Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

multiple unknown processes unable to kill them or open spybot or spywa


  • Please log in to reply

#1
r55741

r55741

    Member

  • Member
  • PipPip
  • 66 posts

Hello folks

i have a win 7 64 bit device that started displaying a lot of pop ups. tried running spybot and spyware blaster but I am unable to open them as well as other antimalware exe's.  I did run malwarebytes and that cleaned a lot of stuff but problems still persist

 

I am also unable to kill some processes.

 

here are my logs

 

from FRST

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 30-11-2017
Ran by any (administrator) on ANY-PC (03-12-2017 12:46:00)
Running from C:\Users\any\Desktop
Loaded Profiles: any (Available Profiles: any)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser not detected!)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(TOSHIBA CORPORATION) C:\Windows\System32\dwezmovsvc.exe1
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnat.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnetdhcp.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
() C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe
() C:\Users\any\AppData\Local\pwoivba\pwoivba.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Reimage®) C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe
(Reimage®) C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe
() C:\Users\any\AppData\Local\pwoivba\tismvhl.exe
() C:\Users\any\AppData\Local\pwoivba\tismvhl.exe
() C:\Users\any\AppData\Local\pwoivba\tismvhl.exe
() C:\Users\any\AppData\Local\pwoivba\tismvhl.exe
() C:\Users\any\AppData\Local\pwoivba\tismvhl.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [698712 2013-02-21] (Alps Electric Co., Ltd.)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [113656 2013-01-23] (Intel Corporation)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4174464 2017-05-23] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [vmware-tray.exe] => C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe [104128 2015-10-18] (VMware, Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [10024624 2017-11-08] (Piriform Ltd)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\Parameters: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{0C6985E1-1667-415A-B8DB-5171049BFE5E}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{11269F51-7019-4C34-A30D-7BD50404B7AF}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{5812E880-62D4-4E47-BC5A-0AD777C8A9C7}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{5812E880-62D4-4E47-BC5A-0AD777C8A9C7}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{6E627F9B-B832-405D-B0AB-F2F42EDE8F7C}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{8D60680D-1169-444D-8E2D-F1A706293515}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{971C1E7E-B445-4875-93E4-AD13EC7B7628}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{AB434DF6-B1AF-42A3-B960-0CE5545B86EF}: [NameServer] 8.8.8.8

