Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

I have done my homework - now need you help please

Malware Chrome

  • Please log in to reply

#16
rm15

rm15

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

ADDITION.TXT

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Raffi (30-03-2017 10:23:51)
Running from C:\Users\Raffi\Desktop\FIX
Windows 8.1 (Update) (X64) (2015-01-08 21:38:07)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1372970940-966452781-916677827-500 - Administrator - Disabled)
Guest (S-1-5-21-1372970940-966452781-916677827-501 - Limited - Disabled)
Raffi (S-1-5-21-1372970940-966452781-916677827-1001 - Administrator - Enabled) => C:\Users\Raffi
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Norton Security (Disabled - Up to date) {30744133-1E94-7B35-F4A3-82A5AEF1CBAA}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton Security (Disabled - Up to date) {8B15A0D7-38AE-74BB-CE13-B9D7D5768117}
FW: Norton Security (Disabled) {084FC016-54FB-7A6D-DFFC-2B9050228CD1}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Acer Power Management (HKLM\...\{91F52DE4-B789-42B0-9311-A349F10E5479}) (Version: 7.00.8105 - Acer Incorporated)
Acer Recovery Management (HKLM\...\{07F2005A-8CAC-4A4B-83A2-DA98A722CA61}) (Version: 6.00.8108 - Acer Incorporated)
Adobe Acrobat DC (HKLM-x32\...\{AC76BA86-1033-FFFF-7760-0C0F074E4100}) (Version: 15.023.20070 - Adobe Systems Incorporated)
Brother MFL-Pro Suite MFC-9560CDW (HKLM-x32\...\{979742CC-2CBB-49D8-9BEE-C2F7875F5393}) (Version: 1.1.5.0 - Brother Industries, Ltd.)
Chrome Remote Desktop Host (HKLM-x32\...\{0F4FB60A-EBD8-445B-8117-128E8351647E}) (Version: 56.0.2924.51 - Google Inc.)
Dolby Digital Plus Home Theater (HKLM\...\{7E3D8FA1-6092-469A-955B-68FC4A2C67CA}) (Version: 7.6.3.1 - Dolby Laboratories Inc)
Google Chrome (HKU\S-1-5-21-1372970940-966452781-916677827-1001\...\Google Chrome) (Version: 57.0.2987.133 - Google Inc.)
Google Drive (HKLM-x32\...\{A1238426-ECDF-4639-BE2F-8D12A97AE23C}) (Version: 2.34.5075.1619 - Google, Inc.)
Google Earth (HKLM-x32\...\{F6430171-B86B-4639-839E-374913E7911D}) (Version: 7.1.8.3036 - Google)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
Intel® Chipset Device Software (x32 Version: 10.0.20 - Intel® Corporation) Hidden
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 10.0.0.1168 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3643 - Intel Corporation)
Intel® Update Manager (HKLM-x32\...\{AD6B46F2-FE21-496F-BE90-BE19AABE353C}) (Version: 2.2.12 - Intel Corporation)
Mediatek RT2870 Wireless LAN Card (HKLM-x32\...\{28DA7D8B-F9A4-4F18-8AA0-551B1E084D0D}) (Version: 1.5.38.101 - MediatekWiFi)
Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.7.133.0 - Microsoft Corporation)
Microsoft Office Home and Student 2013 - en-us (HKLM\...\HomeStudentRetail - en-us) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{d491dd9d-2eda-4d75-b504-1a201436e7fd}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Mozilla Firefox 34.0.5 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 34.0.5 (x86 en-US)) (Version: 34.0.5 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 45.8.0.6273 - Mozilla)
Mozilla Thunderbird 45.8.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 45.8.0 (x86 en-US)) (Version: 45.8.0 - Mozilla)
Nexus Ultimate 14.11 (HKLM-x32\...\Winstep Xtreme_is1) (Version:  - )
Norton Security (HKLM-x32\...\NS) (Version: 22.9.1.12 - Symantec Corporation)
novaPDF 8 add-in for Microsoft Office (x64) (HKLM\...\{37AFBFC0-AE39-425B-97CB-A90319D39A4B}) (Version: 8.1.921 - Softland)
novaPDF 8 add-in for Microsoft Office (x86) (HKLM-x32\...\{056A3023-0724-49F0-82F8-88A1F0783D53}) (Version: 8.1.921 - Softland)
NVIDIA GeForce Experience 2.4.5.44 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.4.5.44 - NVIDIA Corporation)
NVIDIA Graphics Driver 347.52 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 347.52 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.14.0702 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.14.0702 - NVIDIA Corporation)
Office 15 Click-to-Run Licensing Component (Version: 15.0.4569.1506 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4569.1506 - Microsoft Corporation) Hidden
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.1.322 - Qualcomm Atheros Communications)
