04-14] (Microsoft Corporation) [File not signed]
S3 BITS; C:\WINDOWS\system32\qmgr.dll [409088 2008-04-14] (Microsoft Corporation) [File not signed]
S3 CiSvc; C:\WINDOWS\system32\cisvc.exe [5632 2008-04-14] (Microsoft Corporation) [File not signed]
S4 ClipSrv; C:\WINDOWS\system32\clipsrv.exe [33280 2008-04-14] (Microsoft Corporation) [File not signed]
R2 CryptSvc; C:\WINDOWS\System32\cryptsvc.dll [62464 2008-04-14] (Microsoft Corporation) [File not signed]
S3 dmadmin; C:\WINDOWS\System32\dmadmin.exe [224768 2008-04-14] (Microsoft Corp., Veritas Software) [File not signed]
S3 dmserver; C:\WINDOWS\System32\dmserver.dll [23552 2008-04-14] (Microsoft Corp.) [File not signed]
S3 EapHost; C:\WINDOWS\System32\eapsvc.dll [33792 2008-04-14] (Microsoft Corporation) [File not signed]
R2 ERSvc; C:\WINDOWS\System32\ersvc.dll [23040 2008-04-14] (Microsoft Corporation) [File not signed]
R2 EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [86016 2006-02-06] (Intel Corporation) [File not signed]
S3 helpsvc; C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll [38400 2008-04-14] (Microsoft Corporation) [File not signed]
S4 HidServ; C:\WINDOWS\System32\hidserv.dll [21504 2008-04-14] (Microsoft Corporation) [File not signed]
S3 hkmsvc; C:\WINDOWS\System32\kmsvc.dll [61440 2008-04-14] (Microsoft Corporation) [File not signed]
S3 HTTPFilter; C:\WINDOWS\System32\w3ssl.dll [15872 2008-04-14] (Microsoft Corporation) [File not signed]
S4 ImapiService; C:\WINDOWS\system32\imapi.exe [150528 2008-04-14] (Microsoft Corporation) [File not signed]
S4 Irmon; C:\WINDOWS\System32\irmon.dll [28160 2008-04-14] (Microsoft Corporation) [File not signed]
S4 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2013-10-09] (Oracle Corporation)
S3 LmHosts; C:\WINDOWS\System32\lmhsvc.dll [13824 2008-04-14] (Microsoft Corporation) [File not signed]
S4 Messenger; C:\WINDOWS\System32\msgsvc.dll [33792 2008-04-14] (Microsoft Corporation) [File not signed]
S3 mnmsrvc; C:\WINDOWS\system32\mnmsrvc.exe [32768 2008-04-14] (Microsoft Corporation) [File not signed]
S3 MSDTC; C:\WINDOWS\system32\msdtc.exe [6144 2008-04-14] (Microsoft Corporation) [File not signed]
S3 napagent; C:\WINDOWS\System32\qagentrt.dll [291328 2008-04-14] (Microsoft Corporation) [File not signed]
S4 NetDDE; C:\WINDOWS\system32\netdde.exe [111104 2008-04-14] (Microsoft Corporation) [File not signed]
S4 NetDDEdsdm; C:\WINDOWS\system32\netdde.exe [111104 2008-04-14] (Microsoft Corporation) [File not signed]
S3 Netlogon; C:\WINDOWS\system32\lsass.exe [13312 2008-04-14] (Microsoft Corporation) [File not signed]
R2 Netman; C:\WINDOWS\System32\netman.dll [198144 2008-04-14] (Microsoft Corporation) [File not signed]
S3 NtLmSsp; C:\WINDOWS\system32\lsass.exe [13312 2008-04-14] (Microsoft Corporation) [File not signed]
S3 NtmsSvc; C:\WINDOWS\system32\ntmssvc.dll [435200 2008-04-14] (Microsoft Corporation) [File not signed]
R2 NwSapAgent; C:\WINDOWS\System32\ipxsap.dll [66560 2008-04-14] (Microsoft Corporation) [File not signed]
R2 PolicyAgent; C:\WINDOWS\system32\lsass.exe [13312 2008-04-14] (Microsoft Corporation) [File not signed]
R2 ProtectedStorage; C:\WINDOWS\system32\lsass.exe [13312 2008-04-14] (Microsoft Corporation) [File not signed]
S3 RasAuto; C:\WINDOWS\System32\rasauto.dll [88576 2008-04-14] (Microsoft Corporation) [File not signed]
R3 RasMan; C:\WINDOWS\System32\rasmans.dll [186368 2008-04-14] (Microsoft Corporation) [File not signed]
S3 RDSessMgr; C:\WINDOWS\system32\sessmgr.exe [141312 2008-04-14] (Microsoft Corporation) [File not signed]
R2 RegSrvc; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [139264 2006-02-06] (Intel Corporation) [File not signed]
S4 RemoteAccess; C:\WINDOWS\System32\mprdim.dll [53248 2008-04-14] (Microsoft Corporation) [File not signed]
S4 RemoteRegistry; C:\WINDOWS\system32\regsvc.dll [59904 2008-04-14] (Microsoft Corporation) [File not signed]
R2 RpcLocator; C:\WINDOWS\system32\locator.exe [75264 2008-04-14] (Microsoft Corporation) [File not signed]
S3 RSVP; C:\WINDOWS\system32\rsvp.exe [132608 2008-04-14] (Microsoft Corporation) [File not signed]
R2 S24EventMonitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [372809 2006-02-06] (Intel Corporation ) [File not signed]
R2 SamSs; C:\WINDOWS\system32\lsass.exe [13312 2008-04-14] (Microsoft Corporation) [File not signed]
S3 SCardSvr; C:\WINDOWS\System32\SCardSvr.exe [95744 2008-04-14] (Microsoft Corporation) [File not signed]
R2 Schedule; C:\WINDOWS\system32\schedsvc.dll [192512 2008-04-14] (Microsoft Corporation) [File not signed]
S3 seclogon; C:\WINDOWS\System32\seclogon.dll [18944 2008-04-14] (Microsoft Corporation) [File not signed]
R2 SENS; C:\WINDOWS\system32\sens.dll [39424 2008-04-14] (Microsoft Corporation) [File not signed]
S3 srservice; C:\WINDOWS\system32\srsvc.dll [171008 2008-04-14] (Microsoft Corporation) [File not signed]
R3 SSDPSRV; C:\WINDOWS\System32\ssdpsrv.dll [71680 2008-04-14] (Microsoft Corporation) [File not signed]
R2 ss_conn_service; C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe [743688 2014-12-03] (DEVGURU Co., LTD.)
R2 stisvc; C:\WINDOWS\system32\wiaservc.dll [333824 2008-04-14] (Microsoft Corporation) [File not signed]
S3 SysmonLog; C:\WINDOWS\system32\smlogsvc.exe [89600 2008-04-14] (Microsoft Corporation) [File not signed]
S4 TlntSvr; C:\WINDOWS\system32\tlntsvr.exe [73216 2008-04-14] (Microsoft Corporation) [File not signed]
R2 TrkWks; C:\WINDOWS\system32\trkwks.dll [90112 2008-04-14] (Microsoft Corporation) [File not signed]
S3 upnphost; C:\WINDOWS\System32\upnphost.dll [185856 2008-04-14] (Microsoft Corporation) [File not signed]
S3 UPS; C:\WINDOWS\System32\ups.exe [18432 2008-04-14] (Microsoft Corporation) [File not signed]
S3 VSS; C:\WINDOWS\System32\vssvc.exe [289792 2008-04-14] (Microsoft Corporation) [File not signed]
R2 winmgmt; C:\WINDOWS\system32\wbem\WMIsvc.dll [144896 2008-04-14] (Microsoft Corporation) [File not signed]
S3 WmdmPmSN; C:\WINDOWS\system32\MsPMSNSv.dll [27136 2006-10-18] (Microsoft Corporation) [File not signed]
S3 WmiApSrv; C:\WINDOWS\system32\wbem\wmiapsrv.exe [126464 2008-04-14] (Microsoft Corporation) [File not signed]
S4 WMPNetworkSvc; C:\Program Files\Windows Media Player\WMPNetwk.exe [913408 2006-10-18] (Microsoft Corporation) [File not signed]
S2 WsAppService; C:\Program Files\Wondershare\WAF\2.4.3.227\WsAppService.exe [479232 2017-06-21] (Wondershare) [File not signed]
S3 wscsvc; C:\WINDOWS\system32\wscsvc.dll [80896 2008-04-14] (Microsoft Corporation) [File not signed]
R2 WudfSvc; C:\WINDOWS\System32\WUDFSvc.dll [55808 2006-09-28] (Microsoft Corporation) [File not signed]
S3 xmlprov; C:\WINDOWS\System32\xmlprov.dll [129024 2008-04-14] (Microsoft Corporation) [File not signed]
S2 WsDrvInst; C:\Program Files\Wondershare\dr.fone toolkit for Android\Library\DriverInstaller\DriverInstall.exe [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 ac97intc; C:\WINDOWS\System32\drivers\ac97intc.sys [96256 2001-08-17] (Intel Corporation) [File not signed]
R0 ACPI; C:\WINDOWS\System32\DRIVERS\ACPI.sys [187776 2008-04-13] (Microsoft Corporation) [File not signed]
R0 ACPIEC; C:\WINDOWS\System32\drivers\acpiec.sys [11648 2001-08-17] (Microsoft Corporation) [File not signed]
S3 aec; C:\WINDOWS\System32\drivers\aec.sys [142592 2008-04-13] (Microsoft Corporation) [File not signed]
R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [17801 2013-07-01] (Meetinghouse Data Communications) [File not signed]
S1 AmdPPM; C:\WINDOWS\System32\DRIVERS\AmdPPM.sys [33792 2007-04-16] (Advanced Micro Devices) [File not signed]
R1 ANC; C:\WINDOWS\System32\drivers\ANC.SYS [11520 2013-03-07] (IBM Corp.) [File not signed]
S4 asc3350p; C:\WINDOWS\system32\Drivers\asc3350p.sys [22400 2011-04-08] (Microsoft Corporation) [File not signed]
S3 AsyncMac; C:\WINDOWS\System32\DRIVERS\asyncmac.sys [14336 2008-04-14] (Microsoft Corporation) [File not signed]
R0 atapi; C:\WINDOWS\System32\DRIVERS\atapi.sys [96512 2008-04-14] (Microsoft Corporation) [File not signed]
S3 ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [5386752 2010-08-26] (ATI Technologies Inc.) [File not signed]
S3 AtiHDAudioService; C:\WINDOWS\System32\drivers\AtihdXP3.sys [101392 2011-03-31] (Advanced Micro Devices)
S3 Atmarpc; C:\WINDOWS\System32\DRIVERS\atmarpc.sys [59904 2008-04-14] (Microsoft Corporation) [File not signed]
R3 audstub; C:\WINDOWS\System32\DRIVERS\audstub.sys [3072 2001-08-17] (Microsoft Corporation) [File not signed]
S3 BCM43XX; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [3363384 2010-10-29] (Broadcom Corporation)
R1 Beep; C:\WINDOWS\system32\Drivers\Beep.sys [4224 2008-04-14] (Microsoft Corporation) [File not signed]
S3 Bridge; C:\WINDOWS\System32\DRIVERS\bridge.sys [71552 2008-04-14] (Microsoft Corporation) [File not signed]
S3 BridgeMP; C:\WINDOWS\System32\DRIVERS\bridge.sys [71552 2008-04-14] (Microsoft Corporation) [File not signed]
R1 cbdisk3; C:\WINDOWS\system32\drivers\cbdisk3.sys [200896 2013-10-18] (EldoS Corporation)
R1 cbfs4; C:\WINDOWS\system32\drivers\cbfs4.sys [323392 2013-10-25] (EldoS Corporation)
S4 cbidf2k; C:\WINDOWS\system32\Drivers\cbidf2k.sys [13952 2001-08-17] (Microsoft Corporation) [File not signed]
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation) [File not signed]
R0 cd20xrnt; C:\WINDOWS\System32\DRIVERS\cd20xrnt.sys [7680 2011-04-08] (Microsoft Corporation) [File not signed]
S1 Cdaudio; C:\WINDOWS\system32\Drivers\Cdaudio.sys [18688 2011-08-14] (Microsoft Corporation) [File not signed]
R4 Cdfs; C:\WINDOWS\system32\Drivers\Cdfs.sys [63744 2008-04-14] (Microsoft Corporation) [File not signed]
R3 CmBatt; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [13952 2008-04-13] (Microsoft Corporation) [File not signed]
R0 Compbatt; C:\WINDOWS\System32\DRIVERS\compbatt.sys [10240 2008-04-13] (Microsoft Corporation) [File not signed]
R3 digitalpower; C:\WINDOWS\System32\drivers\digitalpower.sys [25048 2013-06-12] (Bongiovi Acoustics)
S4 dmboot; C:\WINDOWS\System32\drivers\dmboot.sys [799744 2008-04-14] (Microsoft Corp., Veritas Software) [File not signed]
R0 dmio; C:\WINDOWS\System32\drivers\dmio.sys [153344 2008-04-14] (Microsoft Corp., Veritas Software) [File not signed]
R0 dmload; C:\WINDOWS\System32\drivers\dmload.sys [5888 2008-04-14] (Microsoft Corp., Veritas Software.) [File not signed]
S3 DMusic; C:\WINDOWS\System32\drivers\DMusic.sys [52864 2008-04-13] (Microsoft Corporation) [File not signed]
S3 drmkaud; C:\WINDOWS\System32\drivers\drmkaud.sys [2944 2008-04-13] (Microsoft Corporation) [File not signed]
R1 dtsoftbus01; C:\WINDOWS\System32\DRIVERS\dtsoftbus01.sys [242240 2013-07-01] (DT Soft Ltd)
S4 Fastfat; C:\WINDOWS\system32\Drivers\Fastfat.sys [143744 2008-04-14] (Microsoft Corporation) [File not signed]
S3 Fdc; C:\WINDOWS\System32\DRIVERS\fdc.sys [27392 2008-04-14] (Microsoft Corporation) [File not signed]
R1 Fips; C:\WINDOWS\system32\Drivers\Fips.sys [44544 2008-04-14] (Microsoft Corporation) [File not signed]
S3 Flpydisk; C:\WINDOWS\System32\DRIVERS\flpydisk.sys [20480 2008-04-14] (Microsoft Corporation) [File not signed]
R0 FltMgr; C:\WINDOWS\System32\DRIVERS\fltMgr.sys [129792 2008-04-14] (Microsoft Corporation) [File not signed]
S3 FRIdrv; C:\WINDOWS\System32\drivers\FRIdrv.sys [3968 2015-07-09] (Beyond Logic hxxp://www.beyondlogic.org) [File not signed]
R0 Ftdisk; C:\WINDOWS\System32\DRIVERS\ftdisk.sys [125056 2008-04-14] (Microsoft Corporation) [File not signed]
R3 Gpc; C:\WINDOWS\System32\DRIVERS\msgpc.sys [35072 2008-04-14] (Microsoft Corporation) [File not signed]
S3 HDAudBus; C:\WINDOWS\System32\DRIVERS\HDAudBus.sys [144384 2008-04-14] (Windows ® Server 2003 DDK provider) [File not signed]
R3 HidUsb; C:\WINDOWS\System32\drivers\HidUsb.sys [10368 2008-04-13] (Microsoft Corporation) [File not signed]
R3 HSFHWICH; C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys [247808 2009-08-23] (Conexant Systems, Inc.) [File not signed]
R3 HSF_DPV; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [985856 2009-08-23] (Conexant Systems, Inc.) [File not signed]
R1 i8042prt; C:\WINDOWS\System32\DRIVERS\i8042prt.sys [52480 2008-04-13] (Microsoft Corporation) [File not signed]
R3 ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [804317 2005-01-23] (Intel Corporation) [File not signed]
R1 IBMTPCHK; C:\WINDOWS\system32\Drivers\IBMBLDID.sys [4224 2013-03-07] () [File not signed]
R1 IDMTDI; C:\WINDOWS\System32\DRIVERS\idmtdi.sys [143040 2018-03-01] (Tonec Inc.)
S1 Imapi; C:\WINDOWS\System32\DRIVERS\imapi.sys [42112 2008-04-13] (Microsoft Corporation) [File not signed]
R0 IntelIde; C:\WINDOWS\System32\DRIVERS\intelide.sys [5504 2008-04-13] (Microsoft Corporation) [File not signed]
R1 intelppm; C:\WINDOWS\System32\DRIVERS\intelppm.sys [36352 2008-04-14] (Microsoft Corporation) [File not signed]
S3 Ip6Fw; C:\WINDOWS\System32\DRIVERS\Ip6Fw.sys [36608 2008-04-14] (Microsoft Corporation) [File not signed]
S3 IpFilterDriver; C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys [32896 2008-04-14] (Microsoft Corporation) [File not signed]
S3 IpInIp; C:\WINDOWS\System32\DRIVERS\ipinip.sys [20864 2008-04-14] (Microsoft Corporation) [File not signed]
S3 IpNat; C:\WINDOWS\System32\DRIVERS\ipnat.sys [152832 2008-04-14] (Microsoft Corporation) [File not signed]
R1 IPSec; C:\WINDOWS\System32\DRIVERS\ipsec.sys [75264 2008-04-14] (Microsoft Corporation) [File not signed]
R2 irda; C:\WINDOWS\System32\DRIVERS\irda.sys [88192 2008-04-13] (Microsoft Corporation) [File not signed]
S3 IRENUM; C:\WINDOWS\System32\DRIVERS\irenum.sys [11264 2008-04-14] (Microsoft Corporation) [File not signed]
R0 isapnp; C:\WINDOWS\System32\DRIVERS\isapnp.sys [37248 2008-04-13] (Microsoft Corporation) [File not signed]
S3 k57w2k; C:\WINDOWS\System32\DRIVERS\k57xp32.sys [229928 2011-01-17] (Broadcom Corporation)
R1 Kbdclass; C:\WINDOWS\System32\DRIVERS\kbdclass.sys [24576 2008-04-14] (Microsoft Corporation) [File not signed]
S1 kbdhid; C:\WINDOWS\System32\drivers\KbdHid.sys [14592 2008-04-13] (Microsoft Corporation) [File not signed]
R3 kmixer; C:\WINDOWS\System32\drivers\kmixer.sys [172416 2008-04-13] (Microsoft Corporation) [File not signed]
S3 Logi_Headset_DFU; C:\WINDOWS\System32\Drivers\lhusbdfui386.sys [37864 2014-01-24] (CSR plc.)
R1 mnmdd; C:\WINDOWS\system32\Drivers\mnmdd.sys [4224 2008-04-14] (Microsoft Corporation) [File not signed]
R3 Modem; C:\WINDOWS\system32\Drivers\Modem.sys [30080 2011-08-14] (Microsoft Corporation) [File not signed]
R1 Mouclass; C:\WINDOWS\System32\DRIVERS\mouclass.sys [23040 2008-04-13] (Microsoft Corporation) [File not signed]
R3 mouhid; C:\WINDOWS\System32\drivers\MouHid.sys [12160 2001-08-17] (Microsoft Corporation) [File not signed]
S3 MSKSSRV; C:\WINDOWS\System32\drivers\MSKSSRV.sys [7552 2008-04-13] (Microsoft Corporation) [File not signed]
S3 MSPCLOCK; C:\WINDOWS\System32\drivers\MSPCLOCK.sys [5376 2008-04-13] (Microsoft Corporation) [File not signed]
S3 MSPQM; C:\WINDOWS\System32\drivers\MSPQM.sys [4992 2008-04-13] (Microsoft Corporation) [File not signed]
R3 mssmbios; C:\WINDOWS\System32\DRIVERS\mssmbios.sys [15488 2011-08-14] (Microsoft Corporation) [File not signed]
S3 MSTEE; C:\WINDOWS\System32\drivers\MSTEE.sys [5504 2008-04-13] (Microsoft Corporation) [File not signed]
R0 mv61xxmm; C:\WINDOWS\system32\Drivers\mv61xxmm.sys [13616 2011-08-14] (Marvell Semiconductor Inc.)
R0 mv64xxmm; C:\WINDOWS\system32\Drivers\mv64xxmm.sys [5632 2011-08-14] (Marvell Semiconductor Inc.) [File not signed]
R0 mvxxmm; C:\WINDOWS\system32\Drivers\mvxxmm.sys [13616 2010-11-22] (Marvell Semiconductor Inc.)
S3 NABTSFEC; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [85248 2008-04-13] (Microsoft Corporation) [File not signed]
R0 NDIS; C:\WINDOWS\system32\Drivers\NDIS.sys [182656 2008-04-14] (Microsoft Corporation) [File not signed]
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation) [File not signed]
R3 Ndisuio; C:\WINDOWS\System32\DRIVERS\ndisuio.sys [14592 2011-08-14] (Microsoft Corporation) [File not signed]
R3 NdisWan; C:\WINDOWS\System32\DRIVERS\ndiswan.sys [91520 2008-04-14] (Microsoft Corporation) [File not signed]
R1 NetBIOS; C:\WINDOWS\System32\DRIVERS\netbios.sys [34688 2008-04-14] (Microsoft Corporation) [File not signed]
R1 NetBT; C:\WINDOWS\System32\DRIVERS\netbt.sys [162816 2008-04-14] (Microsoft Corporation) [File not signed]
S3 nm; C:\WINDOWS\System32\DRIVERS\NMnt.sys [40320 2008-04-14] (Microsoft Corporation) [File not signed]
R1 Npfs; C:\WINDOWS\system32\Drivers\Npfs.sys [30848 2008-04-14] (Microsoft Corporation) [File not signed]
S3 NSCIRDA; C:\WINDOWS\System32\DRIVERS\nscirda.sys [28672 2008-04-13] (National Semiconductor Corporation) [File not signed]
R1 Null; C:\WINDOWS\system32\Drivers\Null.sys [2944 2008-04-14] (Microsoft Corporation) [File not signed]
S3 NwlnkFlt; C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys [12416 2008-04-14] (Microsoft Corporation) [File not signed]
S3 NwlnkFwd; C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys [32512 2008-04-14] (Microsoft Corporation) [File not signed]
R2 NwlnkIpx; C:\WINDOWS\System32\DRIVERS\nwlnkipx.sys [88320 2008-04-14] (Microsoft Corporation) [File not signed]
R2 NwlnkNb; C:\WINDOWS\System32\DRIVERS\nwlnknb.sys [63232 2008-04-14] (Microsoft Corporation) [File not signed]
R2 NwlnkSpx; C:\WINDOWS\System32\DRIVERS\nwlnkspx.sys [55936 2008-04-14] (Microsoft Corporation) [File not signed]
R3 Parport; C:\WINDOWS\System32\DRIVERS\parport.sys [80128 2011-08-14] (Microsoft Corporation) [File not signed]
U3 Partizan; C:\WINDOWS\System32\drivers\Partizan.sys [40304 2018-08-09] (Greatis Software) [File not signed]
R0 PartMgr; C:\WINDOWS\system32\Drivers\PartMgr.sys [19712 2008-04-14] (Microsoft Corporation) [File not signed]
R2 ParVdm; C:\WINDOWS\system32\Drivers\ParVdm.sys [6784 2008-04-14] (Microsoft Corporation) [File not signed]
R0 PCI; C:\WINDOWS\System32\DRIVERS\pci.sys [68224 2008-04-13] (Microsoft Corporation) [File not signed]
R0 Pcmcia; C:\WINDOWS\System32\DRIVERS\pcmcia.sys [120192 2008-04-13] (Microsoft Corporation) [File not signed]
R0 perc2hib; C:\WINDOWS\System32\DRIVERS\perc2hib.sys [5504 2011-04-08] (Microsoft Corporation) [File not signed]
R2 PMEM; C:\WINDOWS\system32\drivers\PMEMNT.SYS [7012 2004-05-05] (Microsoft Corporation) [File not signed]
R3 PptpMiniport; C:\WINDOWS\System32\DRIVERS\raspptp.sys [48384 2008-04-14] (Microsoft Corporation) [File not signed]
S1 Processor; C:\WINDOWS\System32\DRIVERS\processr.sys [35840 2011-08-14] (Microsoft Corporation) [File not signed]
R3 Ptilink; C:\WINDOWS\System32\DRIVERS\ptilink.sys [17792 2008-04-14] (Parallel Technologies, Inc.) [File not signed]
S3 pwdrvio; C:\WINDOWS\system32\pwdrvio.sys [15688 2013-09-30] ()
S3 pwdspio; C:\WINDOWS\system32\pwdspio.sys [10320 2013-09-30] ()
R1 RasAcd; C:\WINDOWS\System32\DRIVERS\rasacd.sys [8832 2008-04-14] (Microsoft Corporation) [File not signed]
R3 Rasirda; C:\WINDOWS\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation) [File not signed]
R3 Rasl2tp; C:\WINDOWS\System32\DRIVERS\rasl2tp.sys [51328 2008-04-14] (Microsoft Corporation) [File not signed]
R3 RasPppoe; C:\WINDOWS\System32\DRIVERS\raspppoe.sys [41472 2008-04-14] (Microsoft Corporation) [File not signed]
R3 Raspti; C:\WINDOWS\System32\DRIVERS\raspti.sys [16512 2008-04-14] (Microsoft Corporation) [File not signed]
R1 RDPCDD; C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [4224 2008-04-14] (Microsoft Corporation) [File not signed]
R1 redbook; C:\WINDOWS\System32\DRIVERS\redbook.sys [57600 2008-04-13] (Microsoft Corporation) [File not signed]
R2 s24trans; C:\WINDOWS\System32\DRIVERS\s24trans.sys [11354 2005-11-07] (Intel Corporation) [File not signed]
S3 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [20480 2008-04-14] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [File not signed]
R3 serenum; C:\WINDOWS\System32\DRIVERS\serenum.sys [15744 2008-04-14] (Microsoft Corporation) [File not signed]
R1 Serial; C:\WINDOWS\System32\DRIVERS\serial.sys [64512 2008-04-14] (Microsoft Corporation) [File not signed]
S3 SLIP; C:\WINDOWS\System32\DRIVERS\SLIP.sys [11136 2008-04-13] (Microsoft Corporation) [File not signed]
S3 splitter; C:\WINDOWS\System32\drivers\splitter.sys [6272 2008-04-13] (Microsoft Corporation) [File not signed]
R0 sr; C:\WINDOWS\System32\DRIVERS\sr.sys [73472 2008-04-14] (Microsoft Corporation) [File not signed]
R1 StarOpen; C:\WINDOWS\system32\Drivers\StarOpen.sys [5632 2006-07-24] () [File not signed]
S3 StillCam; C:\WINDOWS\System32\DRIVERS\serscan.sys [6784 2001-08-17] (Microsoft Corporation) [File not signed]
S3 streamip; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [15232 2008-04-13] (Microsoft Corporation) [File not signed]
R3 swenum; C:\WINDOWS\System32\DRIVERS\swenum.sys [4352 2011-08-14] (Microsoft Corporation) [File not signed]
S3 swmidi; C:\WINDOWS\System32\drivers\swmidi.sys [56576 2008-04-13] (Microsoft Corporation) [File not signed]
R3 SynTP; C:\WINDOWS\System32\DRIVERS\SynTP.sys [265744 2003-06-24] (Synaptics, Inc.) [File not signed]
R3 sysaudio; C:\WINDOWS\System32\drivers\sysaudio.sys [60800 2008-04-13] (Microsoft Corporation) [File not signed]
R1 Tcpip6; C:\WINDOWS\System32\DRIVERS\tcpip6.sys [226880 2011-08-14] (Microsoft Corporation)
S3 TDPIPE; C:\WINDOWS\system32\Drivers\TDPIPE.sys [12040 2008-04-14] (Microsoft Corporation) [File not signed]
R1 TermDD; C:\WINDOWS\System32\DRIVERS\termdd.sys [40840 2008-04-14] (Microsoft Corporation) [File not signed]
R2 thdudf; C:\WINDOWS\System32\DRIVERS\thdudf.sys [66944 2010-04-30] (TOSHIBA Corporation) [File not signed]
R3 tunmp; C:\WINDOWS\System32\DRIVERS\tunmp.sys [12288 2011-08-14] (Microsoft Corporation) [File not signed]
S3 tusbaudio; C:\WINDOWS\System32\DRIVERS\tusbaudio.sys [188576 2013-10-24] ()
S3 tusbaudioks; C:\WINDOWS\System32\DRIVERS\tusbaudioks.sys [41632 2013-10-24] ()
R4 Udfs; C:\WINDOWS\system32\Drivers\Udfs.sys [66048 2008-04-14] (Microsoft Corporation) [File not signed]
U3 ujmynjg1; C:\WINDOWS\system32\Drivers\ujmynjg1.sys [10240 2018-08-11] (Zaitsev Oleg, 2006) [File not signed]
R3 Update; C:\WINDOWS\System32\DRIVERS\update.sys [384768 2008-04-14] (Microsoft Corporation) [File not signed]
S3 usbaudio; C:\WINDOWS\System32\drivers\usbaudio.sys [60032 2008-04-13] (Microsoft Corporation) [File not signed]
S3 usbccgp; C:\WINDOWS\System32\drivers\usbccgp.sys [32128 2008-04-13] (Microsoft Corporation) [File not signed]
R3 usbhub; C:\WINDOWS\System32\drivers\usbhub.sys [59520 2008-04-13] (Microsoft Corporation) [File not signed]
S3 usbscan; C:\WINDOWS\System32\DRIVERS\usbscan.sys [15104 2008-04-13] (Microsoft Corporation) [File not signed]
R3 usbstor; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [26368 2008-04-13] (Microsoft Corporation) [File not signed]
R3 usbuhci; C:\WINDOWS\System32\drivers\usbuhci.sys [20608 2008-04-13] (Microsoft Corporation) [File not signed]
S3 usbvideo; C:\WINDOWS\System32\Drivers\usbvideo.sys [121984 2008-04-13] (Microsoft Corporation) [File not signed]
R1 VgaSave; C:\WINDOWS\System32\drivers\vga.sys [20992 2008-04-14] (Microsoft Corporation) [File not signed]
R0 VolSnap; C:\WINDOWS\system32\Drivers\VolSnap.sys [52352 2008-04-14] (Microsoft Corporation) [File not signed]
R3 vpnpbus; C:\WINDOWS\System32\DRIVERS\vpnpbus.sys [15936 2013-10-18] (EldoS Corporation)
R3 w29n51; C:\WINDOWS\System32\DRIVERS\w29n51.sys [3325312 2006-01-18] (Intel® Corporation)
R3 Wanarp; C:\WINDOWS\System32\DRIVERS\wanarp.sys [34560 2008-04-14] (Microsoft Corporation) [File not signed]
R3 wdmaud; C:\WINDOWS\System32\drivers\wdmaud.sys [83072 2008-04-13] (Microsoft Corporation) [File not signed]
R3 winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [731264 2009-08-23] (Conexant Systems, Inc.) [File not signed]
S1 WmiAcpi; C:\WINDOWS\System32\DRIVERS\wmiacpi.sys [8832 2008-04-13] (Microsoft Corporation) [File not signed]
S3 WpdUsb; C:\WINDOWS\System32\DRIVERS\wpdusb.sys [38528 2006-10-18] (Microsoft Corporation) [File not signed]
S3 WSTCODEC; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [19200 2008-04-13] (Microsoft Corporation) [File not signed]
R0 WudfPf; C:\WINDOWS\System32\DRIVERS\WudfPf.sys [77568 2006-09-28] (Microsoft Corporation) [File not signed]
S3 WudfRd; C:\WINDOWS\System32\DRIVERS\wudfrd.sys [82944 2006-09-28] (Microsoft Corporation) [File not signed]
R2 X4HSEx_Pr143; C:\Program Files\Free Ride Games\X4HSEx_Pr143.Sys [58696 2012-08-02] (Exent Technologies Ltd.)
S3 Ambfilt; system32\drivers\Ambfilt.sys [X]
U5 BattC; C:\Windows\System32\Drivers\BattC.sys [14208 2008-04-13] (Microsoft Corporation) [File not signed]
S1 cnjjgcjj; \??\C:\WINDOWS\system32\drivers\cnjjgcjj.sys [X]
S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]
S3 ew_usbenumfilter; system32\DRIVERS\ew_usbenumfilter.sys [X]
S3 huawei_cdcacm; system32\DRIVERS\ew_jucdcacm.sys [X]
S3 huawei_cdcecm; system32\DRIVERS\ew_jucdcecm.sys [X]
S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
S3 huawei_ext_ctrl; system32\DRIVERS\ew_juextctrl.sys [X]
S3 IntcAzAudAddService; system32\drivers\RtkHDAud.sys [X]
S3 Monfilt; system32\drivers\Monfilt.sys [X]
U5 phunter; C:\WINDOWS\system32\unikey.sys [13816 2013-08-18] ()
U1 WS2IFSL; no ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2028-01-12 15:19 - 2028-01-12 15:19 - 000195584 ____C (Microsoft Corporation) C:\WINDOWS\system32\Xvoice.dll
2018-08-11 01:35 - 2018-08-11 01:36 - 000000000 ____D C:\FRST
2018-08-11 00:52 - 2018-08-11 00:52 - 000010240 _____ (Zaitsev Oleg, 2006) C:\WINDOWS\system32\Drivers\ujmynjg1.sys
2018-08-11 00:38 - 2018-08-11 00:38 - 000000420 _____ C:\WINDOWS\Tasks\{3A4E34BC-92A7-61BF-D43F-5F2D47E34DBB}.job
2018-08-11 00:38 - 2018-08-11 00:38 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\{A65E1C8C-BA97-FDAF-D43F-5F2D47E34DBB}
2018-08-11 00:36 - 2018-08-11 00:36 - 000336896 _____ C:\Documents and Settings\Administrator\Application Data\6.exe
2018-08-11 00:36 - 2018-08-11 00:36 - 000114688 _____ (Toxic Coding Team Tool) C:\Documents and Settings\Administrator\Application Data\4.exe
2018-08-10 03:22 - 2018-08-10 03:22 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\Doctor Web
2018-08-10 03:22 - 2018-08-10 03:22 - 000000000 ____D C:\Documents and Settings\Administrator\Doctor Web
2018-08-10 03:21 - 2018-08-11 00:31 - 000065536 _____ C:\WINDOWS\system32\config\Doctor Web.evt
2018-08-09 05:24 - 2018-08-09 05:24 - 000000000 _____ C:\WINDOWS\system32\Drivers\etc\hostsantiwebminer.txt
2018-08-09 04:55 - 2018-08-09 04:55 - 000090112 _____ C:\WINDOWS\Minidump\Mini080918-01.dmp
2018-08-09 04:47 - 2018-08-09 04:47 - 000001727 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes.lnk
2018-08-09 04:47 - 2018-08-09 04:47 - 000000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes
2018-08-09 04:47 - 2018-04-26 05:36 - 000128736 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbae.sys
2018-08-09 01:22 - 2018-08-09 04:55 - 000000262 _____ C:\WINDOWS\system32\PARTIZAN.TXT
2018-08-09 01:12 - 2018-08-09 01:12 - 000040304 _____ (Greatis Software) C:\WINDOWS\system32\Drivers\Partizan.sys
2018-08-09 01:12 - 2018-08-08 02:13 - 000000406 _____ C:\WINDOWS\system32\Drivers\etc\hosts.old
2018-08-09 00:45 - 2018-08-09 00:45 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\RegRun
2018-08-09 00:39 - 2018-08-09 05:14 - 000000000 ____D C:\Documents and Settings\Administrator\My Documents\RegRun2
2018-08-08 23:27 - 2018-08-08 23:27 - 000000000 ____D C:\WINDOWS\CSC
2018-08-08 03:26 - 2018-08-08 02:51 - 000148600 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MbamChameleon.sys
2018-08-08 02:45 - 2018-08-08 02:45 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\MB3Install
2018-08-08 02:25 - 2018-08-09 04:52 - 000014542 _____ C:\Documents and Settings\Administrator\Desktop\Rkill.txt
2018-08-08 02:13 - 2018-08-08 02:46 - 000000100 _____ C:\WINDOWS\system32\Drivers\etc\add.txt
2018-08-08 01:17 - 2018-08-08 01:17 - 000090112 _____ C:\WINDOWS\Minidump\Mini080818-01.dmp
2018-08-07 18:09 - 2018-08-10 03:43 - 000133120 _____ C:\Documents and Settings\Administrator\Application Data\c731200
2018-08-04 01:04 - 2018-08-04 01:04 - 000000725 _____ C:\Documents and Settings\All Users\Desktop\Tenorshare UltData for Android.lnk
2018-08-04 01:04 - 2018-08-04 01:04 - 000000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\(Default)
2018-08-04 01:03 - 2018-08-04 01:03 - 000000725 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Tenorshare UltData for Android.lnk
2018-08-04 00:22 - 2018-08-04 00:22 - 000000000 __HDC C:\WINDOWS\$NtUninstallwinusb0100$
2018-08-04 00:22 - 2018-08-04 00:22 - 000000000 ____H C:\WINDOWS\system32\Drivers\Msft_Kernel_WinUSB_01007.Wdf
2018-08-04 00:07 - 2018-08-04 00:07 - 000000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Aiseesoft Studio
2018-08-04 00:06 - 2018-08-04 00:06 - 000000801 _____ C:\Documents and Settings\All Users\Desktop\FoneLab for Android.lnk
2018-08-04 00:06 - 2018-08-04 00:06 - 000000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Aiseesoft Studio
2018-07-28 01:39 - 2018-07-28 01:39 - 000002204 _____ C:\Documents and Settings\Administrator\Start Menu\Programs\f.lux.lnk
2018-07-12 06:24 - 2008-04-13 21:15 - 000060032 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\USBAUDIO.sys
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-08-11 01:37 - 2014-06-29 04:20 - 000000462 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{1E0D3252-40B7-425F-A243-67CF18BC4C3D}.job
2018-08-11 01:37 - 2013-08-24 05:49 - 000000294 _____ C:\WINDOWS\Tasks\Browser Manager.job
2018-08-11 01:37 - 2011-09-04 12:37 - 000000000 ____D C:\Documents and Settings\Administrator\Local Settings\Temp
2018-08-11 01:36 - 2013-08-09 17:38 - 000000258 _____ C:\WINDOWS\Tasks\Clean System Memory.job
2018-08-11 01:28 - 2011-09-09 16:08 - 000032654 _____ C:\WINDOWS\SchedLgU.Txt
2018-08-11 01:06 - 2014-01-13 23:06 - 000000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2018-08-11 00:34 - 2011-09-04 12:36 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2018-08-11 00:34 - 2008-04-14 19:00 - 000002206 _____ C:\WINDOWS\system32\wpa.dbl
2018-08-11 00:31 - 2011-09-04 12:38 - 000000178 __SHC C:\Documents and Settings\Administrator\ntuser.ini
2018-08-11 00:31 - 2011-09-04 12:36 - 000000178 __SHC C:\Documents and Settings\LocalService\ntuser.ini
2018-08-11 00:30 - 2013-06-04 03:20 - 000000000 ____D C:\Documents and Settings\Administrator\Application Data\uTorrent
2018-08-10 20:48 - 2016-07-28 14:48 - 000000530 _____ C:\WINDOWS\Tasks\Обновление Браузера Яндекс.job
2018-08-10 20:48 - 2016-02-06 02:48 - 000000500 _____ C:\WINDOWS\Tasks\Обновление Браузера Яндекс .job
2018-08-10 03:22 - 2011-09-04 12:37 - 000000000 ____D C:\Documents and Settings\Administrator
2018-08-10 02:25 - 2013-04-25 14:55 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\SecTaskMan
2018-08-09 05:35 - 2008-04-14 19:00 - 000000576 _____ C:\WINDOWS\win.ini
2018-08-09 04:55 - 2011-10-04 17:32 - 000000000 ____D C:\WINDOWS\Minidump
2018-08-09 04:42 - 2013-07-08 02:48 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2018-08-09 02:16 - 2014-11-08 03:04 - 000000000 ____D C:\Program Files\Internet Download Manager
2018-08-09 01:00 - 2015-03-31 20:19 - 000000000 ____D C:\Documents and Settings\Administrator\Application Data\DMCache
2018-08-08 23:27 - 2016-02-01 01:18 - 000775296 _____ C:\WINDOWS\ntbtlog.txt
2018-08-08 03:44 - 2018-02-05 02:34 - 000000803 _____ C:\Documents and Settings\Administrator\Desktop\my letter to RHA.txt
2018-08-08 02:49 - 2011-09-04 12:36 - 000000000 __SHD C:\Documents and Settings\LocalService
2018-08-08 01:05 - 2015-06-29 00:19 - 000000000 ____D C:\Program Files\Wondershare
2018-08-08 00:54 - 2011-09-04 19:01 - 000606896 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2018-08-08 00:47 - 2013-07-01 00:23 - 000459734 ____C C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2018-08-08 00:27 - 2015-06-29 00:21 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\Wondershare
2018-08-08 00:27 - 2014-08-16 22:32 - 000000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Wondershare
2018-08-07 19:04 - 2011-09-04 19:01 - 000000000 ____D C:\Documents and Settings\All Users
2018-08-07 00:27 - 2018-04-14 02:43 - 000008747 _____ C:\Documents and Settings\Administrator\Desktop\My story with Dieu 11.txt
2018-08-06 00:55 - 2011-09-04 18:58 - 000000000 ___HD C:\WINDOWS\inf
2018-08-06 00:00 - 2016-01-11 21:35 - 000000000 ____D C:\!!!disk d
2018-08-05 23:37 - 2011-09-04 12:42 - 000162296 ____C C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2018-08-04 01:58 - 2011-09-09 15:15 - 000000000 ____D C:\WINDOWS\system32\ReinstallBackups
2018-08-04 01:55 - 2015-06-24 02:06 - 001026938 _____ C:\WINDOWS\setupapi.log.1.old
2018-08-04 01:55 - 2013-11-22 12:50 - 002277710 ____C C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1343024091-1417001333-1801674531-500-0.dat
2018-08-04 01:26 - 2012-10-20 12:42 - 000165888 _____ C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2018-08-04 01:09 - 2013-06-26 23:49 - 000000000 ____D C:\Program Files\DIFX
2018-08-04 00:20 - 2015-06-24 02:06 - 001159483 _____ C:\WINDOWS\setupapi.log.0.old
2018-07-31 15:45 - 2018-06-13 00:44 - 000586464 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinUSBCoInstaller.dll
2018-07-31 15:45 - 2015-06-29 03:10 - 001468640 _____ (Microsoft Corporation) C:\WINDOWS\system32\WdfCoInstaller01009.dll
2018-07-31 15:45 - 2013-08-22 02:35 - 000857824 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinUSBCoInstaller2.dll
2018-07-31 15:45 - 2012-11-27 21:20 - 001115872 _____ (Microsoft Corporation) C:\WINDOWS\system32\WdfCoInstaller01007.dll
2018-07-31 10:21 - 2018-06-13 00:44 - 000191200 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\WINDOWS\system32\Drivers\ssudmdm.sys
2018-07-31 10:21 - 2018-06-13 00:44 - 000099296 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\WINDOWS\system32\Drivers\ssudbus.sys
2018-07-27 03:15 - 2014-11-08 03:04 - 000000000 ____D C:\Documents and Settings\Administrator\Application Data\IDM
 
==================== Files in the root of some directories =======
 
2014-02-05 13:59 - 2014-02-05 13:59 - 000000000 ____C () C:\Documents and Settings\Administrator\TempWmicBatchFile.bat
2018-08-11 00:36 - 2018-08-11 00:36 - 000114688 _____ (Toxic Coding Team Tool) C:\Documents and Settings\Administrator\Application Data\4.exe
2018-08-11 00:36 - 2018-08-11 00:36 - 000336896 _____ () C:\Documents and Settings\Administrator\Application Data\6.exe
2018-08-07 18:09 - 2018-08-10 03:43 - 000133120 _____ () C:\Documents and Settings\Administrator\Application Data\c731200
2018-01-23 05:31 - 2018-01-23 05:31 - 000000000 _____ () C:\Documents and Settings\Administrator\Application Data\ExtensionCount.csv
2018-01-23 03:27 - 2018-01-23 05:26 - 000153403 _____ () C:\Documents and Settings\Administrator\Application Data\GlobalStrData.txt
2018-01-23 03:27 - 2018-01-23 05:26 - 000153403 _____ () C:\Documents and Settings\Administrator\Application Data\GlobalStrDataWithExif.txt
2018-01-23 03:26 - 2018-01-23 05:31 - 000641729 _____ () C:\Documents and Settings\Administrator\Application Data\GlobalStrDataWithoutExif.txt
2014-07-28 15:07 - 2014-07-28 15:09 - 000000692 ____C () C:\Documents and Settings\Administrator\Application Data\MPQEditor.ini
2018-01-23 03:26 - 2018-01-23 05:31 - 000000129 _____ () C:\Documents and Settings\Administrator\Application Data\PhotoMoveOutput.txt
2017-02-27 03:19 - 2017-02-27 03:19 - 000000047 _____ () C:\Documents and Settings\Administrator\Application Data\splitterdirectorys.txt
2012-10-20 12:42 - 2018-08-04 01:26 - 000165888 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-10-28 18:50 - 2012-10-28 18:50 - 000000090 ____C () C:\Documents and Settings\Administrator\Local Settings\Application Data\FASTWiz.log
2012-11-07 20:59 - 2012-11-07 20:59 - 000000136 ____C () C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
2018-03-07 19:52 - 2018-03-07 19:52 - 000000001 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\llftool.4.40.agreement
2017-01-15 02:36 - 2017-01-15 02:36 - 000000218 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\recently-used.xbel
2013-07-01 03:32 - 2015-05-16 00:29 - 000000000 ____C () C:\Documents and Settings\All Users\Application Data\LauncherAccess.dt
2014-11-20 00:07 - 2014-11-20 00:07 - 000001746 ____C () C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
 
Files to move or delete:
====================
C:\Windows\Tasks\{3A4E34BC-92A7-61BF-D43F-5F2D47E34DBB}.job
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe
[2011-08-14 20:36] - [2010-12-28 15:26] - 001432064 _____ (Microsoft Corporation) F8A264D2E459A405BFCAA2EF3B4F3F4E
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => MD5 is legit
C:\WINDOWS\system32\userinit.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => MD5 is legit
 
==================== End of FRST.txt ============================
 
 
RKILL LOG
Rkill 2.9.1 by Lawrence Abrams (Grinler)
 
 
Copyright 2008-2018 BleepingComputer.com
 
More Information about Rkill can be found at this link:
 
 
 
 
Program started at: 08/08/2018 02:41:27 AM in x86 mode.
 
Windows Version: Microsoft Windows XP Service Pack 3
 
 
 
Checking for Windows services to stop:
 
 
 
 * No malware services found to stop.
 
 
 
Checking for processes to terminate:
 
 
 
 * No malware processes found to kill.
 
 
 
Possibly Patched Files.
 
 
 
 * C:\WINDOWS\system32\lsass.exe
 
 * C:\WINDOWS\system32\svchost.exe
 
 * C:\WINDOWS\system32\svchost.exe
 
 * C:\WINDOWS\System32\svchost.exe
 
 * C:\WINDOWS\system32\svchost.exe
 
 * C:\WINDOWS\system32\svchost.exe
 
 * C:\WINDOWS\system32\ctfmon.exe
 
 * C:\WINDOWS\system32\svchost.exe
 
 * C:\WINDOWS\system32\svchost.exe
 
 * C:\WINDOWS\system32\ctfmon.exe
 
 * C:\WINDOWS\system32\svchost.exe
 
 * C:\WINDOWS\system32\svchost.exe
 
 * C:\WINDOWS\explorer.exe
 
 
 
Checking Registry for malware related settings:
 
 
 
 * No issues found in the Registry.
 
 
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
 
 
Performing miscellaneous checks:
 
 
 
 * System Restore Disabled
 
 
 
   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
 
   "DisableSR" = dword:00000001
 
 
 
 * Windows Firewall Disabled
 
 
 
   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
 
   "EnableFirewall" = dword:00000000
 
 
 
 * Reparse Point/Junctions Found (Most likely legitimate)!
 
 
 
     * C:\WINDOWS\Cursors\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 [Dir]
 
     * C:\WINDOWS\Cursors\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e [Dir]
 
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]
 
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35 => C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5 [Dir]
 
 
 
Searching for Missing Digital Signatures: 
 
 
 
 * C:\WINDOWS\System32\appmgmts.dll : 167 936 : 04/14/2008 07:00 PM : d8849f77c0b66226335a59d26cb4edc6 [NoSig]
 
 
 
 * C:\WINDOWS\System32\clipsrv.exe : 33 280 : 04/14/2008 07:00 PM : 34cbe729f38138217f9c80212a2a0c82 [NoSig]
 
 
 
 * C:\WINDOWS\System32\comres.dll : 792 064 : 04/14/2008 07:00 PM : 1280a158c722fa95a80fb7aebe78fa7d [NoSig]
 
 
 
 * C:\WINDOWS\System32\cryptsvc.dll : 62 464 : 04/14/2008 07:00 PM : 3d4e199942e29207970e04315d02ad3b [NoSig]
 
 
 
 * C:\WINDOWS\System32\csrss.exe : 6 144 : 04/14/2008 07:00 PM : 44f275c64738ea2056e3d9580c23b60f [NoSig]
 
 
 
 * C:\WINDOWS\System32\ctfmon.exe : 15 360 : 04/14/2008 07:00 PM : 5f1d5f88303d4a4dbc8e5f97ba967cc3 [NoSig]
 
 
 
 * C:\WINDOWS\System32\d3d8.dll : 1 179 648 : 04/14/2008 07:00 PM : f099b129022170f2df9e1c0185c9bcfb [NoSig]
 
 
 
 * C:\WINDOWS\System32\d3d8thk.dll : 8 192 : 04/14/2008 07:00 PM : 31b067c412fa1a9bad3ca2a63d7da440 [NoSig]
 
 
 
 * C:\WINDOWS\System32\ddraw.dll : 279 552 : 04/14/2008 07:00 PM : a340cd71eb535a3dd751b5f28723e50c [NoSig]
 
 
 
 * C:\WINDOWS\System32\dllhost.exe : 5 120 : 04/14/2008 07:00 PM : 0a9ba6af531afe7fa5e4fb973852d863 [NoSig]
 
 
 
 * C:\WINDOWS\System32\dsound.dll : 367 616 : 04/14/2008 07:00 PM : 4d83ed8bddec431fc8ad907b47cfb6e3 [NoSig]
 
 
 
 * C:\WINDOWS\System32\dssenh.dll : 138 752 : 04/14/2008 07:00 PM : fede68bf80052bad393afd5c2e60dcb0 [NoSig]
 
 
 
 * C:\WINDOWS\System32\eventlog.dll : 56 320 : 04/14/2008 07:00 PM : 6d4feb43ee538fc5428cc7f0565aa656 [NoSig]
 
 
 
 * C:\WINDOWS\System32\hid.dll : 20 992 : 08/14/2011 08:44 PM : 8973122796e3b5d6b5900fc186e55fea [NoSig]
 
 
 
 * C:\WINDOWS\System32\imm32.dll : 110 080 : 04/14/2008 07:00 PM : 0da85218e92526972a821587e6a8bf8f [NoSig]
 
 
 
 * C:\WINDOWS\System32\ipsecsvc.dll : 183 808 : 04/14/2008 07:00 PM : 332760fba1655fcfd35bd6f4fd871300 [NoSig]
 
 
 
 * C:\WINDOWS\System32\ksuser.dll : 4 096 : 04/14/2008 02:41 AM : 9b9f1c38d559047b8ac0dba2d5febde9 [NoSig]
 
 +-> C:\WINDOWS\system32\dllcache\ksuser.dll : 4 096 : 04/14/2008 02:41 AM : 9b9f1c38d559047b8ac0dba2d5febde9 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\ksuser.dll : 4 096 : 04/14/2008 02:41 AM : 9b9f1c38d559047b8ac0dba2d5febde9 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\i386\ksuser.dll : 4 096 : 04/14/2008 02:41 AM : 9b9f1c38d559047b8ac0dba2d5febde9 [Pos Repl]
 
 
 
 * C:\WINDOWS\System32\linkinfo.dll : 19 968 : 04/14/2008 07:00 PM : 2dc5a8019e2387987905f77c664e4be2 [NoSig]
 
 
 
 * C:\WINDOWS\System32\lpk.dll : 22 016 : 04/14/2008 07:00 PM : 012df358cebaa23acb26d82077820817 [NoSig]
 
 
 
 * C:\WINDOWS\System32\lsass.exe : 13 312 : 04/14/2008 07:00 PM : bf2466b3e18e970d8a976fb95fc1ca85 [NoSig]
 
 
 
 * C:\WINDOWS\System32\midimap.dll : 18 944 : 04/14/2008 07:00 PM : 5c12660a97822f6e61576943b49aaad6 [NoSig]
 
 
 
 * C:\WINDOWS\System32\msgsvc.dll : 33 792 : 04/14/2008 07:00 PM : 986b1ff5814366d71e0ac5755c88f2d3 [NoSig]
 
 
 
 * C:\WINDOWS\System32\msimg32.dll : 4 608 : 04/14/2008 07:00 PM : affc87e2501fce8f09d4c10ba6421ccf [NoSig]
 
 
 
 * C:\WINDOWS\System32\mspmsnsv.dll : 27 136 : 10/18/2006 09:47 PM : c51b4a5c05a5475708e3c81c7765b71d [NoSig]
 
 
 
 * C:\WINDOWS\System32\msprivs.dll : 48 128 : 04/14/2008 07:00 PM : c6bb1d1500db4a0e224cb65e6c7e8a80 [NoSig]
 
 
 
 * C:\WINDOWS\System32\netman.dll : 198 144 : 04/14/2008 07:00 PM : 13e67b55b3abd7bf3fe7aae5a0f9a9de [NoSig]
 
 
 
 * C:\WINDOWS\System32\ntmssvc.dll : 435 200 : 04/14/2008 07:00 PM : 156f64a3345bd23c600655fb4d10bc08 [NoSig]
 
 
 
 * C:\WINDOWS\System32\olepro32.dll : 84 992 : 04/14/2008 07:00 PM : 5652f6ce1d9e9d8068b9d29bc21b5409 [NoSig]
 
 
 
 * C:\WINDOWS\System32\perfctrs.dll : 39 936 : 04/14/2008 07:00 PM : dbe2b62353660ecca0d75ea307a717e9 [NoSig]
 
 
 
 * C:\WINDOWS\System32\powrprof.dll : 17 408 : 04/14/2008 07:00 PM : 50a166237a0fa771261275a405646cc0 [NoSig]
 
 
 
 * C:\WINDOWS\System32\pstorsvc.dll : 34 304 : 04/14/2008 07:00 PM : 853d0d0c6f02d7bfdf1cf99dd7553732 [NoSig]
 
 
 
 * C:\WINDOWS\System32\qmgr.dll : 409 088 : 04/14/2008 07:00 PM : 574738f61fca2935f5265dc4e5691314 [NoSig]
 
 
 
 * C:\WINDOWS\System32\rasadhlp.dll : 7 680 : 04/14/2008 07:00 PM : 6f9bef24c578d5d6740e080bedd6a448 [NoSig]
 
 
 
 * C:\WINDOWS\System32\regsvc.dll : 59 904 : 04/14/2008 07:00 PM : 5b19b557b0c188210a56a6b699d90b8f [NoSig]
 
 
 
 * C:\WINDOWS\System32\scecli.dll : 181 248 : 04/14/2008 07:00 PM : a86bb5e61bf3e39b62ab4c7e7085a084 [NoSig]
 
 
 
 * C:\WINDOWS\System32\schedsvc.dll : 192 512 : 04/14/2008 07:00 PM : 0a9a7365a1ca4319aa7c1d6cd8e4eafa [NoSig]
 
 
 
 * C:\WINDOWS\System32\sfc.dll : 5 120 : 04/14/2008 07:00 PM : 96e1c926f22ee1bfbae82901a35f6bf3 [NoSig]
 
 
 
 * C:\WINDOWS\System32\sfcfiles.dll : 1 614 848 : 08/14/2011 08:44 PM : e17798e1e6ff1ca9c67b8576570e05ee [NoSig]
 
 
 
 * C:\WINDOWS\System32\smss.exe : 50 688 : 04/14/2008 07:00 PM : 5f816c1f539266d2d4c78694239da0b5 [NoSig]
 
 
 
 * C:\WINDOWS\System32\srsvc.dll : 171 008 : 04/14/2008 07:00 PM : 3805df0ac4296a34ba4bf93b346cc378 [NoSig]
 
 
 
 * C:\WINDOWS\System32\ssdpsrv.dll : 71 680 : 04/14/2008 07:00 PM : 0a5679b3714edab99e357057ee88fca6 [NoSig]
 
 
 
 * C:\WINDOWS\System32\svchost.exe : 14 336 : 04/14/2008 07:00 PM : 27c6d03bcdb8cfeb96b716f3d8be3e18 [NoSig]
 
 
 
 * C:\WINDOWS\System32\upnphost.dll : 185 856 : 04/14/2008 07:00 PM : 1ebafeb9a3fbdc41b8d9c7f0f687ad91 [NoSig]
 
 
 
 * C:\WINDOWS\System32\user32.dll : 578 560 : 04/14/2008 07:00 PM : b26b135ff1b9f60c9388b4a7d16f600b [NoSig]
 
 
 
 * C:\WINDOWS\System32\userinit.exe : 26 112 : 04/14/2008 07:00 PM : a93aee1928a9d7ce3e16d24ec7380f89 [NoSig]
 
 
 
 * C:\WINDOWS\System32\UxTheme.dll : 218 624 : 09/04/2011 04:17 PM : b2ee12503d1d8f3ce070fbbd7e30181e [NoSig]
 
 
 
 * C:\WINDOWS\System32\version.dll : 18 944 : 04/14/2008 07:00 PM : c7ce131408739b0b3a318be2d0032719 [NoSig]
 
 
 
 * C:\WINDOWS\System32\wiaservc.dll : 333 824 : 04/14/2008 07:00 PM : 8bad69cbac032d4bbacfce0306174c30 [NoSig]
 
 
 
 * C:\WINDOWS\System32\ws2_32.dll : 82 432 : 04/14/2008 07:00 PM : 2ccc474eb85ceaa3e1fa1726580a3e5a [NoSig]
 
 
 
 * C:\WINDOWS\System32\ws2help.dll : 19 968 : 04/14/2008 07:00 PM : 9789e95e1d88eeb4b922bf3ea7779c28 [NoSig]
 
 
 
 * C:\WINDOWS\System32\wscntfy.exe : 13 824 : 04/14/2008 07:00 PM : f92e1076c42fcd6db3d72d8cfe9816d5 [NoSig]
 
 
 
 * C:\WINDOWS\System32\xmlprov.dll : 129 024 : 04/14/2008 07:00 PM : 295d21f14c335b53cb8154e5b1f892b9 [NoSig]
 
 
 
 * C:\WINDOWS\explorer.exe : 1 432 064 : 12/28/2010 03:26 PM : f8a264d2e459a405bfcaa2ef3b4f3f4e [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\acpiec.sys : 11 648 : 08/17/2001 10:57 AM : 9859c0f6936e723e4892d7141b1327d5 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\acpi.sys : 187 776 : 04/13/2008 09:06 PM : 8fd99680a539792a30e97944fdaecf17 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\aec.sys : 142 592 : 04/13/2008 07:09 PM : 8bed39e3c35d6a489438b8141717a557 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\agp440.sys : 42 368 : 04/13/2008 09:06 PM : 08fd04aa961bdc77fb983f328334e3d7 [NoSig]
 
 +-> C:\WINDOWS\system32\dllcache\agp440.sys : 42 368 : 04/13/2008 09:06 PM : 08fd04aa961bdc77fb983f328334e3d7 [Pos Repl]
 
 
 
 * C:\WINDOWS\System32\drivers\amdk6.sys : 37 376 : 08/14/2011 08:44 PM : d7701d7e72243286cc88c9973d891057 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\amdk7.sys : 37 760 : 08/14/2011 08:44 PM : 8fce268cdbdd83b23419d1f35f42c7b1 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\arp1394.sys : 60 800 : 08/14/2011 08:44 PM : b5b8a80875c1dededa8b02765642c32f [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\asyncmac.sys : 14 336 : 04/14/2008 07:00 PM : b153affac761e7f5fcfa822b9c4e97bc [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\atapi.sys : 96 512 : 04/14/2008 04:10 AM : 9f3a2f5aa6875c72bf062c712cfa2674 [NoSig]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys : 96 512 : 04/14/2008 04:10 AM : 9f3a2f5aa6875c72bf062c712cfa2674 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys : 96 512 : 04/14/2008 04:10 AM : 9f3a2f5aa6875c72bf062c712cfa2674 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys : 96 512 : 04/14/2008 04:10 AM : 9f3a2f5aa6875c72bf062c712cfa2674 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys : 96 512 : 04/14/2008 04:10 AM : 9f3a2f5aa6875c72bf062c712cfa2674 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys : 96 512 : 04/14/2008 04:10 AM : 9f3a2f5aa6875c72bf062c712cfa2674 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys : 96 512 : 04/14/2008 04:10 AM : 9f3a2f5aa6875c72bf062c712cfa2674 [Pos Repl]
 
 
 
 * C:\WINDOWS\System32\drivers\audstub.sys : 3 072 : 08/17/2001 05:59 PM : d9f724aa26c010a217c97606b160ed68 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\battc.sys : 14 208 : 04/13/2008 09:06 PM : 0d93976f7801b7fcd8135cc77257bbd0 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\beep.sys : 4 224 : 04/14/2008 07:00 PM : da1f27d85e0d1525f6621372e7b685e9 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\bridge.sys : 71 552 : 04/14/2008 07:00 PM : f934d1b230f84e1d19dd00ac5a7a83ed [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\cbidf2k.sys : 13 952 : 08/17/2001 10:52 AM : 90a673fc8e12a79afbed2576f6a7aaf9 [NoSig]
 
 +-> C:\WINDOWS\system32\dllcache\cbidf2k.sys : 13 952 : 08/17/2001 10:52 AM : 90a673fc8e12a79afbed2576f6a7aaf9 [Pos Repl]
 
 
 
 * C:\WINDOWS\System32\drivers\cdaudio.sys : 18 688 : 08/14/2011 08:43 PM : c1b486a7658353d33a10cc15211a873b [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\cdfs.sys : 63 744 : 04/14/2008 07:00 PM : c885b02847f5d2fd45a24e219ed93b32 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\classpnp.sys : 49 536 : 04/14/2008 07:00 PM : fe47dd8fe6d7768ff94ebec6c74b2719 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\CmBatt.sys : 13 952 : 04/13/2008 09:06 PM : 0f6c187d38d98f8df904589a5f94d411 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\compbatt.sys : 10 240 : 04/13/2008 09:06 PM : 6e4c9f21f0fae8940661144f41b13203 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\cpqdap01.sys : 11 776 : 08/14/2011 08:43 PM : 9624293e55ad405415862b504ca95b73 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\crusoe.sys : 36 736 : 08/14/2011 08:44 PM : f50d9bdbb25cce075e514dc07472a22f [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\diskdump.sys : 14 208 : 04/14/2008 07:00 PM : e65e2353a5d74ea89971cb918eeeb2f6 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\dmboot.sys : 799 744 : 04/14/2008 07:00 PM : d992fe1274bde0f84ad826acae022a41 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\dmio.sys : 153 344 : 04/14/2008 07:00 PM : 7c824cf7bbde77d95c08005717a95f6f [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\dmload.sys : 5 888 : 04/14/2008 07:00 PM : e9317282a63ca4d188c0df5e09c6ac5f [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\DMusic.sys : 52 864 : 04/13/2008 09:15 PM : 8a208dfcf89792a484e76c40e5f50b45 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\drmkaud.sys : 2 944 : 04/13/2008 09:15 PM : 8f5fcff8e8848afac920905fbd9d33c8 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\drmk.sys : 60 160 : 04/13/2008 09:15 PM : 6cb08593487f5701d2d2254e693eafce [NoSig]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\drmk.sys : 60 160 : 04/13/2008 09:15 PM : 6cb08593487f5701d2d2254e693eafce [Pos Repl]
 
 
 
 * C:\WINDOWS\System32\drivers\dxapi.sys : 10 496 : 04/14/2008 07:00 PM : fe97d0343acfdebdd578fc67cc91fa87 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\dxg.sys : 71 168 : 04/14/2008 07:00 PM : ac7280566a7bb85cb3291f04ddc1198e [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\dxgthk.sys : 3 328 : 04/14/2008 07:00 PM : a73f5d6705b1d820c19b18782e176efd [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\fastfat.sys : 143 744 : 04/14/2008 07:00 PM : 38d332a6d56af32635675f132548343e [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\fdc.sys : 27 392 : 04/14/2008 07:00 PM : 92cdd60b6730b9f50f6a1a0c1f8cdc81 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\fips.sys : 44 544 : 04/14/2008 07:00 PM : d45926117eb9fa946a6af572fbe1caa3 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\flpydisk.sys : 20 480 : 04/14/2008 07:00 PM : 9d27e7b80bfcdf1cdd9b555862d5e7f0 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\fltMgr.sys : 129 792 : 04/14/2008 07:00 PM : b2cf4b0786f8212cb92ed2b50c6db6b0 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\fsvga.sys : 12 160 : 08/14/2011 08:43 PM : 455f778ee14368468560bd7cb8c854d0 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\ftdisk.sys : 125 056 : 04/14/2008 07:00 PM : 6ac26732762483366c3969c9e4d2259d [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\hidclass.sys : 36 864 : 04/13/2008 09:15 PM : 1af592532532a402ed7c060f6954004f [NoSig]
 
 +-> C:\WINDOWS\system32\dllcache\hidclass.sys : 36 864 : 04/13/2008 09:15 PM : 1af592532532a402ed7c060f6954004f [Pos Repl]
 
 
 
 * C:\WINDOWS\System32\drivers\hidparse.sys : 24 960 : 04/13/2008 09:15 PM : 96eccf28fdbf1b2cc12725818a63628d [NoSig]
 
 +-> C:\WINDOWS\system32\dllcache\hidparse.sys : 24 960 : 04/13/2008 09:15 PM : 96eccf28fdbf1b2cc12725818a63628d [Pos Repl]
 
 
 
 * C:\WINDOWS\System32\drivers\hidusb.sys : 10 368 : 04/13/2008 09:15 PM : ccf82c5ec8a7326c3066de870c06daf1 [NoSig]
 
 +-> C:\WINDOWS\system32\dllcache\hidusb.sys : 10 368 : 04/13/2008 09:15 PM : ccf82c5ec8a7326c3066de870c06daf1 [Pos Repl]
 
 
 
 * C:\WINDOWS\System32\drivers\i8042prt.sys : 52 480 : 04/13/2008 09:48 PM : 4a0b06aa8943c1e332520f7440c0aa30 [NoSig]
 
 +-> C:\WINDOWS\system32\dllcache\i8042prt.sys : 52 480 : 04/13/2008 09:48 PM : 4a0b06aa8943c1e332520f7440c0aa30 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0021\DriverFiles\i386\i8042prt.sys : 52 480 : 04/14/2008 07:00 PM : 4a0b06aa8943c1e332520f7440c0aa30 [Pos Repl]
 
 
 
 * C:\WINDOWS\System32\drivers\imapi.sys : 42 112 : 04/13/2008 09:11 PM : 083a052659f5310dd8b6a6cb05edcf8e [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\intelide.sys : 5 504 : 04/13/2008 09:10 PM : b5466a9250342a7aa0cd1fba13420678 [NoSig]
 
 +-> C:\WINDOWS\system32\dllcache\intelide.sys : 5 504 : 04/13/2008 09:10 PM : b5466a9250342a7aa0cd1fba13420678 [Pos Repl]
 
 
 
 * C:\WINDOWS\System32\drivers\intelppm.sys : 36 352 : 04/14/2008 07:00 PM : 8c953733d8f36eb2133f5bb58808b66b [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\ip6fw.sys : 36 608 : 04/14/2008 07:00 PM : 3bb22519a194418d5fec05d800a19ad0 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\ipfltdrv.sys : 32 896 : 04/14/2008 07:00 PM : 731f22ba402ee4b62748adaf6363c182 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\ipinip.sys : 20 864 : 04/14/2008 07:00 PM : b87ab476dcf76e72010632b5550955f5 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\ipnat.sys : 152 832 : 04/14/2008 07:00 PM : cc748ea12c6effde940ee98098bf96bb [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\ipsec.sys : 75 264 : 04/14/2008 07:00 PM : 23c74d75e36e7158768dd63d92789a91 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\irenum.sys : 11 264 : 04/14/2008 07:00 PM : c93c9ff7b04d772627a3646d89f7bf89 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\isapnp.sys : 37 248 : 04/13/2008 09:06 PM : 05a299ec56e52649b1cf2fc52d20f2d7 [NoSig]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\i386\isapnp.sys : 37 248 : 04/13/2008 09:06 PM : 05a299ec56e52649b1cf2fc52d20f2d7 [Pos Repl]
 
 
 
 * C:\WINDOWS\System32\drivers\kbdclass.sys : 24 576 : 04/14/2008 07:00 PM : 463c1ec80cd17420a542b7f36a36f128 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\kmixer.sys : 172 416 : 04/13/2008 09:15 PM : 692bcf44383d056aed41b045a323d378 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\ks.sys : 141 056 : 04/13/2008 09:46 PM : 0753515f78df7f271a5e61c20bcd36a1 [NoSig]
 
 +-> C:\WINDOWS\system32\dllcache\ks.sys : 141 056 : 04/13/2008 09:46 PM : 0753515f78df7f271a5e61c20bcd36a1 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\ks.sys : 141 056 : 04/13/2008 09:46 PM : 0753515f78df7f271a5e61c20bcd36a1 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\i386\ks.sys : 141 056 : 04/13/2008 09:46 PM : 0753515f78df7f271a5e61c20bcd36a1 [Pos Repl]
 
 
 
 * C:\WINDOWS\System32\drivers\mcd.sys : 7 680 : 04/14/2008 07:00 PM : d1f8be91ed4ddb671d42e473e3fe71ab [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\mf.sys : 63 744 : 08/14/2011 08:44 PM : a7da20ab18a1bdae28b0f349e57da0d1 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\mnmdd.sys : 4 224 : 04/14/2008 07:00 PM : 4ae068242760a1fb6e1a44bf4e16afa6 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\modem.sys : 30 080 : 08/14/2011 08:44 PM : dfcbad3cec1c5f964962ae10e0bcc8e1 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\mouclass.sys : 23 040 : 04/13/2008 09:09 PM : 35c9e97194c8cfb8430125f8dbc34d04 [NoSig]
 
 +-> C:\WINDOWS\system32\dllcache\mouclass.sys : 23 040 : 04/13/2008 09:09 PM : 35c9e97194c8cfb8430125f8dbc34d04 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0021\DriverFiles\i386\mouclass.sys : 23 040 : 04/13/2008 09:09 PM : 35c9e97194c8cfb8430125f8dbc34d04 [Pos Repl]
 
 
 
 * C:\WINDOWS\System32\drivers\mouhid.sys : 12 160 : 08/17/2001 10:48 AM : b1c303e17fb9d46e87a98e4ba6769685 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\mqac.sys : 92 544 : 04/14/2008 07:00 PM : 70c14f5cca5cf73f8a645c73a01d8726 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\msfs.sys : 19 072 : 04/14/2008 07:00 PM : c941ea2454ba8350021d774daf0f1027 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\msgpc.sys : 35 072 : 04/14/2008 07:00 PM : 0a02c63c8b144bd8c86b103dee7c86a2 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\MSKSSRV.sys : 7 552 : 04/13/2008 09:09 PM : d1575e71568f4d9e14ca56b7b0453bf1 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\MSPCLOCK.sys : 5 376 : 04/13/2008 09:09 PM : 325bb26842fc7ccc1fcce2c457317f3e [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\MSPQM.sys : 4 992 : 04/13/2008 09:09 PM : bad59648ba099da4a17680b39730cb3d [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\mssmbios.sys : 15 488 : 08/14/2011 08:44 PM : af5f4f3f14a8ea2c26de30f7a1e17136 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\ndis.sys : 182 656 : 04/14/2008 07:00 PM : 1df7f42665c94b825322fae71721130d [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\ndisuio.sys : 14 592 : 08/14/2011 08:44 PM : f927a4434c5028758a842943ef1a3849 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\ndiswan.sys : 91 520 : 04/14/2008 07:00 PM : edc1531a49c80614b2cfda43ca8659ab [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\netbios.sys : 34 688 : 04/14/2008 07:00 PM : 5d81cf9a2f1a3a756b66cf684911cdf0 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\netbt.sys : 162 816 : 04/14/2008 07:00 PM : 74b2b2f5bea5e9a3dc021d685551bd3d [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\nic1394.sys : 61 824 : 08/14/2011 08:44 PM : e9e47cfb2d461fa0fc75b7a74c6383ea [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\nikedrv.sys : 12 032 : 08/14/2011 08:43 PM : be984d604d91c217355cdd3737aad25d [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\nmnt.sys : 40 320 : 04/14/2008 07:00 PM : 1e421a6bcf2203cc61b821ada9de878b [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\npfs.sys : 30 848 : 04/14/2008 07:00 PM : 3182d64ae053d6fb034f44b6def8034a [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\null.sys : 2 944 : 04/14/2008 07:00 PM : 73c1e1f395918bc2c6dd67af7591a3ad [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\nwlnkflt.sys : 12 416 : 04/14/2008 07:00 PM : b305f3fad35083837ef46a0bbce2fc57 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\nwlnkfwd.sys : 32 512 : 04/14/2008 07:00 PM : c99b3415198d1aab7227f2c88fd664b9 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\nwlnkipx.sys : 88 320 : 04/14/2008 07:00 PM : 8b8b1be2dba4025da6786c645f77f123 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\nwlnknb.sys : 63 232 : 04/14/2008 07:00 PM : 56d34a67c05e94e16377c60609741ff8 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\nwlnkspx.sys : 55 936 : 04/14/2008 07:00 PM : c0bb7d1615e1acbdc99757f6ceaf8cf0 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\nwrdr.sys : 163 584 : 04/14/2008 07:00 PM : 36b9b950e3d2e100970a48d8bad86740 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\oprghdlr.sys : 3 456 : 04/14/2008 07:00 PM : 4bb30ddc53ebc76895e38694580cdfe9 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\p3.sys : 42 752 : 08/14/2011 08:44 PM : c90018bafdc7098619a4a95b046b30f3 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\parport.sys : 80 128 : 08/14/2011 08:44 PM : 5575faf8f97ce5e713d108c2a58d7c7c [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\partmgr.sys : 19 712 : 04/14/2008 07:00 PM : beb3ba25197665d82ec7065b724171c6 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\parvdm.sys : 6 784 : 04/14/2008 07:00 PM : 70e98b3fd8e963a6a46a2e6247e0bea1 [NoSig]
 
 
 
 * C:\WINDOWS\System32\drivers\pciidex.sys : 24 960 : 04/14/2008 04:10 AM : 52e60f29221d0d1ac16737e8dbf7c3e9 [NoSig]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\pciidex.sys : 24 960 : 04/14/2008 04:10 AM : 52e60f29221d0d1ac16737e8dbf7c3e9 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\pciidex.sys : 24 960 : 04/14/2008 04:10 AM : 52e60f29221d0d1ac16737e8dbf7c3e9 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\pciidex.sys : 24 960 : 04/14/2008 04:10 AM : 52e60f29221d0d1ac16737e8dbf7c3e9 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\pciidex.sys : 24 960 : 04/14/2008 04:10 AM : 52e60f29221d0d1ac16737e8dbf7c3e9 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\pciidex.sys : 24 960 : 04/14/2008 04:10 AM : 52e60f29221d0d1ac16737e8dbf7c3e9 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386\pciidex.sys : 24 960 : 04/14/2008 04:10 AM : 52e60f29221d0d1ac16737e8dbf7c3e9 [Pos Repl]
 
 
 
 * C:\WINDOWS\System32\drivers\pci.sys : 68 224 : 04/13/2008 09:06 PM : a219903ccf74233761d92bef471a07b1 [NoSig]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\i386\pci.sys : 68 224 : 04/14/2008 07:00 PM : a219903ccf74233761d92bef471a07b1 [Pos Repl]
 
 
 
 * C:\WINDOWS\System32\drivers\pcmcia.sys : 120 192 : 04/13/2008 09:06 PM : 9e89ef60e9ee05e3f2eef2da7397f1c1 [NoSig]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\pcmcia.sys : 120 192 : 04/14/2008 07:00 PM : 9e89ef60e9ee05e3f2eef2da7397f1c1 [Pos Repl]
 
 
 
 * C:\WINDOWS\System32\drivers\processr.sys : 35 840 : 08/14/2011 08:44 PM : a32bebaf723557681bfc6bd93e98bd26 [NoSig]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\processr.sys : 35 840 : 08/14/2011 08:44 PM : a32bebaf723557681bfc6bd93e98bd26 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\processr.sys : 35 840 : 08/14/2011 08:44 PM : a32bebaf723557681bfc6bd93e98bd26 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\processr.sys : 35 840 : 08/14/2011 08:44 PM : a32bebaf723557681bfc6bd93e98bd26 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\processr.sys : 35 840 : 08/14/2011 08:44 PM : a32bebaf723557681bfc6bd93e98bd26 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\processr.sys : 35 840 : 08/14/2011 08:44 PM : a32bebaf723557681bfc6bd93e98bd26 [Pos Repl]
 
 +-> C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\i386\processr.sys : 35 840 : 08/14/2011 08:44 PM : a32bebaf723557681bfc6bd93e98bd26 [Pos Repl]
 
 
 
 * C:\WINDOWS\System32\drivers\ptilink.sys : 17 792 : 04/14/2008 07:00 PM : 80d317bd1c3dbc5d4fe7b1678c60cadd [NoSig]
 
 
 
 
Checking HOSTS File:
 * HOSTS file entries found:
  127.0.0.1 tonec.com
  127.0.0.1 www.tonec.com
  127.0.0.1 registeridm.com
  127.0.0.1 www.registeridm.com
  127.0.0.1 secure.registeridm.com
  127.0.0.1 internetdownloadmanager.com
  127.0.0.1 www.internetdownloadmanager.com
  127.0.0.1 secure.internetdownloadmanager.com
  127.0.0.1 mirror.internetdownloadmanager.com
  127.0.0.1 mirror2.internetdownloadmanager.com
  127.0.0.1 mirror3.internetdownloadmanager.com

Edited by Ranidf, 10 August 2018 - 03:29 PM.

#2 Ranidf
  • Topic Starter
  • Members
  • 24 posts

Posted 10 August 2018 - 03:30 PM

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 02.08.2018
Ran by Administrator (11-08-2018 01:38:00)
Running from D:\
Microsoft Windows XP Service Pack 3 (X86) (2012-10-19 11:29:29)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1343024091-1417001333-1801674531-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
ASPNET (S-1-5-21-1343024091-1417001333-1801674531-1003 - Limited - Enabled)
Guest (S-1-5-21-1343024091-1417001333-1801674531-501 - Limited - Disabled) => %SystemDrive%\Documents and Settings\Guest.KKD-20121019PWK
HelpAssistant (S-1-5-21-1343024091-1417001333-1801674531-1000 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-1343024091-1417001333-1801674531-1002 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
µTorrent (HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\uTorrent) (Version: 3.5.3.44396 - BitTorrent Inc.)
7-Zip 9.20 (HKLM\...\7-Zip) (Version:  - )
A43 File Management Utility 3.90 (HKLM\...\A43 File Management Utility) (Version: 3.90 - Bradley G. Miller)
AAC ACM Codec 1.9 (HKLM\...\AACACM) (Version: 1.9 - fccHandler)
AC-3 ACM Codec 1.9 (HKLM\...\AC3ACM) (Version: 1.9 - fccHandler)
Access IBM (HKLM\...\{EC6AF20D-4376-4070-BEE4-D3A0DFF7E140}) (Version: 4.51 - IBM Corporation)
ACDSee Pro 4 (HKLM\...\{88D4FE78-6EA6-4DFB-9FC2-8BC316F0C2FD}) (Version: 4.0.198 - ACD Systems International Inc.)
Adobe Flash Player 11 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 11.2.202.235 - Adobe Systems Incorporated)
Adobe Flash Player 11 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 11.8.800.94 - Adobe Systems Incorporated)
Angry Birds Space (HKLM\...\{3F2A323E-60C4-41E8-8CCB-9715D1D750C3}) (Version: 1.0.0 - Rovio)
Apple Application Support (32-bit) (HKLM\...\{AFA1153A-F547-409B-B837-3A0D6C5A3FEC}) (Version: 3.1.3 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{E1DB0812-2D60-43DB-AE09-6C7027D93B28}) (Version: 8.1.1.3 - Apple Inc.)
Avidemux 2.6 (32-bit) (HKLM\...\Avidemux 2.6) (Version: 2.6.4.8696 - )
CCleaner (HKLM\...\CCleaner) (Version: 4.03 - Piriform)
CleanMem (HKLM\...\CleanMem) (Version: v2.4.3 - PcWinTech.com)
ClipGrab 3.5.5 (HKLM\...\{8A1033B0-EF33-4FB5-97A1-C47A7DCDD7E6}_is1) (Version:  - Philipp Schmieder Medien)
CometBird (3.6.10) (HKLM\...\CometBird (3.6.10)) (Version: 3.6.10 (en-US) - CometNetwork)
CopyTrans Control Center Uninstall Only (HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\CopyTrans Suite) (Version: 3.01 - WindSolutions)
Digital Power Station version 1.2.3 (HKLM\...\{ABAC2C1F-1BD5-45B1-89D8-1AA34CD16B7B}_is1) (Version: 1.2.3 - Bongiovi Acoustics)
Download Master version 6.10.2.1527 (HKLM\...\Download Master_is1) (Version: 6.10.2.1527 - WestByte)
EasyBCD 2.2 (HKLM\...\EasyBCD) (Version: 2.2 - NeoSmart Technologies)
Edraw Max 7 (HKLM\...\Edraw Max_is1) (Version:  - EdrawSoft)
eMule (HKLM\...\eMule) (Version:  - )
EnglishToThai (HKLM\...\ST6UNST #1) (Version:  - )
f.lux (HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Flux) (Version:  - f.lux Software LLC)
Facebook Video Calling 3.1.0.521 (HKLM\...\{2091F234-EB58-4B80-8C96-8EB78C808CF7}) (Version: 3.1.521 - Skype Limited)
ffdshow v1.2.4496 [2012-12-13] (HKLM\...\ffdshow_is1) (Version: 1.2.4496.0 - )
FoneLab for Android (HKLM\...\{11D92B38-7BEC-2612-3940-653E6DEF7DC9}) (Version: 1.2.12 - Aiseesoft Studio)
Free ISO to USB version 1.0 (HKLM\...\Free ISO to USB_is1) (Version: 1.0 - )
Free MKV Splitter (HKLM\...\{DA298F38-85EE-4807-9CDE-C2BDDDD91982}) (Version: 1.0.0 - Media Freeware)
Free Ride Games Player (HKLM\...\{2B7BDADB-EC8C-4C54-B5DD-CE45A016D3A7}) (Version:  - Exent Technologies Ltd) <==== ATTENTION
FreeFixer (HKLM\...\FreeFixer1.05) (Version: 1.05 - Kephyr)
GOM Player (HKLM\...\GOM Player) (Version: 2.2.64.5211 - Gretech Corporation)
Google Update Helper (HKLM\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.21.153 - Google Inc.) Hidden
GPAC (remove only) (HKLM\...\GPAC) (Version:  - )
Greenshot 1.1.5.2643 (HKLM\...\Greenshot_is1) (Version: 1.1.5.2643 - Greenshot)
IBM ThinkPad UltraNav Driver (HKLM\...\SynTPDeinstKey) (Version:  - )
IconTweaker 1.12 (HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\IconTweaker) (Version: 1.12 - Joost Verburg)
iDealshare VideoGo 6.0.8.5809 (HKLM\...\{CC4C06C4-7C78-4AAB-B5AF-33FB11CCD850}_is1) (Version:  - iDealshare Corporation)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version:  - )
Intel® PROSet/Wireless Software (HKLM\...\ProInst) (Version:  - Intel Corporation)
Intel® Sebring API  (HKLM\...\{67D7BC74-E8DF-4811-9B41-6023A8C9BB3F}) (Version: 1.07.0000 - Intel)
Internet Download Manager (HKLM\...\Internet Download Manager) (Version:  - Tonec Inc.)
IrfanView (remove only) (HKLM\...\IrfanView) (Version: 4.36 - Irfan Skiljan)
Java 7 Update 40 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217040FF}) (Version: 7.0.400 - Oracle)
jetAudio Basic (HKLM\...\{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}) (Version: 8.1.0 - COWON)
Junk Mail filter update (HKLM\...\{8E5233E1-7495-44FB-8DEB-4BE906D59619}) (Version: 14.0.8117.416 - Microsoft Corporation) Hidden
Kels' CPL Bonus Pack! (HKLM\...\CPLBonus) (Version: 12.2 - Kelsenellenelvian EverDawn)
K-Lite Codec Pack 7.7.0 (Full) (HKLM\...\KLiteCodecPack_is1) (Version: 7.7.0 - )
Lame ACM MP3 Codec (HKLM\...\LameACM) (Version:  - )
Malwarebytes version 3.5.1.2522 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.5.1.2522 - Malwarebytes)
Maxthon Cloud Browser (HKLM\...\Maxthon3) (Version: 4.1.2.4000 - Maxthon International Limited)
mCore (HKLM\...\{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}) (Version: 1.45.0000 - Intel Corporation) Hidden
mDriver (HKLM\...\{28DA872A-0848-48CF-B749-19A198157A2A}) (Version: 1.45.0000 - Intel) Hidden
Microsoft .NET Framework 1.1 (HKLM\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office 2010 Service Pack 1 (SP1) (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{047B0968-E622-4FAA-9B4B-121FA109EDDE}) (Version:  - Microsoft)
Microsoft Office Language Pack 2010 - English (HKLM\...\Office14.OMUI.en-us) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
Microsoft WinUsb 1.0 (HKLM\...\winusb0100) (Version:  - Microsoft Corporation)
Microsoft WinUsb 2.0 (HKLM\...\winusb0200) (Version:  - Microsoft Corporation)
MiniTool Partition Wizard Home Edition 8.1.1 (HKLM\...\{05D996FA-ADCB-4D23-BA3C-A7C184A8FAC6}_is1) (Version:  - MiniTool Solution Ltd.)
MKV Demux All RC1 (HKLM\...\MKV Demux All_is1) (Version:  - Nisarg Kothari)
MKVToolNix 9.9.0 (32bit) (HKLM\...\MKVToolNix) (Version: 9.9.0 - Moritz Bunkus)
mMHouse (HKLM\...\{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}) (Version: 1.45.0000 - Intel Corporation) Hidden
Mozilla Firefox 52.9.0 ESR (x86 en-US) (HKLM\...\Mozilla Firefox 52.9.0 ESR (x86 en-US)) (Version: 52.9.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 52.9.0.6746 - Mozilla)
MP3 Remix for Windows Media Player (HKLM\...\MP3 Remix for Windows Media Player) (Version: 3.811.0.0 - Power Technology)
Mp3nity 2.2.010 (HKLM\...\Mp3nity_is1) (Version:  - LittleLan.com)
MP3Test (HKLM\...\{BE802A6E-7F0D-4333-B45E-80F06C4DC59C}}_is1) (Version: 1.6.0.161 - Markus Stein)
MPC-HC 1.7.6 (HKLM\...\{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1) (Version: 1.7.6 - MPC-HC Team)
MPEG Video Wizard DVD 5.0.1.108 (06/2013) (HKLM\...\{9FD45917-95E6-449D-ACC9-01E634A34CBD}_is1) (Version: 5.0.1.108 - Womble Multimedia, Inc.)
MPEG Video Wizard DVD 5.0.1.108 (06/2013) (HKLM\...\Mpeg Video Wizard DVD 5.0) (Version: 5.0.1.108 (06/2013) - Womble Multimedia, Inc.)
mPfMgr (HKLM\...\{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}) (Version: 1.45.0000 - Intel Corporation) Hidden
mProSafe (HKLM\...\{23FB368F-1399-4EAC-817C-4B83ECBE3D83}) (Version: 9.00.0000 - Intel) Hidden
MSXML 4.0 SP3 Parser (KB2721691) (HKLM\...\{355B5AC0-CEEE-42C5-AD4D-7F3CFD806C36}) (Version: 4.30.2114.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
MTP Porting Kit (HKLM\...\{353B1E6D-7073-4450-8C80-699BD8FCFB49}) (Version: 12.0.0 - Microsoft Corp)
mWlsSafe (HKLM\...\{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}) (Version: 9.00.0000 - Intel) Hidden
mXML (HKLM\...\{9CC89556-3578-48DD-8408-04E66EBEF401}) (Version: 1.45.0000 - Intel Corporation) Hidden
Notepad++ (HKLM\...\Notepad++) (Version: 5.9.3 - )
NTFS Data Recovery 9 (HKLM\...\{E208650E-BC95-4331-965C-052D9EC59890}_is1) (Version: 9 - LSoft Technologies Inc)
PhotoMove 2.5 version 2.5.2.1 (HKLM\...\{546443DF-4D82-484A-8E00-2136243B8B9A}}_is1) (Version: 2.5.2.1 - Mike Baker @ Rediscovering Photography)
PhotoScape (HKLM\...\PhotoScape) (Version:  - )
Plants vs Zombies (HKLM\...\{5439E271-4123-45D2-81AC-F0426AF7C969}_is1) (Version:  - MyPlayBus.com)
Potplayer (HKLM\...\PotPlayer) (Version:  - Kakao Corp.)
Python 2.7.7 (HKLM\...\{049CA433-77A0-4e48-AC76-180A282C4E10}) (Version: 2.7.7150 - Python Software Foundation)
RMPrepUSB (HKLM\...\RMPrepUSB) (Version:  - )
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.51.0 - SAMSUNG Electronics Co., Ltd.)
SDFormatter (HKLM\...\{179324FF-7B16-4BA8-9836-055CAAEE4F08}) (Version: 4.0.0 - SD Association)
Security Task Manager 1.8g (HKLM\...\Security Task Manager) (Version: 1.8g - Neuber Software)
Segoe UI (HKLM\...\{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}) (Version: 14.0.4327.805 - Microsoft Corp) Hidden
SolveigMM Video Splitter (HKLM\...\SolveigMM Video Splitter 3.6.1309.3) (Version: 3.6.1309.3 - Solveig Multimedia)
SoundMAX (HKLM\...\{F0A37341-D692-11D4-A984-009027EC0A9C}) (Version: 5.12.01.5410 - Analog Devices)
Speccy (HKLM\...\Speccy) (Version: 1.28 - Piriform)
Starcraft (HKLM\...\Starcraft) (Version:  - )
Starcraft Expansion Set (HKLM\...\Starcraft Expansion Set_is1) (Version: Starcraft Expansion Set - )
Street Fighter (HKLM\...\{6F8150FD-31C0-4082-B15A-62A67352F69B}_is1) (Version:  - Nowstat.com)
SUPER เธ Version 2010.bld.41 (Oct 31, 2010) (HKLM\...\SUPER เธ) (Version: Version 2010.bld.41 (Oct 31, 2010) - eRightSoft)
TeamViewer 9 (HKLM\...\TeamViewer 9) (Version: 9.0.29327 - TeamViewer)
Tenorshare UltData for Android (HKLM\...\{TenorshareUltDataforAndroid}_is1) (Version: 5.2.1.0 - Tenorshare, Inc.)
TheSage (HKLM\...\TheSage) (Version: 4.0.1774 - Sequence Publishing)
ThinkPad Power Management Driver (HKLM\...\Power Management Driver) (Version: 1.62.00.00 - )
ThinkVantage Access Connections (HKLM\...\{7EB114D8-207F-45AE-BABD-1669715F2630}) (Version: 6.01 - )
TuneWiki WebPlayer (HKLM\...\TuneWikiWebPlayer) (Version: 1.1.0.010 - TuneWiki) <==== ATTENTION
TUSBAudio Driver v1.61.0 (HKLM\...\TUSBAudio Driver v1.61.0) (Version: 1.61.0 - USBAudio)
Tweak UI (HKLM\...\Tweak UI 2.10) (Version:  - )
UE BOOM Update Assistant (HKLM\...\{2FE9AC52-E1C3-476D-8473-EFB3DCDA552A}) (Version: 1.2.8 - Logitech, Inc.)
UE BOOM Update Assistant (HKLM\...\{8D9BD07C-C098-4BC9-A83B-2CE454A2776C}) (Version: 1.4.57 - Logitech, Inc.)
UE BOOM Update Assistant (HKLM\...\{F1C3951A-69FF-401B-99C6-D9577FEA753C}) (Version: 1.2.38 - Logitech, Inc.)
UltraISO Premium V9.33 (HKLM\...\UltraISO_is1) (Version:  - )
VC80CRTRedist - 8.0.50727.6195 (HKLM\...\{933B4015-4618-4716-A828-5289FC03165F}) (Version: 1.2.0 - DivX, Inc) Hidden
VLC media player 2.1.3 (HKLM\...\VLC media player) (Version: 2.1.3 - VideoLAN)
WebFldrs XP (HKLM\...\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}) (Version: 9.50.7523 - Microsoft Corporation) Hidden
WinAVI All in One Converter (HKLM\...\WinAVI All in One Converter) (Version: 1.6.0.4147 - ZJMedia Digital Technology Ltd.)
WinAVI Video Converter (HKLM\...\WinAVI Video Converter_is1) (Version:  - ZJ Computing, Inc.)
Windows Cleaner (HKLM\...\Vtools_WindowsCleaner_is1) (Version: 1.0.0 - Vtools)
Windows Driver Package - Google, Inc. (WinUSB) AndroidUsbDeviceClass  (06/06/2013 4.0.0000.00000) (HKLM\...\965A8AFA71761A101FF07DBE162F208AC681A5F3) (Version: 06/06/2013 4.0.0000.00000 - Google, Inc.)
Windows Driver Package - Google, Inc. (WinUSB) AndroidUsbDeviceClass  (08/27/2012 7.0.0000.00004) (HKLM\...\BE156A27AFEAEA39D6A7C9D25CFA8DAFAF91756B) (Version: 08/27/2012 7.0.0000.00004 - Google, Inc.)
Windows Driver Package - Google, Inc. (WinUSB) AndroidUsbDeviceClass  (08/27/2012 7.0.0000.00004) (HKLM\...\D43FD4059F47ACA9539247D6CF690AAEA503AF2D) (Version: 08/27/2012 7.0.0000.00004 - Google, Inc.)
Windows Driver Package - Intel (NETw4x32) net  (11/27/2007 11.5.0.36) (HKLM\...\2BFA56D22F9A1E3382C6C22AC377F97932ABB3FD) (Version: 11/27/2007 11.5.0.36 - Intel)
Windows Driver Package - Intel (w29n51) net  (07/25/2007 9.0.4.37) (HKLM\...\EFD65E7CD7A28D00217941F33C5CA55964F96136) (Version: 07/25/2007 9.0.4.37 - Intel)
Windows Driver Package - Intel net  (11/27/2007 11.5.0.36) (HKLM\...\AA50C5938456EF4A1C98D24E2FB458C653208D15) (Version: 11/27/2007 11.5.0.36 - Intel)
Windows Driver Package - SAMSUNG Electronics Co., Ltd.  (dg_ssudbus) USB  (12/02/2015 2.12.1.0) (HKLM\...\85A33267F12961AF9ED9AE799DEDA5E62BEA236F) (Version: 12/02/2015 2.12.1.0 - SAMSUNG Electronics Co., Ltd. )
Windows Driver Package - SAMSUNG Electronics Co., Ltd.  (ssudmdm) Modem  (12/02/2015 2.12.1.0) (HKLM\...\88ED314360B98E6E82E7CC3201FAEB4A9FD291B4) (Version: 12/02/2015 2.12.1.0 - SAMSUNG Electronics Co., Ltd. )
Windows Driver Package - SAMSUNG Electronics Co., Ltd.  (WinUSB) AndroidUsbDeviceClass  (12/02/2015 2.12.1.0) (HKLM\...\701281E8283E9E3681220099A9DA5013A5A437AF) (Version: 12/02/2015 2.12.1.0 - SAMSUNG Electronics Co., Ltd. )
Windows Grep 2.3 (HKLM\...\Windows Grep_is1) (Version:  - )
Windows Live Essentials (HKLM\...\WinLiveSuite_Wave3) (Version: 14.0.8117.0416 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
WinRAR archiver (HKLM\...\WinRAR archiver) (Version:  - )
Wondershare Dr.Fone for Android(Build 4.8.0.135) (HKLM\...\{1DB91A95-C548-4BA5-9D4C-18C7DEAAC39F}_is1) (Version: 4.8.0.135 - Wondershare Software Co.,Ltd.)
WordWeb (HKLM\...\WordWeb) (Version: 6 - WordWeb Software)
XP Services Optimizer (HKLM\...\{E607E2F2-970E-4354-A08C-E573F19601E7}) (Version: 1.0.52 - Smart PC Utilities)
Yandex (HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\YandexBrowser) (Version: 17.4.1.1026 - ООО «ЯНДЕКС»)
จดหมาย Windows Live (HKLM\...\{07F0FD47-305E-4C4D-9BE0-6D829D4CFF44}) (Version: 14.0.8117.0416 - Microsoft Corporation) Hidden
美图秀秀 3.1.5  (HKLM\...\美图秀秀) (Version:  - 美图网)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-1343024091-1417001333-1801674531-500_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" => No File
CustomCLSID: HKU\S-1-5-21-1343024091-1417001333-1801674531-500_Classes\CLSID\{1FD1FE74-9E3C-4C1C-AEEB-AAB592AD770F}\localserver32 -> "C:\Documents and Settings\Administrator\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" => No File
CustomCLSID: HKU\S-1-5-21-1343024091-1417001333-1801674531-500_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.67\GoogleUpdateOnDemand.exe" => No File
CustomCLSID: HKU\S-1-5-21-1343024091-1417001333-1801674531-500_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.67\GoogleUpdateOnDemand.exe" => No File
CustomCLSID: HKU\S-1-5-21-1343024091-1417001333-1801674531-500_Classes\CLSID\{3100A299-7D18-481A-B24A-23BDEFB424B8}\InprocServer32 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.67\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1343024091-1417001333-1801674531-500_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.67\GoogleUpdateOnDemand.exe" => No File
CustomCLSID: HKU\S-1-5-21-1343024091-1417001333-1801674531-500_Classes\CLSID\{5E71E4F3-E8C7-4906-9626-973E418762B6}\InprocServer32 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\Facebook\Update\1.2.205.0\goopdate.dll (Facebook Inc.)
CustomCLSID: HKU\S-1-5-21-1343024091-1417001333-1801674531-500_Classes\CLSID\{8B9F5BF4-0407-4BB2-9FED-4C0372DABD00}\localserver32 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\Facebook\Video\Skype\FacebookVideoCallingProxy.exe (Skype Limited)
CustomCLSID: HKU\S-1-5-21-1343024091-1417001333-1801674531-500_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.67\npGoogleUpdate3.dll => No File
CustomCLSID: HKU\S-1-5-21-1343024091-1417001333-1801674531-500_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.67\npGoogleUpdate3.dll => No File
CustomCLSID: HKU\S-1-5-21-1343024091-1417001333-1801674531-500_Classes\CLSID\{CBE9C57E-FFA9-4123-8354-AD360D6DD3CC}\InprocServer32 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
CustomCLSID: HKU\S-1-5-21-1343024091-1417001333-1801674531-500_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.67\GoogleUpdateOnDemand.exe" => No File
CustomCLSID: HKU\S-1-5-21-1343024091-1417001333-1801674531-500_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.67\psuser.dll => No File
ShellIconOverlayIdentifiers: [EldosIconOverlay-cbdisk3] -> {758DB4C4-6563-4B16-A266-ECB35A76FCA3} => C:\WINDOWS\system32\cbdiskMntNtf3.dll -> No File
ShellIconOverlayIdentifiers: [IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files\Internet Download Manager\IDMShellExt.dll -> No File
ShellIconOverlayIdentifiers: [ShellExt1] -> {2012DE06-50C0-48BD-ACDE-88F95D4CAD1F} => C:\Program Files\4Sync\ShellExt.dll [2012-11-01] ()
ShellIconOverlayIdentifiers: [ShellExt2] -> {C72C6188-BEF2-46E5-A89A-52F0ED75219E} => C:\Program Files\4Sync\ShellExt.dll [2012-11-01] ()
ShellIconOverlayIdentifiers: [ShellExt3] -> {C92F6BC2-AF61-4C0E-80E0-939B8282DDB7} => C:\Program Files\4Sync\ShellExt.dll [2012-11-01] ()
ShellIconOverlayIdentifiers: [ShellExt4] -> {CB1EFEF8-D5E0-49D1-B768-41B48B1D7803} => C:\Program Files\4Sync\ShellExt.dll [2012-11-01] ()
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2010-11-18] (Igor Pavlov)
ContextMenuHandlers1: [Foxit_ConvertToPDF_Reader] -> {A94757A0-0226-426F-B4F1-4DF381C630D3} =>  -> No File
ContextMenuHandlers1: [Notepad++] -> {00F3C2EC-A6EE-11DE-A03A-EF8F55D89593} => C:\Program Files\Notepad++\NppShell_04.dll [2011-07-19] ()
ContextMenuHandlers1: [WinRAR] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2008-09-16] ()
ContextMenuHandlers2: [UltraISO] -> {AD392E40-428C-459F-961E-9B147782D099} => C:\Program Files\UltraISO\isoshell.dll [2007-07-17] (EZB Systems, Inc.)
ContextMenuHandlers3: [jetAudio] -> {8D1636FD-CA49-4B4E-90E4-0A20E03A15E8} => C:\Program Files\JetAudio\JetFlExt.dll [2013-05-09] (JetAudio)
ContextMenuHandlers3: [SendAnywhere] -> {BFD98515-CD74-48A4-98E2-13D209E3EE4F} =>  -> No File
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2010-11-18] (Igor Pavlov)
ContextMenuHandlers4: [UltraISO] -> {AD392E40-428C-459F-961E-9B147782D099} => C:\Program Files\UltraISO\isoshell.dll [2007-07-17] (EZB Systems, Inc.)
ContextMenuHandlers4: [WinRAR] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2008-09-16] ()
ContextMenuHandlers6: [jetAudio] -> {8D1636FD-CA49-4B4E-90E4-0A20E03A15E8} => C:\Program Files\JetAudio\JetFlExt.dll [2013-05-09] (JetAudio)
ContextMenuHandlers6: [UltraISO] -> {AD392E40-428C-459F-961E-9B147782D099} => C:\Program Files\UltraISO\isoshell.dll [2007-07-17] (EZB Systems, Inc.)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2008-09-16] ()
 
==================== Scheduled Tasks=============================
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\Browser Manager.job => C:\WINDOWS\system32\sc.exe
Task: C:\WINDOWS\Tasks\Clean System Memory.job => C:\WINDOWS\system32\CleanMem.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{1E0D3252-40B7-425F-A243-67CF18BC4C3D}.job => C:\WINDOWS\system32\msfeedssync.exe
Task: C:\WINDOWS\Tasks\{3A4E34BC-92A7-61BF-D43F-5F2D47E34DBB}.job => c:\documents and settings\all users\application data\{A65E1C8C-BA97-FDAF-D43F-5F2D47E34DBB}\0be1cc13.exe
Task: C:\WINDOWS\Tasks\Обновление Браузера Яндекс .job => C:\Documents and Settings\Administrator\Local Settings\Application Data\Yandex\YandexBrowser\Application\browser.exe
Task: C:\WINDOWS\Tasks\Обновление Браузера Яндекс.job => C:\Documents and Settings\Administrator\Local Settings\Application Data\Yandex\YandexBrowser\Application\browser.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
Shortcut: C:\Documents and Settings\Administrator\Start Menu\Programs\SolveigMM Video Splitter\Home Page.lnk -> hxxp://www.solveigmm.com/?Products&id=VideoSplitte
Shortcut: C:\Documents and Settings\Administrator\Start Menu\Programs\SolveigMM Video Splitter\Web Forum.lnk -> hxxp://www.elecard.com/forum/viewforum.php?f=26&sid=7701d7d23f498b59ecf14e886b88212
Shortcut: C:\Documents and Settings\Administrator\Desktop\Поиграй!.lnk -> C:\Program Files\Download Master\games.url () <==== Cyrillic
Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\Solveig Multimedia\SolveigMM Video Splitter\Home Page.lnk -> hxxp://www.solveigmm.com/en/products/video-splitter
Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\Solveig Multimedia\SolveigMM Video Splitter\Web Forum.lnk -> hxxp://www.solveigmm.com/forum/index.php?board=26.
Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\NeoSmart Technologies\EasyBCD\Online Documentation.lnk -> hxxp://neosmart.net/wiki/display/EBCD
Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\Aiseesoft Studio\FoneLab for Android\Удалить FoneLab for Android.lnk -> D:\Program Files\Aiseesoft Studio\FoneLab for Android\Uninstall.exe () <==== Cyrillic
 
==================== Loaded Modules (Whitelisted) ==============
 
2011-03-17 00:11 - 2011-03-17 00:11 - 004297568 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-03-24 21:17 - 2010-03-24 21:17 - 008794464 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2012-11-01 22:02 - 2012-11-01 22:02 - 001353216 _____ () C:\Program Files\4Sync\ShellExt.dll
2012-11-01 22:03 - 2012-11-01 22:03 - 000520234 _____ () C:\Program Files\4Sync\lbase.dll
2012-11-01 22:02 - 2012-11-01 22:02 - 000495104 _____ () C:\Program Files\4Sync\ShellCp.dll
2013-07-21 01:00 - 2008-09-16 20:18 - 000132608 _____ () C:\Program Files\WinRAR\rarext.dll
2011-07-19 04:04 - 2011-07-19 04:04 - 000296448 _____ () C:\Program Files\Notepad++\NppShell_04.dll
2008-04-14 19:00 - 2008-04-14 19:00 - 000014336 _____ () C:\WINDOWS\system32\msdmo.dll
2008-04-14 19:00 - 2008-04-14 19:00 - 000498742 _____ () C:\WINDOWS\system32\dxmasf.dll
2014-04-06 23:49 - 2013-07-10 18:58 - 000970240 _____ () D:\Program Files\IronPortable\Iron\ffmpegsumo.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\WINDOWS:AstInfo [0]
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\Temp:1CE11B51 [132]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE trusted site: HKU\.DEFAULT\...\localhost -> localhost
IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com
IE trusted site: HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\localhost -> localhost
IE trusted site: HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\webcompanion.com -> hxxp://webcompanion.com
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2018-08-03 03:52 - 2018-08-09 05:28 - 000023218 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
 
There are 893 more lines.
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 172.16.0.1
sharedaccess => Firewall Service is not running.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
DomainProfile\AuthorizedApplications: [C:\Program Files\Windows Live\Messenger\msnmsgr.exe] => Enabled:Windows Live Messenger
DomainProfile\AuthorizedApplications: [D:\Program Files\DAUM\PotPlayer\PotPlayerMini.exe] => Enabled:Daum PotPlayer
DomainProfile\AuthorizedApplications: [C:\Program Files\Akruto\AkrutoSync.exe] => Enabled:AkrutoSync 5.1.20
StandardProfile\AuthorizedApplications: [C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe] => Enabled:Visual Basic Command Line Compiler
StandardProfile\AuthorizedApplications: [C:\Program Files\Windows Live\Messenger\msnmsgr.exe] => Enabled:Windows Live Messenger
StandardProfile\AuthorizedApplications: [C:\Program Files\Skype\Phone\Skype.exe] => Enabled:Skype
StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office14\GROOVE.EXE] => Enabled:Microsoft SharePoint Workspace
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\msiexec.exe] => Enabled:UpdateManagerSetup
StandardProfile\AuthorizedApplications: [C:\Program Files\TeamViewer\Version6\TeamViewer.exe] => Enabled:Teamviewer Remote Control Application
StandardProfile\AuthorizedApplications: [C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe] => Enabled:Teamviewer Remote Control Service
StandardProfile\AuthorizedApplications: [F:\gvbif.scr] => Enabled:ipsec
StandardProfile\AuthorizedApplications: [\??\C:\WINDOWS\system32\winlogon.exe] => \??:*:enabled:@shell32.dll,-1
StandardProfile\AuthorizedApplications: [C:\WINDOWS\Explorer.EXE] => Enabled:ipsec
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe] => Enabled:Google Talk Plugin
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Administrator\Application Data\uTorrent\uTorrent.exe] => Enabled:µTorrent
StandardProfile\AuthorizedApplications: [C:\Program Files\Maxthon\Bin\MxUp.exe] => Enabled:MxUp
StandardProfile\AuthorizedApplications: [C:\Program Files\Maxthon\Bin\Maxthon.exe] => Enabled:Maxthon
StandardProfile\AuthorizedApplications: [C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe] => Enabled:Yahoo! Messenger
StandardProfile\AuthorizedApplications: [C:\Program Files\TeamViewer\Version9\TeamViewer.exe] => Enabled:Teamviewer Remote Control Application
StandardProfile\AuthorizedApplications: [C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe] => Enabled:Teamviewer Remote Control Service
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Administrator\Local Settings\Application Data\Facebook\Video\Skype\FacebookVideoCalling.exe] => Enabled:Facebook Video Calling Plugin
StandardProfile\AuthorizedApplications: [D:\Program Files\DAUM\PotPlayer\PotPlayerMini.exe] => Enabled:Daum PotPlayer
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Administrator\Local Settings\Application Data\Yandex\YandexBrowser\Application\browser.exe] => Enabled:Yandex
StandardProfile\AuthorizedApplications: [C:\Program Files\Akruto\AkrutoSync.exe] => Enabled:AkrutoSync 5.1.20
DomainProfile\GloballyOpenPorts: [139:TCP] => Enabled:@xpsp2res.dll,-22004
DomainProfile\GloballyOpenPorts: [445:TCP] => Enabled:@xpsp2res.dll,-22005
DomainProfile\GloballyOpenPorts: [137:UDP] => Enabled:@xpsp2res.dll,-22001
DomainProfile\GloballyOpenPorts: [138:UDP] => Enabled:@xpsp2res.dll,-22002
DomainProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22007
DomainProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22008
DomainProfile\GloballyOpenPorts: [10243:TCP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
DomainProfile\GloballyOpenPorts: [10280:UDP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
DomainProfile\GloballyOpenPorts: [10281:UDP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
DomainProfile\GloballyOpenPorts: [10282:UDP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
DomainProfile\GloballyOpenPorts: [10283:UDP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
DomainProfile\GloballyOpenPorts: [10284:UDP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
StandardProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22007
StandardProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22008
StandardProfile\GloballyOpenPorts: [139:TCP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22004
StandardProfile\GloballyOpenPorts: [445:TCP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22005
StandardProfile\GloballyOpenPorts: [137:UDP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22001
StandardProfile\GloballyOpenPorts: [138:UDP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22002
StandardProfile\GloballyOpenPorts: [3389:TCP] => Disabled:@xpsp2res.dll,-22009
StandardProfile\GloballyOpenPorts: [10243:TCP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
StandardProfile\GloballyOpenPorts: [10280:UDP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
StandardProfile\GloballyOpenPorts: [10281:UDP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
StandardProfile\GloballyOpenPorts: [10282:UDP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
StandardProfile\GloballyOpenPorts: [10283:UDP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
StandardProfile\GloballyOpenPorts: [10284:UDP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
 
==================== Restore Points =========================
 
ATTENTION: System Restore is disabled
Check "winmgmt" service or repair WMI.
 
 
==================== Faulty Device Manager Devices =============
 
Could not list Devices. Check "winmgmt" service or repair WMI.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (08/08/2018 02:49:19 AM) (Source: MBAMIService) (EventID: 0) (User: )
Description: Event-ID 0
 
Error: (08/08/2018 01:41:26 AM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.
 
Error: (08/08/2018 01:41:26 AM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.
 
Error: (08/08/2018 01:41:26 AM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.
 
Error: (08/08/2018 01:41:25 AM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.
 
Error: (08/08/2018 01:35:42 AM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.
 
Error: (08/08/2018 01:35:12 AM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.
 
Error: (08/08/2018 01:34:33 AM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.
 
 
System errors:
=============
Error: (08/11/2018 01:38:44 AM) (Source: DCOM) (EventID: 10000) (User: NT AUTHORITY)
Description: Unable to start a DCOM Server: {1F87137D-0E7C-44D5-8C73-4EFFB68962F2}.
The error:
"%%5 = Access is denied."
Happened while starting this command:
C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding
 
Error: (08/11/2018 01:38:44 AM) (Source: DCOM) (EventID: 10000) (User: NT AUTHORITY)
Description: Unable to start a DCOM Server: {1F87137D-0E7C-44D5-8C73-4EFFB68962F2}.
The error:
"%%5 = Access is denied."
Happened while starting this command:
C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding
 
Error: (08/11/2018 01:36:15 AM) (Source: DCOM) (EventID: 10000) (User: NT AUTHORITY)
Description: Unable to start a DCOM Server: {1F87137D-0E7C-44D5-8C73-4EFFB68962F2}.
The error:
"%%5 = Access is denied."
Happened while starting this command:
C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding
 
Error: (08/11/2018 01:12:52 AM) (Source: DCOM) (EventID: 10000) (User: NT AUTHORITY)
Description: Unable to start a DCOM Server: {1F87137D-0E7C-44D5-8C73-4EFFB68962F2}.
The error:
"%%5 = Access is denied."
Happened while starting this command:
C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding
 
Error: (08/11/2018 01:12:52 AM) (Source: DCOM) (EventID: 10000) (User: NT AUTHORITY)
Description: Unable to start a DCOM Server: {1F87137D-0E7C-44D5-8C73-4EFFB68962F2}.
The error:
"%%5 = Access is denied."
Happened while starting this command:
C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding
 
Error: (08/11/2018 01:12:52 AM) (Source: DCOM) (EventID: 10000) (User: NT AUTHORITY)
Description: Unable to start a DCOM Server: {1F87137D-0E7C-44D5-8C73-4EFFB68962F2}.
The error:
"%%5 = Access is denied."
Happened while starting this command:
C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding
 
Error: (08/11/2018 01:12:52 AM) (Source: DCOM) (EventID: 10000) (User: NT AUTHORITY)
Description: Unable to start a DCOM Server: {1F87137D-0E7C-44D5-8C73-4EFFB68962F2}.
The error:
"%%5 = Access is denied."
Happened while starting this command:
C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding
 
Error: (08/11/2018 01:07:24 AM) (Source: DCOM) (EventID: 10000) (User: NT AUTHORITY)
Description: Unable to start a DCOM Server: {1F87137D-0E7C-44D5-8C73-4EFFB68962F2}.
The error:
"%%5 = Access is denied."
Happened while starting this command:
C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding
 
 
==================== Memory info =========================== 
 
Processor: Intel® Celeron® M processor 1500MHz
Percentage of memory in use: 81%
Total physical RAM: 502.42 MB
Available physical RAM: 90.45 MB
Total Virtual: 726.39 MB
Available Virtual: 197.4 MB
 
==================== Drives ================================
 
Drive c: (KKD 2011 V.2) (Fixed) (Total:15 GB) (Free:1.91 GB) NTFS ==>[drive with boot components (Windows XP)]
Drive d: (Disk D) (Fixed) (Total:12.95 GB) (Free:7.5 GB) NTFS
 
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 27.9 GB) (Disk ID: B6C92891)
Partition 1: (Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=12.9 GB) - (Type=0F Extended)
 
==================== End of Addition.txt ============================


#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,246 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:58 AM

Posted 11 August 2018 - 08:03 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

ATTENTION: System Restore is disabled
Enable that service
https://www.itprotoday.com/management-mobility/how-do-i-enable-and-disable-windows-xps-system-restore-feature
===

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
ClipGrab 3.5.5 (HKLM\...\{8A1033B0-EF33-4FB5-97A1-C47A7DCDD7E6}_is1) (Version: - Philipp Schmieder Medien)
Yandex (HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\YandexBrowser) (Version: 17.4.1.1026 - ???? ??????”?•?????)
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
CloseProcesses:

HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [Ivsasi] => C:\Documents and Settings\Administrator\Application Data\Identities\Ivsasi.exe [133120 2018-08-11] ()
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [{3A4E34BC-92A7-61BF-D43F-5F2D47E34DBB}] => c:\documents and settings\all users\application data\{A65E1C8C-BA97-FDAF-D43F-5F2D47E34DBB}\0be1cc13.exe [325632 2018-08-11] ()
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [lansys32] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18617711\lansys32.exe [115200 2018-08-11] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [lja7shayne10] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lja7shayne10.exe [112640 2018-08-11] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [lja7shayne2] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lja7shayne2.exe [116224 2018-08-11] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [lja7shayne3] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lja7shayne3.exe [112128 2018-08-11] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [lja7shayne6] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lja7shayne6.exe [110592 2018-08-11] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [lja7shayne7] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lja7shayne7.exe [114688 2018-08-10] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [syseeeaz] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-6985472110112323\systeez.exe [140800 2018-08-11] ()
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [lliseconc8] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lliseconc8.exe [203776 2018-08-11] (Taloon Energy Saving Machine)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [lanconnect35] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18617711\lanconnect35.exe [167936 2018-08-11] (Ford Focus Enterprise Establishment)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\RunOnce: [lansys32] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18617711\lansys32.exe [115200 2018-08-11] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\RunOnce: [lja7shayne10] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lja7shayne10.exe [112640 2018-08-11] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\RunOnce: [lja7shayne2] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lja7shayne2.exe [116224 2018-08-11] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\RunOnce: [lja7shayne3] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lja7shayne3.exe [112128 2018-08-11] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\RunOnce: [lja7shayne6] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lja7shayne6.exe [110592 2018-08-11] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\RunOnce: [lja7shayne7] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lja7shayne7.exe [114688 2018-08-10] (Toxic Coding Team Tool)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\RunOnce: [syseeeaz] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-6985472110112323\systeez.exe [140800 2018-08-11] ()
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\RunOnce: [lliseconc8] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lliseconc8.exe [203776 2018-08-11] (Taloon Energy Saving Machine)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\RunOnce: [lanconnect35] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18617711\lanconnect35.exe [167936 2018-08-11] (Ford Focus Enterprise Establishment)
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Policies\Explorer: [NoSMHelp] 01000000
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Policies\Explorer: [NoLogoff] 01000000
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Policies\Explorer: [NoSMMyPictures] 01000000
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Policies\Explorer: [NoDrives] 00000000
SSODL: EldosMountNotificator-cbdisk3 - {BA569D84-B7FD-47D8-A47F-735F5AFA52DD} - C:\WINDOWS\system32\cbdiskMntNtf3.dll No File
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-19\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-20\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-21-1343024091-1417001333-1801674531-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
URLSearchHook: HKU\S-1-5-21-1343024091-1417001333-1801674531-500 - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} -  No File
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "hxxp://search.softonic.com/INF00176/tb_v1/?SearchSource=15&cc=&mi=9cfcaf19000000000000020e35bba7cb" <==== ATTENTION
SearchScopes: HKLM -> DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL =
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird => not found
CHR HKLM\...\Chrome\Extension: [ogccgbmabaphcakpiclgcnmcnimhokcj] - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\External Extensions\{EEE6C373-6118-11DC-9C72-001320C79847}\SweetNT.crx <not found>
ContextMenuHandlers3: [SendAnywhere] -> {BFD98515-CD74-48A4-98E2-13D209E3EE4F} =>  -> No File
Task: C:\WINDOWS\Tasks\{3A4E34BC-92A7-61BF-D43F-5F2D47E34DBB}.job => c:\documents and settings\all users\application data\{A65E1C8C-BA97-FDAF-D43F-5F2D47E34DBB}\0be1cc13.exe
Task: C:\WINDOWS\Tasks\??????????????????? ?‘?€????????€?? ??????????? .job => C:\Documents and Settings\Administrator\Local Settings\Application Data\Yandex\YandexBrowser\Application\browser.exe
Task: C:\WINDOWS\Tasks\??????????????????? ?‘?€????????€?? ???????????.job => C:\Documents and Settings\Administrator\Local Settings\Application Data\Yandex\YandexBrowser\Application\browser.exe
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\Temp:1CE11B51 [132]
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Administrator\Local Settings\Application Data\Yandex\YandexBrowser\Application\browser.exe] => Enabled:Yandex
C:\Documents and Settings\Administrator\Local Settings\Application Data\Yandex\YandexBrowser
C:\Documents and Settings\Administrator\Application Data\Identities
c:\documents and settings\all users\application data\{A65E1C8C-BA97-FDAF-D43F-5F2D47E34DBB}
C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800
C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-6985472110112323
C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18617711

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please post the logs and let me know what problem persists.

p.s.

I suggest you read these articles and see what you can do to improve your internet security.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.

I wish I could suggest other cleaning tools, but none that I know of work on Windows XP.
===
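The Run and RunOnce lines nasdaq pulled into the fixlist share a pattern worth recognising in any FRST log: a binary launched from C:\RECYCLER under a SID that is not the logged-on user's, an executable sitting in a GUID-named or Identities folder under Application Data, and the same file registered under both Run and RunOnce. The script below is an added example (my own, not part of FRST or of this thread) that parses such lines and reports those traits; the sample lines are copied from the log above plus one constructed clean entry, and the regexes, heuristics and function names are my assumptions.

```python
import ntpath
import re

# FRST autorun line shape, as seen in the log above:
#   <hive>\...\Run: [<name>] => <path> [<size> <yyyy-mm-dd>] (<company name>)
RUN_LINE = re.compile(
    r"^(?P<hive>HK\w+(?:\\[^\\]+)*?)\\\.\.\.\\(?P<key>Run|RunOnce): "
    r"\[(?P<name>[^\]]+)\] => (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\]"
    r"(?: \((?P<company>[^)]*)\))?$"
)
SID_DIR = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$", re.I)
GUID_DIR = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

# Constructed sample: six lines copied from the FRST log in this thread plus one
# made-up clean entry (hypothetical size/date) so the script has something to pass.
SAMPLE_LOG = "\n".join([
    r"HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [Ivsasi] => C:\Documents and Settings\Administrator\Application Data\Identities\Ivsasi.exe [133120 2018-08-11] ()",
    r"HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [{3A4E34BC-92A7-61BF-D43F-5F2D47E34DBB}] => c:\documents and settings\all users\application data\{A65E1C8C-BA97-FDAF-D43F-5F2D47E34DBB}\0be1cc13.exe [325632 2018-08-11] ()",
    r"HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [lansys32] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18617711\lansys32.exe [115200 2018-08-11] (Toxic Coding Team Tool)",
    r"HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\Run: [syseeeaz] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-6985472110112323\systeez.exe [140800 2018-08-11] ()",
    r"HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\RunOnce: [lansys32] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18617711\lansys32.exe [115200 2018-08-11] (Toxic Coding Team Tool)",
    r"HKU\S-1-5-21-1343024091-1417001333-1801674531-500\...\RunOnce: [syseeeaz] => C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-6985472110112323\systeez.exe [140800 2018-08-11] ()",
    r"HKLM\...\Run: [ctfmon] => C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)",  # constructed clean line
])


def parse_autoruns(log_text):
    """Return one dict per Run/RunOnce line; every other FRST line is ignored."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def hive_sid(hive):
    """'HKU\\S-1-5-21-...-500' -> 'S-1-5-21-...-500'; None for HKLM and friends."""
    parts = hive.split("\\")
    if len(parts) > 1 and SID_DIR.match(parts[1]):
        return parts[1]
    return None


def reasons_for(entry):
    """Heuristics drawn from the entries nasdaq put in the fixlist above."""
    parts = ntpath.normpath(entry["path"]).split("\\")  # ntpath parses Windows paths on any host
    low = [p.lower() for p in parts]
    reasons = []
    if len(low) > 2 and low[1] == "recycler":
        reasons.append("runs from the Recycle Bin folder (C:\\RECYCLER)")
        own = hive_sid(entry["hive"]) or ""
        if SID_DIR.match(parts[2]) and parts[2].lower() != own.lower():
            reasons.append("RECYCLER subfolder SID %s does not match the user's SID" % parts[2])
    if "application data" in low:
        i = low.index("application data") + 1
        nxt = low[i] if i < len(low) else ""
        if GUID_DIR.match(nxt):
            reasons.append("runs from a GUID-named folder under Application Data")
        elif nxt == "identities":
            reasons.append("runs from the Identities folder, where no program installs")
    if not entry.get("company"):
        reasons.append("no company name in the version info")
    return reasons


def triage(log_text):
    """Findings keyed by binary path; clean entries are left out of the result."""
    keys, reasons = {}, {}
    for e in parse_autoruns(log_text):
        keys.setdefault(e["path"], set()).add(e["key"])
        reasons.setdefault(e["path"], set()).update(reasons_for(e))
    for path, seen in keys.items():
        if {"Run", "RunOnce"} <= seen:  # doubled persistence, as with lansys32 above
            reasons[path].add("registered under both Run and RunOnce")
    return {p: sorted(r) for p, r in reasons.items() if r}


def staging_dirs(findings):
    """Parent folders of every flagged binary: the directory lines a fixlist carries."""
    return sorted({ntpath.dirname(p) for p in findings})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for path, why in found.items():
        print(path)
        for r in why:
            print("   -", r)
    print("folders to review:", *staging_dirs(found), sep="\n   ")
```

Run it against a full FRST.txt to get the same shortlist for a different machine; anything it flags still needs a human look before it goes into a fixlist.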

#4 Ranidf

Ranidf
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:12:58 PM

Posted 12 August 2018 - 03:05 AM

Hi,

 

Do you think it will work? I doubt it, because RKill said that 7 Windows files such as explorer.exe are probably patched, and a further check in AVZ "File: C:\WINDOWS\explorer.exe. Result: Microsoft file authenticity check: failed" suggests the same.

 

I think what I need is some program that will check the authenticity of all core Windows files and will replace those that are patched. After that, following the steps you suggested should be successful. What's your opinion?



#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,246 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:58 AM

Posted 12 August 2018 - 07:13 AM

Hi,

I know nothing about how to interpret the AVZ report.

I know that in the time of Windows XP many files were not signed by Microsoft.

You must execute my fix.
You got hit badly by this infection and you must remove it.
===

Run the fix and let me know what problem persists.

p.s.
When the fix is completed and you have restarted the computer you can run this SFC.EXE program.

Check the integrity of the operating system files.
How to run sfc /Scannow
http://support.microsoft.com/kb/929833

When completed, refer to the Microsoft article again and follow the instructions to view details of the System File Checker process.

Post the contents of the sfcdetails.txt file for my review.

Include the Fixlog.txt that will be created by my suggested fix.

#6 Ranidf

Ranidf
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:12:58 PM

Posted 14 August 2018 - 03:43 AM

Hello,

 

It was relatively successful, but some malware is still there.

 

For example, the WPFFontCache.. process. I never had it before. Now if I try to kill it via Task Manager it reappears within a second.



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,246 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:58 AM

Posted 14 August 2018 - 08:12 AM

Hi,

The service WPFFontCache is not reported in your logs.

I did find these items in your Files.

C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1343024091-1417001333-1801674531-500-0.dat

Let's see what we can find in the Registry.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • In the Search text area, copy and paste the following:
WPFFontCache
  • Once done, click on the Search Registry button and wait for FRST to finish the search;
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply;


#8 Ranidf

Ranidf
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:12:58 PM

Posted 19 August 2018 - 01:23 PM

1. Now I don't see the WPFFontCache process anymore. Anyway, I attached the FRST registry scan below.
 
2. I created an AVG bootable USB and it found 3 files reset.exe in the c:\windows directory. How is it possible that 3 files with the same name are in one directory? What's interesting is that RKill complained about 3 svchost.exe files that were patched. I thought AVG cleared the malware, but no. Unfortunately, its database is up to 2016 and when I try to update it I get "general error". A subsequent full scan by bootable AVG didn't find anything.
 
3. Malware is still there.
The symptoms: it applies the hidden attribute to all files/directories on any flash drive I insert in my computer and creates a *.lnk file for each file/dir to which it applied the hidden attribute.
It also adds random websites to the hosts file.
 
Now I can run Malwarebytes but it is still not working 100%. Whenever I select "scan for rootkits" it becomes stuck in it for 5 hours. A Malwarebytes system scan (with scan for rootkits turned off) finds something and removes it, but the symptoms still remain. (I updated Malwarebytes to the latest definitions.)
The program that checks the integrity of Windows files runs for a long time and then doesn't create the log file. Tried in normal and safe modes.
RKill finds some service that it kills and 1 or 2 harmful processes. One of them is identified as locator.com. I'll provide the results of the registry scan for "locator.exe" here too. And just in case, for "locator" also.
 
4. HitmanPro finds something but doesn't remove it because something is blocking its activation.
 
Farbar Recovery Scan Tool (x86) Version: 02.08.2018
Ran by Administrator (20-08-2018 01:04:01)
Running from D:\
Boot Mode: Normal
 
================== Search Registry: "WPFFontCache" ===========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPFFONTCACHE_V0400]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPFFONTCACHE_V0400\0000]
"Service"="WPFFontCache_v0400"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPFFontCache_v0400]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPFFontCache_v0400]
"ImagePath"="C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPFFontCache_v0400\Enum]
"0"="Root\LEGACY_WPFFONTCACHE_V0400\0000"
 
====== End of Search ======
 
Farbar Recovery Scan Tool (x86) Version: 02.08.2018
Ran by Administrator (20-08-2018 01:16:08)
Running from D:\
Boot Mode: Normal
 
================== Search Registry: "Locator.exe" ===========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator]
"ImagePath"="%SystemRoot%\system32\locator.exe"
 
====== End of Search ======
 
Farbar Recovery Scan Tool (x86) Version: 02.08.2018
Ran by Administrator (20-08-2018 01:19:48)
Running from D:\
Boot Mode: Normal
 
================== Search Registry: "Locator" ===========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BDATuner.ATSCLocator]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BDATuner.ATSCLocator\CurVer]
""="BDATuner.ATSCLocator.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BDATuner.ATSCLocator.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BDATuner.DVBCLocator]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BDATuner.DVBCLocator]
""="BDA Tuning Model DVB Cable Locator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BDATuner.DVBCLocator\CurVer]
""="BDATuner.DVBCLocator.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BDATuner.DVBCLocator.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BDATuner.DVBCLocator.1]
""="BDA Tuning Model DVB Cable Locator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BDATuner.DVBSLocator]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BDATuner.DVBSLocator]
""="BDA Tuning Model DVB Satellite Locator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BDATuner.DVBSLocator\CurVer]
""="BDATuner.DVBSLocator.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BDATuner.DVBSLocator.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BDATuner.DVBSLocator.1]
""="BDA Tuning Model DVB Satellite Locator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BDATuner.DVBTLocator]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BDATuner.DVBTLocator]
""="BDA Tuning Model DVB Terrestrial Locator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BDATuner.DVBTLocator\CurVer]
""="BDATuner.DVBTLocator.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BDATuner.DVBTLocator.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BDATuner.DVBTLocator.1]
""="BDA Tuning Model DVB Terrestrial Locator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance\{814B9800-1C88-11D1-BAD9-00609744111A}]
"FriendlyName"="VBI Surface Allocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance\{C0D076C5-E4C6-4561-8BF4-80DA8DB819D7}]
"FriendlyName"="Allocator Fix"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1DF7D126-4050-47F0-A7CF-4C4CA9241333}]
""="BDA Tuning Model DVB Satellite Locator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1DF7D126-4050-47F0-A7CF-4C4CA9241333}\ProgID]
""="BDATuner.DVBSLocator.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1DF7D126-4050-47F0-A7CF-4C4CA9241333}\VersionIndependentProgID]
""="BDATuner.DVBSLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E651CC0-B199-11D0-8212-00C04FC32C45}]
""="Memory Allocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A488070-6FD9-11D0-A808-00A0C906241A}]
""="File System Client DocStore Locator Object"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64}]
""="VMR Allocator Presenter 9"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4444AC9E-242E-471B-A3C7-45DCD46352BC}]
""="VMR Allocator Presenter DDXcl Mode"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{458AA3B5-265A-4B75-BC05-9BEA4630CF18}]
""="System.EnterpriseServices.Internal.AssemblyLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{458AA3B5-265A-4B75-BC05-9BEA4630CF18}\InprocServer32]
"Class"="System.EnterpriseServices.Internal.AssemblyLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{458AA3B5-265A-4B75-BC05-9BEA4630CF18}\InprocServer32\1.0.5000.0]
"Class"="System.EnterpriseServices.Internal.AssemblyLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{458AA3B5-265A-4B75-BC05-9BEA4630CF18}\InprocServer32\2.0.0.0]
"Class"="System.EnterpriseServices.Internal.AssemblyLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{458AA3B5-265A-4B75-BC05-9BEA4630CF18}\InprocServer32\4.0.0.0]
"Class"="System.EnterpriseServices.Internal.AssemblyLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{458AA3B5-265A-4B75-BC05-9BEA4630CF18}\ProgId]
""="System.EnterpriseServices.Internal.AssemblyLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}]
""="WBEM Locator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}]
""="WBEM Scripting Locator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\ProgID]
""="WbemScripting.SWbemLocator.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\VersionIndependentProgID]
""="WbemScripting.SWbemLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{814B9800-1C88-11D1-BAD9-00609744111A}]
""="VBI Surface Allocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}\ProgID]
""="BDATuner.ATSCLocator.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}\VersionIndependentProgID]
""="BDATuner.ATSCLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99D54F63-1A69-41AE-AA4D-C976EB3F0713}]
""="VMR Allocator Presenter"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9CD64701-BDF3-4D14-8E03-F12983D86664}]
""="BDA Tuning Model DVB Terrestrial Locator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9CD64701-BDF3-4D14-8E03-F12983D86664}\ProgID]
""="BDATuner.DVBTLocator.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9CD64701-BDF3-4D14-8E03-F12983D86664}\VersionIndependentProgID]
""="BDATuner.DVBTLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}]
""="PaneLocator Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C0D076C5-E4C6-4561-8BF4-80DA8DB819D7}]
""="Allocator Fix"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C531D9FD-9685-4028-8B68-6E1232079F1E}]
""="BDA Tuning Model DVB Cable Locator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C531D9FD-9685-4028-8B68-6E1232079F1E}\ProgID]
""="BDATuner.DVBCLocator.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C531D9FD-9685-4028-8B68-6E1232079F1E}\VersionIndependentProgID]
""="BDATuner.DVBCLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1101F2-79DC-11D2-8CE6-00A0C9441E20}]
""="MediaLocator Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1101F2-79DC-11D2-8CE6-00A0C9441E20}\ProgID]
""="qedit.MediaLocator.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1101F2-79DC-11D2-8CE6-00A0C9441E20}\VersionIndependentProgID]
""="qedit.MediaLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ecabb0ac-7f19-11d2-978e-0000f8757e2a}]
""="MTSLocator Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ecabb0ac-7f19-11d2-978e-0000f8757e2a}\ProgID]
""="MTSLocator.MTSLocator.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ecabb0ac-7f19-11d2-978e-0000f8757e2a}\VersionIndependentProgID]
""="MTSLocator.MTSLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD853CDD-7F86-11d0-8252-00C04FD85AB4}]
""="CLSID_IMimeAllocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{11183231-0222-11D3-AAAF-00104B9B174A}]
""="IGrooveLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1921006E-2AD4-3300-86E0-DB33AFEFD81F}]
""="_AssemblyLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2206CCB2-19C1-11D1-89E0-00C04FD7A829}]
""="IDataSourceLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{286D7F89-760C-4F89-80C4-66841D2507AA}]
""="ILocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{379A0CF0-C1DE-11D2-ABF5-00A0C905F375}]
""="IMemAllocatorCallbackTemp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{391FFBB9-A8EE-432A-ABC8-BAA238DAB90F}]
""="IAssemblyLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3D7C353C-0D04-45F1-A742-F97CC1188DC8}]
""="IDVBSLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{56A8689C-0AD4-11CE-B03A-0020AF0BA770}]
""="IMemAllocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6E42F36E-1DD2-43C4-9F78-69D25AE39034}]
""="IDVBCLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{76A6415B-CB41-11D1-8B02-00600806D9B6}]
""="ISWbemLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{796E7AC5-5AA2-4EFF-ACAD-3FAAF01A3288}]
""="IVBSAXLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8664DA16-DDA2-42AC-926A-C18F9127C302}]
""="IDVBTLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{92980B30-C1DE-11D2-ABF5-00A0C905F375}]
""="IMemAllocatorNotifyCallbackTemp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BF8D986F-8C2B-4131-94D7-4D3D9FCC21EF}]
""="IATSCLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C6545BF0-E76B-11D0-BD52-00A0C911CE86}]
""="IAMDevMemoryAllocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D19B8BFD-7F88-11D0-B16E-00AA00BA3258}]
""="IMTSLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MTSLocater.MTSLocater]
""="MTSLocator Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MTSLocater.MTSLocater.1]
""="MTSLocator Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MTSLocator.MTSLocator]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MTSLocator.MTSLocator]
""="MTSLocator Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MTSLocator.MTSLocator\CurVer]
""="MTSLocator.MTSLocator.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MTSLocator.MTSLocator.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MTSLocator.MTSLocator.1]
""="MTSLocator Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qedit.MediaLocator]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qedit.MediaLocator]
""="MediaLocator Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qedit.MediaLocator\CurVer]
""="qedit.MediaLocator.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qedit.MediaLocator.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qedit.MediaLocator.1]
""="MediaLocator Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\System.EnterpriseServices.Internal.AssemblyLocator]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\System.EnterpriseServices.Internal.AssemblyLocator]
""="System.EnterpriseServices.Internal.AssemblyLocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WBEMComLocator]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WBEMComLocator]
""="WBEM Locator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WbemScripting.SWbemLocator]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WbemScripting.SWbemLocator]
""="WBEM Scripting Locator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WbemScripting.SWbemLocator\CurVer]
""="WbemScripting.SWbemLocator.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WbemScripting.SWbemLocator.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WbemScripting.SWbemLocator.1]
""="WBEM Scripting Locator 1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Reference\Bilinguals 1.0\{7DD43A45-1950-410F-8DBF-54881CA696A0}]
"Locator"="C:\PROGRA~1\COMMON~1\MICROS~1\TRANSLAT\ENTH\MSB1ENTH.ITS!Attributes"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Reference\Bilinguals 1.0\{A8BA8760-E619-11D3-8F5D-00C04F9CF4A0}]
"Locator"="C:\PROGRA~1\COMMON~1\MICROS~1\TRANSLAT\FREN\MSB1FREN.ITS!Attributes"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Reference\Bilinguals 1.0\{A8BA8764-E619-11D3-8F5D-00C04F9CF4A0}]
"Locator"="C:\PROGRA~1\COMMON~1\MICROS~1\TRANSLAT\ESEN\MSB1ESEN.ITS!Attributes"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Reference\Bilinguals 1.0\{A8BA8765-E619-11D3-8F5D-00C04F9CF4A0}]
"Locator"="C:\PROGRA~1\COMMON~1\MICROS~1\TRANSLAT\ENES\MSB1ENES.ITS!Attributes"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Reference\Bilinguals 1.0\{A8BA8772-E619-11D3-8F5D-00C04F9CF4A0}]
"Locator"="C:\PROGRA~1\COMMON~1\MICROS~1\TRANSLAT\ARFR\MSB1ARFR.ITS!Attributes"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Reference\Bilinguals 1.0\{A8BA8773-E619-11D3-8F5D-00C04F9CF4A0}]
"Locator"="C:\PROGRA~1\COMMON~1\MICROS~1\TRANSLAT\FRAR\MSB1FRAR.ITS!Attributes"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Reference\Bilinguals 1.0\{FAD473D6-E564-11D3-8F5D-00C04F9CF4A0}]
"Locator"="C:\PROGRA~1\COMMON~1\MICROS~1\TRANSLAT\ENFR\MSB1ENFR.ITS!Attributes"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Router\CurrentVersion\RouterManagers\Ip\AUTODHCP]
"Title"="DHCP Allocator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\NameService]
"Endpoint"="\pipe\locator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tuning Spaces\3\Default Locator]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tuning Spaces\7\Default Locator]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\{777564B3-F508-49BD-8BBA-FB0040061032}\Ndi]
"CoServices"="LanmanWorkstation
Alerter
Browser
Netlogon
Messenger
NtLmSsp
RpcLocator"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\{777564B3-F508-49BD-8BBA-FB0040061032}\Ndi]
"ExcludeSetupStartServices"="Alerter
Browser
Netlogon
Messenger
NtLmSsp
RpcLocator"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCLOCATOR]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCLOCATOR\0000]
"Service"="RpcLocator"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCLOCATOR\0000]
"DeviceDesc"="Remote Procedure Call (RPC) Locator"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCLOCATOR\0000\Control]
"ActiveService"="RpcLocator"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator]
"ImagePath"="%SystemRoot%\system32\locator.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator]
"DisplayName"="Remote Procedure Call (RPC) Locator"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator\Enum]
"0"="Root\LEGACY_RPCLOCATOR\0000"
[HKEY_USERS\.DEFAULT\Software\Nitro PDF\Professional\6.0\NitroPDFCreator]
"LocatorName"=""
[HKEY_USERS\S-1-5-21-1343024091-1417001333-1801674531-500\Software\Nitro PDF\Professional\6.0\NitroPDFCreator]
"LocatorName"=""
 
====== End of Search ======

Edited by Ranidf, 19 August 2018 - 01:28 PM.


#9 nasdaq

  • Malware Response Team
  • 40,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 August 2018 - 06:58 AM

Hi,

My first fix did remove a lot of entries.

Please run the Farbar program one more time and post a fresh FRST.TXT log for my review.
===

--RogueKiller--
  • Download & SAVE to your Desktop: RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

#10 nasdaq

  • Malware Response Team
  • 40,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 August 2018 - 07:51 AM

Are you still with me?

#11 Ranidf

  • Topic Starter
  • Members
  • 24 posts

Posted 29 August 2018 - 02:31 PM

Have managed to update AVG Rescue USB bootable to the latest definitions. It found a virus in one file and a trojan in another file. That one file was a 3GB file in the IronPortable/Profiles/FileSystem folder. What the hell is that? :)

I asked about it on the Iron forum, about what it could be and what the purpose of the FileSystem folder is; so far no replies.

 

Anyway, since the AVG Rescue is bootable and runs under Linux, I thought it should fix my issue. But rkill still finds a PUP process that it kills. SFC /scannow produces no log file. In fact my c:\windows\logs directory contains no logs and no subdirectories. I tried to scan the whole disk for the log, and nothing.

Another thing: when I start sfc /scannow in Windows Safe Mode with Command Prompt I get: "Windows File Protection could not initiate a scan of protected system files. The specific error code is 0x000006ba [The RPC server is unavailable]." That's weird, as I read that sfc should work in safe mode.

 

I'll perform what you suggested and soon will post the results.



#12 Ranidf

  • Topic Starter
  • Members
  • 24 posts

Posted 29 August 2018 - 02:34 PM

p.s. Cannot access https://www.adlice.com as it says The webpage is not available.

 

p.s.2 Read https://answers.microsoft.com/en-us/windows/forum/windows_xp-performance/proper-way-to-setup-for-run-sfc-scannow-with-xp-sp/ac9d1a69-660f-4424-843b-eeaaa6a13691 which says sfc won't run in safe mode. I still don't understand whether it will check the integrity of the Windows core files as you have suggested. If I understood the article correctly, it will only replace missing files in the /dllcache directory from the Windows CD. Please read the info in the link, as I need to find a way to check that the core Windows files weren't patched by the malware (as Rkill suggests they might be).


Edited by Ranidf, 29 August 2018 - 02:56 PM.


#13 nasdaq

  • Malware Response Team
  • 40,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 August 2018 - 08:04 AM

Hi,

Do not do anything on the FileSystem.
Have a look at this article.
You can find out which file system is used on your computer.

https://www.computerhope.com/jargon/f/filesyst.htm
===

p.s. Cannot access https://www.adlice.com as it says The webpage is not available.


I just tried and it's working. Try again.

===

Your current problems are not caused by malware.

Windows XP was discontinued by Microsoft a while ago.

I can only suggest you start a new topic in the Windows XP forum.
https://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/

Someone with XP experience will be able to help you better than I can.
This is not my forte.

#14 Ranidf

  • Topic Starter
  • Members
  • 24 posts

Posted 30 August 2018 - 03:12 PM

Are you serious? The FileSystem I mentioned is the name of a subfolder in the /ironportable browser folder. I'm not talking about FAT or NTFS.

 

Can't you put 2 and 2 together? If adlice.com is working on your computer but is not working on my computer (while most other websites are OK on my computer), that can mean only one thing: malware is preventing access to it. (And it's not in the hosts file.)

 

Have you got someone who has even more expertise than yourself? I think I have got some pretty advanced malware infection. Something modular, or maybe it has AI? I'm just kidding, but seriously, it changes the names of its processes. In the past it would block access to the Malwarebytes website, but once I managed to install it and update it, it doesn't block it anymore. Huh? Interesting. [As if it detected that it's already being installed and updated, so there's no need to block access to its website.] But it blocks access to wikitravel, adlice and some other sites. Hmm.

 

I had to download RogueKiller via another computer; thanks for the suggestion. After I removed everything it detected and restarted the computer, I still cannot access adlice.com and wikitravel via the IronPortable browser (prior to the infection I had no problems accessing wikitravel), so something still needs to be corrected. I can open them now via another browser.

 

What is LL2 MBR? I overwrote the MBR with AVG, so it should be clean now, but how can I overwrite the LL2 MBR?

 

Here is the report of RogueKiller (I'll do another scan with it and also with FRST later):

 

RogueKiller V12.12.33.0 [Aug 27 2018] (Free) by Adlice Software
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Administrator [Administrator]
Started from : D:\Rogue\RogueKiller_portable32.exe
Mode : Scan -- Date : 08/31/2018 01:13:37 (Duration : 01:20:50)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 43 ¤¤¤
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D} (C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\visic_coupon.dll) -> Found
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472} (C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\visic_coupon.dll) -> Found
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B} -> Found
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{44d07caa-4fc4-5a84-9951-a485ad808d0e} (C:\Program Files\Free Ride Games\npGameTreatWidget.dll) -> Found
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762} (ole32.dll) -> Found
[Suspicious.Path] HKEY_CLASSES_ROOT\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25} (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HYD1F.tmp.1492103044\HTA\3rdparty\FS.ocx) -> Found
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96} (C:\PROGRA~1\COMMON~1\WONDER~1\WONDER~1\WSHelper.exe) -> Found
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E} -> Found
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{A3E2F089-DDBB-4CBF-B06C-5D44DA316ED3} ("C:\Program Files\Softonic\Softonic\1.8.19.3\Softonicsrv.exe") -> Found
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{AF175732-0D59-716D-F757-9F1492D808D9} (C:\WINDOWS\system32\Dxtmsft.dll) -> Found
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370} -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Babylon -> Found
[PUP.Conduit|PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Conduit -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\Software\iLividSRTB -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\Software\PerformerSoft -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\Software\PIP -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Softonic -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Torch -> Found
[PUP.SpeedUpMyPc|PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Uniblue -> Found
[PUP.Gen1] HKEY_USERS\.DEFAULT\Software\IBUpdaterService -> Found
[PUP.Gen1] HKEY_USERS\S-1-5-21-1343024091-1417001333-1801674531-500\Software\APN PIP -> Found
[PUP.BabSolution|PUP.Gen1] HKEY_USERS\S-1-5-21-1343024091-1417001333-1801674531-500\Software\BabSolution -> Found
[PUP.Conduit|PUP.Gen1] HKEY_USERS\S-1-5-21-1343024091-1417001333-1801674531-500\Software\Conduit -> Found
[PUP.Gen1] HKEY_USERS\S-1-5-21-1343024091-1417001333-1801674531-500\Software\iLivid -> Found
[PUP.Gen1] HKEY_USERS\S-1-5-21-1343024091-1417001333-1801674531-500\Software\OCS -> Found
[PUP.Gen1] HKEY_USERS\S-1-5-21-1343024091-1417001333-1801674531-500\Software\PerformerSoft -> Found
[PUP.Gen1] HKEY_USERS\S-1-5-21-1343024091-1417001333-1801674531-500\Software\PIP -> Found
[PUP.Gen1] HKEY_USERS\S-1-5-21-1343024091-1417001333-1801674531-500\Software\SmartTweak -> Found
[PUP.Gen1] HKEY_USERS\S-1-5-21-1343024091-1417001333-1801674531-500\Software\Softonic -> Found
[PUP.Gen1] HKEY_USERS\S-1-5-21-1343024091-1417001333-1801674531-500\Software\StartSearch -> Found
[PUP.Gen1] HKEY_USERS\S-1-5-21-1343024091-1417001333-1801674531-500\Software\Torch -> Found
[PUP.Gen1] HKEY_USERS\S-1-5-18\Software\IBUpdaterService -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{2B7BDADB-EC8C-4C54-B5DD-CE45A016D3A7} -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\FilesFrog Update Checker -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Updater Service -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{15D2D75C-9CB2-4efd-BAD7-B9B4CB4BC693} -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{2B7BDADB-EC8C-4C54-B5DD-CE45A016D3A7} -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{C3E85EE9-5892-4142-B537-BCEB3DAC4C3D} -> Found
[PUP.Gen1] HKEY_USERS\S-1-5-21-1343024091-1417001333-1801674531-500\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\eType -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters | DhcpNameServer : 172.16.0.1 ([])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{4BC90E87-0E5A-4E12-B3CA-6C67D2290DD1} | DhcpNameServer : 172.16.0.1 ([])  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1343024091-1417001333-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1343024091-1417001333-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2  -> Found
 
¤¤¤ Tasks : 1 ¤¤¤
[PUP.Gen0] %WINDIR%\Tasks\Browser Manager.job -- C:\WINDOWS\system32\sc.exe (start Browser Manager) -> Found
 
¤¤¤ Files : 19 ¤¤¤
[PUP.HackTool][Folder] C:\WINDOWS\AutoKMS -> Found
[PUP.Gen1][Folder] C:\Documents and Settings\Administrator\Application Data\eType -> Found
[PUP.uTorrentAds][File] C:\Documents and Settings\Administrator\Application Data\uTorrent\updates\3.5.0_43580\utorrentie.exe -> Found
[PUP.uTorrentAds][File] C:\Documents and Settings\Administrator\Application Data\uTorrent\updates\3.5.3_44396\utorrentie.exe -> Found
[PUP.Gen1][Folder] C:\Documents and Settings\Administrator\Local Settings\Application Data\IAC -> Found
[PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\Browser Manager -> Found
[PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\Wincert -> Found
[PUP.Gen1][Folder] C:\Program Files\File Scout -> Found
[PUP.Gen1][Folder] C:\Program Files\Free Ride Games -> Found
[PUP.Gen1][Folder] C:\Program Files\Movies Toolbar -> Found
[PUP.Plumbytes][Folder] C:\Program Files\Plumbytes Software -> Found
[PUP.Gen1][Folder] C:\Program Files\Search Results Toolbar -> Found
[PUP.Gen0|PUP.Gen1][Folder] C:\Program Files\Settings Manager -> Found
[PUP.Gen0][Folder] C:\Program Files\System -> Found
[PUP.Gen1][Folder] C:\Program Files\Yuna Software -> Found
[PUP.Gen1][Folder] C:\Program Files\~BabylonToolbar -> Found
[PUP.Gen1][Folder] C:\Documents and Settings\Administrator\Application Data\eType -> Found
[PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\Browser Manager -> Found
[PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\Wincert -> Found
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 2 ¤¤¤
[PUM.SearchEngine][Firefox:Config] mz5mwmuu.default-1521231873678 : user_pref("browser.search.selectedEngine", "Yahoo! Search Engine"); -> Found
[PUM.SearchEngine][Firefox:Config] mz5mwmuu.default-1521231873678 : user_pref("browser.search.defaultenginename", "Yahoo! Search Engine"); -> Found
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HTS424030M9AT00 +++++
--- User ---
[MBR] e70c499677a21b917dcae09835de0d91
[BSP] 90b5bccdbd64ae2119144574ae35a65e : Legit.Unknown|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 15356 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 31449600 | Size: 13259 MB
User = LL1 ... OK
Error reading LL2 MBR! NOT VALID!

Edited by Ranidf, 30 August 2018 - 03:14 PM.
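The RogueKiller report posted above has a regular line format (a section header like `¤¤¤ Registry : 43 ¤¤¤`, then one finding per line as `[Category|Alias][Kind] <key or path> -> Found`). As an added example that is not part of this thread and not Adlice's own code, the Python script below parses that format, counts findings per section, pulls out entries whose backing file sits under a Temp directory (such as the `Suspicious.Path` CLSID above), and checks whether the `PUM.Dns` name servers are private RFC 1918 addresses, which normally means the local router rather than a DNS hijack. The embedded sample is a shortened copy of the report lines above; the regexes are inferred from those lines, not from any RogueKiller documentation.

```python
import re
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Section header, e.g. "¤¤¤ Registry : 43 ¤¤¤" or "¤¤¤ MBR Check : ¤¤¤" (no count).
SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?) :\s*(?P<count>\d+)?\s*¤¤¤$")
# One finding line: [Category|Alias...][Kind] <body> -> <status>
FINDING_RE = re.compile(
    r"^\[(?P<tags>[^\]]+)\](?:\[(?P<kind>[^\]]+)\])? (?P<body>.+?) -> (?P<status>[A-Za-z ]+)$"
)


@dataclass(frozen=True)
class Finding:
    section: str               # "Registry", "Tasks", "Files", ...
    category: str              # first tag, e.g. "PUP.Gen0" or "PUM.Dns"
    aliases: Tuple[str, ...]   # further tags joined with '|', e.g. ("PUP.Gen1",)
    kind: str                  # "File", "Folder", "Firefox:Config" or "" when absent
    body: str                  # registry key / path / setting text before "->"
    status: str                # "Found", "Deleted", ...


def parse_report(text: str) -> List[Finding]:
    """Turn a RogueKiller text report into Finding records tagged with their section."""
    section = None
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        m = FINDING_RE.match(line)
        if m and section:
            tags = m.group("tags").split("|")
            findings.append(Finding(section, tags[0], tuple(tags[1:]),
                                    m.group("kind") or "",
                                    m.group("body").strip(),
                                    m.group("status").strip()))
    return findings


def section_counts(findings: List[Finding]) -> Counter:
    """How many parsed findings each section contains."""
    return Counter(f.section for f in findings)


def temp_backed(findings: List[Finding]) -> List[Finding]:
    """Findings whose backing file lives under a Temp directory, or that RogueKiller
    already tagged Suspicious.Path: a persistent COM registration pointing into Temp
    is either an installer leftover or something to inspect, so it is surfaced first."""
    return [f for f in findings
            if f.category == "Suspicious.Path" or "\\temp\\" in f.body.lower()]


def dns_servers(findings: List[Finding]) -> List[Tuple[str, bool]]:
    """(address, is_private) for every PUM.Dns entry. A private address is normally the
    DHCP-assigned router, so it is a setting to review rather than evidence of hijacking."""
    out = []
    for f in findings:
        if f.category != "PUM.Dns":
            continue
        m = re.search(r"NameServer : ([\d.]+)", f.body)
        if m:
            ip = ipaddress.ip_address(m.group(1))
            out.append((str(ip), ip.is_private))
    return out


# Constructed sample: a shortened copy of the report lines posted in this thread.
SAMPLE_REPORT = r"""RogueKiller V12.12.33.0 [Aug 27 2018] (Free) by Adlice Software

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 43 ¤¤¤
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D} (C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\visic_coupon.dll) -> Found
[Suspicious.Path] HKEY_CLASSES_ROOT\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25} (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HYD1F.tmp.1492103044\HTA\3rdparty\FS.ocx) -> Found
[PUP.Conduit|PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Conduit -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters | DhcpNameServer : 172.16.0.1 ([])  -> Found

¤¤¤ Tasks : 1 ¤¤¤
[PUP.Gen0] %WINDIR%\Tasks\Browser Manager.job -- C:\WINDOWS\system32\sc.exe (start Browser Manager) -> Found

¤¤¤ Files : 19 ¤¤¤
[PUP.HackTool][Folder] C:\WINDOWS\AutoKMS -> Found

¤¤¤ Web browsers : 2 ¤¤¤
[PUM.SearchEngine][Firefox:Config] mz5mwmuu.default-1521231873678 : user_pref("browser.search.selectedEngine", "Yahoo! Search Engine"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HTS424030M9AT00 +++++
User = LL1 ... OK
Error reading LL2 MBR! NOT VALID!
"""

if __name__ == "__main__":
    fs = parse_report(SAMPLE_REPORT)
    print("findings per section:", dict(section_counts(fs)))
    for f in temp_backed(fs):
        print("review first:", f.category, f.body)
    for addr, private in dns_servers(fs):
        print("DNS server", addr, "(private, likely the router)" if private else "(public)")
```

Run against a full ReportRogue.txt the same way (`parse_report(open(path, encoding="utf-8").read())`); the `PUM` prefix in the report marks modified settings, not malware, which is why the script separates the DNS and search-engine entries from the `PUP`/`Suspicious.Path` ones instead of counting them all as infections.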


#15 nasdaq

  • Malware Response Team
  • 40,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 August 2018 - 06:34 AM

Hi,

First, keep your comments about me to yourself.
If you continue, I will close your topic.

Are you serious? Filesystem I mentioned is a name of a subfolder in /ironportable browser. I'm not talking about FAT or NTFS.

Google Filesystem and you may find better definitions.
This is an XP computer, which I do not have, so I cannot find out if it's valid.
Check with the XP forum.
===

If adlice.com is working on your comp, but is not working on my computer

Clean your cookies; it may help.
===

There is nothing wrong with your LL2 MBR; it's a false positive.
Google LL2 MBR and find out.
===

If not already done, clean all the entries found by RogueKiller.
Restart the computer when finished.