Internet Explorer:
==================
HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.dell.com
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_144\bin\ssv.dll [2017-10-05] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_144\bin\jp2ssv.dll [2017-10-05] (Oracle Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2006-10-26] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: h2cs3zsa.default
FF ProfilePath: C:\Users\any\AppData\Roaming\Mozilla\Firefox\Profiles\h2cs3zsa.default [2017-12-03]
FF Extension: (Adblock Plus) - C:\Users\any\AppData\Roaming\Mozilla\Firefox\Profiles\h2cs3zsa.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2017-12-03]
FF Extension: (Disable Media WMF NV12 format) - C:\Users\any\AppData\Roaming\Mozilla\Firefox\Profiles\h2cs3zsa.default\features\{ffa400d2-9eca-4c42-91ff-dda8aad4a55e}\[email protected] [2017-12-02] [Lagacy]
FF Plugin: @java.com/DTPlugin,version=11.144.2 -> C:\Program Files\Java\jre1.8.0_144\bin\dtplugin\npDeployJava1.dll [2017-10-05] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.144.2 -> C:\Program Files\Java\jre1.8.0_144\bin\plugin2\npjp2.dll [2017-10-05] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.38 -> C:\Program Files (x86)\Intel\Services\IPT\npIntelWebAPIIPT.dll [2012-05-21] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Services\IPT\npIntelWebAPIUpdater.dll [2012-05-21] (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
S4 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [268704 2017-03-21] ()
R4 ReimageRealTimeProtector; C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [8602992 2017-09-11] (Reimage®)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1776864 2017-05-23] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2131760 2017-05-23] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [233936 2017-05-23] (Safer-Networking Ltd.)
S4 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [10803440 2017-08-29] (TeamViewer GmbH)
R2 VMwareHostd; C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [12465856 2015-10-18] ()
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3750304 2017-03-21] (Intel® Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [119680 2017-03-08] (Future Technology Devices International Ltd.)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [193464 2017-12-02] (Malwarebytes)
S3 MBAMProtection; C:\Windows\System32\DRIVERS\mbam.sys [46008 2017-12-03] (Malwarebytes)
R1 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253880 2017-12-02] (Malwarebytes)
R3 NETwNs64; C:\Windows\System32\DRIVERS\NETwsw01.sys [11534096 2015-05-04] (Intel Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2017-12-03] ()
R3 VBoxNetAdp; C:\Windows\System32\DRIVERS\VBoxNetAdp6.sys [200832 2017-11-22] (Oracle Corporation)
R1 VBoxNetLwf; C:\Windows\System32\DRIVERS\VBoxNetLwf.sys [211704 2017-11-22] (Oracle Corporation)
R2 VMparport; C:\Windows\system32\drivers\VMparport.sys [31936 2015-10-18] (VMware, Inc.)
R0 vsock; C:\Windows\System32\drivers\vsock.sys [75512 2015-10-18] (VMware, Inc.)
R2 vstor2-mntapi20-shared; C:\Windows\SysWow64\drivers\vstor2-mntapi20-shared.sys [34520 2015-07-09] (VMware, Inc.)
S1 5ec7dc23dedda4bd1c85308a0d1b524a; \??\C:\Windows\system32\drivers\5ec7dc23dedda4bd1c85308a0d1b524a.sys [X]
R3 udiskMgr; system32\drivers\fjmpsw.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-12-03 12:45 - 2017-05-01 06:25 - 001458856 _____ (Sysinternals - www.sysinternals.com) C:\Users\any\Desktop\procexp64.exe
2017-12-03 12:41 - 2017-12-03 12:46 - 000010338 _____ C:\Users\any\Desktop\FRST.txt
2017-12-03 12:41 - 2017-12-03 12:46 - 000000000 ____D C:\FRST
2017-12-03 12:41 - 2017-12-03 12:41 - 002391552 _____ (Farbar) C:\Users\any\Desktop\FRST64.exe
2017-12-03 12:20 - 2017-12-03 12:20 - 000004266 _____ C:\Windows\System32\Tasks\ReimageUpdater
2017-12-03 12:20 - 2017-12-03 12:20 - 000000000 ____D C:\ProgramData\Reimage Protector
2017-12-03 12:20 - 2017-12-03 12:20 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Reimage Repair
2017-12-03 12:20 - 2017-12-03 12:20 - 000000000 ____D C:\Program Files\Reimage
2017-12-03 12:19 - 2017-12-03 12:21 - 000000150 _____ C:\Windows\Reimage.ini
2017-12-03 12:19 - 2017-12-03 12:21 - 000000000 ____D C:\rei
2017-12-03 12:19 - 2017-12-03 12:19 - 000605424 _____ (Reimage) C:\Users\any\Downloads\ReimageRepair.exe
2017-12-03 12:09 - 2017-12-03 12:45 - 000003325 _____ C:\Users\any\Desktop\Processes.txt
2017-12-03 12:08 - 2017-12-03 12:09 - 000000674 _____ C:\Users\any\Desktop\processname.vbs
2017-12-03 12:06 - 2017-12-03 12:06 - 000532480 _____ (Trend Micro Incorporated) C:\Users\any\Downloads\cwshredder.exe
2017-12-03 12:02 - 2017-12-03 12:02 - 004291320 _____ (BrightFort LLC ) C:\Users\any\Downloads\spywareblastersetup55(2).exe
2017-12-03 12:02 - 2017-12-03 12:02 - 004291320 _____ (BrightFort LLC ) C:\Users\any\Downloads\spywareblastersetup55(1).exe
2017-12-03 12:01 - 2017-12-03 12:01 - 000000000 ____D C:\Users\any\AppData\Local\CrashDumps
2017-12-03 11:56 - 2017-12-03 11:56 - 000028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2017-12-03 11:56 - 2017-12-03 11:56 - 000000858 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2017-12-03 11:56 - 2017-12-03 11:56 - 000000000 ____D C:\ProgramData\RogueKiller
2017-12-03 11:56 - 2017-12-03 11:56 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2017-12-03 11:55 - 2017-12-03 11:56 - 000000000 ____D C:\Program Files\RogueKiller
2017-12-03 11:55 - 2017-12-03 11:55 - 036146872 _____ (Adlice Software ) C:\Users\any\Downloads\setup.exe
2017-12-03 11:25 - 2017-12-03 11:26 - 482629632 _____ C:\Users\any\Desktop\naugatx8620160902.iso
2017-12-03 11:17 - 2017-12-03 11:17 - 000030404 _____ C:\ProgramData\agent.uninstall.1512321414.bdinstall.bin
2017-12-03 00:07 - 2017-12-03 07:48 - 000000000 ____D C:\Users\any\Downloads\Android 4.0.1 Ice Cream Sandwich Virtual Machine
2017-12-03 00:06 - 2017-12-03 00:13 - 477644890 _____ C:\Users\any\Downloads\naugatx8620160902.iso.bz2
2017-12-02 23:45 - 2017-12-02 23:45 - 000000000 ____D C:\Users\any\Documents\Virtual Machines
2017-12-02 23:40 - 2017-12-03 11:53 - 000000000 ____D C:\Users\any\AppData\LocalLow\Mozilla
2017-12-02 23:40 - 2017-12-02 23:40 - 000000000 ____D C:\Users\any\AppData\Roaming\Mozilla
2017-12-02 23:39 - 2017-12-02 23:44 - 000000000 ____D C:\Users\any\AppData\Local\Mozilla
2017-12-02 23:39 - 2017-12-02 23:39 - 000311256 _____ (Mozilla) C:\Users\any\Downloads\Firefox Installer.exe
2017-12-02 23:39 - 2017-12-02 23:39 - 000000936 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2017-12-02 23:39 - 2017-12-02 23:39 - 000000924 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2017-12-02 23:39 - 2017-12-02 23:39 - 000000000 ____D C:\Program Files\Mozilla Firefox
2017-12-02 23:39 - 2017-12-02 23:39 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-12-02 23:35 - 2017-12-03 12:01 - 000000000 ____D C:\Users\any\AppData\Roaming\VMware
2017-12-02 23:35 - 2017-12-03 12:01 - 000000000 ____D C:\Users\any\AppData\Local\VMware
2017-12-02 23:28 - 2017-12-02 23:28 - 000142136 ____N C:\Windows\system32\Drivers\exkxadgk.sys
2017-12-02 23:23 - 2015-10-18 18:33 - 000066752 _____ (VMware, Inc.) C:\Windows\system32\Drivers\vmx86.sys
2017-12-02 23:23 - 2015-10-18 18:33 - 000031936 _____ (VMware, Inc.) C:\Windows\system32\Drivers\VMparport.sys
2017-12-02 23:23 - 2015-10-18 17:53 - 000075512 _____ (VMware, Inc.) C:\Windows\system32\Drivers\vsock.sys
2017-12-02 23:23 - 2015-10-18 17:53 - 000068288 _____ (VMware, Inc.) C:\Windows\system32\vsocklib.dll
2017-12-02 23:23 - 2015-10-18 17:53 - 000064192 _____ (VMware, Inc.) C:\Windows\SysWOW64\vsocklib.dll
2017-12-02 23:21 - 2015-10-18 18:33 - 000934080 _____ (VMware, Inc.) C:\Windows\system32\vnetlib64.dll
2017-12-02 23:21 - 2015-10-18 18:33 - 000391872 _____ (VMware, Inc.) C:\Windows\SysWOW64\vmnat.exe
2017-12-02 23:21 - 2015-10-18 18:33 - 000358080 _____ (VMware, Inc.) C:\Windows\SysWOW64\vmnetdhcp.exe
2017-12-02 23:21 - 2015-10-18 18:11 - 000026816 _____ (VMware, Inc.) C:\Windows\system32\Drivers\vmnetuserif.sys
2017-12-02 23:21 - 2015-10-06 08:02 - 000057536 _____ (VMware, Inc.) C:\Windows\system32\Drivers\hcmon.sys
2017-12-02 23:19 - 2017-12-02 23:19 - 000001024 _____ C:\Windows\SysWOW64\%TMP%
2017-12-02 23:18 - 2017-12-02 23:18 - 000001203 _____ C:\Users\Public\Desktop\VMware Workstation Pro.lnk
2017-12-02 23:18 - 2017-12-02 23:18 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VMware
2017-12-02 23:18 - 2017-12-02 23:18 - 000000000 ____D C:\Program Files\Common Files\VMware
2017-12-02 23:15 - 2017-12-03 11:15 - 000000000 ____D C:\ProgramData\VMware
2017-12-02 23:15 - 2017-12-02 23:15 - 000000000 ____D C:\Users\Public\Documents\Shared Virtual Machines
2017-12-02 23:15 - 2017-12-02 23:15 - 000000000 ____D C:\Program Files (x86)\VMware
2017-12-02 22:57 - 2017-12-02 23:02 - 295212528 _____ (Emsisoft Ltd. ) C:\Users\any\Downloads\EmsisoftAntiMalwareSetup.exe
2017-12-02 22:55 - 2017-12-02 22:55 - 000048459 _____ C:\ProgramData\agent.1512276895.bdinstall.bin
2017-12-02 22:54 - 2017-12-03 11:17 - 000000000 ____D C:\Program Files\Bitdefender Agent
2017-12-02 22:54 - 2017-12-02 22:55 - 000000000 ____D C:\ProgramData\Bitdefender Agent
2017-12-02 22:53 - 2017-12-02 22:53 - 009932672 _____ C:\Users\any\Downloads\bitdefender_online.exe
2017-12-02 22:33 - 2017-12-02 22:33 - 000003872 _____ C:\Windows\System32\Tasks\CCleaner Update
2017-12-02 22:33 - 2017-12-02 22:33 - 000002782 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2017-12-02 22:33 - 2017-12-02 22:33 - 000000822 _____ C:\Users\Public\Desktop\CCleaner.lnk
2017-12-02 22:33 - 2017-12-02 22:33 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2017-12-02 22:33 - 2017-12-02 22:33 - 000000000 ____D C:\Program Files\CCleaner
2017-12-02 22:32 - 2017-12-02 22:32 - 010849904 _____ (Piriform Ltd) C:\Users\any\Downloads\ccsetup537.exe
2017-12-02 22:29 - 2017-12-02 22:29 - 004291320 _____ (BrightFort LLC ) C:\Users\any\Downloads\spywareblastersetup55.exe
2017-12-02 22:15 - 2017-12-02 22:15 - 000001395 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2017-12-02 22:15 - 2017-12-02 22:15 - 000001383 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2017-12-02 22:15 - 2017-12-02 22:15 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2017-12-02 22:14 - 2017-05-23 09:22 - 000032240 _____ (Safer-Networking Ltd.) C:\Windows\system32\sdnclean64.exe
2017-12-02 22:02 - 2017-12-02 22:02 - 000001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-12-02 22:02 - 2017-12-02 22:02 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-12-02 22:02 - 2017-12-02 22:02 - 000000000 ____D C:\ProgramData\MB3CoreBackup
2017-12-02 22:02 - 2017-11-01 08:54 - 000077432 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-12-02 21:57 - 2017-12-02 21:57 - 000000085 _____ C:\Windows\wininit.ini
2017-12-02 21:51 - 2017-12-03 11:15 - 000046008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-12-02 21:51 - 2017-12-02 22:02 - 000253880 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2017-12-02 21:51 - 2017-12-02 22:02 - 000193464 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2017-12-02 21:51 - 2017-12-02 22:02 - 000000000 ____D C:\ProgramData\Malwarebytes
2017-12-02 21:51 - 2017-12-02 21:51 - 000000000 ____D C:\Program Files\Malwarebytes
2017-12-02 20:54 - 2017-12-02 20:17 - 000001282 _____ C:\Windows\system32\Drivers\etc\hosts.20171202-205444.backup
2017-12-02 20:50 - 2017-12-03 11:18 - 000000000 ____D C:\Windows\pss
2017-12-02 20:47 - 2017-12-02 22:15 - 000000000 ____D C:\ProgramData\Spybot - Search & Destroy
2017-12-02 20:47 - 2017-12-02 22:15 - 000000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2017-12-02 20:34 - 2017-12-02 22:34 - 000000000 ____D C:\Windows\Minidump
2017-12-02 20:31 - 2017-12-02 20:31 - 015399836 ____T C:\Windows\SysWOW64\mfs3E1.tmp
2017-12-02 20:30 - 2017-12-02 20:31 - 000000000 ____T C:\Windows\SysWOW64\mfs7798.tmp
2017-12-02 20:25 - 2017-12-02 20:25 - 000000000 ____D C:\Users\any\AppData\Roaming\Macromedia
2017-12-02 20:21 - 2017-12-03 12:03 - 000000000 ____D C:\Users\any\AppData\Local\sceikdl
2017-12-02 20:21 - 2017-12-02 20:21 - 000000000 ____D C:\Users\any\AppData\Local\CEF
2017-12-02 20:19 - 2017-12-02 20:19 - 000018772 _____ C:\Users\any\Downloads\O-Demonoid_www.Demonoid.pw-O_VMware_Workstation_Pro_14_0_0_Build_6661328_License_Keys_[SadeemPC].TORRENT
2017-12-02 20:18 - 2017-12-03 11:19 - 000003614 _____ C:\Windows\System32\Tasks\bak6717741k6717741
2017-12-02 20:17 - 2017-12-03 12:43 - 000000000 ____D C:\Users\any\AppData\Local\pwoivba
2017-12-02 20:17 - 2017-12-03 11:52 - 000000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2017-12-02 20:17 - 2017-12-02 20:45 - 000000000 ____D C:\Users\any\AppData\Local\igfxmtc
2017-12-02 20:17 - 2017-12-02 20:18 - 000000020 _____ C:\Windows\b71133229
2017-12-02 20:17 - 2017-12-02 20:17 - 000797376 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-12-02 20:17 - 2017-12-02 20:17 - 000142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-12-02 20:17 - 2017-12-02 20:17 - 000003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-12-02 20:17 - 2017-12-02 20:17 - 000000000 ___HD C:\Program Files (x86)\automated
2017-12-02 20:17 - 2017-12-02 20:17 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2017-12-02 20:17 - 2017-12-02 20:17 - 000000000 ____D C:\Windows\system32\Macromed
2017-12-02 20:17 - 2017-12-02 20:17 - 000000000 ____D C:\Program Files (x86)\Textual
2017-12-02 20:17 - 2017-12-02 20:17 - 000000000 ____D C:\Program Files (x86)\jab
2017-12-02 20:16 - 2017-12-03 11:13 - 002884096 _____ (TOSHIBA CORPORATION) C:\Windows\system32\dwezmovsvc.exe1
2017-12-02 20:15 - 2017-12-02 20:15 - 000000000 ____D C:\Windows\SysWOW64\dsdvakp
2017-12-02 20:15 - 2017-12-02 20:15 - 000000000 ____D C:\Windows\system32\dsdvakp
2017-12-02 20:15 - 2017-12-02 20:15 - 000000000 ____D C:\Users\any\AppData\Roaming\et
2017-12-02 20:14 - 2017-12-02 20:16 - 000000000 ____D C:\Users\any\AppData\Roaming\AGData
2017-12-02 20:13 - 2017-12-02 20:20 - 000000000 ____D C:\Windows\SysWOW64\SSL
2017-12-02 19:59 - 2017-12-02 20:11 - 000000000 ____D C:\Users\any\Downloads\VMware Workstation Pro v12.0.1.3160714 + Serials [TechTools.NET]
2017-12-02 19:14 - 2017-12-02 19:20 - 462422016 _____ C:\Users\any\Desktop\android-x86-4.4-r5.iso
2017-12-02 01:40 - 2017-12-02 01:40 - 000011264 _____ (Aerate) C:\Windows\sixteenths.exe
2017-12-01 17:02 - 2017-12-01 17:03 - 000000000 ____D C:\Users\any\VirtualBox VMs
2017-12-01 16:25 - 2017-12-02 20:12 - 000000000 ____D C:\Users\any\.VirtualBox
2017-12-01 16:23 - 2017-12-01 16:23 - 000001076 _____ C:\Users\Public\Desktop\Oracle VM VirtualBox.lnk
2017-12-01 16:23 - 2017-12-01 16:23 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox
2017-12-01 16:22 - 2017-12-01 16:22 - 000000000 ____D C:\Program Files\Oracle
2017-12-01 16:22 - 2017-11-22 17:23 - 000972192 _____ (Oracle Corporation) C:\Windows\system32\Drivers\VBoxDrv.sys
2017-12-01 16:22 - 2017-11-22 17:23 - 000157672 _____ (Oracle Corporation) C:\Windows\system32\Drivers\VBoxUSBMon.sys
2017-12-01 16:20 - 2017-12-01 16:39 - 000000000 ____D C:\Users\any\Desktop\android files
2017-12-01 16:18 - 2017-12-01 16:18 - 000000000 ___RD C:\Users\any\Documents\MEGA
2017-12-01 16:11 - 2017-12-01 16:11 - 000001048 _____ C:\Users\any\Desktop\MEGAsync.lnk
2017-12-01 16:11 - 2017-12-01 16:11 - 000000000 ____D C:\Windows\System32\Tasks\MEGA
2017-12-01 16:11 - 2017-12-01 16:11 - 000000000 ____D C:\Users\any\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MEGAsync
2017-12-01 16:11 - 2017-12-01 16:11 - 000000000 ____D C:\Users\any\AppData\Local\MEGAsync
2017-12-01 16:11 - 2017-12-01 16:11 - 000000000 ____D C:\Users\any\AppData\Local\Mega Limited
2017-12-01 16:10 - 2017-12-01 16:10 - 014976440 _____ (MEGA Limited) C:\Users\any\Downloads\MEGAsyncSetup.exe
2017-12-01 16:08 - 2017-12-01 16:10 - 115120984 _____ (Oracle Corporation) C:\Users\any\Downloads\VirtualBox-5.2.2-119230-Win.exe
2017-12-01 16:08 - 2017-12-01 16:09 - 019504049 _____ C:\Users\any\Downloads\Oracle_VM_VirtualBox_Extension_Pack-5.2.2-119230.vbox-extpack
2017-11-30 13:49 - 2017-11-30 13:49 - 000051617 _____ C:\Windows\uninstaller.dat
2017-11-22 17:23 - 2017-11-22 17:23 - 000211704 _____ (Oracle Corporation) C:\Windows\system32\Drivers\VBoxNetLwf.sys
2017-11-22 17:23 - 2017-11-22 17:23 - 000200832 _____ (Oracle Corporation) C:\Windows\system32\Drivers\VBoxNetAdp6.sys
2017-11-20 22:45 - 2017-10-17 20:34 - 000134376 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2017-11-20 22:45 - 2017-10-17 20:30 - 000605184 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2017-11-20 22:45 - 2017-10-15 16:04 - 000407392 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
2017-11-20 22:45 - 2017-10-04 07:04 - 002023936 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2017-11-20 22:45 - 2017-10-04 07:04 - 001570304 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2017-11-20 22:45 - 2017-10-04 07:04 - 000670208 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2017-11-20 22:45 - 2017-10-04 07:04 - 000603648 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2017-11-20 22:45 - 2017-10-04 07:04 - 000370688 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2017-11-20 22:45 - 2017-10-04 07:04 - 000241664 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2017-11-20 22:45 - 2017-10-04 07:04 - 000181760 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2017-11-12 14:39 - 2017-11-12 14:39 - 000006807 _____ C:\Users\any\Desktop\NCSExpert Profiles - PFL.zip.pdf
2017-11-12 14:34 - 2017-11-12 14:34 - 000006807 _____ C:\Users\any\Downloads\NCSExpert Profiles - PFL.zip (5).pdf
2017-11-12 14:34 - 2017-11-12 14:34 - 000006807 _____ C:\Users\any\Downloads\NCSExpert Profiles - PFL.zip (3).pdf
2017-11-12 14:34 - 2017-11-12 14:34 - 000006807 _____ C:\Users\any\Downloads\NCSExpert Profiles - PFL.zip (2).pdf
2017-11-12 14:33 - 2017-11-12 14:33 - 000008376 _____ C:\Users\any\Desktop\attachment.htm
2017-11-12 14:33 - 2017-11-12 14:33 - 000006807 _____ C:\Users\any\Downloads\NCSExpert Profiles - PFl.zip.pdf
2017-11-12 14:33 - 2017-11-12 14:33 - 000006807 _____ C:\Users\any\Downloads\NCSExpert Profiles - PFL.zip