Qualcomm Atheros WLAN and Bluetooth Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 12.33 - Qualcomm Atheros)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.3.9600.39059 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.32.508.2014 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7260 - Realtek Semiconductor Corp.)
SHIELD Streaming (Version: 4.1.2000 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (Version: 2.4.5.44 - NVIDIA Corporation) Hidden
Skype™ 7.30 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.30.105 - Skype Technologies S.A.)
Software Update Wizard (Redistributable) 4.5 (HKLM-x32\...\Software Update Wizard (Redistributable)) (Version: 4.5 - PowerProgrammer)
Sonos Controller (HKLM-x32\...\{7BBA9BF8-05DF-47D8-8880-82A9B99505B9}) (Version: 35.3.39010 - Sonos, Inc.)
SplashID Safe 7.2.4 (HKLM-x32\...\SplashID Safe) (Version: 7.2.4 - SplashData)
Spotify (HKU\S-1-5-21-1372970940-966452781-916677827-1001\...\Spotify) (Version: 1.0.45.186.g3b5036d6 - Spotify AB)
StartIsBack+ (HKU\S-1-5-21-1372970940-966452781-916677827-1001\...\StartIsBack) (Version: 1.7 - startisback.com)
Unity Web Player (HKU\S-1-5-21-1372970940-966452781-916677827-1001\...\UnityWebPlayer) (Version: 5.3.7f1 - Unity Technologies ApS)
Yahoo Messenger (HKU\S-1-5-21-1372970940-966452781-916677827-1001\...\yahoomessenger) (Version: 0.8.231 - Yahoo! Inc)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{61625667-893E-4707-B925-A82B528C00B9}\InprocServer32 -> C:\Users\Raffi\AppData\Local\StartIsBack\StartIsBack64.dll (www.startisback.com)
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32 -> C:\Users\Raffi\AppData\Local\StartIsBack\StartIsBack64.dll (www.startisback.com)
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InprocServer32 -> C:\Users\Raffi\AppData\Local\StartIsBack\StartIsBack64.dll (www.startisback.com)
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\Raffi\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InprocServer32 -> C:\Users\Raffi\AppData\Local\StartIsBack\StartIsBack64.dll (www.startisback.com)
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Raffi\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll (Google Inc.)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {04F89BF8-A7C9-4A27-9B5D-82822A832CEE} - System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe => C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2015-12-09] (Microsoft Corporation)
Task: {1D882325-E362-471E-8C38-88B0B404D67E} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton Security\Upgrade.exe [2017-03-16] (Symantec Corporation)
Task: {334FFF8E-2DDA-494C-B039-2EF768812EFD} - System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe => C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2015-12-09] (Microsoft Corporation)
Task: {462F1A1C-745C-4F45-9516-625366142B64} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-27] (Google Inc.)
Task: {49694A82-66EA-4845-98CE-8D370A1178C3} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1372970940-966452781-916677827-1001Core => C:\Users\Raffi\AppData\Local\Google\Update\GoogleUpdate.exe [2017-03-26] (Google Inc.)
Task: {4C46400E-6B73-445F-A45B-22F45477370E} - System32\Tasks\Microsoft_Hardware_Launch_itype_exe => C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2015-12-09] (Microsoft Corporation)
Task: {50796CE1-C0BA-46C5-9410-B421D9EBBA48} - System32\Tasks\Norton Security\Norton Security Error Processor => C:\Program Files (x86)\Norton Security\Engine\22.9.1.12\SymErr.exe [2017-02-20] (Symantec Corporation)
Task: {583233BC-7D8B-4F5A-BE0C-2444E46A9270} - System32\Tasks\Power Management => C:\Program Files\Acer\Acer Power Management\ePowerTrayLauncher.exe [2014-06-12] (Acer Incorporated)
Task: {5F26B7FA-7914-412A-8CB9-4A5F49C77B90} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-12-19] (Adobe Systems Incorporated)
Task: {703F5D18-1821-4CF2-9D1E-4E5C6047B95C} - System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe => C:\Program Files\Microsoft Mouse and Keyboard Center\mousekeyboardcenter.exe [2015-12-09] (Microsoft)
Task: {7658A0C9-245B-4D1D-A967-7C35EEAACF5B} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [2014-01-17] ()
Task: {8295A939-1F99-4CCD-B68F-C09FB8424C8E} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-27] (Google Inc.)
Task: {83A782A7-5307-4CD9-BA8D-108D4AB0F882} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473-Logon => C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [2014-01-17] ()
Task: {A18B2024-A522-4906-BBD1-11088AB13083} - System32\Tasks\Recovery Management\Notification => C:\Program Files\Acer\Acer Recovery Management\Notification\Notification.exe [2014-06-17] (Acer Incorporated)
Task: {ACEB3C48-6781-4D00-9F67-4F7DCB930D0A} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton Security\Engine\22.9.1.12\WSCStub.exe [2017-03-16] (Symantec Corporation)
Task: {BF12C8B9-F090-4923-8EC7-0E3A6DFE3DA0} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1372970940-966452781-916677827-1001UA => C:\Users\Raffi\AppData\Local\Google\Update\GoogleUpdate.exe [2017-03-26] (Google Inc.)
Task: {D47B4DDA-07A1-498F-B37B-BED508A70A9E} - System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe => C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2015-12-09] (Microsoft Corporation)
Task: {D9383B6A-E1B9-43B7-A99F-50CBBA9ABB3C} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2013-12-17] (Microsoft Corporation)
Task: {E9431CCC-0887-4C9D-9E94-510A19CEB747} - System32\Tasks\DolbySelectorTask => C:\Program Files\Dolby Digital Plus\ddp.exe [2014-04-07] (Dolby Laboratories Inc.)
Task: {F7BE031D-4707-4938-9845-B69382C3994E} - System32\Tasks\Norton Security\Norton Security Error Analyzer => C:\Program Files (x86)\Norton Security\Engine\22.9.1.12\SymErr.exe [2017-02-20] (Symantec Corporation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-02-11 01:26 - 2015-02-05 12:07 - 00117576 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2015-01-08 14:44 - 2013-10-31 18:13 - 00102568 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2015-01-08 14:44 - 2014-01-02 19:41 - 00621736 _____ () C:\Program Files\Microsoft Office 15\ClientX64\StreamServer.dll
2015-01-10 00:34 - 2010-03-15 16:18 - 00143360 _____ () C:\Windows\system32\BrSNMP64.dll
2015-01-08 14:44 - 2015-01-08 14:44 - 08878248 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2014-04-29 02:38 - 2014-04-29 02:38 - 00011264 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\Modules\ActivateDesktopDebugger\ActivateDesktopDebugger.dll
2014-04-29 02:35 - 2014-04-29 02:35 - 00086016 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\Modules\Map\MAP.dll
2014-04-29 02:42 - 2014-04-29 02:42 - 00012928 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe
2014-04-07 16:13 - 2014-04-07 16:13 - 00052096 _____ () C:\Program Files\Dolby Digital Plus\Dolby.DDP.Controls_Desktop.dll
2014-10-05 15:49 - 2013-10-01 02:09 - 00078880 _____ () C:\Program Files\Realtek\Audio\HDA\FMAPP.exe
2015-06-20 12:35 - 2015-06-03 14:06 - 00011920 _____ () C:\Program Files (x86)\NVIDIA Corporation\Update Core\detoured.dll
2016-08-10 11:14 - 2016-08-10 11:14 - 40523480 _____ () C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\libcef.dll
2017-03-30 10:21 - 2017-03-30 10:21 - 00098816 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32api.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00110080 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\pywintypes27.dll
2017-03-30 10:21 - 2017-03-30 10:21 - 00364544 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\pythoncom27.dll
2017-03-30 10:21 - 2017-03-30 10:21 - 00320512 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32com.shell.shell.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00914432 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\_hashlib.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 01176576 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\wx._core_.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00806400 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\wx._gdi_.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00816128 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\wx._windows_.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 01067008 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\wx._controls_.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00733184 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\wx._misc_.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00682496 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\pysqlite2._sqlite.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00088064 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\_ctypes.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00686080 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\unicodedata.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00119808 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32file.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00108544 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32security.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00007168 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\hashobjs_ext.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00017920 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\thumbnails_ext.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00088064 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\usb_ext.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00012800 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\common.time34.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00018432 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32event.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00167936 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32gui.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00046080 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\_socket.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 01303552 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\_ssl.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00128512 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\_elementtree.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00127488 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\pyexpat.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00038912 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32inet.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00036864 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\_psutil_windows.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00524248 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\windows._lib_cacheinvalidation.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00011264 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32crypt.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00123392 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\wx._wizard.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00077312 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\wx._html2.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00027648 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\_multiprocessing.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00020480 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\_yappi.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00035840 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32process.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00078848 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\wx._animate.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00024064 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32pipe.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00010240 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\select.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00025600 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32pdh.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00017408 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32profile.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00022528 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32ts.pyd
2015-01-19 19:28 - 2014-08-06 05:37 - 01203856 _____ () C:\Program Files (x86)\MediatekWiFi\Common\RaWLAPI.dll
2015-01-10 00:34 - 2009-02-27 17:38 - 00139264 ____R () C:\Program Files (x86)\Brother\BrUtilities\BrLogAPI.dll
2015-05-16 11:06 - 2015-05-16 11:06 - 01086176 _____ () C:\Program Files (x86)\Winstep\wodTelnetDLX.dll
2014-02-19 18:51 - 2014-02-19 18:51 - 01241560 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 06:25 - 2013-08-22 06:25 - 00000824 ____N C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1372970940-966452781-916677827-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Raffi\Google Drive\Pictures\Wallpaper\crane.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{B188B65E-B72E-4555-840C-34429D355F2F}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{0AA5D0D2-BC33-4E8C-888D-1EED19D16990}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{F716554D-E4E8-4A0A-9694-80554B556470}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{C6CD2C51-A721-4660-8A37-FD629E859D88}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{201AE150-878F-4338-8755-80C88655B4FA}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
FirewallRules: [{1E13F8D4-583E-410F-8CC5-4AFE101AB602}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
FirewallRules: [{930F0CB2-8DA0-40F4-9F95-BC6E336944B5}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{229288E7-24C7-4D29-8636-07EB4AFD0FAD}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{8B00A3D6-DF9A-416B-8350-F956344D731B}] => (Allow) C:\Program Files (x86)\Spotify\spotify.exe
FirewallRules: [{F928E59D-9765-433D-A820-FB74B096F2A6}] => (Allow) C:\Program Files (x86)\Spotify\spotify.exe
FirewallRules: [{7BB9D122-7ACA-4425-8B63-0DAF2944BF68}] => (Allow) C:\Program Files (x86)\Spotify\Data\SpotifyWebHelper.exe
FirewallRules: [{9EB8953E-F465-4C2E-9273-0AE91AF8CD16}] => (Allow) C:\Program Files (x86)\Spotify\Data\SpotifyWebHelper.exe
FirewallRules: [{930D049A-6224-4AC9-92B6-5BFE22129649}] => (Allow) C:\Program Files (x86)\Acer\abPhoto\DMCDaemon.exe
FirewallRules: [{F616F161-EC89-4589-A65C-0A7E2BFC1544}] => (Allow) C:\Program Files (x86)\Acer\abPhoto\DMCDaemon.exe
FirewallRules: [{F73F7032-341D-4044-BE51-733937FCFEF8}] => (Allow) C:\Program Files (x86)\Acer\abPhoto\WindowsUpnp.exe
FirewallRules: [{E865D6C3-8477-4159-BC08-5C4AD326DAC5}] => (Allow) C:\Program Files (x86)\Acer\abPhoto\WindowsUpnp.exe
FirewallRules: [{0E233115-AC6F-4444-8EF4-371C6AAD9D65}] => (Allow) C:\Program Files (x86)\Acer\abPhoto\DMCDaemon.exe
FirewallRules: [{F78ACAE2-B9FC-4A65-BE7A-7289C997A3A0}] => (Allow) C:\Program Files (x86)\Acer\abPhoto\DMCDaemon.exe
FirewallRules: [{24A519D5-6761-4A7C-8374-444859970D00}] => (Allow) C:\Program Files (x86)\Acer\abPhoto\WindowsUpnp.exe
FirewallRules: [{E8328229-5221-48DD-A5D8-39AE9E3502EE}] => (Allow) C:\Program Files (x86)\Acer\abPhoto\WindowsUpnp.exe
FirewallRules: [{90305B45-C9D4-43B4-BC07-7925E41ACD4F}] => (Allow) C:\Program Files (x86)\Acer\abMedia\DMCDaemon.exe
FirewallRules: [{AE42C872-CB4B-4F03-A621-643BD928AE75}] => (Allow) C:\Program Files (x86)\Acer\abMedia\DMCDaemon.exe
FirewallRules: [{21D39A8F-A59E-4D6A-A6D6-A293A9231201}] => (Allow) C:\Program Files (x86)\Acer\abMedia\WindowsUpnpMV.exe
FirewallRules: [{DB3D8D6D-0A7C-42FF-B5AA-F278E23F727B}] => (Allow) C:\Program Files (x86)\Acer\abMedia\WindowsUpnpMV.exe
FirewallRules: [{0552F933-40DB-44E2-BA65-5821335934B4}] => (Allow) C:\Program Files (x86)\Acer\abMedia\DMCDaemon.exe
FirewallRules: [{C6DC71C5-2161-478C-907C-23C54515DDA1}] => (Allow) C:\Program Files (x86)\Acer\abMedia\DMCDaemon.exe
FirewallRules: [{D08D581B-33FA-48B2-9FF0-A355A214F7F3}] => (Allow) C:\Program Files (x86)\Acer\abMedia\WindowsUpnpMV.exe
FirewallRules: [{192B5532-396C-4C15-8DA6-B44CCD8C4B9B}] => (Allow) C:\Program Files (x86)\Acer\abMedia\WindowsUpnpMV.exe
FirewallRules: [{F49CB3E7-4DC1-4F88-9946-686EA6C4FB50}] => (Allow) C:\Program Files (x86)\Acer\AOP Framework\acer\ccd.exe
FirewallRules: [{006A19CA-4380-4508-966A-16F6CB3927BC}] => (Allow) C:\Program Files (x86)\Acer\AOP Framework\acer\ccd.exe
FirewallRules: [{1F10411B-4EE1-4134-8943-8FB08149917B}] => (Allow) C:\Program Files (x86)\Acer\abPhoto_\DMCDaemon.exe
FirewallRules: [{4A745678-DDA4-4FE0-B127-9FDF1E971BE5}] => (Allow) C:\Program Files (x86)\Acer\abPhoto_\DMCDaemon.exe
FirewallRules: [{97AC1BB8-4F7F-4C81-8F54-519B6C8CEECD}] => (Allow) C:\Program Files (x86)\Acer\abPhoto_\WindowsUpnp.exe
FirewallRules: [{1076EFEB-64EC-4225-959E-8377114EAC29}] => (Allow) C:\Program Files (x86)\Acer\abPhoto_\WindowsUpnp.exe
FirewallRules: [{0E0BD877-D3B2-4EA6-B6E2-B1C6892654C2}] => (Allow) C:\Program Files (x86)\Acer\abMedia_\DMCDaemon.exe
FirewallRules: [{1325B03C-32EB-490A-9F5D-FCC97EFBD758}] => (Allow) C:\Program Files (x86)\Acer\abMedia_\DMCDaemon.exe
FirewallRules: [{489E14CA-ED54-4E82-9F92-46D8B0904247}] => (Allow) C:\Program Files (x86)\Acer\abMedia_\WindowsUpnpMV.exe
FirewallRules: [{45B33415-69D3-4D51-8892-73071F58FE09}] => (Allow) C:\Program Files (x86)\Acer\abMedia_\WindowsUpnpMV.exe
