
Some programs do not execute, cannot install new programs


12 replies to this topic

#1 coco1704

Posted 10 November 2018 - 03:47 PM

Need help...

 

Several programs do not execute. 

Also, when trying to install new software - not installing.

Running Windows 7, 64 

Cannot run system restore point either.

Cannot run Combo.exe

Adware cleaner

Malwarebytes and any antivirus programs.

Also, in the task bar a blank icon appears and it is running; sometimes there are two or three.


Edited by hamluis, 10 November 2018 - 05:53 PM.
Moved from Win 7 to Malware Removal - Hamluis.




#2 nasdaq (Malware Response Team)

Posted 12 November 2018 - 07:59 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
 
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
 
Download the version of this tool for your operating system and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
 
How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png
 
Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===
 
Please post the logs for my review.
 
Wait for further instructions.
 
p.s.
If you have problems downloading the program with the compromised computer, try this.
If you have the means download the program with a good computer.
Copy the Farbar program to the Desktop of the compromised computer
Try to execute the application. Post the logs.


#3 coco1704 (Topic Starter)

Posted 12 November 2018 - 09:59 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11.11.2018
Ran by User (administrator) on USER-PC (12-11-2018 09:19:40)
Running from C:\Users\User\Desktop\FarBar64
Loaded Profiles: User (Available Profiles: User)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Opera)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(TOSHIBA CORPORATION) C:\Windows\System32\weamrtxsvc.exe
(Qihoo 360 Technology Co. Ltd.) C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(BitTorrent Inc.) C:\Users\User\AppData\Roaming\uTorrent\uTorrent.exe
(AOMEI Tech Co., Ltd.) C:\Program Files (x86)\AOMEI Backupper\ABService.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
(Qihoo 360 Technology Co. Ltd.) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(BitTorrent Inc.) C:\Users\User\AppData\Roaming\uTorrent\updates\3.5.4_44632\utorrentie.exe
() C:\Program Files (x86)\Roxio\BackOnTrack\App\BService.exe
() C:\Users\User\AppData\Local\dscovgm\dscovgm.exe
(Dropbox, Inc.) C:\Windows\System32\DbxSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
(BitTorrent Inc.) C:\Users\User\AppData\Roaming\uTorrent\updates\3.5.4_44632\utorrentie.exe
() C:\Program Files\MySQL\MySQL Server 5.5\bin\mysqld.exe
() C:\Users\User\AppData\Local\mbsiekh\timhgrv.exe
(Softros Systems, Inc.) C:\Program Files\Softros Systems\Process Blocker\Process Blocker.exe
(arvato digital services llc) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(arvato digital services llc) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(DEVGURU Co., LTD.) C:\Program Files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(QIHU 360 SOFTWARE CO. LIMITED) C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\BrYNSvc.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(HP Inc.) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
() C:\Users\User\AppData\Local\dscovgm\pcimegb.exe
() C:\Users\User\AppData\Local\dscovgm\pcimegb.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera_crashreporter.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [242904 2018-08-21] (AVAST Software)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [301880 2018-08-23] (Apple Inc.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [4513792 2014-05-22] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [QHSafeTray] => C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe [1828416 2018-10-29] (Qihoo 360 Technology Co. Ltd.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 0
HKLM\...\Policies\Explorer: [NoResolveSearch] 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-176798144-3595912555-2340562074-1000\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [67384 2018-06-26] (Apple Inc.)
HKU\S-1-5-21-176798144-3595912555-2340562074-1000\...\Run: [CCleaner Smart Cleaning] => C:\Program Files\CCleaner\CCleaner64.exe [18594760 2018-09-19] (Piriform Ltd)
HKU\S-1-5-21-176798144-3595912555-2340562074-1000\...\Run: [uTorrent] => C:\Users\User\AppData\Roaming\uTorrent\uTorrent.exe [1987768 2018-09-29] (BitTorrent Inc.)
HKU\S-1-5-21-176798144-3595912555-2340562074-1000\...\Run: [Skype for Desktop] => C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe [49805376 2018-10-26] (Skype Technologies S.A.)
HKU\S-1-5-21-176798144-3595912555-2340562074-1000\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
HKU\S-1-5-21-176798144-3595912555-2340562074-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Ribbons.scr [241664 2010-11-20] (Microsoft Corporation)
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 75.114.81.2 75.114.81.1
Tcpip\Parameters: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{1244DE39-4265-44D5-B02E-000A905A7FA3}: [DhcpNameServer] 65.32.5.74 65.32.5.75
Tcpip\..\Interfaces\{900B00B3-AC32-4716-A6E4-27D1404F2227}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{900B00B3-AC32-4716-A6E4-27D1404F2227}: [DhcpNameServer] 75.114.81.2 75.114.81.1
 
Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-176798144-3595912555-2340562074-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://onet.pl/
HKU\S-1-5-21-176798144-3595912555-2340562074-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: [S-1-5-21-176798144-3595912555-2340562074-1000] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2014-01-23] (Microsoft Corporation)
BHO: SafeMon Class -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> C:\Program Files (x86)\360\Total Security\safemon\safemon64.dll [2018-10-29] (Qihu 360 Software Co., Ltd.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2014-01-22] (Microsoft Corporation)
BHO-x32: SafeMon Class -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> C:\Program Files (x86)\360\Total Security\safemon\safemon.dll [2018-10-29] (Qihu 360 Software Co., Ltd.)
Handler-x32: intu-help-qb9 - {C1252096-0E63-4C06-A38B-03DF9A16AA12} - C:\Program Files (x86)\Intuit\QuickBooks 2016\HelpAsyncPluggableProtocol.dll [2016-03-07] (Intuit, Inc.)
Handler: livecall - No CLSID Value
Handler: msnim - No CLSID Value
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} -  No File
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} -  No File
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2017-08-15] (Microsoft Corporation)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\SysWOW64\mscoree.dll [2010-11-20] (Microsoft Corporation)
Handler: wlmailhtml - No CLSID Value
Handler: wlpg - No CLSID Value
Handler: WSISVCUchrome - No CLSID Value
Handler: WSWSVCUchrome - No CLSID Value
 
FireFox:
========
FF DefaultProfile: 
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_27_0_0_130.dll [2017-09-15] ()
FF Plugin: @java.com/DTPlugin,version=11.181.2 -> C:\Program Files\Java\jre1.8.0_181\bin\dtplugin\npDeployJava1.dll [2018-09-15] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.181.2 -> C:\Program Files\Java\jre1.8.0_181\bin\plugin2\npjp2.dll [2018-09-15] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\Microsoft Office\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_27_0_0_130.dll [2017-09-15] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1229199.dll [2017-03-31] (Adobe Systems, Inc.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2013-02-26] (Google)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2017-12-12] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\Microsoft Office\Office15\NPSPWRAP.DLL [2014-01-22] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-17] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2018-08-09] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2018-08-09] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2018-08-09] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.6 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2018-08-09] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=3.0.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2018-08-09] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=3.0.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2018-08-09] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-176798144-3595912555-2340562074-1000: @talk.google.com/GoogleTalkPlugin -> C:\Users\User\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-176798144-3595912555-2340562074-1000: @talk.google.com/O1DPlugin -> C:\Users\User\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-176798144-3595912555-2340562074-1000: @tools.google.com/Google Update;version=3 -> C:\Users\User\AppData\Local\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin HKU\S-1-5-21-176798144-3595912555-2340562074-1000: @tools.google.com/Google Update;version=9 -> C:\Users\User\AppData\Local\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\User\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\User\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-12-08] (Google)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://onet.pl/
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\Default [2018-11-08]
CHR Extension: (DocHub - Edit and Sign PDF Documents) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\adgncicbhbjfpijkdmbijninnhnmiblj [2018-10-08]
CHR Extension: (Google Drive) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-02-25]
CHR Extension: (Google Docs Offline) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-10-13]
CHR Extension: (Chrome Web Store Payments) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-10-13]
CHR Extension: (Gmail) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2018-02-25]
CHR Extension: (Chrome Media Router) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-10-13]
CHR HKU\S-1-5-21-176798144-3595912555-2340562074-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [dhdgffkkebhmkfjojejmpbldmpobfkfo] - hxxp://clients2.google.com/service/update2/crx
 
Opera: 
=======
OPR Extension: (Evernote Web Clipper) - C:\Users\User\AppData\Roaming\Opera Software\Opera Stable\Extensions\afgbccjghcnbcdjgogpckamibfkceahd [2018-06-26]
OPR Extension: (Translator) - C:\Users\User\AppData\Roaming\Opera Software\Opera Stable\Extensions\cnbpedcoekjafichoehopgaaldogogch [2018-08-17]
OPR Extension: (Adblocker for Youtube™) - C:\Users\User\AppData\Roaming\Opera Software\Opera Stable\Extensions\egmfaijlgimjnjgblmkhfpalbfkeocii [2018-09-22]
OPR Extension: (Disconnect) - C:\Users\User\AppData\Roaming\Opera Software\Opera Stable\Extensions\hciohocinlhbdkbjldffomiadmnhjnoj [2018-06-26]
OPR Extension: (convert2mp3.net Online Video Converter) - C:\Users\User\AppData\Roaming\Opera Software\Opera Stable\Extensions\kefimjmcofjhaphjiadipfoojljnoinn [2018-06-26]
OPR Extension: (Amazon Assistant for Opera) - C:\Users\User\AppData\Roaming\Opera Software\Opera Stable\Extensions\mmmbddcnnndpbdflpccgcknaaabgldak [2018-11-03]
OPR Extension: (SaveFrom.net helper) - C:\Users\User\AppData\Roaming\Opera Software\Opera Stable\Extensions\npdpplbicnmpoigidfdjadamgfkilaak [2018-10-16]
OPR Extension: (Enhancer for YouTube) - C:\Users\User\AppData\Roaming\Opera Software\Opera Stable\Extensions\ofhehnfmgbgnkjaojifkmebjjgffjaeh [2018-11-02]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
HKLM\SYSTEM\CurrentControlSet\Services\cxupt <==== ATTENTION (Rootkit!)
 
S3 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269; C:\Program Files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe [495816 2015-06-10] ()
S3 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2319848 2018-01-05] (Adobe Systems, Incorporated)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2018-08-23] (Apple Inc.)
S3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7780400 2018-08-21] (AVAST Software)
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [322464 2018-08-21] (AVAST Software)
R2 Backupper Service; C:\Program Files (x86)\AOMEI Backupper\ABService.exe [122728 2017-09-04] (AOMEI Tech Co., Ltd.)
S3 becldr3Service; C:\Program Files\BCL Technologies\easyConverter SDK 3\Common\becldr.exe [263168 2013-11-06] () [File not signed]
R2 BOT4Service; C:\Program Files (x86)\Roxio\BackOnTrack\App\BService.exe [23240 2015-09-10] ()
R3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [282112 2013-09-25] (Brother Industries, Ltd.) [File not signed]
S3 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2017-08-04] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2017-08-04] (Dropbox, Inc.)
R2 DbxSvc; C:\Windows\system32\DbxSvc.exe [51016 2018-01-08] (Dropbox, Inc.)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [31776 2016-12-07] (HP Inc.)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-03] (Macrovision Corporation) [File not signed]
R2 MSSQL$ACT7; C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
R2 MySQL; C:\Program Files\MySQL\MySQL Server 5.5\bin\mysqld.exe [9700864 2014-05-11] () [File not signed]
S3 nlsX86cc; C:\Windows\SysWOW64\nlssrv32.exe [66560 2011-02-04] (Nalpeiron Ltd.) [File not signed]
R2 Process Blocker; C:\Program Files\Softros Systems\Process Blocker\Process Blocker.exe [2198352 2015-07-23] (Softros Systems, Inc.)
R2 PSI_SVC_2; c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe [277360 2013-09-13] (arvato digital services llc)
R2 PSI_SVC_2_x64; c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [337776 2014-04-30] (arvato digital services llc)
S2 QBCFMonitorService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2016-03-07] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [65536 2016-03-07] (Intuit Inc.) [File not signed]
S3 QBVSS; C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2016-03-07] (Intuit Inc.) [File not signed]
R2 QHActiveDefense; C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe [965184 2018-10-29] (Qihoo 360 Technology Co. Ltd.)
S3 RoxioBurnLauncher; C:\Program Files (x86)\Roxio Creator NXT 4\Roxio Burn\RoxioBurnLauncher.exe [810696 2015-09-10] ()
S3 RoxMediaDB15; C:\Program Files (x86)\Roxio Creator NXT 4\Common\RoxMediaDB15.exe [1097928 2015-09-11] (Corel Corporation)
S3 RoxWatch15; C:\Program Files (x86)\Roxio Creator NXT 4\Common\RoxWatch15.exe [342216 2015-09-11] (Corel Corporation)
R2 ss_conn_service; C:\Program Files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe [752224 2017-01-16] (DEVGURU Co., LTD.)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 WMSVC; C:\Windows\system32\inetsrv\wmsvc.exe [10752 2009-07-13] (Microsoft Corporation)
S3 ABBYY.Licensing.FineReader.Professional.12.0; "C:\Program Files (x86)\ABBYY FineReader 12\NetworkLicenseServer.exe" -service [X]
S2 BotkindSyncService; C:\Program Files\Allway Sync\Bin\SyncService.exe service [X]
S3 IObitUnSvr; C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe [X]
S2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 360AntiHacker; C:\Windows\System32\Drivers\360AntiHacker64.sys [183416 2018-10-29] (360.cn)
S3 360AvFlt; C:\Windows\System32\DRIVERS\360AvFlt.sys [86248 2018-10-29] (360.cn)
S3 360AvFlt; C:\Windows\SysWOW64\DRIVERS\360AvFlt.sys [86248 2018-02-09] (360.cn)
R1 360Box64; C:\Windows\System32\DRIVERS\360Box64.sys [332384 2018-10-29] (360.cn)
R1 360Camera; C:\Windows\System32\Drivers\360Camera64.sys [49088 2018-10-29] (360.cn)
R1 360FsFlt; C:\Windows\System32\DRIVERS\360FsFlt.sys [450624 2018-10-29] (360.cn)
R1 360netmon; C:\Windows\System32\DRIVERS\360netmon.sys [87672 2018-10-29] (360.cn)
R0 ambakdrv; C:\Windows\System32\ambakdrv.sys [51120 2016-12-21] ()
R2 ammntdrv; C:\Windows\system32\ammntdrv.sys [171952 2016-12-21] ()
R2 amwrtdrv; C:\Windows\system32\amwrtdrv.sys [38320 2017-09-01] ()
S2 ASPI32; C:\Windows\SysWow64\Drivers\ASPI32.sys [14528 1996-07-12] (Adaptec)
R1 aswArPot; C:\Windows\System32\drivers\aswArPot.sys [197160 2018-08-21] (AVAST Software)
R1 aswbidsdriver; C:\Windows\System32\drivers\aswbidsdrivera.sys [229392 2018-08-21] (AVAST Software)
R0 aswbidsh; C:\Windows\System32\drivers\aswbidsha.sys [201328 2018-08-21] (AVAST Software)
R0 aswblog; C:\Windows\System32\drivers\aswbloga.sys [346664 2018-08-21] (AVAST Software)
R0 aswbuniv; C:\Windows\System32\drivers\aswbuniva.sys [59592 2018-08-21] (AVAST Software)
R1 aswHdsKe; C:\Windows\System32\drivers\aswHdsKe.sys [239680 2018-08-21] (AVAST Software)
S3 aswHwid; C:\Windows\System32\drivers\aswHwid.sys [46976 2018-08-21] (AVAST Software)
R2 aswMonFlt; C:\Windows\System32\drivers\aswMonFlt.sys [159640 2018-08-21] (AVAST Software)
R1 aswRdr; C:\Windows\System32\drivers\aswRdr2.sys [111872 2018-08-21] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\drivers\aswRvrt.sys [85968 2018-08-21] (AVAST Software)
R1 aswSnx; C:\Windows\System32\drivers\aswSnx.sys [1027728 2018-08-21] (AVAST Software)
R1 aswSP; C:\Windows\System32\drivers\aswSP.sys [465640 2018-08-24] (AVAST Software)
R2 aswStm; C:\Windows\System32\drivers\aswStm.sys [211160 2018-08-21] (AVAST Software)
S3 aswTap; C:\Windows\System32\DRIVERS\aswTap.sys [53904 2017-03-20] (The OpenVPN Project)
R0 aswVmm; C:\Windows\System32\drivers\aswVmm.sys [381584 2018-08-21] (AVAST Software)
S3 athur; C:\Windows\System32\DRIVERS\athurx.sys [1847296 2010-01-05] (Atheros Communications, Inc.) [File not signed]
R1 BAPIDRV; C:\Windows\System32\DRIVERS\BAPIDRV64.sys [210016 2018-10-29] (360.cn)
S3 catchme; no ImagePath
S3 dg_ssudbus; C:\Windows\System32\DRIVERS\ssudbus.sys [131984 2017-05-18] (Samsung Electronics Co., Ltd.)
S3 DrvSnSht; C:\Program Files (x86)\R-Drive Image\DrvSnSht64.sys [132432 2010-06-01] (R-TT Inc.)
S1 Eve; C:\Windows\System32\DRIVERS\eve.sys [41304 2014-04-10] ()
R1 GUBootStartup; C:\Windows\System32\drivers\GUBootStartup.sys [28424 2018-05-28] (Glarysoft Ltd)
R1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [27552 2017-12-28] (REALiX™)
S1 IMFCameraProtect; C:\Windows\system32\drivers\IMFCameraProtect.sys [26272 2017-04-06] (IObit.com)
S3 IMFDownProtect; no ImagePath
S3 IMFFilter; no ImagePath
S3 IMFForceDelete; no ImagePath
S4 IObitUnlocker; C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.sys [48672 2017-06-19] (IObit)
S4 IUFileFilter; no ImagePath
R2 PfFilter; C:\Program Files (x86)\IObit\Protected Folder\pffilter.sys [38392 2012-11-23] (IObit Information Technology)
R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2013-07-19] (Corel Corporation)
S3 R-ImageDisk; C:\Program Files (x86)\R-Drive Image\R-ImageDisk64.sys [213584 2014-10-10] (R-TT Inc.)
R1 RawDisk3; C:\Windows\system32\drivers\rawdsk3.sys [41576 2016-02-19] (EldoS Corporation)
S3 RegFilter; no ImagePath
S3 Revoflt; C:\Windows\SysWOW64\DRIVERS\revoflt.sys [40240 2016-12-21] (VS Revo Group)
R0 Sahdad64; C:\Windows\System32\Drivers\Sahdad64.sys [37032 2016-01-11] (Corel Corporation)
R0 Saibad64; C:\Windows\System32\Drivers\Saibad64.sys [28840 2016-01-11] (Corel Corporation)
R1 SaibVdAd64; C:\Windows\System32\Drivers\SaibVdAd64.sys [36520 2016-01-11] (Corel Corporation)
S3 ssudmdm; C:\Windows\System32\DRIVERS\ssudmdm.sys [166288 2017-05-18] (Samsung Electronics Co., Ltd.)
R2 supersafer64; C:\Windows\SysWOW64\drivers\supersafer64.sys [238072 2011-11-15] (Spotmau)
S3 WsAudio_Device(1); C:\Windows\System32\drivers\VirtualAudio1.sys [31080 2014-11-26] (Wondershare)
S3 WsAudio_Device(2); C:\Windows\System32\drivers\VirtualAudio2.sys [31080 2014-11-26] (Wondershare)
S3 WsAudio_Device(3); C:\Windows\System32\drivers\VirtualAudio3.sys [31080 2014-11-26] (Wondershare)
S3 WsAudio_Device(4); C:\Windows\System32\drivers\VirtualAudio4.sys [31080 2014-11-26] (Wondershare)
S3 WsAudio_Device(5); C:\Windows\System32\drivers\VirtualAudio5.sys [31080 2014-11-26] (Wondershare)
U1 aswbdisk; no ImagePath
R3 cgjmpt; system32\drivers\jmptwz.sys [X]
S3 cpuz143; \??\C:\Windows\temp\cpuz143\cpuz143_x64.sys [X]
S3 iobit_monitor_server; \??\C:\Program Files (x86)\IObit\Advanced SystemCare\drivers\Monitor_win7_x64.sys [X]
S3 IUProcessFilter; \??\C:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win7_amd64\IUProcessFilter.sys [X]
S3 IURegistryFilter; \??\C:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win7_amd64\IURegistryFilter.sys [X]
U0 Partizan; system32\drivers\Partizan.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-11-12 09:17 - 2018-11-12 09:19 - 000000000 ____D C:\Users\User\Desktop\FarBar64
2018-11-12 06:46 - 2018-11-12 06:46 - 000142672 ____N C:\Windows\system32\Drivers\upbuxaeh.sys
2018-11-11 16:10 - 2018-11-11 16:10 - 000257848 _____ C:\Users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2018-11-11 08:11 - 2018-11-11 08:11 - 000000000 _____ C:\attrib
2018-11-11 08:03 - 2018-11-11 08:03 - 002527376 _____ (Trend Micro Inc.) C:\Users\User\Downloads\HousecallLauncher64.exe
2018-11-11 07:03 - 2018-11-11 07:03 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kodi
2018-11-11 07:02 - 2018-11-11 07:03 - 000000000 ____D C:\Program Files (x86)\Kodi
2018-11-10 17:58 - 2018-11-10 17:58 - 000000000 ____D C:\Windows\system32\CleanLog
2018-11-10 15:23 - 2018-11-10 15:23 - 001296779 _____ C:\Users\User\Downloads\PPA - 7BE - Silvio Benetti - 09.11.2018.pdf
2018-11-10 15:22 - 2018-11-10 15:22 - 022595784 _____ C:\Users\User\Downloads\KYC - 7BE -  SILVIO DA SILVA BENETTI - 09.11.2018.pdf
2018-11-10 04:00 - 2018-11-10 04:00 - 001819429 _____ C:\Users\User\Downloads\KYCRENATO 12 10 18.pdf
2018-11-10 03:58 - 2018-11-10 04:00 - 000000000 ____D C:\Users\User\Desktop\Cotzen
2018-11-09 16:39 - 2018-11-09 16:39 - 003945778 _____ C:\Users\User\Downloads\EURO SCANNER HSBC - RUBERLEI XS1387219659-
2018-11-09 15:35 - 2018-11-09 15:36 - 002861772 _____ C:\Users\User\Downloads\fwdschmidtmartin1_2billiondeutchebank.zip
2018-11-09 12:38 - 2018-11-09 12:38 - 014267218 _____ C:\Users\User\Downloads\fwdnickdehartog16_6bbankmelli.zip
2018-11-09 10:33 - 2018-11-09 10:34 - 004437161 _____ C:\Users\User\Downloads\Voice 002.m4a
2018-11-08 15:44 - 2018-11-08 15:44 - 021298161 _____ C:\Users\User\Downloads\updated KYC - 7BE -  SILVIO DA SILVA BENETTI - 08.11.2018.pdf
2018-11-08 15:44 - 2018-11-08 15:44 - 001567929 _____ C:\Users\User\Downloads\RWA-7 BE - SILVIO DA SILVA BENETTI - 08.11.2018.pdf
2018-11-08 10:44 - 2018-11-08 10:44 - 021663745 _____ C:\Users\User\Downloads\Voice 001.m4a
2018-11-08 10:37 - 2018-11-08 10:37 - 000000000 ____D C:\Users\User\Desktop\Cindy Ng-NIQDs
2018-11-07 17:57 - 2018-11-07 18:02 - 000007711 _____ C:\Users\User\Downloads\BITCOIN EXCHANGE PROGRAM-GUSTAVO  31.10.18.odt
2018-11-07 16:32 - 2018-11-08 04:31 - 000000000 ____D C:\Users\User\AppData\Roaming\15FE0951-324B-43CF-9E68-9B749803BCF3
2018-11-07 12:24 - 2018-11-07 12:24 - 003964304 _____ (Power Software Ltd) C:\Users\User\Desktop\PowerISO7-cnet.exe
2018-11-07 08:36 - 2018-11-07 10:10 - 000000000 ____D C:\Users\User\Desktop\Rescue descriptions
2018-11-07 05:08 - 2018-11-07 05:10 - 000000000 ____D C:\Users\User\AppData\Roaming\InfraRecorder
2018-11-07 05:05 - 2018-11-07 05:05 - 000000000 ____D C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\InfraRecorder
2018-11-07 05:05 - 2018-11-07 05:05 - 000000000 ____D C:\Program Files\InfraRecorder
2018-11-07 04:59 - 2018-11-07 04:59 - 004153344 _____ C:\Users\User\Downloads\ir053_x64.msi
2018-11-07 04:08 - 2018-11-07 04:08 - 010249373 _____ C:\Users\User\Downloads\IMG_20181107_0001.pdf
2018-11-06 13:23 - 2018-11-06 13:23 - 000000000 ____D C:\Users\User\Downloads\fwvenezuelabondsoneuroclear
2018-11-05 04:21 - 2018-11-08 06:19 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Melody Assistant
2018-11-05 04:21 - 2018-11-05 04:21 - 000000000 ____D C:\Users\User\Documents\Myriad Documents
2018-11-05 04:20 - 2018-11-05 04:22 - 000000000 ____D C:\Users\User\AppData\Roaming\ACAMPREF
2018-11-04 17:06 - 2018-11-12 06:51 - 000000000 ____D C:\Users\User\AppData\LocalLow\uTorrent
2018-11-02 11:09 - 2018-11-02 12:41 - 000000000 ____D C:\Users\User\Desktop\Oliveira
2018-11-01 15:08 - 2018-11-01 15:08 - 000011215 _____ C:\Users\User\Downloads\SG Dividend Bullet Estimates  Sheet1.xlsx
2018-11-01 05:20 - 2018-11-01 05:20 - 000000000 ____D C:\Users\User\Downloads\MediaHuman
2018-11-01 04:01 - 2018-11-01 04:01 - 000000000 ____D C:\ProgramData\GridinSoft
2018-10-31 15:33 - 2018-10-31 15:33 - 000000165 _____ C:\Users\User\~$Rachunki 2018.xlsx
2018-10-31 15:03 - 2018-10-31 15:03 - 001960011 _____ C:\Users\User\Downloads\barclayssblc.zip
2018-10-31 13:30 - 2018-10-31 13:30 - 000000000 ____D C:\Users\User\Documents\TotalAV
2018-10-31 13:30 - 2018-10-31 13:30 - 000000000 ____D C:\ProgramData\SecuritySuite
2018-10-31 10:20 - 2018-11-10 03:13 - 000000000 ____D C:\$360Section
2018-10-31 07:55 - 2018-11-11 10:42 - 000000000 ____D C:\Users\User\AppData\Roaming\360DrvMgr
2018-10-31 06:55 - 2018-11-11 15:09 - 000000560 __RSH C:\ProgramData\ntuser.pol
2018-10-31 06:53 - 2018-11-12 07:02 - 000000000 ____D C:\Users\User\AppData\LocalLow\360WD
2018-10-31 06:53 - 2018-11-11 16:21 - 000000000 ____D C:\ProgramData\360safe
2018-10-31 06:53 - 2018-11-01 04:16 - 000000000 ____D C:\Users\User\AppData\Roaming\360safe
2018-10-31 06:53 - 2018-10-31 11:06 - 000000000 ____D C:\Users\User\AppData\Roaming\360TotalSecurity
2018-10-31 06:53 - 2018-10-31 06:53 - 000001157 _____ C:\Users\Public\Desktop\360 Total Security.lnk
2018-10-31 06:53 - 2018-10-31 06:53 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\360 Security Center
2018-10-31 06:53 - 2018-10-29 01:07 - 000450624 _____ (360.cn) C:\Windows\system32\Drivers\360fsflt.sys
2018-10-31 06:53 - 2018-10-29 01:07 - 000332384 _____ (360.cn) C:\Windows\system32\Drivers\360Box64.sys
2018-10-31 06:53 - 2018-10-29 01:07 - 000210016 _____ (360.cn) C:\Windows\system32\Drivers\BAPIDRV64.SYS
2018-10-31 06:53 - 2018-10-29 01:07 - 000087672 _____ (360.cn) C:\Windows\system32\Drivers\360netmon.sys
2018-10-31 06:52 - 2018-11-11 12:49 - 000000000 ____D C:\ProgramData\360TotalSecurity
2018-10-31 06:52 - 2018-10-29 01:07 - 000183416 _____ (360.cn) C:\Windows\system32\Drivers\360AntiHacker64.sys
2018-10-31 06:52 - 2018-10-29 01:07 - 000086248 _____ (360.cn) C:\Windows\system32\Drivers\360AvFlt.sys
2018-10-31 06:52 - 2018-10-29 01:07 - 000049088 _____ (360.cn) C:\Windows\system32\Drivers\360Camera64.sys
2018-10-31 06:51 - 2018-11-12 09:19 - 000000000 ____D C:\FRST
2018-10-30 09:09 - 2018-10-30 09:09 - 000000622 _____ C:\Users\User\win7.vbs
2018-10-29 07:47 - 2018-10-29 07:47 - 000010025 _____ C:\Users\User\Debt in EE.xlsx
2018-10-29 06:54 - 2018-10-29 06:54 - 000001066 _____ C:\Users\Public\Desktop\VLC media player.lnk
2018-10-26 15:17 - 2018-10-26 15:17 - 000843763 _____ C:\Users\User\22 PAGES 2B_MTN BOND_LEASE_EUROCLEAR TITLE TRANSFER_SCREEN BLOCK_CONFIRMATION_EYUP MEMIS.pdf
2018-10-25 13:01 - 2018-10-25 13:01 - 000438541 _____ C:\Users\User\€2B MTN EUROBOND LEASE_RBC_RWA.pdf
2018-10-24 04:03 - 2018-10-24 04:03 - 001664432 _____ C:\Users\User\Downloads\bookmarks_10_24_18.html
2018-10-14 05:08 - 2018-10-24 04:21 - 000000876 _____ C:\Users\User\exe.reg
2018-10-13 07:36 - 2018-10-13 07:37 - 000000000 ____D C:\Users\User\Desktop\Gifts and Taxes
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-11-12 09:21 - 2016-05-15 05:01 - 000000000 ____D C:\Users\User\AppData\Roaming\uTorrent
2018-11-12 09:18 - 2018-05-28 18:43 - 000000000 ____D C:\Users\User\Desktop\Misc
2018-11-12 09:15 - 2009-07-13 21:34 - 019398656 _____ C:\Windows\system32\config\HARDWARE
2018-11-12 08:40 - 2018-06-27 19:07 - 000081449 _____ C:\Users\User\Rachunki 2018.xlsx
2018-11-12 08:11 - 2018-05-26 07:53 - 000000000 ____D C:\Users\User\AppData\Roaming\WhatsApp
2018-11-12 07:58 - 2018-02-26 10:51 - 000000000 ____D C:\Users\User\AppData\Local\CrashDumps
2018-11-12 07:03 - 2009-07-13 23:45 - 000031904 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-11-12 07:03 - 2009-07-13 23:45 - 000031904 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-11-12 06:56 - 2018-10-09 08:25 - 000000000 ____D C:\Users\User\AppData\Local\dscovgm
2018-11-12 06:51 - 2018-02-06 20:33 - 000000000 ____D C:\Program Files (x86)\AOMEI Backupper
2018-11-12 06:51 - 2016-07-27 11:58 - 000000082 _____ C:\Windows\SysWOW64\winsevr.dat
2018-11-12 06:50 - 2009-07-14 00:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-11-12 06:47 - 2018-10-09 08:24 - 002888704 _____ (TOSHIBA CORPORATION) C:\Windows\system32\weamrtxsvc.exe
2018-11-12 06:43 - 2014-11-16 05:17 - 000000000 ____D C:\Users\User\Desktop\SOFT 2018
2018-11-11 17:30 - 2016-07-27 11:58 - 000000000 ____D C:\ProgramData\AomeiBR
2018-11-11 17:29 - 2016-07-27 11:59 - 000001024 ____H C:\SYSTAG.BIN
2018-11-11 16:05 - 2018-10-08 14:20 - 001208040 _____ C:\Windows\ntbtlog.txt
2018-11-11 15:33 - 2018-06-26 10:04 - 000000000 ____D C:\Users\User\AppData\Roaming\Kodi
2018-11-11 07:43 - 2009-07-14 00:13 - 000998120 _____ C:\Windows\system32\PerfStringBackup.INI
2018-11-11 07:43 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\inf
2018-11-11 07:02 - 2018-07-29 12:51 - 000000000 ____D C:\Users\User\Desktop\Leszek zycie
2018-11-10 17:59 - 2018-03-11 04:41 - 000000000 ____D C:\Users\User\AppData\Local\Downloaded Installations
2018-11-10 17:59 - 2017-12-05 08:31 - 000000000 __RHD C:\MSOCache
2018-11-10 17:59 - 2016-07-14 15:52 - 000000000 ____D C:\Users\User\AppData\Local\Dropbox
2018-11-10 17:59 - 2016-05-31 14:03 - 000000000 ____D C:\Program Files (x86)\Opera
2018-11-10 17:59 - 2014-11-15 03:39 - 000000000 ____D C:\Users\User\AppData\Local\ElevatedDiagnostics
2018-11-10 09:35 - 2018-08-19 10:28 - 000000000 ____D C:\Users\User\Desktop\Writing Tips
2018-11-10 08:53 - 2017-09-16 04:52 - 000000000 ____D C:\Users\User\Desktop\Solo
2018-11-10 08:33 - 2018-03-04 15:39 - 000000000 ____D C:\Users\User\AppData\Roaming\MoneyManagerEx
2018-11-10 08:18 - 2017-12-30 08:38 - 000000000 ____D C:\Users\User\Finanse
2018-11-10 05:14 - 2018-06-27 19:18 - 000061440 _____ C:\Users\User\Artex-2018.xls
2018-11-10 04:20 - 2014-11-15 04:58 - 000000000 ____D C:\Users\User\Documents\Outlook Files
2018-11-10 03:13 - 2018-02-24 08:38 - 000000000 ____D C:\ProgramData\360Quarant
2018-11-09 11:06 - 2018-05-15 07:36 - 000000000 ____D C:\Users\User\Downloads\MOVIES
2018-11-09 10:57 - 2017-12-23 08:29 - 000000000 ____D C:\Users\User\AppData\Roaming\vlc
2018-11-09 07:40 - 2014-11-12 18:34 - 000000000 ____D C:\Users\User\Deals 2018
2018-11-09 06:39 - 2018-05-26 07:53 - 000000000 ____D C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WhatsApp
2018-11-09 06:38 - 2018-05-26 07:52 - 000000000 ____D C:\Users\User\AppData\Local\WhatsApp
2018-11-09 06:38 - 2017-07-28 12:45 - 000000000 ____D C:\Users\User\AppData\Local\SquirrelTemp
2018-11-08 17:16 - 2014-12-23 08:45 - 000000000 ____D C:\Users\User\Desktop\Shorts
2018-11-08 12:49 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\rescache
2018-11-07 13:14 - 2018-06-26 04:24 - 000003832 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1519548753
2018-11-07 12:23 - 2014-12-13 10:29 - 000000000 ____D C:\ProgramData\Roxio
2018-11-07 09:42 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\SysWOW64\Setup
2018-11-07 09:42 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\system32\Setup
2018-11-07 08:58 - 2017-12-25 15:09 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2018-11-07 08:52 - 2009-07-13 21:34 - 000000541 _____ C:\Windows\win.ini
2018-11-05 08:49 - 2016-12-23 08:54 - 000000000 ____D C:\Users\User\Desktop\ALBUM XIII
2018-11-05 04:33 - 2018-07-14 10:12 - 000000000 ____D C:\Users\User\Downloads\Older
2018-11-02 04:33 - 2017-09-25 05:57 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ResumeMaker Professional
2018-11-02 04:33 - 2017-09-25 05:55 - 000000000 ____D C:\Program Files (x86)\ResumeMaker Professional
2018-11-02 04:22 - 2017-10-04 06:20 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MediaHuman
2018-11-02 04:22 - 2017-10-04 06:19 - 000000000 ____D C:\Program Files (x86)\MediaHuman
2018-11-02 04:19 - 2017-10-04 06:20 - 000000000 ____D C:\Users\User\AppData\Local\MediaHuman
2018-11-01 04:25 - 2018-06-30 19:07 - 000000000 ____D C:\Users\User\AppData\Roaming\IObit
2018-11-01 04:25 - 2014-11-12 10:32 - 000000000 ____D C:\ProgramData\IObit
2018-11-01 04:25 - 2014-11-12 10:32 - 000000000 ____D C:\Program Files (x86)\IObit
2018-10-31 10:32 - 2018-07-13 07:07 - 000000000 ____D C:\Program Files\KMSpico
2018-10-31 10:25 - 2017-12-28 13:42 - 000000000 ____D C:\Users\User\Desktop\Utilities
2018-10-31 10:24 - 2018-09-21 06:52 - 000003966 _____ C:\Windows\System32\Tasks\CCleaner Update
2018-10-31 10:24 - 2018-05-28 12:01 - 000002970 _____ C:\Windows\System32\Tasks\GU5SkipUAC
2018-10-31 10:24 - 2018-01-19 03:45 - 000003456 _____ C:\Windows\System32\Tasks\AdobeGCInvoker-1.0-User-PC-User
2018-10-31 10:24 - 2017-11-26 10:29 - 000003142 _____ C:\Windows\System32\Tasks\{4DB282EB-E18E-4DB4-B600-DBA37078CFF2}
2018-10-31 06:51 - 2018-02-24 08:32 - 000000000 ____D C:\Program Files (x86)\360
2018-10-30 17:39 - 2018-01-13 20:39 - 000003334 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2018-10-30 17:39 - 2018-01-13 20:39 - 000003206 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2018-10-29 18:39 - 2009-07-14 00:32 - 000000000 ____D C:\Windows\system32\FxsTmp
2018-10-27 10:48 - 2017-12-16 16:43 - 000000000 ____D C:\Users\Classic .NET AppPool
2018-10-27 10:48 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\registration
2018-10-27 05:39 - 2018-07-09 18:44 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2018-10-27 05:39 - 2018-02-25 08:25 - 000000000 ____D C:\Users\User\AppData\Roaming\Skype
2018-10-27 05:39 - 2018-02-22 15:24 - 000001306 _____ C:\Users\Public\Desktop\Skype.lnk
2018-10-25 11:27 - 2014-12-24 07:09 - 000000000 ____D C:\Users\User\Documents\LZ-pers
2018-10-15 05:37 - 2018-09-04 05:54 - 000000000 ____D C:\Users\User\Offshore-SWIFTS
2018-10-14 12:55 - 2018-05-28 07:17 - 000001183 _____ C:\Users\Public\Desktop\Wise JetSearch.lnk
2018-10-14 12:55 - 2018-05-28 07:16 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wise JetSearch
 
==================== Files in the root of some directories =======
 
2018-10-14 05:08 - 2018-10-24 04:21 - 000000876 _____ () C:\Users\User\exe.reg
2018-10-30 09:09 - 2018-10-30 09:09 - 000000622 _____ () C:\Users\User\win7.vbs
2017-12-02 15:13 - 2017-12-02 15:13 - 000000192 ____H () C:\Program Files (x86)\file_id.diz
2018-09-22 04:00 - 2018-09-22 04:00 - 000000000 _____ () C:\Program Files (x86)\Common Files\Timer
2018-07-09 04:27 - 2018-07-09 04:27 - 000000000 ____N () C:\Users\User\AppData\Roaming\ActUpdate.log
2014-11-13 08:04 - 2017-03-01 08:27 - 000007859 _____ () C:\Users\User\AppData\Roaming\pcouffin.cat
2014-11-13 08:04 - 2017-03-01 08:27 - 000001167 _____ () C:\Users\User\AppData\Roaming\pcouffin.inf
2014-11-13 08:04 - 2017-03-01 08:27 - 000082816 _____ (VSO Software) C:\Users\User\AppData\Roaming\pcouffin.sys
2015-05-19 10:48 - 2015-05-19 10:48 - 000000047 _____ () C:\Users\User\AppData\Roaming\WB.CFG
2017-03-02 19:15 - 2018-08-17 05:36 - 000008192 _____ () C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2018-05-19 07:23 - 2018-05-19 07:30 - 000005785 _____ () C:\Users\User\AppData\Local\flip.txt
2018-05-19 07:23 - 2018-05-19 07:23 - 003418355 _____ () C:\Users\User\AppData\Local\flip.zip
2018-09-22 04:02 - 2018-09-22 04:02 - 000140800 _____ () C:\Users\User\AppData\Local\installer.dat
2018-05-19 07:26 - 2018-05-19 07:26 - 000000028 _____ () C:\Users\User\AppData\Local\pdfFli.ini
2018-05-19 07:27 - 2018-05-19 07:29 - 000000088 _____ () C:\Users\User\AppData\Local\recent.txt
2017-12-18 07:46 - 2017-12-18 07:46 - 000000759 _____ () C:\Users\User\AppData\Local\recently-used.xbel
2018-04-10 19:33 - 2018-04-10 19:33 - 000007602 _____ () C:\Users\User\AppData\Local\Resmon.ResmonCfg
2015-07-04 19:03 - 2018-06-14 15:04 - 004224000 _____ () C:\Users\User\AppData\Local\rx_audio.Cache
2015-07-04 18:57 - 2018-05-04 16:26 - 082116608 _____ () C:\Users\User\AppData\Local\rx_image32.Cache
2018-06-04 12:52 - 2018-06-04 12:52 - 000000000 _____ () C:\Users\User\AppData\Local\{00018DC7-BF40-47DB-86AF-A5056643AF38}
2016-09-03 04:57 - 2016-09-03 04:57 - 000000000 _____ () C:\Users\User\AppData\Local\{1967AC26-8830-4077-9E98-9A9492FD5D24}
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\drivers\upbuxaeh.sys -> Access Denied <======= ATTENTION
 
LastRegBack: 2018-11-11 16:50
 
==================== End of FRST.txt ============================


#4 coco1704

  • Topic Starter

  • Members
  • 7 posts

Posted 12 November 2018 - 10:52 AM

When I sent the FRST.txt report, I missed Addition.txt. Here it is.



#5 nasdaq


  • Malware Response Team
  • 40,482 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 November 2018 - 11:13 AM

Hi,

Try again. It's not in your last post.

Copy and paste it in your next post.



#6 coco1704

  • Topic Starter

  • Members
  • 7 posts

Posted 13 November 2018 - 06:00 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11.11.2018
Ran by User (administrator) on USER-PC (12-11-2018 09:19:40)
Running from C:\Users\User\Desktop\FarBar64
Loaded Profiles: User (Available Profiles: User)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Opera)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(TOSHIBA CORPORATION) C:\Windows\System32\weamrtxsvc.exe
(Qihoo 360 Technology Co. Ltd.) C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(BitTorrent Inc.) C:\Users\User\AppData\Roaming\uTorrent\uTorrent.exe
(AOMEI Tech Co., Ltd.) C:\Program Files (x86)\AOMEI Backupper\ABService.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
(Qihoo 360 Technology Co. Ltd.) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(BitTorrent Inc.) C:\Users\User\AppData\Roaming\uTorrent\updates\3.5.4_44632\utorrentie.exe
() C:\Program Files (x86)\Roxio\BackOnTrack\App\BService.exe
() C:\Users\User\AppData\Local\dscovgm\dscovgm.exe
(Dropbox, Inc.) C:\Windows\System32\DbxSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
(BitTorrent Inc.) C:\Users\User\AppData\Roaming\uTorrent\updates\3.5.4_44632\utorrentie.exe
() C:\Program Files\MySQL\MySQL Server 5.5\bin\mysqld.exe
() C:\Users\User\AppData\Local\mbsiekh\timhgrv.exe
(Softros Systems, Inc.) C:\Program Files\Softros Systems\Process Blocker\Process Blocker.exe
(arvato digital services llc) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(arvato digital services llc) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(DEVGURU Co., LTD.) C:\Program Files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(QIHU 360 SOFTWARE CO. LIMITED) C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\BrYNSvc.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(HP Inc.) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
() C:\Users\User\AppData\Local\dscovgm\pcimegb.exe
() C:\Users\User\AppData\Local\dscovgm\pcimegb.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera_crashreporter.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\56.0.3051.99\opera.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [242904 2018-08-21] (AVAST Software)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [301880 2018-08-23] (Apple Inc.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [4513792 2014-05-22] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [QHSafeTray] => C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe [1828416 2018-10-29] (Qihoo 360 Technology Co. Ltd.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 0
HKLM\...\Policies\Explorer: [NoResolveSearch] 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-176798144-3595912555-2340562074-1000\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [67384 2018-06-26] (Apple Inc.)
HKU\S-1-5-21-176798144-3595912555-2340562074-1000\...\Run: [CCleaner Smart Cleaning] => C:\Program Files\CCleaner\CCleaner64.exe [18594760 2018-09-19] (Piriform Ltd)
HKU\S-1-5-21-176798144-3595912555-2340562074-1000\...\Run: [uTorrent] => C:\Users\User\AppData\Roaming\uTorrent\uTorrent.exe [1987768 2018-09-29] (BitTorrent Inc.)
HKU\S-1-5-21-176798144-3595912555-2340562074-1000\...\Run: [Skype for Desktop] => C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe [49805376 2018-10-26] (Skype Technologies S.A.)
HKU\S-1-5-21-176798144-3595912555-2340562074-1000\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
HKU\S-1-5-21-176798144-3595912555-2340562074-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Ribbons.scr [241664 2010-11-20] (Microsoft Corporation)
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 75.114.81.2 75.114.81.1
Tcpip\Parameters: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{1244DE39-4265-44D5-B02E-000A905A7FA3}: [DhcpNameServer] 65.32.5.74 65.32.5.75
Tcpip\..\Interfaces\{900B00B3-AC32-4716-A6E4-27D1404F2227}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{900B00B3-AC32-4716-A6E4-27D1404F2227}: [DhcpNameServer] 75.114.81.2 75.114.81.1
 
Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-176798144-3595912555-2340562074-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://onet.pl/
HKU\S-1-5-21-176798144-3595912555-2340562074-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: [S-1-5-21-176798144-3595912555-2340562074-1000] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2014-01-23] (Microsoft Corporation)
BHO: SafeMon Class -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> C:\Program Files (x86)\360\Total Security\safemon\safemon64.dll [2018-10-29] (Qihu 360 Software Co., Ltd.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2014-01-22] (Microsoft Corporation)
BHO-x32: SafeMon Class -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> C:\Program Files (x86)\360\Total Security\safemon\safemon.dll [2018-10-29] (Qihu 360 Software Co., Ltd.)
Handler-x32: intu-help-qb9 - {C1252096-0E63-4C06-A38B-03DF9A16AA12} - C:\Program Files (x86)\Intuit\QuickBooks 2016\HelpAsyncPluggableProtocol.dll [2016-03-07] (Intuit, Inc.)
Handler: livecall - No CLSID Value
Handler: msnim - No CLSID Value
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} -  No File
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} -  No File
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2017-08-15] (Microsoft Corporation)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\SysWOW64\mscoree.dll [2010-11-20] (Microsoft Corporation)
Handler: wlmailhtml - No CLSID Value
Handler: wlpg - No CLSID Value
Handler: WSISVCUchrome - No CLSID Value
Handler: WSWSVCUchrome - No CLSID Value
 
FireFox:
========
FF DefaultProfile: 
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_27_0_0_130.dll [2017-09-15] ()
FF Plugin: @java.com/DTPlugin,version=11.181.2 -> C:\Program Files\Java\jre1.8.0_181\bin\dtplugin\npDeployJava1.dll [2018-09-15] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.181.2 -> C:\Program Files\Java\jre1.8.0_181\bin\plugin2\npjp2.dll [2018-09-15] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\Microsoft Office\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_27_0_0_130.dll [2017-09-15] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1229199.dll [2017-03-31] (Adobe Systems, Inc.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2013-02-26] (Google)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2017-12-12] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\Microsoft Office\Office15\NPSPWRAP.DLL [2014-01-22] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-17] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2018-08-09] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2018-08-09] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2018-08-09] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.6 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2018-08-09] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=3.0.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2018-08-09] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=3.0.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2018-08-09] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-176798144-3595912555-2340562074-1000: @talk.google.com/GoogleTalkPlugin -> C:\Users\User\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-176798144-3595912555-2340562074-1000: @talk.google.com/O1DPlugin -> C:\Users\User\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-176798144-3595912555-2340562074-1000: @tools.google.com/Google Update;version=3 -> C:\Users\User\AppData\Local\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin HKU\S-1-5-21-176798144-3595912555-2340562074-1000: @tools.google.com/Google Update;version=9 -> C:\Users\User\AppData\Local\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\User\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\User\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-12-08] (Google)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://onet.pl/
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\Default [2018-11-08]
CHR Extension: (DocHub - Edit and Sign PDF Documents) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\adgncicbhbjfpijkdmbijninnhnmiblj [2018-10-08]
CHR Extension: (Google Drive) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-02-25]
CHR Extension: (Google Docs Offline) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-10-13]
CHR Extension: (Chrome Web Store Payments) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-10-13]
CHR Extension: (Gmail) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2018-02-25]
CHR Extension: (Chrome Media Router) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-10-13]
CHR HKU\S-1-5-21-176798144-3595912555-2340562074-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [dhdgffkkebhmkfjojejmpbldmpobfkfo] - hxxp://clients2.google.com/service/update2/crx
 
Opera: 
=======
OPR Extension: (Evernote Web Clipper) - C:\Users\User\AppData\Roaming\Opera Software\Opera Stable\Extensions\afgbccjghcnbcdjgogpckamibfkceahd [2018-06-26]
OPR Extension: (Translator) - C:\Users\User\AppData\Roaming\Opera Software\Opera Stable\Extensions\cnbpedcoekjafichoehopgaaldogogch [2018-08-17]
OPR Extension: (Adblocker for Youtube™) - C:\Users\User\AppData\Roaming\Opera Software\Opera Stable\Extensions\egmfaijlgimjnjgblmkhfpalbfkeocii [2018-09-22]
OPR Extension: (Disconnect) - C:\Users\User\AppData\Roaming\Opera Software\Opera Stable\Extensions\hciohocinlhbdkbjldffomiadmnhjnoj [2018-06-26]
OPR Extension: (convert2mp3.net Online Video Converter) - C:\Users\User\AppData\Roaming\Opera Software\Opera Stable\Extensions\kefimjmcofjhaphjiadipfoojljnoinn [2018-06-26]
OPR Extension: (Amazon Assistant for Opera) - C:\Users\User\AppData\Roaming\Opera Software\Opera Stable\Extensions\mmmbddcnnndpbdflpccgcknaaabgldak [2018-11-03]
OPR Extension: (SaveFrom.net helper) - C:\Users\User\AppData\Roaming\Opera Software\Opera Stable\Extensions\npdpplbicnmpoigidfdjadamgfkilaak [2018-10-16]
OPR Extension: (Enhancer for YouTube) - C:\Users\User\AppData\Roaming\Opera Software\Opera Stable\Extensions\ofhehnfmgbgnkjaojifkmebjjgffjaeh [2018-11-02]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
HKLM\SYSTEM\CurrentControlSet\Services\cxupt <==== ATTENTION (Rootkit!)
 
S3 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269; C:\Program Files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe [495816 2015-06-10] ()
S3 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2319848 2018-01-05] (Adobe Systems, Incorporated)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2018-08-23] (Apple Inc.)
S3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7780400 2018-08-21] (AVAST Software)
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [322464 2018-08-21] (AVAST Software)
R2 Backupper Service; C:\Program Files (x86)\AOMEI Backupper\ABService.exe [122728 2017-09-04] (AOMEI Tech Co., Ltd.)
S3 becldr3Service; C:\Program Files\BCL Technologies\easyConverter SDK 3\Common\becldr.exe [263168 2013-11-06] () [File not signed]
R2 BOT4Service; C:\Program Files (x86)\Roxio\BackOnTrack\App\BService.exe [23240 2015-09-10] ()
R3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [282112 2013-09-25] (Brother Industries, Ltd.) [File not signed]
S3 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2017-08-04] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2017-08-04] (Dropbox, Inc.)
R2 DbxSvc; C:\Windows\system32\DbxSvc.exe [51016 2018-01-08] (Dropbox, Inc.)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [31776 2016-12-07] (HP Inc.)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-03] (Macrovision Corporation) [File not signed]
R2 MSSQL$ACT7; C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
R2 MySQL; C:\Program Files\MySQL\MySQL Server 5.5\bin\mysqld.exe [9700864 2014-05-11] () [File not signed]
S3 nlsX86cc; C:\Windows\SysWOW64\nlssrv32.exe [66560 2011-02-04] (Nalpeiron Ltd.) [File not signed]
R2 Process Blocker; C:\Program Files\Softros Systems\Process Blocker\Process Blocker.exe [2198352 2015-07-23] (Softros Systems, Inc.)
R2 PSI_SVC_2; c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe [277360 2013-09-13] (arvato digital services llc)
R2 PSI_SVC_2_x64; c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [337776 2014-04-30] (arvato digital services llc)
S2 QBCFMonitorService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2016-03-07] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [65536 2016-03-07] (Intuit Inc.) [File not signed]
S3 QBVSS; C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2016-03-07] (Intuit Inc.) [File not signed]
R2 QHActiveDefense; C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe [965184 2018-10-29] (Qihoo 360 Technology Co. Ltd.)
S3 RoxioBurnLauncher; C:\Program Files (x86)\Roxio Creator NXT 4\Roxio Burn\RoxioBurnLauncher.exe [810696 2015-09-10] ()
S3 RoxMediaDB15; C:\Program Files (x86)\Roxio Creator NXT 4\Common\RoxMediaDB15.exe [1097928 2015-09-11] (Corel Corporation)
S3 RoxWatch15; C:\Program Files (x86)\Roxio Creator NXT 4\Common\RoxWatch15.exe [342216 2015-09-11] (Corel Corporation)
R2 ss_conn_service; C:\Program Files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe [752224 2017-01-16] (DEVGURU Co., LTD.)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 WMSVC; C:\Windows\system32\inetsrv\wmsvc.exe [10752 2009-07-13] (Microsoft Corporation)
S3 ABBYY.Licensing.FineReader.Professional.12.0; "C:\Program Files (x86)\ABBYY FineReader 12\NetworkLicenseServer.exe" -service [X]
S2 BotkindSyncService; C:\Program Files\Allway Sync\Bin\SyncService.exe service [X]
S3 IObitUnSvr; C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe [X]
S2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 360AntiHacker; C:\Windows\System32\Drivers\360AntiHacker64.sys [183416 2018-10-29] (360.cn)
S3 360AvFlt; C:\Windows\System32\DRIVERS\360AvFlt.sys [86248 2018-10-29] (360.cn)
S3 360AvFlt; C:\Windows\SysWOW64\DRIVERS\360AvFlt.sys [86248 2018-02-09] (360.cn)
R1 360Box64; C:\Windows\System32\DRIVERS\360Box64.sys [332384 2018-10-29] (360.cn)
R1 360Camera; C:\Windows\System32\Drivers\360Camera64.sys [49088 2018-10-29] (360.cn)
R1 360FsFlt; C:\Windows\System32\DRIVERS\360FsFlt.sys [450624 2018-10-29] (360.cn)
R1 360netmon; C:\Windows\System32\DRIVERS\360netmon.sys [87672 2018-10-29] (360.cn)
R0 ambakdrv; C:\Windows\System32\ambakdrv.sys [51120 2016-12-21] ()
R2 ammntdrv; C:\Windows\system32\ammntdrv.sys [171952 2016-12-21] ()
R2 amwrtdrv; C:\Windows\system32\amwrtdrv.sys [38320 2017-09-01] ()
S2 ASPI32; C:\Windows\SysWow64\Drivers\ASPI32.sys [14528 1996-07-12] (Adaptec)
R1 aswArPot; C:\Windows\System32\drivers\aswArPot.sys [197160 2018-08-21] (AVAST Software)
R1 aswbidsdriver; C:\Windows\System32\drivers\aswbidsdrivera.sys [229392 2018-08-21] (AVAST Software)
R0 aswbidsh; C:\Windows\System32\drivers\aswbidsha.sys [201328 2018-08-21] (AVAST Software)
R0 aswblog; C:\Windows\System32\drivers\aswbloga.sys [346664 2018-08-21] (AVAST Software)
R0 aswbuniv; C:\Windows\System32\drivers\aswbuniva.sys [59592 2018-08-21] (AVAST Software)
R1 aswHdsKe; C:\Windows\System32\drivers\aswHdsKe.sys [239680 2018-08-21] (AVAST Software)
S3 aswHwid; C:\Windows\System32\drivers\aswHwid.sys [46976 2018-08-21] (AVAST Software)
R2 aswMonFlt; C:\Windows\System32\drivers\aswMonFlt.sys [159640 2018-08-21] (AVAST Software)
R1 aswRdr; C:\Windows\System32\drivers\aswRdr2.sys [111872 2018-08-21] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\drivers\aswRvrt.sys [85968 2018-08-21] (AVAST Software)
R1 aswSnx; C:\Windows\System32\drivers\aswSnx.sys [1027728 2018-08-21] (AVAST Software)
R1 aswSP; C:\Windows\System32\drivers\aswSP.sys [465640 2018-08-24] (AVAST Software)
R2 aswStm; C:\Windows\System32\drivers\aswStm.sys [211160 2018-08-21] (AVAST Software)
S3 aswTap; C:\Windows\System32\DRIVERS\aswTap.sys [53904 2017-03-20] (The OpenVPN Project)
R0 aswVmm; C:\Windows\System32\drivers\aswVmm.sys [381584 2018-08-21] (AVAST Software)
S3 athur; C:\Windows\System32\DRIVERS\athurx.sys [1847296 2010-01-05] (Atheros Communications, Inc.) [File not signed]
R1 BAPIDRV; C:\Windows\System32\DRIVERS\BAPIDRV64.sys [210016 2018-10-29] (360.cn)
S3 catchme; no ImagePath
S3 dg_ssudbus; C:\Windows\System32\DRIVERS\ssudbus.sys [131984 2017-05-18] (Samsung Electronics Co., Ltd.)
S3 DrvSnSht; C:\Program Files (x86)\R-Drive Image\DrvSnSht64.sys [132432 2010-06-01] (R-TT Inc.)
S1 Eve; C:\Windows\System32\DRIVERS\eve.sys [41304 2014-04-10] ()
R1 GUBootStartup; C:\Windows\System32\drivers\GUBootStartup.sys [28424 2018-05-28] (Glarysoft Ltd)
R1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [27552 2017-12-28] (REALiX™)
S1 IMFCameraProtect; C:\Windows\system32\drivers\IMFCameraProtect.sys [26272 2017-04-06] (IObit.com)
S3 IMFDownProtect; no ImagePath
S3 IMFFilter; no ImagePath
S3 IMFForceDelete; no ImagePath
S4 IObitUnlocker; C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.sys [48672 2017-06-19] (IObit)
S4 IUFileFilter; no ImagePath
R2 PfFilter; C:\Program Files (x86)\IObit\Protected Folder\pffilter.sys [38392 2012-11-23] (IObit Information Technology)
R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2013-07-19] (Corel Corporation)
S3 R-ImageDisk; C:\Program Files (x86)\R-Drive Image\R-ImageDisk64.sys [213584 2014-10-10] (R-TT Inc.)
R1 RawDisk3; C:\Windows\system32\drivers\rawdsk3.sys [41576 2016-02-19] (EldoS Corporation)
S3 RegFilter; no ImagePath
S3 Revoflt; C:\Windows\SysWOW64\DRIVERS\revoflt.sys [40240 2016-12-21] (VS Revo Group)
R0 Sahdad64; C:\Windows\System32\Drivers\Sahdad64.sys [37032 2016-01-11] (Corel Corporation)
R0 Saibad64; C:\Windows\System32\Drivers\Saibad64.sys [28840 2016-01-11] (Corel Corporation)
R1 SaibVdAd64; C:\Windows\System32\Drivers\SaibVdAd64.sys [36520 2016-01-11] (Corel Corporation)
S3 ssudmdm; C:\Windows\System32\DRIVERS\ssudmdm.sys [166288 2017-05-18] (Samsung Electronics Co., Ltd.)
R2 supersafer64; C:\Windows\SysWOW64\drivers\supersafer64.sys [238072 2011-11-15] (Spotmau)
S3 WsAudio_Device(1); C:\Windows\System32\drivers\VirtualAudio1.sys [31080 2014-11-26] (Wondershare)
S3 WsAudio_Device(2); C:\Windows\System32\drivers\VirtualAudio2.sys [31080 2014-11-26] (Wondershare)
S3 WsAudio_Device(3); C:\Windows\System32\drivers\VirtualAudio3.sys [31080 2014-11-26] (Wondershare)
S3 WsAudio_Device(4); C:\Windows\System32\drivers\VirtualAudio4.sys [31080 2014-11-26] (Wondershare)
S3 WsAudio_Device(5); C:\Windows\System32\drivers\VirtualAudio5.sys [31080 2014-11-26] (Wondershare)
U1 aswbdisk; no ImagePath
R3 cgjmpt; system32\drivers\jmptwz.sys [X]
S3 cpuz143; \??\C:\Windows\temp\cpuz143\cpuz143_x64.sys [X]
S3 iobit_monitor_server; \??\C:\Program Files (x86)\IObit\Advanced SystemCare\drivers\Monitor_win7_x64.sys [X]
S3 IUProcessFilter; \??\C:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win7_amd64\IUProcessFilter.sys [X]
S3 IURegistryFilter; \??\C:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win7_amd64\IURegistryFilter.sys [X]
U0 Partizan; system32\drivers\Partizan.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-11-12 09:17 - 2018-11-12 09:19 - 000000000 ____D C:\Users\User\Desktop\FarBar64
2018-11-12 06:46 - 2018-11-12 06:46 - 000142672 ____N C:\Windows\system32\Drivers\upbuxaeh.sys
2018-11-11 16:10 - 2018-11-11 16:10 - 000257848 _____ C:\Users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2018-11-11 08:11 - 2018-11-11 08:11 - 000000000 _____ C:\attrib
2018-11-11 08:03 - 2018-11-11 08:03 - 002527376 _____ (Trend Micro Inc.) C:\Users\User\Downloads\HousecallLauncher64.exe
2018-11-11 07:03 - 2018-11-11 07:03 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kodi
2018-11-11 07:02 - 2018-11-11 07:03 - 000000000 ____D C:\Program Files (x86)\Kodi
2018-11-10 17:58 - 2018-11-10 17:58 - 000000000 ____D C:\Windows\system32\CleanLog
2018-11-10 15:23 - 2018-11-10 15:23 - 001296779 _____ C:\Users\User\Downloads\PPA - 7BE - Silvio Benetti - 09.11.2018.pdf
2018-11-10 15:22 - 2018-11-10 15:22 - 022595784 _____ C:\Users\User\Downloads\KYC - 7BE -  SILVIO DA SILVA BENETTI - 09.11.2018.pdf
2018-11-10 04:00 - 2018-11-10 04:00 - 001819429 _____ C:\Users\User\Downloads\KYCRENATO 12 10 18.pdf
2018-11-10 03:58 - 2018-11-10 04:00 - 000000000 ____D C:\Users\User\Desktop\Cotzen
2018-11-09 16:39 - 2018-11-09 16:39 - 003945778 _____ C:\Users\User\Downloads\EURO SCANNER HSBC - RUBERLEI XS1387219659-
2018-11-09 15:35 - 2018-11-09 15:36 - 002861772 _____ C:\Users\User\Downloads\fwdschmidtmartin1_2billiondeutchebank.zip
2018-11-09 12:38 - 2018-11-09 12:38 - 014267218 _____ C:\Users\User\Downloads\fwdnickdehartog16_6bbankmelli.zip
2018-11-09 10:33 - 2018-11-09 10:34 - 004437161 _____ C:\Users\User\Downloads\Voice 002.m4a
2018-11-08 15:44 - 2018-11-08 15:44 - 021298161 _____ C:\Users\User\Downloads\updated KYC - 7BE -  SILVIO DA SILVA BENETTI - 08.11.2018.pdf
2018-11-08 15:44 - 2018-11-08 15:44 - 001567929 _____ C:\Users\User\Downloads\RWA-7 BE - SILVIO DA SILVA BENETTI - 08.11.2018.pdf
2018-11-08 10:44 - 2018-11-08 10:44 - 021663745 _____ C:\Users\User\Downloads\Voice 001.m4a
2018-11-08 10:37 - 2018-11-08 10:37 - 000000000 ____D C:\Users\User\Desktop\Cindy Ng-NIQDs
2018-11-07 17:57 - 2018-11-07 18:02 - 000007711 _____ C:\Users\User\Downloads\BITCOIN EXCHANGE PROGRAM-GUSTAVO  31.10.18.odt
2018-11-07 16:32 - 2018-11-08 04:31 - 000000000 ____D C:\Users\User\AppData\Roaming\15FE0951-324B-43CF-9E68-9B749803BCF3
2018-11-07 12:24 - 2018-11-07 12:24 - 003964304 _____ (Power Software Ltd) C:\Users\User\Desktop\PowerISO7-cnet.exe
2018-11-07 08:36 - 2018-11-07 10:10 - 000000000 ____D C:\Users\User\Desktop\Rescue descriptions
2018-11-07 05:08 - 2018-11-07 05:10 - 000000000 ____D C:\Users\User\AppData\Roaming\InfraRecorder
2018-11-07 05:05 - 2018-11-07 05:05 - 000000000 ____D C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\InfraRecorder
2018-11-07 05:05 - 2018-11-07 05:05 - 000000000 ____D C:\Program Files\InfraRecorder
2018-11-07 04:59 - 2018-11-07 04:59 - 004153344 _____ C:\Users\User\Downloads\ir053_x64.msi
2018-11-07 04:08 - 2018-11-07 04:08 - 010249373 _____ C:\Users\User\Downloads\IMG_20181107_0001.pdf
2018-11-06 13:23 - 2018-11-06 13:23 - 000000000 ____D C:\Users\User\Downloads\fwvenezuelabondsoneuroclear
2018-11-05 04:21 - 2018-11-08 06:19 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Melody Assistant
2018-11-05 04:21 - 2018-11-05 04:21 - 000000000 ____D C:\Users\User\Documents\Myriad Documents
2018-11-05 04:20 - 2018-11-05 04:22 - 000000000 ____D C:\Users\User\AppData\Roaming\ACAMPREF
2018-11-04 17:06 - 2018-11-12 06:51 - 000000000 ____D C:\Users\User\AppData\LocalLow\uTorrent
2018-11-02 11:09 - 2018-11-02 12:41 - 000000000 ____D C:\Users\User\Desktop\Oliveira
2018-11-01 15:08 - 2018-11-01 15:08 - 000011215 _____ C:\Users\User\Downloads\SG Dividend Bullet Estimates  Sheet1.xlsx
2018-11-01 05:20 - 2018-11-01 05:20 - 000000000 ____D C:\Users\User\Downloads\MediaHuman
2018-11-01 04:01 - 2018-11-01 04:01 - 000000000 ____D C:\ProgramData\GridinSoft
2018-10-31 15:33 - 2018-10-31 15:33 - 000000165 _____ C:\Users\User\~$Rachunki 2018.xlsx
2018-10-31 15:03 - 2018-10-31 15:03 - 001960011 _____ C:\Users\User\Downloads\barclayssblc.zip
2018-10-31 13:30 - 2018-10-31 13:30 - 000000000 ____D C:\Users\User\Documents\TotalAV
2018-10-31 13:30 - 2018-10-31 13:30 - 000000000 ____D C:\ProgramData\SecuritySuite
2018-10-31 10:20 - 2018-11-10 03:13 - 000000000 ____D C:\$360Section
2018-10-31 07:55 - 2018-11-11 10:42 - 000000000 ____D C:\Users\User\AppData\Roaming\360DrvMgr
2018-10-31 06:55 - 2018-11-11 15:09 - 000000560 __RSH C:\ProgramData\ntuser.pol
2018-10-31 06:53 - 2018-11-12 07:02 - 000000000 ____D C:\Users\User\AppData\LocalLow\360WD
2018-10-31 06:53 - 2018-11-11 16:21 - 000000000 ____D C:\ProgramData\360safe
2018-10-31 06:53 - 2018-11-01 04:16 - 000000000 ____D C:\Users\User\AppData\Roaming\360safe
2018-10-31 06:53 - 2018-10-31 11:06 - 000000000 ____D C:\Users\User\AppData\Roaming\360TotalSecurity
2018-10-31 06:53 - 2018-10-31 06:53 - 000001157 _____ C:\Users\Public\Desktop\360 Total Security.lnk
2018-10-31 06:53 - 2018-10-31 06:53 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\360 Security Center
2018-10-31 06:53 - 2018-10-29 01:07 - 000450624 _____ (360.cn) C:\Windows\system32\Drivers\360fsflt.sys
2018-10-31 06:53 - 2018-10-29 01:07 - 000332384 _____ (360.cn) C:\Windows\system32\Drivers\360Box64.sys
2018-10-31 06:53 - 2018-10-29 01:07 - 000210016 _____ (360.cn) C:\Windows\system32\Drivers\BAPIDRV64.SYS
2018-10-31 06:53 - 2018-10-29 01:07 - 000087672 _____ (360.cn) C:\Windows\system32\Drivers\360netmon.sys
2018-10-31 06:52 - 2018-11-11 12:49 - 000000000 ____D C:\ProgramData\360TotalSecurity
2018-10-31 06:52 - 2018-10-29 01:07 - 000183416 _____ (360.cn) C:\Windows\system32\Drivers\360AntiHacker64.sys
2018-10-31 06:52 - 2018-10-29 01:07 - 000086248 _____ (360.cn) C:\Windows\system32\Drivers\360AvFlt.sys
2018-10-31 06:52 - 2018-10-29 01:07 - 000049088 _____ (360.cn) C:\Windows\system32\Drivers\360Camera64.sys
2018-10-31 06:51 - 2018-11-12 09:19 - 000000000 ____D C:\FRST
2018-10-30 09:09 - 2018-10-30 09:09 - 000000622 _____ C:\Users\User\win7.vbs
2018-10-29 07:47 - 2018-10-29 07:47 - 000010025 _____ C:\Users\User\Debt in EE.xlsx
2018-10-29 06:54 - 2018-10-29 06:54 - 000001066 _____ C:\Users\Public\Desktop\VLC media player.lnk
2018-10-26 15:17 - 2018-10-26 15:17 - 000843763 _____ C:\Users\User\22 PAGES 2B_MTN BOND_LEASE_EUROCLEAR TITLE TRANSFER_SCREEN BLOCK_CONFIRMATION_EYUP MEMIS.pdf
2018-10-25 13:01 - 2018-10-25 13:01 - 000438541 _____ C:\Users\User\€2B MTN EUROBOND LEASE_RBC_RWA.pdf
2018-10-24 04:03 - 2018-10-24 04:03 - 001664432 _____ C:\Users\User\Downloads\bookmarks_10_24_18.html
2018-10-14 05:08 - 2018-10-24 04:21 - 000000876 _____ C:\Users\User\exe.reg
2018-10-13 07:36 - 2018-10-13 07:37 - 000000000 ____D C:\Users\User\Desktop\Gifts and Taxes
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-11-12 09:21 - 2016-05-15 05:01 - 000000000 ____D C:\Users\User\AppData\Roaming\uTorrent
2018-11-12 09:18 - 2018-05-28 18:43 - 000000000 ____D C:\Users\User\Desktop\Misc
2018-11-12 09:15 - 2009-07-13 21:34 - 019398656 _____ C:\Windows\system32\config\HARDWARE
2018-11-12 08:40 - 2018-06-27 19:07 - 000081449 _____ C:\Users\User\Rachunki 2018.xlsx
2018-11-12 08:11 - 2018-05-26 07:53 - 000000000 ____D C:\Users\User\AppData\Roaming\WhatsApp
2018-11-12 07:58 - 2018-02-26 10:51 - 000000000 ____D C:\Users\User\AppData\Local\CrashDumps
2018-11-12 07:03 - 2009-07-13 23:45 - 000031904 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-11-12 07:03 - 2009-07-13 23:45 - 000031904 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-11-12 06:56 - 2018-10-09 08:25 - 000000000 ____D C:\Users\User\AppData\Local\dscovgm
2018-11-12 06:51 - 2018-02-06 20:33 - 000000000 ____D C:\Program Files (x86)\AOMEI Backupper
2018-11-12 06:51 - 2016-07-27 11:58 - 000000082 _____ C:\Windows\SysWOW64\winsevr.dat
2018-11-12 06:50 - 2009-07-14 00:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-11-12 06:47 - 2018-10-09 08:24 - 002888704 _____ (TOSHIBA CORPORATION) C:\Windows\system32\weamrtxsvc.exe
2018-11-12 06:43 - 2014-11-16 05:17 - 000000000 ____D C:\Users\User\Desktop\SOFT 2018
2018-11-11 17:30 - 2016-07-27 11:58 - 000000000 ____D C:\ProgramData\AomeiBR
2018-11-11 17:29 - 2016-07-27 11:59 - 000001024 ____H C:\SYSTAG.BIN
2018-11-11 16:05 - 2018-10-08 14:20 - 001208040 _____ C:\Windows\ntbtlog.txt
2018-11-11 15:33 - 2018-06-26 10:04 - 000000000 ____D C:\Users\User\AppData\Roaming\Kodi
2018-11-11 07:43 - 2009-07-14 00:13 - 000998120 _____ C:\Windows\system32\PerfStringBackup.INI
2018-11-11 07:43 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\inf
2018-11-11 07:02 - 2018-07-29 12:51 - 000000000 ____D C:\Users\User\Desktop\Leszek zycie
2018-11-10 17:59 - 2018-03-11 04:41 - 000000000 ____D C:\Users\User\AppData\Local\Downloaded Installations
2018-11-10 17:59 - 2017-12-05 08:31 - 000000000 __RHD C:\MSOCache
2018-11-10 17:59 - 2016-07-14 15:52 - 000000000 ____D C:\Users\User\AppData\Local\Dropbox
2018-11-10 17:59 - 2016-05-31 14:03 - 000000000 ____D C:\Program Files (x86)\Opera
2018-11-10 17:59 - 2014-11-15 03:39 - 000000000 ____D C:\Users\User\AppData\Local\ElevatedDiagnostics
2018-11-10 09:35 - 2018-08-19 10:28 - 000000000 ____D C:\Users\User\Desktop\Writing Tips
2018-11-10 08:53 - 2017-09-16 04:52 - 000000000 ____D C:\Users\User\Desktop\Solo
2018-11-10 08:33 - 2018-03-04 15:39 - 000000000 ____D C:\Users\User\AppData\Roaming\MoneyManagerEx
2018-11-10 08:18 - 2017-12-30 08:38 - 000000000 ____D C:\Users\User\Finanse
2018-11-10 05:14 - 2018-06-27 19:18 - 000061440 _____ C:\Users\User\Artex-2018.xls
2018-11-10 04:20 - 2014-11-15 04:58 - 000000000 ____D C:\Users\User\Documents\Outlook Files
2018-11-10 03:13 - 2018-02-24 08:38 - 000000000 ____D C:\ProgramData\360Quarant
2018-11-09 11:06 - 2018-05-15 07:36 - 000000000 ____D C:\Users\User\Downloads\MOVIES
2018-11-09 10:57 - 2017-12-23 08:29 - 000000000 ____D C:\Users\User\AppData\Roaming\vlc
2018-11-09 07:40 - 2014-11-12 18:34 - 000000000 ____D C:\Users\User\Deals 2018
2018-11-09 06:39 - 2018-05-26 07:53 - 000000000 ____D C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WhatsApp
2018-11-09 06:38 - 2018-05-26 07:52 - 000000000 ____D C:\Users\User\AppData\Local\WhatsApp
2018-11-09 06:38 - 2017-07-28 12:45 - 000000000 ____D C:\Users\User\AppData\Local\SquirrelTemp
2018-11-08 17:16 - 2014-12-23 08:45 - 000000000 ____D C:\Users\User\Desktop\Shorts
2018-11-08 12:49 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\rescache
2018-11-07 13:14 - 2018-06-26 04:24 - 000003832 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1519548753
2018-11-07 12:23 - 2014-12-13 10:29 - 000000000 ____D C:\ProgramData\Roxio
2018-11-07 09:42 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\SysWOW64\Setup
2018-11-07 09:42 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\system32\Setup
2018-11-07 08:58 - 2017-12-25 15:09 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2018-11-07 08:52 - 2009-07-13 21:34 - 000000541 _____ C:\Windows\win.ini
2018-11-05 08:49 - 2016-12-23 08:54 - 000000000 ____D C:\Users\User\Desktop\ALBUM XIII
2018-11-05 04:33 - 2018-07-14 10:12 - 000000000 ____D C:\Users\User\Downloads\Older
2018-11-02 04:33 - 2017-09-25 05:57 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ResumeMaker Professional
2018-11-02 04:33 - 2017-09-25 05:55 - 000000000 ____D C:\Program Files (x86)\ResumeMaker Professional
2018-11-02 04:22 - 2017-10-04 06:20 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MediaHuman
2018-11-02 04:22 - 2017-10-04 06:19 - 000000000 ____D C:\Program Files (x86)\MediaHuman
2018-11-02 04:19 - 2017-10-04 06:20 - 000000000 ____D C:\Users\User\AppData\Local\MediaHuman
2018-11-01 04:25 - 2018-06-30 19:07 - 000000000 ____D C:\Users\User\AppData\Roaming\IObit
2018-11-01 04:25 - 2014-11-12 10:32 - 000000000 ____D C:\ProgramData\IObit
2018-11-01 04:25 - 2014-11-12 10:32 - 000000000 ____D C:\Program Files (x86)\IObit
2018-10-31 10:32 - 2018-07-13 07:07 - 000000000 ____D C:\Program Files\KMSpico
2018-10-31 10:25 - 2017-12-28 13:42 - 000000000 ____D C:\Users\User\Desktop\Utilities
2018-10-31 10:24 - 2018-09-21 06:52 - 000003966 _____ C:\Windows\System32\Tasks\CCleaner Update
2018-10-31 10:24 - 2018-05-28 12:01 - 000002970 _____ C:\Windows\System32\Tasks\GU5SkipUAC
2018-10-31 10:24 - 2018-01-19 03:45 - 000003456 _____ C:\Windows\System32\Tasks\AdobeGCInvoker-1.0-User-PC-User
2018-10-31 10:24 - 2017-11-26 10:29 - 000003142 _____ C:\Windows\System32\Tasks\{4DB282EB-E18E-4DB4-B600-DBA37078CFF2}
2018-10-31 06:51 - 2018-02-24 08:32 - 000000000 ____D C:\Program Files (x86)\360
2018-10-30 17:39 - 2018-01-13 20:39 - 000003334 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2018-10-30 17:39 - 2018-01-13 20:39 - 000003206 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2018-10-29 18:39 - 2009-07-14 00:32 - 000000000 ____D C:\Windows\system32\FxsTmp
2018-10-27 10:48 - 2017-12-16 16:43 - 000000000 ____D C:\Users\Classic .NET AppPool
2018-10-27 10:48 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\registration
2018-10-27 05:39 - 2018-07-09 18:44 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2018-10-27 05:39 - 2018-02-25 08:25 - 000000000 ____D C:\Users\User\AppData\Roaming\Skype
2018-10-27 05:39 - 2018-02-22 15:24 - 000001306 _____ C:\Users\Public\Desktop\Skype.lnk
2018-10-25 11:27 - 2014-12-24 07:09 - 000000000 ____D C:\Users\User\Documents\LZ-pers
2018-10-15 05:37 - 2018-09-04 05:54 - 000000000 ____D C:\Users\User\Offshore-SWIFTS
2018-10-14 12:55 - 2018-05-28 07:17 - 000001183 _____ C:\Users\Public\Desktop\Wise JetSearch.lnk
2018-10-14 12:55 - 2018-05-28 07:16 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wise JetSearch
 
==================== Files in the root of some directories =======
 
2018-10-14 05:08 - 2018-10-24 04:21 - 000000876 _____ () C:\Users\User\exe.reg
2018-10-30 09:09 - 2018-10-30 09:09 - 000000622 _____ () C:\Users\User\win7.vbs
2017-12-02 15:13 - 2017-12-02 15:13 - 000000192 ____H () C:\Program Files (x86)\file_id.diz
2018-09-22 04:00 - 2018-09-22 04:00 - 000000000 _____ () C:\Program Files (x86)\Common Files\Timer
2018-07-09 04:27 - 2018-07-09 04:27 - 000000000 ____N () C:\Users\User\AppData\Roaming\ActUpdate.log
2014-11-13 08:04 - 2017-03-01 08:27 - 000007859 _____ () C:\Users\User\AppData\Roaming\pcouffin.cat
2014-11-13 08:04 - 2017-03-01 08:27 - 000001167 _____ () C:\Users\User\AppData\Roaming\pcouffin.inf
2014-11-13 08:04 - 2017-03-01 08:27 - 000082816 _____ (VSO Software) C:\Users\User\AppData\Roaming\pcouffin.sys
2015-05-19 10:48 - 2015-05-19 10:48 - 000000047 _____ () C:\Users\User\AppData\Roaming\WB.CFG
2017-03-02 19:15 - 2018-08-17 05:36 - 000008192 _____ () C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2018-05-19 07:23 - 2018-05-19 07:30 - 000005785 _____ () C:\Users\User\AppData\Local\flip.txt
2018-05-19 07:23 - 2018-05-19 07:23 - 003418355 _____ () C:\Users\User\AppData\Local\flip.zip
2018-09-22 04:02 - 2018-09-22 04:02 - 000140800 _____ () C:\Users\User\AppData\Local\installer.dat
2018-05-19 07:26 - 2018-05-19 07:26 - 000000028 _____ () C:\Users\User\AppData\Local\pdfFli.ini
2018-05-19 07:27 - 2018-05-19 07:29 - 000000088 _____ () C:\Users\User\AppData\Local\recent.txt
2017-12-18 07:46 - 2017-12-18 07:46 - 000000759 _____ () C:\Users\User\AppData\Local\recently-used.xbel
2018-04-10 19:33 - 2018-04-10 19:33 - 000007602 _____ () C:\Users\User\AppData\Local\Resmon.ResmonCfg
2015-07-04 19:03 - 2018-06-14 15:04 - 004224000 _____ () C:\Users\User\AppData\Local\rx_audio.Cache
2015-07-04 18:57 - 2018-05-04 16:26 - 082116608 _____ () C:\Users\User\AppData\Local\rx_image32.Cache
2018-06-04 12:52 - 2018-06-04 12:52 - 000000000 _____ () C:\Users\User\AppData\Local\{00018DC7-BF40-47DB-86AF-A5056643AF38}
2016-09-03 04:57 - 2016-09-03 04:57 - 000000000 _____ () C:\Users\User\AppData\Local\{1967AC26-8830-4077-9E98-9A9492FD5D24}
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\drivers\upbuxaeh.sys -> Access Denied <======= ATTENTION
 
LastRegBack: 2018-11-11 16:50
 
==================== End of FRST.txt ============================

#7 nasdaq

Posted 13 November 2018 - 07:51 AM

Hi,
 
I have identified a bad SmartService infection.
 
You will need access to a spare PC and a USB flash drive that has not been in contact with the sick PC...
Let me know if you have access to these devices.
 
I need to know first if you can enable the Recovery Environment...
 
Open FRST (Farbar program) on the compromised computer:
 
Copy/paste the following inside the text area of FRST. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop. Attach it in your next reply.
 
Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End::
 
On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad.
Copy and paste its content in your next reply.
 
Wait for further instructions.
<<<>>>
 


#8 coco1704

  • Topic Starter

Posted 13 November 2018 - 08:32 AM

I have a spare PC and USB drive.


#9 nasdaq


Posted 13 November 2018 - 10:51 AM

Let's proceed:
 
Preparing the USB Flash Drive
 
Using the clean computer, download the right version of the Farbar program for your system to the Desktop.
64-bit or 32-bit version. Select the one you need.
 
Move the executable (FRST.exe or FRST64.exe) to your USB Flash Drive
 
How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system.
 
===
 
Boot in the Recovery Environment WINDOWS 7 USERS
 
To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
Restart the computer
Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
 
Look at this video if not familiar with it.
 
Use the arrow keys to select Repair your computer, and press on Enter
Select your keyboard layout (US, French, etc.) and click on Next
 
Once in the command prompt
Plug your USB Flash Drive in the infected computer
---
 
Click on Command Prompt to open the command prompt
 
In the command prompt, type notepad and press on Enter
Notepad will open. Click on the File menu and select Open
Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
 
In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter
 
Note: Replace the letter e with the drive letter of your USB Flash Drive
 
FRST will open
 
Click on Yes to accept the disclaimer
Click on the Scan button and wait for the scan to complete
A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply.
 
Wait for further instructions.
 
p.s.
If at any time you need additional information please ask before proceeding.


#10 coco1704

  • Topic Starter

Posted 13 November 2018 - 02:53 PM

As requested.

Attached Files

  • Attached File  FRST.txt   25.43KB   6 downloads


#11 nasdaq

Posted 14 November 2018 - 08:14 AM
 
Hi,
 
Good work.
 
Remove this program in bold via the Control Panel > Programs > Programs and Features.
KMSpico (HKLM\...\{8B29D47F-92E2-4C20-9EE0-F710991F5D7C}_is1) (Version:  - )
===
 
Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
 
Please copy the entire contents of the code box below to a new file.
 
 
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKLM-x32\...\Run: [] => [X]
HKLM\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 0
HKLM\...\Policies\Explorer: [NoResolveSearch] 1
HKU\User\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
GroupPolicy: Restriction - Chrome <==== ATTENTION
"HKLM\System\ControlSet001\Services\cxupt" => removed successfully
C:\Windows\System32\drivers\upbrvybe.sys => moved successfully
C:\Users\User\AppData\Local\dscovgm\dscovgm.exe => moved successfully
C:\Users\User\AppData\Local\dscovgm\pcimegb.exe => moved successfully
C:\Users\User\AppData\Local\mbsiekh\timhgrv.exe => moved successfully
S2 BotkindSyncService; C:\Program Files\Allway Sync\Bin\SyncService.exe service [X]
S3 IObitUnSvr; C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe [X]
S2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [X]
S3 iobit_monitor_server; \??\C:\Program Files (x86)\IObit\Advanced SystemCare\drivers\Monitor_win7_x64.sys [X]
S3 IUProcessFilter; \??\C:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win7_amd64\IUProcessFilter.sys [X]
S3 IURegistryFilter; \??\C:\Program Files (x86)\IObit\IObit Uninstaller\drivers\win7_amd64\IURegistryFilter.sys [X]
S0 Partizan; system32\drivers\Partizan.sys [X]
2018-11-13 14:42 - 2018-10-09 05:25 - 000000000 ____D C:\Users\User\AppData\Local\mbsiekh
2018-11-13 14:42 - 2018-10-09 05:25 - 000000000 ____D C:\Users\User\AppData\Local\dscovgm
2018-10-31 07:32 - 2018-07-13 04:07 - 000000000 ____D C:\Program Files\KMSpico
 
ShellIconOverlayIdentifiers: [  00BitrixShellExt] -> {A11A1EE5-F9F8-4BE0-907F-D74A49CC506B} =>  -> No File
ShellIconOverlayIdentifiers: [  00BitrixShellExt_C] -> {A11A1EE5-F9F8-4BE0-907F-D74A49CC506E} =>  -> No File
ShellIconOverlayIdentifiers: [  00BitrixShellExt_E] -> {A11A1EE5-F9F8-4BE0-907F-D74A49CC506D} =>  -> No File
ShellIconOverlayIdentifiers: [  00BitrixShellExt_L] -> {A11A1EE5-F9F8-4BE0-907F-D74A49CC506F} =>  -> No File
ShellIconOverlayIdentifiers: [  00BitrixShellExt_S] -> {A11A1EE5-F9F8-4BE0-907F-D74A49CC506C} =>  -> No File
ShellIconOverlayIdentifiers: [GGDriveOverlay1] -> {E68D0A50-3C40-4712-B90D-DCFA93FF2534} =>  -> No File
ShellIconOverlayIdentifiers: [GGDriveOverlay2] -> {E68D0A51-3C40-4712-B90D-DCFA93FF2534} =>  -> No File
ShellIconOverlayIdentifiers: [GGDriveOverlay3] -> {E68D0A52-3C40-4712-B90D-DCFA93FF2534} =>  -> No File
ShellIconOverlayIdentifiers: [GGDriveOverlay4] -> {E68D0A53-3C40-4712-B90D-DCFA93FF2534} =>  -> No File
ShellIconOverlayIdentifiers-x32: [  00BitrixShellExt] -> {A11A1EE5-F9F8-4BE0-907F-D74A49CC506B} =>  -> No File
ShellIconOverlayIdentifiers-x32: [  00BitrixShellExt_C] -> {A11A1EE5-F9F8-4BE0-907F-D74A49CC506E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [  00BitrixShellExt_E] -> {A11A1EE5-F9F8-4BE0-907F-D74A49CC506D} =>  -> No File
ShellIconOverlayIdentifiers-x32: [  00BitrixShellExt_L] -> {A11A1EE5-F9F8-4BE0-907F-D74A49CC506F} =>  -> No File
ShellIconOverlayIdentifiers-x32: [  00BitrixShellExt_S] -> {A11A1EE5-F9F8-4BE0-907F-D74A49CC506C} =>  -> No File
ContextMenuHandlers1: [Adobe.Acrobat.ContextMenu] -> {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} =>  -> No File
ContextMenuHandlers6: [Adobe.Acrobat.ContextMenu] -> {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} =>  -> No File
ContextMenuHandlers5_S-1-5-21-176798144-3595912555-2340562074-1000: [GGDriveMenu] -> {E68D0A55-3C40-4712-B90D-DCFA93FF2534} =>  -> No File
Task: {66A4B43B-1F6E-4CDB-BF93-3C6917C40438} - \ASC11_SkipUac_User -> No File <==== ATTENTION
Task: {6B1F8CD8-20D1-4318-B5A0-C61820AA66DC} - \ZGkhmCM2qflB -> No File <==== ATTENTION
Task: {BF392C93-D917-4C6B-87B9-982DEF12EB20} - \{A25EF729-D8D5-642D-2944-4D364B425331} -> No File <==== ATTENTION
Task: {BF62FBA2-DE27-4C68-BC41-AFBFBDEA5BEC} - \Uninstaller_SkipUac_User -> No File <==== ATTENTION
Task: {C7C18262-617E-4D7A-9296-15AA23B3E4AC} - \Odkurzacz -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData:Easy$Duplicate$Finder [126]
AlternateDataStreams: C:\Users\All Users:Easy$Duplicate$Finder [126]
AlternateDataStreams: C:\ProgramData\Application Data:Easy$Duplicate$Finder [126]
AlternateDataStreams: C:\ProgramData\Temp:F169C698 [133]
AlternateDataStreams: C:\ProgramData\Temp:F336C880 [125]
 
Reboot:
 
End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.
 
Run FRST and click Fix only once and wait.
 
The tool will create a log (Fixlog.txt) please post it to your reply.
===
 
Reset Chrome...
Open Google Chrome, click on the menu icon (the 3 vertical dots located at the top right side of Google Chrome).
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset and clean up" > "Restore settings to their original defaults"
 
Restart Chrome.
<<<>>>
 
Please download Malwarebytes Anti-Malware from here
 
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to check mark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
  • Please post the log for my review.
 
Note: If asked to restart the computer, please do so immediately.
===
 
Please post the logs and let me know what problem persists with this computer.
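Two of the finding classes in the fixlist above (the Explorer policy values being reset and the services marked [X] because their binary is gone) can be re-checked read-only on the machine once the fix has run. The script below is an added example, not part of the thread and not FRST's own logic; it assumes an elevated Windows PowerShell prompt, and it only reports, it removes nothing.

```powershell
# Added audit script (not from the thread or from FRST). Read-only: it lists
# Explorer policy values and services whose binary no longer exists, so the
# result can be compared against the Fixlog. Run from an elevated prompt.

# 1. The policy values the fixlist resets. FRST abbreviates the key as
#    "HKLM\...\Policies\Explorer"; the full paths are spelled out here.
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$policyNames = 'LinkResolveIgnoreLinkInfo', 'NoResolveSearch', 'NolowDiskSpaceChecks'

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($name in $policyNames) {
        if ($null -ne $values.$name) {
            "[policy] $key : $name = $($values.$name)"
        }
    }
}

# 2. Services whose ImagePath points at a missing file (the "[X]" entries).
#    Normalises the path forms seen in the fixlist: "\??\C:\..." driver paths,
#    quoted paths followed by arguments, unquoted paths with spaces and
#    arguments ("...\SyncService.exe service"), and "system32\drivers\x.sys".
function Resolve-ServiceBinary([string]$imagePath) {
    $p = [Environment]::ExpandEnvironmentVariables($imagePath.Trim())
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    if ($p.StartsWith('"')) { $p = $p.Split('"')[1] }              # "C:\a b\x.exe" -k args
    elseif ($p -match '^(.*?\.(exe|sys|dll))') { $p = $Matches[1] } # C:\a b\x.exe args
    $p = $p -replace '^\\?SystemRoot\\', ''                          # \SystemRoot\system32\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem -Path $svcRoot | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    if (-not $props.ImagePath) { return }                 # no binary registered (e.g. kernel-only entries)
    $bin = Resolve-ServiceBinary $props.ImagePath
    if (-not (Test-Path -LiteralPath $bin)) {
        "[service] $($_.PSChildName) -> $($props.ImagePath) (file missing)"
    }
}
```

Orphaned service entries are also left behind by sloppy uninstallers (the IObit entries above are a typical case), so a missing-file hit is a lead to look at, not proof of infection by itself.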


#12 coco1704

coco1704
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:23 AM

Posted Yesterday, 05:44 PM

I cannot run FRST because it continues to update. Tool is ready - it says. Then I cannot shut it down. It runs over and over.



#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,482 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:23 AM

Posted Today, 08:32 AM

Open the Task Manager and stop the process.

Restart the computer normally.

Run the Fix suggested in post No. 11.
This fix must be executed in Normal Mode.

Keep me posted.