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-12-03 12:45 - 2009-07-13 20:34 - 014155776 _____ C:\Windows\system32\config\HARDWARE
2017-12-03 11:23 - 2009-07-13 22:45 - 000021504 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-12-03 11:23 - 2009-07-13 22:45 - 000021504 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-12-03 11:21 - 2009-07-13 23:13 - 000803410 _____ C:\Windows\system32\PerfStringBackup.INI
2017-12-03 11:21 - 2009-07-13 21:20 - 000000000 ____D C:\Windows\inf
2017-12-03 11:14 - 2009-07-13 23:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-12-03 11:12 - 2017-10-10 17:56 - 000000000 ____D C:\Users\any\AppData\Roaming\uTorrent
2017-12-02 23:41 - 2017-05-22 22:01 - 000000000 ____D C:\Program Files (x86)\Google
2017-12-02 23:27 - 2017-05-24 02:20 - 000000000 ____D C:\Windows\system32\appraiser
2017-12-02 23:18 - 2017-05-23 02:37 - 000799000 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2017-12-02 22:35 - 2017-05-27 10:03 - 000000000 ____D C:\Program Files (x86)\TeamViewer
2017-12-02 22:34 - 2017-05-09 00:26 - 000000000 ____D C:\Windows\Panther
2017-12-02 20:54 - 2009-07-13 20:34 - 000451095 ____R C:\Windows\system32\Drivers\etc\hosts.20171202-213611.backup
2017-12-01 17:02 - 2017-05-08 19:32 - 000000000 ____D C:\Users\any
2017-11-12 14:37 - 2017-10-10 17:57 - 000000000 ____D C:\Users\any\Downloads\BMW

==================== Files in the root of some directories =======

2012-05-21 13:00 - 2012-05-21 13:00 - 000020984 _____ (Intel Corporation) C:\Users\any\AppData\Roaming\JomCap.dll

Some files in TEMP:
====================
2017-12-02 22:01 - 2017-12-02 22:01 - 000079552 _____ (Microsoft Corporation) C:\Users\any\AppData\Local\Temp\2828.tmp.exe
2017-12-02 22:01 - 2017-12-02 22:01 - 078346672 _____ (Malwarebytes                                                ) C:\Users\any\AppData\Local\Temp\54A4.tmp.exe
2017-12-02 22:13 - 2017-12-02 22:13 - 051725936 _____ (Safer-Networking Ltd.                                       ) C:\Users\any\AppData\Local\Temp\8F91.tmp.exe
2017-12-02 21:00 - 2017-12-02 21:00 - 007794352 _____ () C:\Users\any\AppData\Local\Temp\9C8C.tmp.exe
2017-12-03 11:56 - 2017-05-12 12:24 - 001732864 _____ (Microsoft Corporation) C:\Users\any\AppData\Local\Temp\dllnt_dump.dll
2017-12-03 12:19 - 2017-12-03 12:19 - 014280864 _____ (Reimage) C:\Users\any\AppData\Local\Temp\ReimagePackage.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\drivers\exkxadgk.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION

LastRegBack: 2017-12-01 17:38

==================== End of FRST.txt ============================

 

 

 

 

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 30-11-2017
Ran by any (03-12-2017 12:46:29)
Running from C:\Users\any\Desktop
Windows 7 Professional Service Pack 1 (X64) (2017-05-09 01:32:40)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1477751146-2404892005-3129194611-500 - Administrator - Disabled)
any (S-1-5-21-1477751146-2404892005-3129194611-1000 - Administrator - Enabled) => C:\Users\any
Guest (S-1-5-21-1477751146-2404892005-3129194611-501 - Limited - Enabled)
HomeGroupUser$ (S-1-5-21-1477751146-2404892005-3129194611-1002 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Malwarebytes (Disabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Spybot - Search and Destroy (Disabled - Out of date) {4C1D9672-63FE-5C90-371E-8FDA591C5B75}
AS: Malwarebytes (Disabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKLM-x32\...\uTorrent) (Version: 2.2.1 - )
7-Zip 17.00 beta (HKLM-x32\...\7-Zip) (Version: 17.00 beta - Igor Pavlov)
AccelerometerP11 (HKLM-x32\...\{87434D51-51DB-4109-B68F-A829ECDCF380}) (Version: 2.00.10.34 - STMicroelectronics)
Adobe Flash Player 21 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 21.0.0.213 - Adobe Systems Incorporated)
CCleaner (HKLM\...\CCleaner) (Version: 5.37 - Piriform)
Dell Touchpad (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 8.1200.101.127 - ALPS ELECTRIC CO., LTD.)
Intel® Identity Protection Technology 1.2.27.0 (HKLM-x32\...\{F109D156-577D-101B-A622-CF4351943AA4}) (Version: 1.2.27.0 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.1.70.1205 - Intel Corporation)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 18.1 - Intel)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.4229 - Intel Corporation)
Intel® PROSet/Wireless Software (HKLM-x32\...\{03929cf1-3ae4-4765-b8b3-32b8e2e26a8d}) (Version: 19.60.0 - Intel Corporation)
Java 8 Update 144 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180144F0}) (Version: 8.0.1440.1 - Oracle Corporation)
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
MegaDownloader 1.7 (HKLM\...\{C12C2297-65A4-4E64-9AE1-29F0D947FDA0}}_is1) (Version: 1.7 - AppsForMega.info)
MEGAsync (HKLM-x32\...\MEGAsync) (Version:  - Mega Limited)
Microsoft .NET Framework 4.6.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01590 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Primary Interoperability Assemblies 2005 (HKLM-x32\...\{2C303EE0-A595-3543-A71A-931C7AC40EDE}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026 (HKLM-x32\...\{e46eca4f-393b-40df-9f49-076faf788d83}) (Version: 14.0.23026.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026 (HKLM-x32\...\{74d0e5db-b326-4dae-a6b2-445b9de1836e}) (Version: 14.0.23026.0 - Microsoft Corporation)
Mike's Easy BMW Tools (HKLM-x32\...\{CC94D767-0DEA-4D47-AD8F-641268491ACC}) (Version: 1.0 - Mike's Easy BMW Tools)
Mozilla Firefox 57.0.1 (x64 en-US) (HKLM\...\Mozilla Firefox 57.0.1 (x64 en-US)) (Version: 57.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 57.0.1 - Mozilla)
Oracle VM VirtualBox 5.2.2 (HKLM\...\{9F5D10F9-A372-4B1E-BEB3-001B47E0C325}) (Version: 5.2.2 - Oracle Corporation)
Reimage Repair (HKLM\...\Reimage Repair) (Version: 1.8.7.1 - Reimage) <==== ATTENTION
RogueKiller version 12.11.26.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.11.26.0 - Adlice Software)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.6.46 - Safer-Networking Ltd.)
TeamViewer 12 (HKLM-x32\...\TeamViewer) (Version: 12.0.83369 - TeamViewer)
VMware Workstation (HKLM\...\{4B855F64-CB51-4FC3-935F-5AF7D3372BDE}) (Version: 12.0.1 - VMware, Inc.)
WinDirStat 1.1.2 (HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\WinDirStat) (Version:  - )
WinRAR 5.11 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.11.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ShellIconOverlayIdentifiers: [ MEGA (Pending)] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\any\AppData\Local\MEGAsync\ShellExtX64.dll [2017-10-18] ()
ShellIconOverlayIdentifiers: [ MEGA (Synced)] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\any\AppData\Local\MEGAsync\ShellExtX64.dll [2017-10-18] ()
ShellIconOverlayIdentifiers: [ MEGA (Syncing)] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\any\AppData\Local\MEGAsync\ShellExtX64.dll [2017-10-18] ()
ShellIconOverlayIdentifiers-x32: [ MEGA (Pending)] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\any\AppData\Local\MEGAsync\ShellExtX64.dll [2017-10-18] ()
ShellIconOverlayIdentifiers-x32: [ MEGA (Synced)] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\any\AppData\Local\MEGAsync\ShellExtX64.dll [2017-10-18] ()
ShellIconOverlayIdentifiers-x32: [ MEGA (Syncing)] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\any\AppData\Local\MEGAsync\ShellExtX64.dll [2017-10-18] ()
ContextMenuHandlers1-x32: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files (x86)\7-Zip\7-zip.dll [2017-04-29] (Igor Pavlov)
ContextMenuHandlers1-x32: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\Users\any\AppData\Local\MEGAsync\ShellExtX64.dll [2017-10-18] ()
ContextMenuHandlers1-x32: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext64.dll [2014-08-27] (Alexander Roshal)
ContextMenuHandlers1-x32-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext.dll [2014-08-27] (Alexander Roshal)
ContextMenuHandlers2: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\Users\any\AppData\Local\MEGAsync\ShellExtX64.dll [2017-10-18] ()
ContextMenuHandlers2-x32: [VMDiskMenuHandler] -> {271DC252-6FE1-4D59-9053-E4CF50AB99DE} => C:\Program Files (x86)\VMware\VMware Workstation\vmdkShellExt.dll [2015-10-18] (VMware, Inc.)
ContextMenuHandlers2-x32: [VMDiskMenuHandler64] -> {E4D28EDC-8C0B-43EE-9E7D-C8A8682334DC} => C:\Program Files (x86)\VMware\VMware Workstation\x64\vmdkShellExt64.dll [2015-10-18] (VMware, Inc.)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers3: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\Users\any\AppData\Local\MEGAsync\ShellExtX64.dll [2017-10-18] ()
ContextMenuHandlers4-x32: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files (x86)\7-Zip\7-zip.dll [2017-04-29] (Igor Pavlov)
ContextMenuHandlers4-x32: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\Users\any\AppData\Local\MEGAsync\ShellExtX64.dll [2017-10-18] ()
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2015-06-01] (Intel Corporation)
ContextMenuHandlers6-x32: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files (x86)\7-Zip\7-zip.dll [2017-04-29] (Igor Pavlov)
ContextMenuHandlers6-x32: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers6-x32: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext64.dll [2014-08-27] (Alexander Roshal)
ContextMenuHandlers6-x32-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files (x86)\WinRAR\rarext.dll [2014-08-27] (Alexander Roshal)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0086367F-BB9A-415E-87DC-BA5B73222C9B} - System32\Tasks\MEGA\MEGAsync Update Task S-1-5-21-1477751146-2404892005-3129194611-1000 => C:\Users\any\AppData\Local\MEGAsync\MEGAupdater.exe [2017-11-23] (Mega Limited)
Task: {47A8E4B6-8E42-4B68-8ED2-7D416F61EF40} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2017-11-08] (Piriform Ltd)
Task: {48EE0773-BFCF-498E-8F22-C544D7CA9F83} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-12-02] (Adobe Systems Incorporated)
Task: {80BBAC1F-2868-414E-93DB-BEB36485F43B} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [2017-11-08] (Piriform Ltd)
Task: {8BF00725-A8E9-4BB9-B5D1-AD44C989B2B8} - System32\Tasks\bak6717741k6717741 => C:\Program Files (x86)\jab\jab.exe [2017-12-02] (glosses)
Task: {8E998258-3C5B-45B4-87AB-04F27E99AB68} - System32\Tasks\ReimageUpdater => C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [2017-09-11] (Reimage®) <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2017-12-02 22:02 - 2017-11-01 08:55 - 002299344 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2015-10-18 18:32 - 2015-10-18 18:32 - 012465856 _____ () C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
2017-10-18 15:51 - 2017-10-18 15:51 - 000598528 _____ () C:\Users\any\AppData\Local\MEGAsync\ShellExtX64.dll
2015-06-01 20:00 - 2015-06-01 20:00 - 000102912 _____ () C:\Windows\System32\IccLibDll_x64.dll
2017-12-02 22:14 - 2016-09-13 14:00 - 000109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2017-12-02 22:14 - 2016-09-13 14:00 - 000416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
2017-12-02 22:14 - 2016-09-13 14:00 - 000167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2017-12-02 22:14 - 2017-05-12 11:36 - 000507464 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
2015-10-18 18:32 - 2015-10-18 18:32 - 001301696 _____ () C:\Program Files (x86)\VMware\VMware Workstation\libxml2.dll
2015-10-18 18:32 - 2015-10-18 18:32 - 000191680 _____ () C:\Program Files (x86)\VMware\VMware Workstation\LIBEXPAT.dll
2015-10-18 18:32 - 2015-10-18 18:32 - 000388800 _____ () C:\Program Files (x86)\VMware\VMware Workstation\ssoClient.dll
2015-10-18 18:32 - 2015-10-18 18:32 - 000165056 _____ () C:\Program Files (x86)\VMware\VMware Workstation\nfc-types.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mbamchameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mbamchameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com
IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com
IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com

There are 7865 more sites.

IE restricted site: HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\007guard.com -> install.007guard.com
IE restricted site: HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\008k.com -> www.008k.com
IE restricted site: HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\00hq.com -> www.00hq.com
IE restricted site: HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\010402.com -> 010402.com
IE restricted site: HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\0scan.com -> www.0scan.com
IE restricted site: HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\10sek.com -> www.10sek.com
IE restricted site: HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\...\123simsen.com -> www.123simsen.com

There are 7865 more sites.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 20:34 - 2017-12-02 21:55 - 000450713 _____ C:\Windows\system32\Drivers\etc\hosts

127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.008k.com
127.0.0.1    008k.com
127.0.0.1    www.00hq.com
127.0.0.1    00hq.com
127.0.0.1    010402.com
127.0.0.1    www.032439.com
127.0.0.1    032439.com
127.0.0.1    www.0scan.com
127.0.0.1    0scan.com
127.0.0.1    1000gratisproben.com
127.0.0.1    www.1000gratisproben.com
127.0.0.1    1001namen.com
127.0.0.1    www.1001namen.com
127.0.0.1    100888290cs.com
127.0.0.1    www.100888290cs.com
127.0.0.1    www.100sexlinks.com
127.0.0.1    100sexlinks.com
127.0.0.1    10sek.com
127.0.0.1    www.10sek.com
127.0.0.1    www.1-2005-search.com
127.0.0.1    1-2005-search.com
127.0.0.1    123fporn.info
127.0.0.1    www.123fporn.info
127.0.0.1    123haustiereundmehr.com
127.0.0.1    www.123haustiereundmehr.com
127.0.0.1    123moviedownload.com
127.0.0.1    www.123moviedownload.com

There are 15463 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 8.8.8.8
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: 859d7d2e111c588668d48c8007e778f8 => 2
MSCONFIG\Services: EvtEng => 2
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: MyWiFiDHCPDNS => 3
MSCONFIG\Services: ReimageRealTimeProtector => 2
MSCONFIG\Services: TeamViewer => 2
MSCONFIG\startupfolder: C:^Users^any^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MEGAsync.lnk => C:\Windows\pss\MEGAsync.lnk.Startup
MSCONFIG\startupreg: FreeFallProtection => C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe
MSCONFIG\startupreg: GrooveMonitor => "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
MSCONFIG\startupreg: panted => "C:\Program Files (x86)\Textual\aerate.exe"
MSCONFIG\startupreg: pantedpanted => "C:\Program Files (x86)\Purged\aerate.exe"
MSCONFIG\startupreg: pantedpenman => "C:\Program Files (x86)\disputing\brothers.exe"
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{71E2A3DF-E572-4959-BE36-E6B43D480438}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
FirewallRules: [TCP Query User{4877B1F7-4C92-49F3-821C-81F108CB7007}C:\rheingold\testergui\bin\release\istagui.exe] => (Block) C:\rheingold\testergui\bin\release\istagui.exe
FirewallRules: [UDP Query User{CBE15D90-B73A-4FFB-A4C4-F05DD5E83F40}C:\rheingold\testergui\bin\release\istagui.exe] => (Block) C:\rheingold\testergui\bin\release\istagui.exe
FirewallRules: [TCP Query User{7601579A-8FC1-430E-9654-18C6E547BB49}C:\rheingold\testergui\bin\release\istaoperation.exe] => (Allow) C:\rheingold\testergui\bin\release\istaoperation.exe
FirewallRules: [UDP Query User{60622DE9-CDD1-4980-A8BB-8936025BA888}C:\rheingold\testergui\bin\release\istaoperation.exe] => (Allow) C:\rheingold\testergui\bin\release\istaoperation.exe
FirewallRules: [{E5D18DE2-F227-4B3A-B4B5-CC4E15E396A8}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{7DF16D36-50CC-4CAF-8C29-1D2B9EDD97D3}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{F54E7D34-64F0-4834-8D08-353039244ACD}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{6CE7D632-5054-4F2C-A3A8-B738C854B622}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{D8E73AEA-B0A5-4796-8199-23F0F2C585A3}] => (Allow) C:\Windows\system32\rundll32.exe
FirewallRules: [{563C9EB5-64FD-428C-B761-0052812F1E92}] => (Allow) C:\Users\any\Downloads\utorrent_2.2.1.exe
FirewallRules: [{E24CDDD7-5FF1-443C-A3BD-83DE56B05CC0}] => (Allow) C:\Users\any\Downloads\utorrent_2.2.1.exe
FirewallRules: [{1EBD37EB-988F-4D50-8B0F-DE3F934D147E}] => (Allow) C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
FirewallRules: [{AE339FB7-D388-43DE-B043-1CF15722483B}] => (Allow) C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
FirewallRules: [{FC0D429A-F6F7-4CCE-AB61-3193FEED7DF0}] => (Allow) C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
FirewallRules: [{3865D951-9061-48F4-AB2D-BF821D47F8D4}] => (Allow) C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

==================== Restore Points =========================


==================== Faulty Device Manager Devices =============

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: Microsoft Loopback Adapter
Description: Microsoft Loopback Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: msloop
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: 5ec7dc23dedda4bd1c85308a0d1b524a
Description: 5ec7dc23dedda4bd1c85308a0d1b524a
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: 5ec7dc23dedda4bd1c85308a0d1b524a
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Broadcom USH
Description: Broadcom USH
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Mass Storage Controller
Description: Mass Storage Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (12/03/2017 11:58:11 AM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file C:\Windows\System32\dwezmovsvc.exe for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program Anti-malware remediation tool because of this error.

Program: Anti-malware remediation tool
File: C:\Windows\System32\dwezmovsvc.exe

The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
    - It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
    - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.

Additional Data
Error value: C0000185
Disk type: 3

Error: (12/03/2017 11:58:11 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: RogueKiller64.exe, version: 12.11.26.0, time stamp: 0x5a1bd51e
Faulting module name: RogueKiller64.exe, version: 12.11.26.0, time stamp: 0x5a1bd51e
Exception code: 0xc0000006
Fault offset: 0x0000000000a9a550
Faulting process id: 0x4c4
Faulting application start time: 0x01d36c5fff593881
Faulting application path: C:\Program Files\RogueKiller\RogueKiller64.exe
Faulting module path: C:\Program Files\RogueKiller\RogueKiller64.exe
Report Id: 866e7061-d853-11e7-9a91-9cb70ded215a

Error: (12/03/2017 11:57:08 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program WINWORD.EXE version 12.0.4518.1014 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 16bc

Start Time: 01d36c6005a2e00a

Termination Time: 8

Application Path: C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE

Report Id: 4d7d43e1-d853-11e7-9a91-9cb70ded215a

Error: (12/03/2017 11:15:04 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/03/2017 02:43:41 AM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: A problem prevented Customer Experience Improvement Program data from being sent to Microsoft, (Error 80004005).

Error: (12/02/2017 11:29:32 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/02/2017 11:27:32 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ZeroConfigService.exe, version: 19.60.0.0, time stamp: 0x58d16fa6
Faulting module name: ZeroConfigService.exe, version: 19.60.0.0, time stamp: 0x58d16fa6
Exception code: 0x40000015
Fault offset: 0x000000000022af96
Faulting process id: 0xa0c
Faulting application start time: 0x01d36becc1e0bc75
Faulting application path: C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
Faulting module path: C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
Report Id: a8b023ca-d7ea-11e7-a05a-005056c00008

Error: (12/02/2017 11:13:17 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddWin32ServiceFiles: Unable to back up image of service 859d7d2e111c588668d48c8007e778f8 since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.
.

Error: (12/02/2017 11:13:17 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddWin32ServiceFiles: Unable to back up image of service 7b2f27f2e6d8e72991d40af939b3c86a since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.
.

Error: (12/02/2017 10:54:35 PM) (Source: ESENT) (EventID: 490) (User: )
Description: taskhost (1656) WebCacheLocal: An attempt to open the file "C:\Users\any\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).


System errors:
=============
Error: (12/03/2017 12:31:42 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (12/03/2017 12:31:42 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (12/03/2017 12:31:42 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (12/03/2017 12:31:42 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (12/03/2017 12:31:42 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (12/03/2017 12:31:42 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (12/03/2017 12:31:42 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (12/03/2017 12:31:42 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (12/03/2017 12:31:42 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (12/03/2017 12:31:42 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.


==================== Memory info ===========================

Processor: Intel® Core™ i5-2520M CPU @ 2.50GHz
Percentage of memory in use: 86%
Total physical RAM: 3977.02 MB
Available physical RAM: 546.76 MB
Total Virtual: 7952.21 MB
Available Virtual: 3342.33 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:297.99 GB) (Free:65.45 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: CED96774)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=298 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

 

 

 

 


  • 0

Advertisements


#2
Aura

Aura

    Special Ops

  • Malware Removal
  • 2,535 posts
Hi r55741 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on GeeksToGo, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against GeeksToGo's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Follow the instructions in the thread below. Make sure to download the MBAR version linked in it. Let me know if you're not able to launch it and run a scan.

https://forums.malwa...t-malwarebytes/

If you manage to run a scan, delete everything it finds, and then copy/paste the content of the mbar-log-DATE-(TIME).txt log that is located in the MBAR folder here after.
  • 0

#3
r55741

r55741

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts

Hi Aura thank you for the response.

 

before you responded I did run awdcleaner which found and cleaned a bunch of stuff. but not everything as the system is still bugged down.

 

here is the requested mbar log.

 

Malwarebytes Anti-Rootkit BETA 1.10.3.1001
www.malwarebytes.org

Database version:
  main:    v2017.12.04.01
  rootkit: v2017.10.14.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.18697
any :: ANY-PC [administrator]

12/3/2017 8:43:11 PM
mbar-log-2017-12-03 (20-43-11).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 190042
Time elapsed: 16 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 

 

 

 

and here is the log from adwcleaner

 

# AdwCleaner 7.0.5.0 - Logfile created on Sun Dec 03 20:52:03 2017
# Updated on 2017/29/11 by Malwarebytes
# Running on Windows 7 Professional (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

Deleted: 5ec7dc23dedda4bd1c85308a0d1b524a


***** [ Folders ] *****

Deleted: C:\Windows\System32\\SSL
Deleted: C:\Windows\SysWOW64\\SSL
Deleted: C:\Program Files\Reimage


***** [ Files ] *****

Deleted: C:\Users\any\Downloads\ReimageRepair.exe
Deleted: C:\Windows\Reimage.ini
Deleted: C:\Windows\Temp\reimage.log
Deleted: C:\Users\any\AppData\Local\Temp\reimage.log
Deleted: C:\Users\any\AppData\Local\Temp\ReimagePackage.exe


***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\DOMStorage\utop.it
Deleted: [Key] - HKLM\SOFTWARE\xs
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}
Deleted: [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{10ECCE17-29B5-4880-A8F5-EAD298611484}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}
Deleted: [Key] - HKLM\SOFTWARE\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}
Deleted: [Key] - HKLM\SOFTWARE\Classes\AppID\REI_AxControl.DLL
Deleted: [Key] - HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
Deleted: [Key] - HKCU\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.
Deleted: [Key] - HKLM\SOFTWARE\Reimage
Deleted: [Key] - HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\Software\Reimage
Deleted: [Key] - HKCU\Software\Reimage
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost|AdsServiceGroup
Deleted: [Key] - HKU\S-1-5-21-1477751146-2404892005-3129194611-1000\Software\SetupCompany
Deleted: [Key] - HKCU\Software\SetupCompany
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost|AdsServiceGroup


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries deleted.

*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0



*************************

C:/AdwCleaner/AdwCleaner[S0].txt - [3229 B] - [2017/12/3 20:50:57]


########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########


  • 0

#4
Aura

Aura

    Special Ops

  • Malware Removal
  • 2,535 posts
AdwCleaner won't be able to do anything yet. Not until we remove the main infection (SmartService) and its drivers. Follow the instructions in the thread I linked above and we'll start from there :)
  • 0

#5
r55741

r55741

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts

Im sorry which one is the thread?


Edited by r55741, 04 December 2017 - 04:10 PM.

  • 0

#6
Aura

Aura

    Special Ops

  • Malware Removal
  • 2,535 posts
Ah sorry, I didn't notice that you had ran MBAR like instructed, this is my mistake! Moving on!

Do you have a USB Flash Drive? If so, how big is it?

Also, launch FRST, and copy/paste the following inside the text area. Once done, click on the Fix button. A file called fixlog.txt should be created on your desktop. Attach it in your next reply.
Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir C:\Windows\system32\drivers
End::

  • 0

#7
r55741

r55741

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts

Great !

 

The usb thumbdrive i have is 64gb

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 30-11-2017
Ran by any (04-12-2017 18:57:13) Run:1
Running from C:\Users\any\Desktop
Loaded Profiles: any (Available Profiles: any)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir C:\Windows\system32\drivers

*****************


========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========

The operation completed successfully.

========= End of CMD: =========


========= bcdedit.exe /set {default} recoveryenabled yes =========

The operation completed successfully.

========= End of CMD: =========


========= fltmc instances =========

Filter                Volume Name                              Altitude        Instance Name      Frame  VlStatus
--------------------  -------------------------------------  ------------  ---------------------  -----  --------
MBAMChameleon         \Device\Mup                             400900       MBAMChameleon            0    
MBAMChameleon         C:                                      400900       MBAMChameleon            0    
MBAMChameleon                                                 400900       MBAMChameleon            0    
MBAMChameleon         \Device\HarddiskVolumeShadowCopy1       400900       MBAMChameleon            0    
luafv                 C:                                      135000       luafv                    0    
FileInfo              \Device\Mup                              45000       FileInfo                 0    
FileInfo              C:                                       45000       FileInfo                 0    
FileInfo                                                       45000       FileInfo                 0    
FileInfo              \Device\HarddiskVolumeShadowCopy1        45000       FileInfo                 0    

========= End of CMD: =========


========= dir C:\Windows\system32\drivers =========

 Volume in drive C has no label.
 Volume Serial Number is A4D8-1988

 Directory of C:\Windows\system32\drivers

12/04/2017  03:47 PM    <DIR>          .
12/04/2017  03:47 PM    <DIR>          ..
07/13/2009  06:06 PM            68,096 1394bus.sys
11/20/2010  09:23 PM           229,888 1394ohci.sys
12/04/2017  03:47 PM           255,928 445775F3.sys
12/03/2017  08:42 PM           255,928 55E4E48E.sys
05/23/2012  09:22 AM            27,760 accelern.sys
11/20/2010  09:23 PM           334,208 acpi.sys
11/20/2010  09:23 PM            12,800 acpipmi.sys
07/13/2009  07:52 PM           491,088 adp94xx.sys
07/13/2009  07:52 PM           339,536 adpahci.sys
07/13/2009  07:52 PM           182,864 adpu320.sys
04/04/2017  08:53 AM           496,128 afd.sys
07/13/2009  06:10 PM            60,416 agilevpn.sys
07/13/2009  07:52 PM            61,008 AGP440.sys
07/13/2009  07:52 PM            15,440 aliide.sys
07/13/2009  07:52 PM            15,440 amdide.sys
07/13/2009  05:19 PM            64,512 amdk8.sys
07/13/2009  05:19 PM            60,928 amdppm.sys
03/11/2011  12:41 AM           107,904 amdsata.sys
07/13/2009  07:52 PM           194,128 amdsbs.sys
03/11/2011  12:41 AM            27,008 amdxata.sys
02/21/2013  01:10 PM           489,264 Apfiltr.sys
05/12/2017  11:54 AM            62,464 appid.sys
07/13/2009  07:52 PM            87,632 arc.sys
07/13/2009  07:52 PM            97,856 arcsas.sys
07/13/2009  06:10 PM            23,040 asyncmac.sys
07/13/2009  07:52 PM            24,128 atapi.sys
08/04/2013  08:25 PM           155,584 ataport.sys
06/10/2009  02:34 PM           270,848 b57nd60a.sys
07/13/2009  07:52 PM            28,240 battc.sys
07/13/2009  06:00 PM             6,656 beep.sys
07/13/2009  05:35 PM            45,056 blbdrive.sys
10/05/2016  08:54 AM            90,112 bowser.sys
06/10/2009  02:41 PM            18,432 BrFiltLo.sys
06/10/2009  02:41 PM             8,704 BrFiltUp.sys
07/13/2009  07:01 PM            95,232 bridge.sys
07/13/2009  07:19 PM           286,720 BrSerId.sys
06/10/2009  02:41 PM            47,104 BrSerWdm.sys
06/10/2009  02:41 PM            14,976 BrUsbMdm.sys
06/10/2009  02:41 PM            14,720 BrUsbSer.sys
07/13/2009  06:06 PM            41,984 bthenum.sys
07/13/2009  06:06 PM            72,192 bthmodem.sys
07/13/2009  06:07 PM           118,784 bthpan.sys
07/06/2012  02:07 PM           552,960 bthport.sys
04/27/2011  09:54 PM            80,384 BTHUSB.SYS
06/10/2009  02:34 PM           468,480 bxvbda.sys
07/13/2009  05:19 PM            92,160 cdfs.sys
11/20/2010  09:23 PM           147,456 cdrom.sys
07/13/2009  06:06 PM            45,568 circlass.sys
11/20/2010  09:24 PM           179,072 Classpnp.sys
07/13/2009  05:31 PM            17,664 CmBatt.sys
07/13/2009  07:52 PM            17,488 cmdide.sys
11/20/2016  08:07 AM           467,392 cng.sys
07/13/2009  07:52 PM            21,584 compbatt.sys
11/20/2010  09:23 PM            38,912 CompositeBus.sys
07/13/2009  07:47 PM            39,504 crashdmp.sys
07/13/2009  07:47 PM            24,144 crcdisk.sys
11/20/2010  09:24 PM           514,560 csc.sys
09/08/2016  08:55 AM           106,496 dfsc.sys
07/13/2009  05:37 PM            40,448 discache.sys
01/20/2016  06:51 PM            73,664 disk.sys
02/03/2014  08:35 PM            27,584 Diskdump.sys
11/20/2010  09:23 PM            71,168 dmvsc.sys
12/08/2015  12:54 PM           116,736 drmk.sys
12/08/2015  12:11 PM             5,632 drmkaud.sys
07/13/2009  07:47 PM            28,736 Dumpata.sys
07/13/2009  07:43 PM            55,128 dumpfve.sys
07/13/2009  05:38 PM            16,896 dxapi.sys
07/13/2009  05:38 PM            98,816 dxg.sys
04/07/2017  09:34 AM           986,856 dxgkrnl.sys
04/07/2017  09:34 AM           265,448 dxgmms1.sys
02/20/2013  09:14 PM           495,888 e1c62x64.sys
07/13/2009  07:47 PM           530,496 elxstor.sys
05/28/2017  10:34 AM    <DIR>          en-US
07/13/2009  05:31 PM             9,728 errdev.sys
12/02/2017  09:36 PM    <DIR>          etc
06/10/2009  02:34 PM         3,286,016 evbda.sys
03/10/2017  09:55 AM           195,584 exfat.sys
03/10/2017  09:55 AM           205,312 fastfat.sys
07/13/2009  06:00 PM            29,696 fdc.sys
07/13/2009  07:47 PM            70,224 fileinfo.sys
07/13/2009  05:25 PM            34,304 filetrace.sys
07/13/2009  06:00 PM            24,576 flpydisk.sys
11/20/2010  09:24 PM           289,664 fltMgr.sys
07/13/2009  07:47 PM            55,376 fsdepends.sys
03/01/2012  12:46 AM            23,408 fs_rec.sys
03/08/2017  09:06 AM           119,680 ftdibus.sys
04/13/2012  10:05 AM            85,384 ftser2k.sys
01/24/2013  12:01 AM           223,752 fvevol.sys
04/04/2017  09:34 AM           287,976 FWPKCLNT.SYS
07/13/2009  07:47 PM            65,088 GAGP30KX.SYS
06/10/2009  02:30 PM         3,440,660 gm.dls
06/10/2009  02:30 PM               646 gmreadme.txt
10/06/2015  08:02 AM            57,536 hcmon.sys
06/10/2009  02:31 PM            31,232 hcw85cir.sys
11/20/2010  09:23 PM           122,368 hdaudbus.sys
11/20/2010  09:23 PM           350,208 HdAudio.sys
01/23/2013  05:19 PM            57,376 HECIx64.sys
07/13/2009  05:31 PM            26,624 hidbatt.sys
07/13/2009  06:06 PM           100,864 hidbth.sys
07/02/2013  10:05 PM            76,800 hidclass.sys
07/13/2009  06:06 PM            46,592 hidir.sys
07/02/2013  10:05 PM            32,896 hidparse.sys
11/20/2010  09:23 PM            30,208 hidusb.sys
11/20/2010  09:23 PM            78,720 HpSAMD.sys
02/24/2015  09:18 PM           754,688 http.sys
11/20/2010  09:24 PM            14,720 hwpolicy.sys
07/13/2009  05:19 PM           105,472 i8042prt.sys
03/11/2011  12:41 AM           410,496 iaStorV.sys
06/01/2015  08:00 PM         5,384,176 igdkmd64.sys
07/13/2009  07:48 PM            44,112 iirsp.sys
07/13/2009  07:48 PM            16,960 intelide.sys
01/23/2013  05:19 PM             8,192 IntelMEFWVer.dll
07/13/2009  05:19 PM            62,464 intelppm.sys
11/20/2010  09:24 PM            82,944 ipfltdrv.sys
11/20/2010  09:23 PM            78,848 IPMIDrv.sys
07/13/2009  06:10 PM           116,224 ipnat.sys
07/13/2009  06:09 PM           120,320 irda.sys
07/13/2009  06:08 PM            17,920 irenum.sys
07/13/2009  07:48 PM            20,544 isapnp.sys
07/13/2009  07:48 PM            50,768 kbdclass.sys
11/20/2010  09:23 PM            33,280 kbdhid.sys
11/20/2010  09:24 PM           243,712 ks.sys
05/20/2017  10:28 PM            95,464 ksecdd.sys
05/20/2017  10:28 PM           154,856 ksecpkg.sys
07/13/2009  06:00 PM            20,992 ksthunk.sys
07/13/2009  06:08 PM            60,928 lltdio.sys
07/13/2009  06:09 PM             7,680 loop.sys
07/13/2009  07:48 PM           114,752 lsi_fc.sys
07/13/2009  07:48 PM           106,560 lsi_sas.sys
07/13/2009  07:48 PM            65,600 lsi_sas2.sys
07/13/2009  07:48 PM           115,776 lsi_scsi.sys
07/13/2009  05:26 PM           113,152 luafv.sys
11/01/2017  08:54 AM            77,432 mbae64.sys
12/04/2017  03:11 PM            46,008 mbam.sys
12/02/2017  10:02 PM           193,464 MbamChameleon.sys
12/02/2017  10:02 PM           253,880 mbamswissarmy.sys
07/13/2009  06:01 PM            22,016 mcd.sys
07/13/2009  07:48 PM            35,392 megasas.sys
07/13/2009  07:48 PM           284,736 MegaSR.sys
07/13/2009  06:10 PM            40,448 modem.sys
07/13/2009  05:38 PM            30,208 monitor.sys
07/13/2009  07:48 PM            49,216 mouclass.sys
07/13/2009  06:00 PM            31,232 mouhid.sys
05/07/2017  09:33 AM            94,440 mountmgr.sys
11/20/2010  09:23 PM           155,008 mpio.sys
07/13/2009  06:08 PM            77,312 mpsdrv.sys
09/08/2016  08:55 AM           142,336 mrxdav.sys
05/20/2017  09:48 PM           159,744 mrxsmb.sys
05/20/2017  09:48 PM           291,328 mrxsmb10.sys
05/20/2017  09:48 PM           129,536 mrxsmb20.sys
11/20/2010  09:23 PM            31,104 msahci.sys
11/20/2010  09:23 PM           140,672 msdsm.sys
07/13/2009  05:19 PM            26,112 msfs.sys
11/28/2012  04:56 PM                 3 MsftWdf_Kernel_01011_Inbox_Critical.Wdf
06/02/2012  08:57 AM                 3 MsftWdf_User_01_11_00_Inbox_Critical.Wdf
07/13/2009  06:06 PM             8,192 mshidkmdf.sys
07/13/2009  07:48 PM            15,424 msisadrv.sys
02/03/2014  08:35 PM           274,880 msiscsi.sys
07/13/2009  06:00 PM            11,136 mskssrv.sys
07/13/2009  06:00 PM             7,168 mspclock.sys
07/13/2009  06:00 PM             6,784 mspqm.sys
11/20/2010  09:24 PM           366,976 msrpc.sys
07/13/2009  07:48 PM            32,320 mssmbios.sys
07/13/2009  06:00 PM             8,064 mstee.sys
07/13/2009  06:02 PM            15,360 MTConfig.sys
07/13/2009  07:48 PM            60,496 mup.sys
10/12/2015  10:57 PM           950,720 ndis.sys
07/13/2009  06:08 PM            35,328 ndiscap.sys
07/13/2009  06:10 PM            24,064 ndistapi.sys
11/20/2010  09:24 PM            56,832 ndisuio.sys
11/20/2010  09:24 PM           164,352 ndiswan.sys
11/20/2010  09:24 PM            57,856 ndproxy.sys
07/13/2009  06:09 PM            44,544 netbios.sys
05/11/2016  08:58 AM           262,144 netbt.sys
04/04/2017  09:34 AM           377,576 netio.sys
05/04/2015  03:14 PM        11,534,096 NETwsw01.sys
07/13/2009  07:48 PM            51,264 nfrd960.sys
07/13/2009  05:19 PM            44,032 npfs.sys
07/13/2009  05:21 PM            24,576 nsiproxy.sys
01/11/2016  01:11 PM         1,684,416 ntfs.sys
07/13/2009  05:19 PM             6,144 null.sys
09/30/2010  01:00 PM            80,384 nusb3hub.sys
09/30/2010  01:00 PM           180,736 nusb3xhc.sys
03/11/2011  12:41 AM           148,352 nvraid.sys
03/11/2011  12:41 AM           166,272 nvstor.sys
07/13/2009  07:48 PM           122,960 NV_AGP.SYS
07/13/2009  06:07 PM           318,976 nwifi.sys
07/13/2009  06:06 PM            72,832 ohci1394.sys
11/20/2010  09:24 PM           131,584 pacer.sys
07/13/2009  06:00 PM            97,280 parport.sys
03/17/2012  01:58 AM            75,120 partmgr.sys
11/20/2010  09:23 PM           184,704 pci.sys
07/13/2009  07:45 PM            12,352 pciide.sys
07/13/2009  07:45 PM            48,720 pciidex.sys
07/13/2009  07:45 PM           220,752 pcmcia.sys
07/13/2009  07:45 PM            50,768 pcw.sys
06/14/2016  11:11 AM           663,552 PEAuth.sys
12/08/2015  12:12 PM           230,400 portcls.sys
07/13/2009  05:19 PM            60,416 processr.sys
07/13/2009  07:45 PM         1,524,816 ql2300.sys
07/13/2009  07:45 PM           128,592 ql40xx.sys
07/13/2009  06:09 PM            46,592 qwavedrv.sys
07/13/2009  06:10 PM            14,848 rasacd.sys
11/20/2010  09:24 PM           129,536 rasl2tp.sys
07/13/2009  06:10 PM            92,672 raspppoe.sys
11/20/2010  09:24 PM           111,104 raspptp.sys
07/13/2009  06:10 PM            83,968 rassstp.sys
11/20/2010  09:24 PM           309,248 rdbss.sys
07/13/2009  06:17 PM            24,064 rdpbus.sys
07/13/2009  06:16 PM             7,680 RDPCDD.sys
11/20/2010  09:25 PM           165,888 rdpdr.sys
07/13/2009  06:16 PM             7,680 RDPENCDD.sys
07/13/2009  06:16 PM             8,192 RDPREFMP.sys
07/16/2014  07:21 PM           212,480 rdpwd.sys
11/20/2010  09:24 PM           213,888 rdyboost.sys
07/13/2009  06:06 PM           158,720 rfcomm.sys
11/05/2015  03:53 AM           146,944 rmcast.sys
07/04/2012  02:26 PM            41,472 RNDISMP.sys
07/13/2009  06:10 PM            11,264 rootmdm.sys
07/13/2009  06:08 PM            76,800 rspndr.sys
11/20/2010  09:23 PM           103,808 sbp2port.sys
11/20/2010  09:24 PM            29,696 scfilter.sys
11/20/2010  09:24 PM           171,392 scsiport.sys
11/20/2010  09:23 PM           109,056 sdbus.sys
06/10/2009  02:37 PM            23,040 secdrv.sys
07/13/2009  06:00 PM            23,552 serenum.sys
07/13/2009  06:00 PM            94,208 serial.sys
07/13/2009  06:00 PM            26,624 sermouse.sys
07/13/2009  06:01 PM            14,336 sffdisk.sys
07/13/2009  06:01 PM            13,824 sffp_mmc.sys
11/20/2010  09:23 PM            14,336 sffp_sd.sys
07/13/2009  06:01 PM            16,896 sfloppy.sys
07/13/2009  07:45 PM            43,584 sisraid2.sys
07/13/2009  07:45 PM            80,464 sisraid4.sys
07/13/2009  06:09 PM            93,184 smb.sys
07/13/2009  06:00 PM            20,992 smclib.sys
07/13/2009  07:45 PM            19,008 spldr.sys
06/10/2009  02:48 PM           426,496 spsys.sys
04/05/2017  08:55 AM           460,800 srv.sys
04/05/2017  08:55 AM           405,504 srv2.sys
04/05/2017  08:55 AM           168,960 srvnet.sys
07/15/2011  08:31 PM            22,128 stdcfltn.sys
07/13/2009  07:45 PM            24,656 stexstor.sys
02/03/2014  08:35 PM           190,912 storport.sys
11/20/2010  09:23 PM            34,688 storvsc.sys
04/10/2015  09:19 PM            69,888 stream.sys
07/13/2009  07:45 PM            12,496 swenum.sys
07/13/2009  06:01 PM            29,184 tape.sys
04/04/2017  09:34 AM         1,895,656 tcpip.sys
07/07/2016  09:08 AM            46,080 tcpipreg.sys
11/20/2010  09:24 PM            26,624 tdi.sys
07/13/2009  06:16 PM            15,872 tdpipe.sys
02/16/2012  10:57 PM            23,552 tdtcp.sys
05/10/2017  08:52 AM           117,248 tdx.sys
11/20/2010  09:23 PM            63,360 termdd.sys
12/03/2017  11:56 AM            28,272 TrueSight.sys
07/16/2014  07:21 PM            39,936 tssecsrv.sys
11/20/2010  09:24 PM            59,392 TsUsbFlt.sys
11/20/2010  09:23 PM            31,232 TsUsbGD.sys
11/20/2010  09:24 PM           125,440 tunnel.sys
07/13/2009  07:45 PM            64,080 UAGP35.SYS
11/20/2010  09:23 PM           328,192 udfs.sys
07/13/2009  07:45 PM            64,592 ULIAGPKX.SYS
11/20/2010  09:23 PM            48,640 umbus.sys
05/23/2017  04:59 AM    <DIR>          UMDF
07/13/2009  06:06 PM             9,728 umpass.sys
02/11/2013  10:12 PM            19,968 usb8023.sys
11/20/2010  09:24 PM            32,896 USBCAMD2.sys
08/16/2016  02:40 PM            99,840 usbccgp.sys
07/12/2013  04:41 AM           100,864 usbcir.sys
08/16/2016  02:40 PM             7,808 usbd.sys
08/16/2016  02:40 PM            56,320 usbehci.sys
08/16/2016  02:40 PM           343,552 usbhub.sys
08/16/2016  02:40 PM            25,600 usbohci.sys
08/16/2016  02:40 PM           327,168 usbport.sys
07/13/2009  06:38 PM            25,088 usbprint.sys
11/20/2010  09:24 PM            31,744 usbrpm.sys
02/03/2016  12:07 PM            91,648 USBSTOR.SYS
08/16/2016  02:40 PM            30,720 usbuhci.sys
07/12/2013  04:41 AM           185,344 usbvideo.sys
11/22/2017  05:23 PM           972,192 VBoxDrv.sys
11/22/2017  05:23 PM           200,832 VBoxNetAdp6.sys
11/22/2017  05:23 PM           211,704 VBoxNetLwf.sys
11/22/2017  05:23 PM           157,672 VBoxUSBMon.sys
07/13/2009  07:45 PM            36,432 vdrvroot.sys
07/13/2009  05:38 PM            29,184 vga.sys
07/13/2009  05:38 PM            29,184 vgapnp.sys
11/20/2010  09:23 PM           215,936 vhdmp.sys
07/13/2009  07:45 PM            17,488 viaide.sys
07/13/2009  05:38 PM           129,024 videoprt.sys
11/20/2010  09:23 PM           199,552 vmbus.sys
11/20/2010  09:23 PM            21,760 VMBusHID.sys
10/18/2015  05:53 PM            90,816 vmci.sys
10/18/2015  06:11 PM            27,328 vmnet.sys
10/18/2015  06:11 PM            28,864 vmnetadapter.sys
10/18/2015  06:11 PM            48,832 vmnetbridge.sys
10/18/2015  06:11 PM            26,816 vmnetuserif.sys
10/18/2015  06:33 PM            31,936 VMparport.sys
11/20/2010  09:23 PM             6,656 vms3cap.sys
11/20/2010  09:23 PM            46,464 vmstorfl.sys
10/18/2015  06:33 PM            66,752 vmx86.sys
11/20/2010  09:23 PM            71,552 volmgr.sys
11/20/2010  09:24 PM           363,392 volmgrx.sys
11/20/2010  09:23 PM           295,808 volsnap.sys
07/13/2009  07:45 PM           161,872 vsmraid.sys
10/18/2015  05:53 PM            75,512 vsock.sys
07/13/2009  06:07 PM            24,576 vwifibus.sys
07/13/2009  06:07 PM            59,904 vwififlt.sys
07/13/2009  06:07 PM            17,920 vwifimp.sys
07/13/2009  06:02 PM            27,776 wacompen.sys
11/20/2010  09:24 PM            88,576 wanarp.sys
07/13/2009  05:37 PM            42,496 watchdog.sys
07/13/2009  07:45 PM            21,056 wd.sys
06/25/2013  04:55 PM           785,624 Wdf01000.sys
11/28/2012  04:56 PM            54,376 WdfLdr.sys
07/13/2009  06:09 PM            12,800 wfplwf.sys
07/13/2009  07:45 PM            22,096 wimmount.sys
11/20/2010  09:23 PM            52,096 winhv.sys
11/20/2010  09:23 PM            41,984 winusb.sys
07/13/2009  05:31 PM            14,336 wmiacpi.sys
07/13/2009  07:45 PM            16,464 wmilib.sys
07/13/2009  06:10 PM            21,504 ws2ifsl.sys
07/25/2012  08:26 PM            87,040 WUDFPf.sys
07/25/2012  08:26 PM           198,656 WUDFRd.sys
             321 File(s)     65,990,144 bytes
               5 Dir(s)  69,747,224,576 bytes free

========= End of CMD: =========


==== End of Fixlog 18:57:13 ====

Attached Files


Edited by r55741, 05 December 2017 - 01:12 PM.

  • 0

#8
Aura

Aura

    Special Ops

  • Malware Removal
  • 2,535 posts
Sorry for the delay. I'm active on two other forums and I only take logs here from time to time, so it isn't in my usual check-up routine :)

Hum... let's see if this fix goes through under a normal boot, as the service launching the SmartService driver doesn't seems present on your system.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
    NYA5Cbr.png
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

Attached Files


  • 0

#9
r55741

r55741

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts

Sounds good

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 30-11-2017
Ran by any (05-12-2017 21:05:51) Run:2
Running from C:\Users\any\Desktop
Loaded Profiles: any (Available Profiles: any)
Boot Mode: Normal
==============================================

fixlist content:
*****************
S1 5ec7dc23dedda4bd1c85308a0d1b524a; \??\C:\Windows\system32\drivers\5ec7dc23dedda4bd1c85308a0d1b524a.sys [X]
R3 udiskMgr; system32\drivers\fjmpsw.sys [X]

C:\Program Files (x86)\automated
C:\Program Files (x86)\Textual
C:\Program Files (x86)\jab
C:\Program Files (x86)\Purged
C:\Users\any\AppData\Local\CEF
C:\Users\any\AppData\Local\igfxmtc
C:\Users\any\AppData\Local\pwoivba
C:\Users\any\AppData\Local\sceikdl
C:\Users\any\AppData\Roaming\AGData
C:\Users\any\AppData\Roaming\et

C:\Windows\b71133229
C:\Windows\sixteenths.exe
C:\Windows\uninstaller.dat
C:\Windows\system32\dsdvakp
C:\Windows\System32\dwezmovsvc.exe
C:\Windows\system32\dwezmovsvc.exe1
C:\Windows\system32\Drivers\exk*.sys
C:\Windows\SysWOW64\dsdvakp
C:\Windows\SysWOW64\SSL
C:\Windows\SysWOW64\mfs3E1.tmp
C:\Windows\SysWOW64\mfs7798.tmp
*****************

5ec7dc23dedda4bd1c85308a0d1b524a => service not found.
HKLM\System\CurrentControlSet\Services\udiskMgr => key removed successfully
udiskMgr => service removed successfully
C:\Program Files (x86)\automated => moved successfully
C:\Program Files (x86)\Textual => moved successfully
C:\Program Files (x86)\jab => moved successfully
"C:\Program Files (x86)\Purged" => not found.
C:\Users\any\AppData\Local\CEF => moved successfully
C:\Users\any\AppData\Local\igfxmtc => moved successfully
C:\Users\any\AppData\Local\pwoivba => moved successfully
C:\Users\any\AppData\Local\sceikdl => moved successfully
C:\Users\any\AppData\Roaming\AGData => moved successfully
C:\Users\any\AppData\Roaming\et => moved successfully
C:\Windows\b71133229 => moved successfully
C:\Windows\sixteenths.exe => moved successfully
C:\Windows\uninstaller.dat => moved successfully
C:\Windows\system32\dsdvakp => moved successfully
C:\Windows\System32\dwezmovsvc.exe => moved successfully
C:\Windows\system32\dwezmovsvc.exe1 => moved successfully

=========== "C:\Windows\system32\Drivers\exk*.sys" ==========

not found

========= End -> "C:\Windows\system32\Drivers\exk*.sys" ========

C:\Windows\SysWOW64\dsdvakp => moved successfully
"C:\Windows\SysWOW64\SSL" => not found.
C:\Windows\SysWOW64\mfs3E1.tmp => moved successfully
C:\Windows\SysWOW64\mfs7798.tmp => moved successfully

==== End of Fixlog 21:06:10 ====


  • 0

#10
Aura

Aura

    Special Ops

  • Malware Removal
  • 2,535 posts
Now, let's see if you're able to install and launch a scan with Malwarebytes.

j1Bynr2.pngMalwarebytes - Clean Mode
  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update his database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run, the time required to complete the scan depends of your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply

  • 0

Advertisements


#11
r55741

r55741

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/6/17
Scan Time: 9:56 AM
Log File: f81833b4-da9d-11e7-8c77-d4bed9314738.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.236
Update Package Version: 1.0.3424
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: any-PC\any

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 241297
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 1 min, 20 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)


  • 0

#12
Aura

Aura

    Special Ops

  • Malware Removal
  • 2,535 posts
Looks good :) Now let's do a sweep with RogueKiller and AdwCleaner.

RQKuhw1.pngRogueKiller
  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply
zcMPezJ.pngAdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
    V7SD4El.png
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply
Your next reply(ies) should therefore contain:
  • Copy/pasted RogueKiller clean log
  • Copy/pasted AdwCleaner clean log

  • 0

#13
r55741

r55741

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts

Cool

pc seems a lot faster allready

 

RogueKiller V12.11.27.0 (x64) [Dec  4 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.co...ad/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : any [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 12/06/2017 20:32:09 (Duration : 00:21:42)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 8 ¤¤¤
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-1477751146-2404892005-3129194611-1000\Software\IM -> Deleted
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-1477751146-2404892005-3129194611-1000\Software\IM -> Deleted
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1477751146-2404892005-3129194611-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.dell.com -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1477751146-2404892005-3129194611-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.dell.com -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Replaced (2)
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Replaced (2)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1477751146-2404892005-3129194611-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1477751146-2404892005-3129194611-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Replaced (1)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD3200BEKT-75PVMT0 +++++
--- User ---
[MBR] 85e69a5ae336077dad41465a593da9e4
[BSP] a080667e93553711a0c570aebb1affa4 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 305143 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

 


  • 0

#14
r55741

r55741

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts

# AdwCleaner 7.0.5.0 - Logfile created on Thu Dec 07 04:44:50 2017
# Updated on 2017/29/11 by Malwarebytes
# Running on Windows 7 Professional (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

No malicious folders deleted.

***** [ Files ] *****

No malicious files deleted.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries deleted.

*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0



*************************

C:/AdwCleaner/AdwCleaner[C0].txt - [3034 B] - [2017/12/3 20:52:3]
C:/AdwCleaner/AdwCleaner[S0].txt - [3229 B] - [2017/12/3 20:50:57]
C:/AdwCleaner/AdwCleaner[S1].txt - [1253 B] - [2017/12/7 4:43:31]


########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt ##########


  • 0

#15
Aura

Aura

    Special Ops

  • Malware Removal
  • 2,535 posts
That's good to know :) Now, run a new scan with FRST and provide me a fresh set of logs. I'll look for remnants.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP