
I have done my homework - now need your help please

Malware Chrome


#16 rm15 (Topic Starter, Member, 39 posts)

ADDITION.TXT

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Raffi (30-03-2017 10:23:51)
Running from C:\Users\Raffi\Desktop\FIX
Windows 8.1 (Update) (X64) (2015-01-08 21:38:07)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1372970940-966452781-916677827-500 - Administrator - Disabled)
Guest (S-1-5-21-1372970940-966452781-916677827-501 - Limited - Disabled)
Raffi (S-1-5-21-1372970940-966452781-916677827-1001 - Administrator - Enabled) => C:\Users\Raffi
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Norton Security (Disabled - Up to date) {30744133-1E94-7B35-F4A3-82A5AEF1CBAA}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton Security (Disabled - Up to date) {8B15A0D7-38AE-74BB-CE13-B9D7D5768117}
FW: Norton Security (Disabled) {084FC016-54FB-7A6D-DFFC-2B9050228CD1}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Acer Power Management (HKLM\...\{91F52DE4-B789-42B0-9311-A349F10E5479}) (Version: 7.00.8105 - Acer Incorporated)
Acer Recovery Management (HKLM\...\{07F2005A-8CAC-4A4B-83A2-DA98A722CA61}) (Version: 6.00.8108 - Acer Incorporated)
Adobe Acrobat DC (HKLM-x32\...\{AC76BA86-1033-FFFF-7760-0C0F074E4100}) (Version: 15.023.20070 - Adobe Systems Incorporated)
Brother MFL-Pro Suite MFC-9560CDW (HKLM-x32\...\{979742CC-2CBB-49D8-9BEE-C2F7875F5393}) (Version: 1.1.5.0 - Brother Industries, Ltd.)
Chrome Remote Desktop Host (HKLM-x32\...\{0F4FB60A-EBD8-445B-8117-128E8351647E}) (Version: 56.0.2924.51 - Google Inc.)
Dolby Digital Plus Home Theater (HKLM\...\{7E3D8FA1-6092-469A-955B-68FC4A2C67CA}) (Version: 7.6.3.1 - Dolby Laboratories Inc)
Google Chrome (HKU\S-1-5-21-1372970940-966452781-916677827-1001\...\Google Chrome) (Version: 57.0.2987.133 - Google Inc.)
Google Drive (HKLM-x32\...\{A1238426-ECDF-4639-BE2F-8D12A97AE23C}) (Version: 2.34.5075.1619 - Google, Inc.)
Google Earth (HKLM-x32\...\{F6430171-B86B-4639-839E-374913E7911D}) (Version: 7.1.8.3036 - Google)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
Intel® Chipset Device Software (x32 Version: 10.0.20 - Intel® Corporation) Hidden
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 10.0.0.1168 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3643 - Intel Corporation)
Intel® Update Manager (HKLM-x32\...\{AD6B46F2-FE21-496F-BE90-BE19AABE353C}) (Version: 2.2.12 - Intel Corporation)
Mediatek RT2870 Wireless LAN Card (HKLM-x32\...\{28DA7D8B-F9A4-4F18-8AA0-551B1E084D0D}) (Version: 1.5.38.101 - MediatekWiFi)
Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.7.133.0 - Microsoft Corporation)
Microsoft Office Home and Student 2013 - en-us (HKLM\...\HomeStudentRetail - en-us) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{d491dd9d-2eda-4d75-b504-1a201436e7fd}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Mozilla Firefox 34.0.5 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 34.0.5 (x86 en-US)) (Version: 34.0.5 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 45.8.0.6273 - Mozilla)
Mozilla Thunderbird 45.8.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 45.8.0 (x86 en-US)) (Version: 45.8.0 - Mozilla)
Nexus Ultimate 14.11 (HKLM-x32\...\Winstep Xtreme_is1) (Version:  - )
Norton Security (HKLM-x32\...\NS) (Version: 22.9.1.12 - Symantec Corporation)
novaPDF 8 add-in for Microsoft Office (x64) (HKLM\...\{37AFBFC0-AE39-425B-97CB-A90319D39A4B}) (Version: 8.1.921 - Softland)
novaPDF 8 add-in for Microsoft Office (x86) (HKLM-x32\...\{056A3023-0724-49F0-82F8-88A1F0783D53}) (Version: 8.1.921 - Softland)
NVIDIA GeForce Experience 2.4.5.44 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.4.5.44 - NVIDIA Corporation)
NVIDIA Graphics Driver 347.52 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 347.52 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.14.0702 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.14.0702 - NVIDIA Corporation)
Office 15 Click-to-Run Licensing Component (Version: 15.0.4569.1506 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4569.1506 - Microsoft Corporation) Hidden
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.1.322 - Qualcomm Atheros Communications)
Qualcomm Atheros WLAN and Bluetooth Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 12.33 - Qualcomm Atheros)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.3.9600.39059 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.32.508.2014 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7260 - Realtek Semiconductor Corp.)
SHIELD Streaming (Version: 4.1.2000 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (Version: 2.4.5.44 - NVIDIA Corporation) Hidden
Skype™ 7.30 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.30.105 - Skype Technologies S.A.)
Software Update Wizard (Redistributable) 4.5 (HKLM-x32\...\Software Update Wizard (Redistributable)) (Version: 4.5 - PowerProgrammer)
Sonos Controller (HKLM-x32\...\{7BBA9BF8-05DF-47D8-8880-82A9B99505B9}) (Version: 35.3.39010 - Sonos, Inc.)
SplashID Safe 7.2.4 (HKLM-x32\...\SplashID Safe) (Version: 7.2.4 - SplashData)
Spotify (HKU\S-1-5-21-1372970940-966452781-916677827-1001\...\Spotify) (Version: 1.0.45.186.g3b5036d6 - Spotify AB)
StartIsBack+ (HKU\S-1-5-21-1372970940-966452781-916677827-1001\...\StartIsBack) (Version: 1.7 - startisback.com)
Unity Web Player (HKU\S-1-5-21-1372970940-966452781-916677827-1001\...\UnityWebPlayer) (Version: 5.3.7f1 - Unity Technologies ApS)
Yahoo Messenger (HKU\S-1-5-21-1372970940-966452781-916677827-1001\...\yahoomessenger) (Version: 0.8.231 - Yahoo! Inc)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{61625667-893E-4707-B925-A82B528C00B9}\InprocServer32 -> C:\Users\Raffi\AppData\Local\StartIsBack\StartIsBack64.dll (www.startisback.com)
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32 -> C:\Users\Raffi\AppData\Local\StartIsBack\StartIsBack64.dll (www.startisback.com)
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\InprocServer32 -> C:\Users\Raffi\AppData\Local\StartIsBack\StartIsBack64.dll (www.startisback.com)
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\Raffi\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InprocServer32 -> C:\Users\Raffi\AppData\Local\StartIsBack\StartIsBack64.dll (www.startisback.com)
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Raffi\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll (Google Inc.)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {04F89BF8-A7C9-4A27-9B5D-82822A832CEE} - System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe => C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2015-12-09] (Microsoft Corporation)
Task: {1D882325-E362-471E-8C38-88B0B404D67E} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton Security\Upgrade.exe [2017-03-16] (Symantec Corporation)
Task: {334FFF8E-2DDA-494C-B039-2EF768812EFD} - System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe => C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2015-12-09] (Microsoft Corporation)
Task: {462F1A1C-745C-4F45-9516-625366142B64} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-27] (Google Inc.)
Task: {49694A82-66EA-4845-98CE-8D370A1178C3} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1372970940-966452781-916677827-1001Core => C:\Users\Raffi\AppData\Local\Google\Update\GoogleUpdate.exe [2017-03-26] (Google Inc.)
Task: {4C46400E-6B73-445F-A45B-22F45477370E} - System32\Tasks\Microsoft_Hardware_Launch_itype_exe => C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2015-12-09] (Microsoft Corporation)
Task: {50796CE1-C0BA-46C5-9410-B421D9EBBA48} - System32\Tasks\Norton Security\Norton Security Error Processor => C:\Program Files (x86)\Norton Security\Engine\22.9.1.12\SymErr.exe [2017-02-20] (Symantec Corporation)
Task: {583233BC-7D8B-4F5A-BE0C-2444E46A9270} - System32\Tasks\Power Management => C:\Program Files\Acer\Acer Power Management\ePowerTrayLauncher.exe [2014-06-12] (Acer Incorporated)
Task: {5F26B7FA-7914-412A-8CB9-4A5F49C77B90} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-12-19] (Adobe Systems Incorporated)
Task: {703F5D18-1821-4CF2-9D1E-4E5C6047B95C} - System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe => C:\Program Files\Microsoft Mouse and Keyboard Center\mousekeyboardcenter.exe [2015-12-09] (Microsoft)
Task: {7658A0C9-245B-4D1D-A967-7C35EEAACF5B} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [2014-01-17] ()
Task: {8295A939-1F99-4CCD-B68F-C09FB8424C8E} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-27] (Google Inc.)
Task: {83A782A7-5307-4CD9-BA8D-108D4AB0F882} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473-Logon => C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [2014-01-17] ()
Task: {A18B2024-A522-4906-BBD1-11088AB13083} - System32\Tasks\Recovery Management\Notification => C:\Program Files\Acer\Acer Recovery Management\Notification\Notification.exe [2014-06-17] (Acer Incorporated)
Task: {ACEB3C48-6781-4D00-9F67-4F7DCB930D0A} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton Security\Engine\22.9.1.12\WSCStub.exe [2017-03-16] (Symantec Corporation)
Task: {BF12C8B9-F090-4923-8EC7-0E3A6DFE3DA0} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1372970940-966452781-916677827-1001UA => C:\Users\Raffi\AppData\Local\Google\Update\GoogleUpdate.exe [2017-03-26] (Google Inc.)
Task: {D47B4DDA-07A1-498F-B37B-BED508A70A9E} - System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe => C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2015-12-09] (Microsoft Corporation)
Task: {D9383B6A-E1B9-43B7-A99F-50CBBA9ABB3C} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2013-12-17] (Microsoft Corporation)
Task: {E9431CCC-0887-4C9D-9E94-510A19CEB747} - System32\Tasks\DolbySelectorTask => C:\Program Files\Dolby Digital Plus\ddp.exe [2014-04-07] (Dolby Laboratories Inc.)
Task: {F7BE031D-4707-4938-9845-B69382C3994E} - System32\Tasks\Norton Security\Norton Security Error Analyzer => C:\Program Files (x86)\Norton Security\Engine\22.9.1.12\SymErr.exe [2017-02-20] (Symantec Corporation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-02-11 01:26 - 2015-02-05 12:07 - 00117576 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2015-01-08 14:44 - 2013-10-31 18:13 - 00102568 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2015-01-08 14:44 - 2014-01-02 19:41 - 00621736 _____ () C:\Program Files\Microsoft Office 15\ClientX64\StreamServer.dll
2015-01-10 00:34 - 2010-03-15 16:18 - 00143360 _____ () C:\Windows\system32\BrSNMP64.dll
2015-01-08 14:44 - 2015-01-08 14:44 - 08878248 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2014-04-29 02:38 - 2014-04-29 02:38 - 00011264 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\Modules\ActivateDesktopDebugger\ActivateDesktopDebugger.dll
2014-04-29 02:35 - 2014-04-29 02:35 - 00086016 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\Modules\Map\MAP.dll
2014-04-29 02:42 - 2014-04-29 02:42 - 00012928 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe
2014-04-07 16:13 - 2014-04-07 16:13 - 00052096 _____ () C:\Program Files\Dolby Digital Plus\Dolby.DDP.Controls_Desktop.dll
2014-10-05 15:49 - 2013-10-01 02:09 - 00078880 _____ () C:\Program Files\Realtek\Audio\HDA\FMAPP.exe
2015-06-20 12:35 - 2015-06-03 14:06 - 00011920 _____ () C:\Program Files (x86)\NVIDIA Corporation\Update Core\detoured.dll
2016-08-10 11:14 - 2016-08-10 11:14 - 40523480 _____ () C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\libcef.dll
2017-03-30 10:21 - 2017-03-30 10:21 - 00098816 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32api.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00110080 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\pywintypes27.dll
2017-03-30 10:21 - 2017-03-30 10:21 - 00364544 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\pythoncom27.dll
2017-03-30 10:21 - 2017-03-30 10:21 - 00320512 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32com.shell.shell.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00914432 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\_hashlib.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 01176576 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\wx._core_.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00806400 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\wx._gdi_.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00816128 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\wx._windows_.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 01067008 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\wx._controls_.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00733184 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\wx._misc_.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00682496 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\pysqlite2._sqlite.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00088064 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\_ctypes.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00686080 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\unicodedata.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00119808 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32file.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00108544 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32security.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00007168 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\hashobjs_ext.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00017920 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\thumbnails_ext.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00088064 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\usb_ext.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00012800 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\common.time34.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00018432 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32event.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00167936 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32gui.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00046080 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\_socket.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 01303552 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\_ssl.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00128512 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\_elementtree.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00127488 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\pyexpat.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00038912 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32inet.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00036864 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\_psutil_windows.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00524248 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\windows._lib_cacheinvalidation.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00011264 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32crypt.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00123392 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\wx._wizard.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00077312 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\wx._html2.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00027648 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\_multiprocessing.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00020480 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\_yappi.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00035840 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32process.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00078848 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\wx._animate.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00024064 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32pipe.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00010240 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\select.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00025600 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32pdh.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00017408 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32profile.pyd
2017-03-30 10:21 - 2017-03-30 10:21 - 00022528 ____R () C:\Users\Raffi\AppData\Local\Temp\_MEI63802\win32ts.pyd
2015-01-19 19:28 - 2014-08-06 05:37 - 01203856 _____ () C:\Program Files (x86)\MediatekWiFi\Common\RaWLAPI.dll
2015-01-10 00:34 - 2009-02-27 17:38 - 00139264 ____R () C:\Program Files (x86)\Brother\BrUtilities\BrLogAPI.dll
2015-05-16 11:06 - 2015-05-16 11:06 - 01086176 _____ () C:\Program Files (x86)\Winstep\wodTelnetDLX.dll
2014-02-19 18:51 - 2014-02-19 18:51 - 01241560 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 06:25 - 2013-08-22 06:25 - 00000824 ____N C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1372970940-966452781-916677827-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Raffi\Google Drive\Pictures\Wallpaper\crane.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{B188B65E-B72E-4555-840C-34429D355F2F}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{0AA5D0D2-BC33-4E8C-888D-1EED19D16990}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{F716554D-E4E8-4A0A-9694-80554B556470}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{C6CD2C51-A721-4660-8A37-FD629E859D88}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{201AE150-878F-4338-8755-80C88655B4FA}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
FirewallRules: [{1E13F8D4-583E-410F-8CC5-4AFE101AB602}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
FirewallRules: [{930F0CB2-8DA0-40F4-9F95-BC6E336944B5}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{229288E7-24C7-4D29-8636-07EB4AFD0FAD}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{8B00A3D6-DF9A-416B-8350-F956344D731B}] => (Allow) C:\Program Files (x86)\Spotify\spotify.exe
FirewallRules: [{F928E59D-9765-433D-A820-FB74B096F2A6}] => (Allow) C:\Program Files (x86)\Spotify\spotify.exe
FirewallRules: [{7BB9D122-7ACA-4425-8B63-0DAF2944BF68}] => (Allow) C:\Program Files (x86)\Spotify\Data\SpotifyWebHelper.exe
FirewallRules: [{9EB8953E-F465-4C2E-9273-0AE91AF8CD16}] => (Allow) C:\Program Files (x86)\Spotify\Data\SpotifyWebHelper.exe
FirewallRules: [{930D049A-6224-4AC9-92B6-5BFE22129649}] => (Allow) C:\Program Files (x86)\Acer\abPhoto\DMCDaemon.exe
FirewallRules: [{F616F161-EC89-4589-A65C-0A7E2BFC1544}] => (Allow) C:\Program Files (x86)\Acer\abPhoto\DMCDaemon.exe
FirewallRules: [{F73F7032-341D-4044-BE51-733937FCFEF8}] => (Allow) C:\Program Files (x86)\Acer\abPhoto\WindowsUpnp.exe
FirewallRules: [{E865D6C3-8477-4159-BC08-5C4AD326DAC5}] => (Allow) C:\Program Files (x86)\Acer\abPhoto\WindowsUpnp.exe
FirewallRules: [{0E233115-AC6F-4444-8EF4-371C6AAD9D65}] => (Allow) C:\Program Files (x86)\Acer\abPhoto\DMCDaemon.exe
FirewallRules: [{F78ACAE2-B9FC-4A65-BE7A-7289C997A3A0}] => (Allow) C:\Program Files (x86)\Acer\abPhoto\DMCDaemon.exe
FirewallRules: [{24A519D5-6761-4A7C-8374-444859970D00}] => (Allow) C:\Program Files (x86)\Acer\abPhoto\WindowsUpnp.exe
FirewallRules: [{E8328229-5221-48DD-A5D8-39AE9E3502EE}] => (Allow) C:\Program Files (x86)\Acer\abPhoto\WindowsUpnp.exe
FirewallRules: [{90305B45-C9D4-43B4-BC07-7925E41ACD4F}] => (Allow) C:\Program Files (x86)\Acer\abMedia\DMCDaemon.exe
FirewallRules: [{AE42C872-CB4B-4F03-A621-643BD928AE75}] => (Allow) C:\Program Files (x86)\Acer\abMedia\DMCDaemon.exe
FirewallRules: [{21D39A8F-A59E-4D6A-A6D6-A293A9231201}] => (Allow) C:\Program Files (x86)\Acer\abMedia\WindowsUpnpMV.exe
FirewallRules: [{DB3D8D6D-0A7C-42FF-B5AA-F278E23F727B}] => (Allow) C:\Program Files (x86)\Acer\abMedia\WindowsUpnpMV.exe
FirewallRules: [{0552F933-40DB-44E2-BA65-5821335934B4}] => (Allow) C:\Program Files (x86)\Acer\abMedia\DMCDaemon.exe
FirewallRules: [{C6DC71C5-2161-478C-907C-23C54515DDA1}] => (Allow) C:\Program Files (x86)\Acer\abMedia\DMCDaemon.exe
FirewallRules: [{D08D581B-33FA-48B2-9FF0-A355A214F7F3}] => (Allow) C:\Program Files (x86)\Acer\abMedia\WindowsUpnpMV.exe
FirewallRules: [{192B5532-396C-4C15-8DA6-B44CCD8C4B9B}] => (Allow) C:\Program Files (x86)\Acer\abMedia\WindowsUpnpMV.exe
FirewallRules: [{F49CB3E7-4DC1-4F88-9946-686EA6C4FB50}] => (Allow) C:\Program Files (x86)\Acer\AOP Framework\acer\ccd.exe
FirewallRules: [{006A19CA-4380-4508-966A-16F6CB3927BC}] => (Allow) C:\Program Files (x86)\Acer\AOP Framework\acer\ccd.exe
FirewallRules: [{1F10411B-4EE1-4134-8943-8FB08149917B}] => (Allow) C:\Program Files (x86)\Acer\abPhoto_\DMCDaemon.exe
FirewallRules: [{4A745678-DDA4-4FE0-B127-9FDF1E971BE5}] => (Allow) C:\Program Files (x86)\Acer\abPhoto_\DMCDaemon.exe
FirewallRules: [{97AC1BB8-4F7F-4C81-8F54-519B6C8CEECD}] => (Allow) C:\Program Files (x86)\Acer\abPhoto_\WindowsUpnp.exe
FirewallRules: [{1076EFEB-64EC-4225-959E-8377114EAC29}] => (Allow) C:\Program Files (x86)\Acer\abPhoto_\WindowsUpnp.exe
FirewallRules: [{0E0BD877-D3B2-4EA6-B6E2-B1C6892654C2}] => (Allow) C:\Program Files (x86)\Acer\abMedia_\DMCDaemon.exe
FirewallRules: [{1325B03C-32EB-490A-9F5D-FCC97EFBD758}] => (Allow) C:\Program Files (x86)\Acer\abMedia_\DMCDaemon.exe
FirewallRules: [{489E14CA-ED54-4E82-9F92-46D8B0904247}] => (Allow) C:\Program Files (x86)\Acer\abMedia_\WindowsUpnpMV.exe
FirewallRules: [{45B33415-69D3-4D51-8892-73071F58FE09}] => (Allow) C:\Program Files (x86)\Acer\abMedia_\WindowsUpnpMV.exe
FirewallRules: [{A227B059-FA48-4843-BB4C-F0D6D3A42122}] => (Allow) C:\Program Files (x86)\Acer\abMedia_\DMCDaemon.exe
FirewallRules: [{1FFCE112-59BC-4698-AB88-EDFFC92BE777}] => (Allow) C:\Program Files (x86)\Acer\abMedia_\DMCDaemon.exe
FirewallRules: [{61B5DEA2-5B27-41CE-A4B1-D3B5DD475E14}] => (Allow) C:\Program Files (x86)\Acer\abMedia_\WindowsUpnpMV.exe
FirewallRules: [{2762CC07-FC27-4607-ADEA-A4FB3A47F8CD}] => (Allow) C:\Program Files (x86)\Acer\abMedia_\WindowsUpnpMV.exe
FirewallRules: [{3029A865-F52B-471E-8415-DAE38A1F92AC}] => (Allow) C:\Program Files (x86)\Acer\abMedia\DMCDaemon.exe
FirewallRules: [{95AF1486-A659-489D-BEA0-D8F0A68B971A}] => (Allow) C:\Program Files (x86)\Acer\abMedia\DMCDaemon.exe
FirewallRules: [{5652F13E-8A22-4F6D-BA30-606017E67CDC}] => (Allow) C:\Program Files (x86)\Acer\abMedia\WindowsUpnpMV.exe
FirewallRules: [{F5EC4F0C-CF60-45ED-8FC2-EEECE65C10BC}] => (Allow) C:\Program Files (x86)\Acer\abMedia\WindowsUpnpMV.exe
FirewallRules: [{483059F3-068C-447D-B24F-B07D52EEDABB}] => (Allow) C:\Program Files (x86)\Acer\abMedia\DMCDaemon.exe
FirewallRules: [{316D3348-8ADE-4257-8FC1-0362717360E5}] => (Allow) C:\Program Files (x86)\Acer\abMedia\DMCDaemon.exe
FirewallRules: [{601CDE2C-74DC-4E58-99F5-44AD6888332A}] => (Allow) C:\Program Files (x86)\Acer\abMedia\WindowsUpnpMV.exe
FirewallRules: [{07754E4A-9572-46A4-BD4E-C4B72586DBF1}] => (Allow) C:\Program Files (x86)\Acer\abMedia\WindowsUpnpMV.exe
FirewallRules: [{92749470-4858-40D2-9573-E533CD3B70F9}] => (Allow) C:\Program Files (x86)\Brother\Brmfl10e\FAXRX.exe
FirewallRules: [{5AED7FD1-2368-45EE-8A82-15B092F88DEE}] => (Allow) C:\Program Files (x86)\Brother\Brmfl10e\FAXRX.exe
FirewallRules: [{4BA70707-4253-436E-A246-060AF75E2D1A}] => (Allow) LPort=54925
FirewallRules: [{AFDB33D7-BEFD-40A6-AF9B-3E5A38EB61FC}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{2546105B-7ADA-4C12-81F4-D953DA7AC99A}] => (Allow) C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{E80F891B-D832-49E0-8EF3-52030AC55703}] => (Allow) C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{D9DF0246-A404-427C-8C71-9ADC585AF013}] => (Allow) C:\Program Files (x86)\SplashData\SplashID Safe\SplashID Safe.exe
FirewallRules: [{1C05C853-4F6A-4A62-A052-21DEFC0CE7C7}] => (Allow) C:\Program Files (x86)\SplashData\SplashID Safe\SplashID Safe.exe
FirewallRules: [{BE5E43DB-5815-4488-B392-AAD360109F44}] => (Allow) C:\Program Files (x86)\Sonos\Sonos.exe
FirewallRules: [{57816D73-65F6-48A5-B421-BA974A02F65F}] => (Allow) C:\Program Files (x86)\Sonos\Sonos.exe
FirewallRules: [{046BCA07-40CC-46AD-9E41-0251002CE1B3}] => (Allow) C:\Program Files (x86)\MediatekWiFi\Common\RaMediaServer.exe
FirewallRules: [{181D72E1-6A7C-419F-B773-4B44A4DD8DAD}] => (Allow) C:\Program Files (x86)\MediatekWiFi\Common\RaMediaServer.exe
FirewallRules: [{EABC3EAE-466C-4AC8-BE82-E35A5B2D198C}] => (Allow) C:\Program Files (x86)\MediatekWiFi\Common\RaUI.exe
FirewallRules: [TCP Query User{1BB85E22-735D-4800-9126-CB7BD549D788}C:\program files (x86)\splashdata\splashid safe\splashid safe.exe] => (Allow) C:\program files (x86)\splashdata\splashid safe\splashid safe.exe
FirewallRules: [UDP Query User{27CB2F88-D5CA-4F20-A863-FFF013EA2FC5}C:\program files (x86)\splashdata\splashid safe\splashid safe.exe] => (Allow) C:\program files (x86)\splashdata\splashid safe\splashid safe.exe
FirewallRules: [TCP Query User{ADC25FBB-802D-4D3F-AFE9-0719CC217CE3}C:\users\raffi\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\raffi\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{3D3AB909-FE3E-4AD0-921E-6BF159EC9BE0}C:\users\raffi\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\raffi\appdata\roaming\spotify\spotify.exe
FirewallRules: [{92A12606-8828-4690-9EC4-E57C4F90798B}] => (Allow) C:\Games\World_of_Tanks\WoTLauncher.exe
FirewallRules: [{549CF028-7364-4B8C-9814-DD3B38755302}] => (Allow) C:\Games\World_of_Tanks\WorldofTanks.exe
FirewallRules: [{5FDB82EC-8AAB-44D0-8A92-A133850ED085}] => (Allow) C:\Program Files (x86)\Google\Chrome Remote Desktop\56.0.2924.51\remoting_host.exe
FirewallRules: [{6004DB50-87E8-4484-BF41-49E79DD2FD58}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
14-03-2017 18:20:37 Restore Operation
22-03-2017 05:57:39 Scheduled Checkpoint
28-03-2017 20:04:38 Norton_Power_Eraser_20170328200438338
30-03-2017 08:31:53 JRT Pre-Junkware Removal
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
 
System errors:
=============
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-4710HQ CPU @ 2.50GHz
Percentage of memory in use: 8%
Total physical RAM: 16307.27 MB
Available physical RAM: 14858.02 MB
Total Virtual: 18739.27 MB
Available Virtual: 17275.54 MB
 
==================== Drives ================================
 
Drive c: (Acer) (Fixed) (Total:221.9 GB) (Free:166.38 GB) NTFS
Drive d: (DATA) (Fixed) (Total:931.51 GB) (Free:931.31 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 238.5 GB) (Disk ID: E0FF060F)
 
Partition: GPT.
 
========================================================
Disk: 1 (Size: 931.5 GB) (Disk ID: E0FF0617)
 
Partition: GPT.
 
==================== End of Addition.txt ============================

  • 0



#17 rm15 (Member, Topic Starter, 39 posts)

Will test again and post if all is well.  Did you see anything in the log file indicating that a virus was detected and removed??


  • 0

#18 RKinner (Malware Expert, MVP, 24,624 posts)

OK.  You didn't post the whole fixlog but I can see from the FRST logs that it ran.  


  • 0

#19 rm15 (Member, Topic Starter, 39 posts)

Sorry... here is the full fix log again!

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Raffi (30-03-2017 10:19:49) Run:1
Running from C:\Users\Raffi\Desktop\FIX
Loaded Profiles: Raffi (Available Profiles: Raffi)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
HKU\S-1-5-21-1372970940-966452781-916677827-1001\...\Run: [61F2E14DF1D88F32A2319B97D9176FED7BD436A5._service_run] => "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=service /prefetch:8
HKU\S-1-5-21-1372970940-966452781-916677827-1001\...\MountPoints2: {25758df2-ee32-11e5-82bb-206a8a9e3bd3} - "E:\windows\AutoRun.exe" 
SearchScopes: HKU\S-1-5-21-1372970940-966452781-916677827-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
R2 WebUpdate4; C:\Windows\SysWOW64\WebUpdateSvc4.exe [262360 2008-09-15] (Data Perceptions / PowerProgrammer)
R2 Winstep Xtreme Service; C:\Program Files (x86)\Winstep\WsxService [X]
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Raffi\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Raffi\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Raffi\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Raffi\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Raffi\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Raffi\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Raffi\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
ShortcutWithArgument: C:\Users\Raffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google\Chrome Apps\Chrome Remote Desktop.lnk -> C:\Users\Raffi\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory="Profile 3" --app-id=gbchcmhmhahfdphkhkmpfmihenigjmpp
ShortcutWithArgument: C:\Users\Raffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google\Chrome Apps\Google Keep - notes and lists.lnk -> C:\Users\Raffi\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory="Profile 3" --app-id=hmjkmjkepdijhoojdojkdfohbdgmmhki
ShortcutWithArgument: C:\Users\Raffi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\c99253a6a8da5785\Google Chrome.lnk -> C:\Users\Raffi\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 3"
ShortcutWithArgument: C:\Users\Raffi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\82aa784c932b6712\Google Chrome.lnk -> C:\Users\Raffi\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 1"
ShortcutWithArgument: C:\Users\Raffi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\4958c7c8cc71330d\Google Chrome.lnk -> C:\Users\Raffi\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory=Default
EmptyTemp:
CMD: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
*****************
 
HKU\S-1-5-21-1372970940-966452781-916677827-1001\Software\Microsoft\Windows\CurrentVersion\Run\\61F2E14DF1D88F32A2319B97D9176FED7BD436A5._service_run => value removed successfully
HKU\S-1-5-21-1372970940-966452781-916677827-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{25758df2-ee32-11e5-82bb-206a8a9e3bd3} => key removed successfully
HKCR\CLSID\{25758df2-ee32-11e5-82bb-206a8a9e3bd3} => key not found. 
HKU\S-1-5-21-1372970940-966452781-916677827-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
WebUpdate4 => Unable to stop service.
HKLM\System\CurrentControlSet\Services\WebUpdate4 => key removed successfully
WebUpdate4 => service removed successfully
Winstep Xtreme Service => Unable to stop service.
HKLM\System\CurrentControlSet\Services\Winstep Xtreme Service => key removed successfully
Winstep Xtreme Service => service removed successfully
HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448} => key removed successfully
HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E} => key removed successfully
HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98} => key removed successfully
HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A} => key removed successfully
HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2} => key removed successfully
HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9} => key removed successfully
HKU\S-1-5-21-1372970940-966452781-916677827-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF} => key removed successfully
C:\Users\Raffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google\Chrome Apps\Chrome Remote Desktop.lnk => Shortcut argument removed successfully.
C:\Users\Raffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google\Chrome Apps\Google Keep - notes and lists.lnk => Shortcut argument removed successfully.
C:\Users\Raffi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\c99253a6a8da5785\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Raffi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\82aa784c932b6712\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Raffi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\4958c7c8cc71330d\Google Chrome.lnk => Shortcut argument removed successfully.
 
========= for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" =========
 
Failed to clear log Microsoft-Windows-USBVideo/Analytic. The instance name passed was not recognized as valid by a WMI data provider.
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 187939851 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 4492585 B
Edge => 0 B
Chrome => 320054797 B
Firefox => 161795182 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 94707 B
systemprofile32 => 128 B
LocalService => 6376136 B
NetworkService => 139888 B
Raffi => 229558498 B
 
RecycleBin => 80434 B
EmptyTemp: => 868.4 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 10:20:17 ====

  • 0

#20 rm15 (Member, Topic Starter, 39 posts)

Do you see any real risks that were identified and deleted?


  • 0

#21 RKinner (Malware Expert, MVP, 24,624 posts)

You had some funny shortcuts which might have been the problem.

 

Let's run Rogue Killer to make sure there is nothing left:

Portable 64 bits  <==Use this one

Download and Save.

Right click on the downloaded file (RogueKillerX64.exe or RogueKiller.exe)

Start Scan
 
Will take about 20 minutes to complete.
 
Open Report
Export TXT (save it to your desktop as rk) Save
 
Do not let Rogue Killer remove anything until you hear from me.  Leave Rogue Killer up (but minimized) so you won't have to rescan.
 
Open rk.txt and copy and paste it to your next Reply. 

  • 0
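The "funny shortcuts" are the ShortcutWithArgument entries in the fixlog above: browser .lnk files carrying extra command-line arguments, which FRST stripped. As an added example (not FRST's or RogueKiller's code), the parser below reads the argument string out of a .lnk file following the MS-SHLLINK layout and triages it; make_lnk builds constructed test input, and the keyword list used for the verdict is this example's own assumption.

```python
from __future__ import annotations
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1).
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR = 0x04, 0x08, 0x10
HAS_ARGS, HAS_ICON, IS_UNICODE = 0x20, 0x40, 0x80
# CLSID {00021401-0000-0000-C000-000000000046} as it is stored on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_ORDER = (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON)

def lnk_arguments(data: bytes) -> str | None:
    """Return the COMMAND_LINE_ARGUMENTS string of a .lnk, or None if absent."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                  # end of the fixed-size header
    if flags & HAS_ID_LIST:                   # IDListSize (2 bytes) + item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1    # UTF-16LE or system ANSI code page
    args = None
    for flag in STRING_ORDER:                 # StringData sections, fixed order
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        if flag == HAS_ARGS:
            args = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return args

def review_shortcut(data: bytes) -> str:
    """Triage one shortcut as 'clean', 'review' or 'suspicious'.
    A URL or a second program in the arguments is the classic browser-shortcut
    hijack (the real browser starts, but on someone else's page); other switches,
    like the profile/app-id ones in the fixlog above, deserve a look but are often
    legitimate. The keyword list is this example's own assumption."""
    args = lnk_arguments(data)
    if not args:
        return "clean"
    low = args.lower()
    if any(m in low for m in ("http://", "https://", ".exe", ".bat", ".vbs")):
        return "suspicious"
    return "review"

def make_lnk(args: str | None, rel_path: str = "chrome.exe") -> bytes:
    """Build a minimal Unicode .lnk: constructed test input, not a real file."""
    flags = HAS_REL_PATH | IS_UNICODE | (HAS_ARGS if args is not None else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(76, b"\0")
    def field(text: str) -> bytes:            # CountCharacters + UTF-16LE chars
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + field(rel_path) + (field(args) if args is not None else b"")
```

Run review_shortcut over the bytes of each .lnk under the Start Menu and Quick Launch folders listed in the fixlog to get the same picture FRST's ShortcutWithArgument lines give.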

#22 rm15 (Member, Topic Starter, 39 posts)

On it


  • 0

#23 rm15 (Member, Topic Starter, 39 posts)

RK.TXT


  • 0

#24 rm15 (Member, Topic Starter, 39 posts)

Oops... again, RK.TXT

 

 

 

RogueKiller V12.10.2.0 (x64) [Mar 27 2017] (Free) by Adlice Software
 
Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Raffi [Administrator]
Started from : C:\Users\Raffi\Desktop\RogueKillerX64.exe
Mode : Scan -- Date : 03/30/2017 11:01:49 (Duration : 00:11:04)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 4 ¤¤¤
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1372970940-966452781-916677827-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-1372970940-966452781-916677827-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1372970940-966452781-916677827-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1372970940-966452781-916677827-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][Chrome:Config] Profile 3 [SecurePrefs] : session.startup_urls [http://www.protopage.com/basturma]-> Found
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA THNSNJ256G8NU +++++
--- User ---
[MBR] 0e9b1d77a22f14233d22634b0c42923b
[BSP] 9bdb9107c02f35c502358d1c4717aba7 : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 600 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1230848 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1845248 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2107392 | Size: 227225 MB
4 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 467464192 | Size: 15944 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: WDC WD10JPVX-22JC3T0 +++++
--- User ---
[MBR] d1a3471f87126fe541b906e08f2845ad
[BSP] 7d1e518d303a766dea9f1734ae7ceea5 : Empty|VT.Unknown MBR Code
Partition table:
0 - Basic data partition | Offset (sectors): 2048 | Size: 953868 MB
User = LL1 ... OK
User = LL2 ... OK

  • 0

#25 rm15 (Member, Topic Starter, 39 posts)

A couple of things... RIGHT clicking on the scanner did not provide a "Start Scan" option, so I selected "run as administrator" and then ran it using the button in the program.

After it was done scanning, it launched the following page: http://www.adlice.com/remove-pum/ basically instructing me how to remove PUM. I did not do anything it instructed.  Just letting you know.

Waiting for your reply before doing anything else.


  • 0



#26 RKinner (Malware Expert, MVP, 24,624 posts)

Go ahead and let RK remove everything it found.


  • 0

#27 rm15 (Member, Topic Starter, 39 posts)

Done... looks like it removed everything.  

 

I guess at this point just test and see if I have more issues?  If so, I will report back :) later today or tomorrow when I've had a chance to really use the browser.  But if there is anything else I should do, happy to do it. 


  • 0

#28 RKinner (Malware Expert, MVP, 24,624 posts)

It wouldn't hurt to run DISM & SFC to make sure nothing in Windows has been messed with:

 

Open an elevated command prompt:
 
 
 
If you open an elevated command prompt it will by default open in c:\Windows\system32
 
Once you have an elevated command prompt:
 
Type(with an Enter after each line):

 DISM  /Online  /Cleanup-Image  /RestoreHealth
 
 (I use two spaces so you can be sure to see where one space goes.)
This will take a while to complete.  Once the prompt returns:
 
Reboot.  Open an elevated Command Prompt again and type (with an Enter after the line):

sfc  /scannow
 
 
 
This will also take a few minutes.  
 
When it finishes it will say one of the following:
 
Windows did not find any integrity violations (a good thing)
Windows Resource Protection found corrupt files and repaired them (a good thing)
Windows Resource Protection found corrupt files but was unable to fix some (or all) of them (not a good thing)
 
 type:
 
findstr  /c:"[SR]"  \windows\logs\cbs\cbs.log  >  \junk.txt 
 
Hit Enter.  Then type:
 
 
notepad  \junk.txt 
 
Hit Enter. 
 
 Copy the text from notepad and paste it into a reply.
 
 
After you finish SFC, regardless of the result:
 
 
 
1. Please download the Event Viewer Tool by Vino Rosso and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
2. Type 20 in the 1 to 20 box
3. Then click the Run button.
Notepad will open with the output log.

Please post the Output log in your next reply then repeat but select Application.  (Each time you run VEW it overwrites the log so copy the first one to a Reply or rename it before running it a second time.)

  • 0

#29 rm15 (Member, Topic Starter, 39 posts)

Sounds good.  Have to take off now though so will do this tonight and report back.  Thank you again!


  • 0

#30 RKinner (Malware Expert, MVP, 24,624 posts)

No hurry.


  • 0