FirewallRules: [{A227B059-FA48-4843-BB4C-F0D6D3A42122}] => (Allow) C:\Program Files (x86)\Acer\abMedia_\DMCDaemon.exe
FirewallRules: [{1FFCE112-59BC-4698-AB88-EDFFC92BE777}] => (Allow) C:\Program Files (x86)\Acer\abMedia_\DMCDaemon.exe
FirewallRules: [{61B5DEA2-5B27-41CE-A4B1-D3B5DD475E14}] => (Allow) C:\Program Files (x86)\Acer\abMedia_\WindowsUpnpMV.exe
FirewallRules: [{2762CC07-FC27-4607-ADEA-A4FB3A47F8CD}] => (Allow) C:\Program Files (x86)\Acer\abMedia_\WindowsUpnpMV.exe
FirewallRules: [{3029A865-F52B-471E-8415-DAE38A1F92AC}] => (Allow) C:\Program Files (x86)\Acer\abMedia\DMCDaemon.exe
FirewallRules: [{95AF1486-A659-489D-BEA0-D8F0A68B971A}] => (Allow) C:\Program Files (x86)\Acer\abMedia\DMCDaemon.exe
FirewallRules: [{5652F13E-8A22-4F6D-BA30-606017E67CDC}] => (Allow) C:\Program Files (x86)\Acer\abMedia\WindowsUpnpMV.exe
FirewallRules: [{F5EC4F0C-CF60-45ED-8FC2-EEECE65C10BC}] => (Allow) C:\Program Files (x86)\Acer\abMedia\WindowsUpnpMV.exe
FirewallRules: [{483059F3-068C-447D-B24F-B07D52EEDABB}] => (Allow) C:\Program Files (x86)\Acer\abMedia\DMCDaemon.exe
FirewallRules: [{316D3348-8ADE-4257-8FC1-0362717360E5}] => (Allow) C:\Program Files (x86)\Acer\abMedia\DMCDaemon.exe
FirewallRules: [{601CDE2C-74DC-4E58-99F5-44AD6888332A}] => (Allow) C:\Program Files (x86)\Acer\abMedia\WindowsUpnpMV.exe
FirewallRules: [{07754E4A-9572-46A4-BD4E-C4B72586DBF1}] => (Allow) C:\Program Files (x86)\Acer\abMedia\WindowsUpnpMV.exe
FirewallRules: [{92749470-4858-40D2-9573-E533CD3B70F9}] => (Allow) C:\Program Files (x86)\Brother\Brmfl10e\FAXRX.exe
FirewallRules: [{5AED7FD1-2368-45EE-8A82-15B092F88DEE}] => (Allow) C:\Program Files (x86)\Brother\Brmfl10e\FAXRX.exe
FirewallRules: [{4BA70707-4253-436E-A246-060AF75E2D1A}] => (Allow) LPort=54925
FirewallRules: [{AFDB33D7-BEFD-40A6-AF9B-3E5A38EB61FC}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{2546105B-7ADA-4C12-81F4-D953DA7AC99A}] => (Allow) C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{E80F891B-D832-49E0-8EF3-52030AC55703}] => (Allow) C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{D9DF0246-A404-427C-8C71-9ADC585AF013}] => (Allow) C:\Program Files (x86)\SplashData\SplashID Safe\SplashID Safe.exe
FirewallRules: [{1C05C853-4F6A-4A62-A052-21DEFC0CE7C7}] => (Allow) C:\Program Files (x86)\SplashData\SplashID Safe\SplashID Safe.exe
FirewallRules: [{BE5E43DB-5815-4488-B392-AAD360109F44}] => (Allow) C:\Program Files (x86)\Sonos\Sonos.exe
FirewallRules: [{57816D73-65F6-48A5-B421-BA974A02F65F}] => (Allow) C:\Program Files (x86)\Sonos\Sonos.exe
FirewallRules: [{046BCA07-40CC-46AD-9E41-0251002CE1B3}] => (Allow) C:\Program Files (x86)\MediatekWiFi\Common\RaMediaServer.exe
FirewallRules: [{181D72E1-6A7C-419F-B773-4B44A4DD8DAD}] => (Allow) C:\Program Files (x86)\MediatekWiFi\Common\RaMediaServer.exe
FirewallRules: [{EABC3EAE-466C-4AC8-BE82-E35A5B2D198C}] => (Allow) C:\Program Files (x86)\MediatekWiFi\Common\RaUI.exe
FirewallRules: [TCP Query User{1BB85E22-735D-4800-9126-CB7BD549D788}C:\program files (x86)\splashdata\splashid safe\splashid safe.exe] => (Allow) C:\program files (x86)\splashdata\splashid safe\splashid safe.exe
FirewallRules: [UDP Query User{27CB2F88-D5CA-4F20-A863-FFF013EA2FC5}C:\program files (x86)\splashdata\splashid safe\splashid safe.exe] => (Allow) C:\program files (x86)\splashdata\splashid safe\splashid safe.exe
FirewallRules: [TCP Query User{ADC25FBB-802D-4D3F-AFE9-0719CC217CE3}C:\users\raffi\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\raffi\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{3D3AB909-FE3E-4AD0-921E-6BF159EC9BE0}C:\users\raffi\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\raffi\appdata\roaming\spotify\spotify.exe
FirewallRules: [{92A12606-8828-4690-9EC4-E57C4F90798B}] => (Allow) C:\Games\World_of_Tanks\WoTLauncher.exe
FirewallRules: [{549CF028-7364-4B8C-9814-DD3B38755302}] => (Allow) C:\Games\World_of_Tanks\WorldofTanks.exe
FirewallRules: [{5FDB82EC-8AAB-44D0-8A92-A133850ED085}] => (Allow) C:\Program Files (x86)\Google\Chrome Remote Desktop\56.0.2924.51\remoting_host.exe
FirewallRules: [{6004DB50-87E8-4484-BF41-49E79DD2FD58}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
14-03-2017 18:20:37 Restore Operation
22-03-2017 05:57:39 Scheduled Checkpoint
28-03-2017 20:04:38 Norton_Power_Eraser_20170328200438338
30-03-2017 08:31:53 JRT Pre-Junkware Removal
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
 
System errors:
=============
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-4710HQ CPU @ 2.50GHz
Percentage of memory in use: 8%
Total physical RAM: 16307.27 MB
Available physical RAM: 14858.02 MB
Total Virtual: 18739.27 MB
Available Virtual: 17275.54 MB
 
==================== Drives ================================
 
Drive c: (Acer) (Fixed) (Total:221.9 GB) (Free:166.38 GB) NTFS
Drive d: (DATA) (Fixed) (Total:931.51 GB) (Free:931.31 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 238.5 GB) (Disk ID: E0FF060F)
 
Partition: GPT.
 
========================================================
Disk: 1 (Size: 931.5 GB) (Disk ID: E0FF0617)
 
Partition: GPT.
 
==================== End of Addition.txt ============================

  • 0

Advertisements


#17
rm15

rm15

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

Will test again and post if all is well.  Did you see anything in the log file indicating that a virus was detected and removed??


  • 0

#18
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,894 posts
  • MVP

OK.  You didn't post the whole fixlog but I can see from the FRST logs that it ran.  


  • 0

#19
rm15

rm15

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

Sorry... here is the full fix log again!

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Raffi (30-03-2017 10:19:49) Run:1
Running from C:\Users\Raffi\Desktop\FIX
Loaded Profiles: Raffi (Available Profiles: Raffi)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
HKU\S-1-5-21-1372970940-966452781-916677827-1001\...\Run: [61F2E14DF1D88F32A2319B97D9176FED7BD436A5._service_run] => "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=service /prefetch:8
HKU\S-1-5-21-1372970940-966452781-916677827-1001\...\MountPoints2: {25758df2-ee32-11e5-82bb-206a8a9e3bd3} - "E:\windows\AutoRun.exe" 
SearchScopes: HKU\S-1-5-21-1372970940-966452781-916677827-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
R2 WebUpdate4; C:\Windows\SysWOW64\WebUpdateSvc4.exe [262360 2008-09-15] (Data Perceptions / PowerProgrammer)
R2 Winstep Xtreme Service; C:\Program Files (x86)\Winstep\WsxService [X]
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Raffi\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Raffi\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Raffi\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Raffi\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Raffi\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Raffi\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Raffi\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
ShortcutWithArgument: C:\Users\Raffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google\Chrome Apps\Chrome Remote Desktop.lnk -> C:\Users\Raffi\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory="Profile 3" --app-id=gbchcmhmhahfdphkhkmpfmihenigjmpp
ShortcutWithArgument: C:\Users\Raffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google\Chrome Apps\Google Keep - notes and lists.lnk -> C:\Users\Raffi\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory="Profile 3" --app-id=hmjkmjkepdijhoojdojkdfohbdgmmhki
ShortcutWithArgument: C:\Users\Raffi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\c99253a6a8da5785\Google Chrome.lnk -> C:\Users\Raffi\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 3"
ShortcutWithArgument: C:\Users\Raffi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\82aa784c932b6712\Google Chrome.lnk -> C:\Users\Raffi\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 1"
ShortcutWithArgument: C:\Users\Raffi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\4958c7c8cc71330d\Google Chrome.lnk -> C:\Users\Raffi\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory=Default
EmptyTemp:
CMD: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
*****************
 
HKU\S-1-5-21-1372970940-966452781-916677827-1001\Software\Microsoft\Windows\CurrentVersion\Run\\61F2E14DF1D88F32A2319B97D9176FED7BD436A5._service_run => value removed successfully
HKU\S-1-5-21-1372970940-966452781-916677827-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{25758df2-ee32-11e5-82bb-206a8a9e3bd3} => key removed successfully
HKCR\CLSID\{25758df2-ee32-11e5-82bb-206a8a9e3bd3} => key not found. 
HKU\S-1-5-21-1372970940-966452781-916677827-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
WebUpdate4 => Unable to stop service.
HKLM\System\CurrentControlSet\Services\WebUpdate4 => key removed successfully
WebUpdate4 => service removed successfully
Winstep Xtreme Service => Unable to stop service.
HKLM\System\CurrentControlSet\Services\Winstep Xtreme Service => key removed successfully
Winstep Xtreme Service => service removed successfully
HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448} => key removed successfully
HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E} => key removed successfully
HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98} => key removed successfully
HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A} => key removed successfully
HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2} => key removed successfully
HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9} => key removed successfully
HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF} => key removed successfully
C:\Users\Raffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google\Chrome Apps\Chrome Remote Desktop.lnk => Shortcut argument removed successfully.
C:\Users\Raffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google\Chrome Apps\Google Keep - notes and lists.lnk => Shortcut argument removed successfully.
C:\Users\Raffi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\c99253a6a8da5785\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Raffi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\82aa784c932b6712\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Raffi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\4958c7c8cc71330d\Google Chrome.lnk => Shortcut argument removed successfully.
 
========= for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" =========
 
Failed to clear log Microsoft-Windows-USBVideo/Analytic. The instance name passed was not recognized as valid by a WMI data provider.
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 187939851 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 4492585 B
Edge => 0 B
Chrome => 320054797 B
Firefox => 161795182 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 94707 B
systemprofile32 => 128 B
LocalService => 6376136 B
NetworkService => 139888 B
Raffi => 229558498 B
 
RecycleBin => 80434 B
EmptyTemp: => 868.4 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 10:20:17 ====

  • 0

#20
rm15

rm15

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

Do you see any real risks that were identified and deleted. 


  • 0

#21
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,894 posts
  • MVP

You had some funny shortcuts which might have been the problem.

 

Let's run Rogue Killer to make sure there is nothing left:

 

 Let's run Rogue Killer

 
 
Portable 64 bits  <==Use this one
 
Download and Save.
 
 
 
Right click on the downloaded file (RogueKillerX64.exe or RogueKiller.exe)
 
Start Scan
Start Scan
 
Will take about 20 minutes to complete.
 
Open Report
Export TXT (save it to your desktop as rk) Save
 
Do not let Rogue Killer remove anything until you hear from me.  Leave Rogue Killer up (but minimized) so you won't have to rescan.
 
Open rk.txt and copy and paste it to your next Reply. 

  • 0

#22
rm15

rm15

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

On it


  • 0

#23
rm15

rm15

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

RK.TXT


  • 0

#24
rm15

rm15

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

Opps... again, RK.TXT

 

 

 

RogueKiller V12.10.2.0 (x64) [Mar 27 2017] (Free) by Adlice Software
 
Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Raffi [Administrator]
Started from : C:\Users\Raffi\Desktop\RogueKillerX64.exe
Mode : Scan -- Date : 03/30/2017 11:01:49 (Duration : 00:11:04)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 4 ¤¤¤
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1372970940-966452781-916677827-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-1372970940-966452781-916677827-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1372970940-966452781-916677827-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1372970940-966452781-916677827-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][Chrome:Config] Profile 3 [SecurePrefs] : session.startup_urls [http://www.protopage.com/basturma]-> Found
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA THNSNJ256G8NU +++++
--- User ---
[MBR] 0e9b1d77a22f14233d22634b0c42923b
[BSP] 9bdb9107c02f35c502358d1c4717aba7 : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 600 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1230848 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1845248 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2107392 | Size: 227225 MB
4 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 467464192 | Size: 15944 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: WDC WD10JPVX-22JC3T0 +++++
--- User ---
[MBR] d1a3471f87126fe541b906e08f2845ad
[BSP] 7d1e518d303a766dea9f1734ae7ceea5 : Empty|VT.Unknown MBR Code
Partition table:
0 - Basic data partition | Offset (sectors): 2048 | Size: 953868 MB
User = LL1 ... OK
User = LL2 ... OK

  • 0

#25
rm15

rm15

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

A couple of things... RIGHT clocking on the scanner did not provide a "Start Scan" option, so I selected "run as administrator" and then ran it using the button in the program.

 

After it was done scanning, it launched the following page: http://www.adlice.com/remove-pum/basically instructing me how to remove PUM. I did not do anything it instructed.  Just letting you know. 

 

Waiting for you reply before doing anything else.  


  • 0

Advertisements


#26
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,894 posts
  • MVP

Go ahead and let RK remove everything it found.


  • 0

#27
rm15

rm15

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

Done... looks like it removed everything.  

 

I guess at this point just test and see if I have more issues?  If so, I will report back :) later today or tomorrow when I've had a chance to really use the browser.  But if there is anything else I should do, happy to do it. 


  • 0

#28
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,894 posts
  • MVP

It wouldn't hurt to run DISM & SFC to make sure nothing in Windows has been messed with:

 

Open an elevated command prompt:
 
 
 
If you open an elevated command prompt it will by default open in c:\Windows\system32
 
Once you have an elevated command prompt:
 
Type(with an Enter after each line):
 DISM  /Online  /Cleanup-Image  /RestoreHealth
 
 (I use two spaces so you can be sure to see where one space goes.)
This will take a while to complete.  Once the prompt returns:
 
Reboot.  Open an elevated Command Prompt again and type (with an Enter after the line):
sfc  /scannow
 
 
 
This will also take a few minutes.  
 
When it finishes it will say one of the following:
 
Windows did not find any integrity violations (a good thing)
Windows Resource Protection found corrupt files and repaired them (a good thing)
Windows Resource Protection found corrupt files but was unable to fix some (or all) of them (not a good thing)
 
 type:
 
findstr  /c:"[SR]"  \windows\logs\cbs\cbs.log  >  \junk.txt 
 
Hit Enter.  Then type::
 
 
notepad  \junk.txt 
 
Hit Enter. 
 
 Copy the text from notepad and paste it into a reply.
 
 
After you finish SFC, regardless of the result:
 
 
 
1. Please download the Event Viewer Tool by Vino Rosso
and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:
 
* System
4. Under 'Select type to list', select:
* Error
* Warning
 
 
Then use the 'Number of events' as follows:
 
 
1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.
 
 
Please post the Output log in your next reply then repeat but select Application.  (Each time you run VEW it overwrites the log so copy the first one to a Reply or rename it before running it a second time.)

  • 0

#29
rm15

rm15

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts

Sounds good.  Have to take off now though so will do this tonight and report back.  Thank you again!


  • 0

#30
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,894 posts
  • MVP

No hurry.


  • 0






Similar Topics


Also tagged with one or more of these keywords: Malware, Chrome

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP