javelineou Posted August 8, 2016 ID:1055144

So, about a few weeks ago my computer got adware called DNS Unlocker (it's popular). Then my friend told me to remove it with Malwarebytes, so I downloaded it. After trying to scan and remove it, DNS Unlocker was gone from my computer. So I trusted Malwarebytes because it is useful and works. And about three or four days ago, I didn't download anything from the internet, but my computer was infected again by adware. I don't know the name of the adware, but it always appears when I start my browser and it goes to "thrafilebe-us.ru" (I know it's Russian adware because the ending is 'ru'). I have set my default setting on Chrome (I use Chrome) to start with Google, but it's useless because the adware still appears every time I start my browser. I have tried removing it with Malwarebytes Free, Antisoft Free, Panda Antivirus Free and it's all useless. So please, can anyone help me? I seriously hate this adware because it often shows p*rn sites, so please help my computer ;)
kevinf80 Posted August 8, 2016 ID:1055208

Hello javelineou and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Change the download folder setting in the default Browser so all tools we may use are saved to the Desktop:

Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen. NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Change default download folder location in Edge - Boot to a user account with admin status, select Start > File Explorer > right click on the "Downloads" folder and select "Properties". In the new window select the "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK". Be aware you are not changing the Browser download folder location, you are changing the user's download directory location.....

Next,

Follow the instructions in the following link to show hidden files:
http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/

There are three buttons to choose from with different names on, select the first one and save it to your desktop.
Double-click on the Rkill desktop icon to run the tool. If using Vista or Windows 7/8/10, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
If the tool does not run from any of the links provided, please let me know.

Next,

Please open Malwarebytes Anti-Malware.
On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
Under the Non-Malware Protection sub tab change PUP and PUM entries to Treat detections as Malware.
Click on the Scan tab, then click on Scan Now >>. If an update is available, click the Update Now button.
A Threat Scan will begin.
When the scan is complete, click Apply Actions.
Wait for the prompt to restart the computer to appear, then click on Yes.
After the restart once you are back at your desktop, open MBAM once more.
To get the log from Malwarebytes do the following:
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click Export > From export you have three options:
Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
Text file (*.txt) - if selected you will have to name the file and save it to a place of your choice, I recommend "Desktop", then attach it to your reply
XML file (*.xml) - if selected you will have to name the file and save it to a place of your choice, I recommend "Desktop", then attach it to your reply
I recommend you use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log into your reply...

If Malwarebytes is not installed follow these instructions first:
Download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
Launch Malwarebytes Anti-Malware
A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
Click Finish.
Follow the instructions above....

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...
Double-click to run it. When the tool opens click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
Make sure Addition.txt is checkmarked under "Optional scans".
Press the Scan button to run the tool....
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The tool will also make a log named Addition.txt. Please attach that log to your reply.

Let me see those logs in your next reply....

Thank you,

Kevin
javelineou Posted August 9, 2016 Author ID:1055302

Thank you so much Kevin for replying, I hope your advice makes my PC work properly again.

First, I'm not too good at English, but I know what you mean.

Second, my MBAM trial has expired, I don't know if it affects the scan or not.

Third, for rkill.log I got Rkill.txt, so I'll include it in this reply, I don't know if it is useful or not.

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 08/09/2016 02:59:26 PM in x86 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Users\user\AppData\Roaming\HPRewriter2\HPWriterSrv2.exe (PID: 1804) [UP-HEUR]

1 proccess terminated!

Possibly Patched Files.

* C:\Windows\system32\winlogon.exe

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* C:\Windows\System32\user32.dll : 812.032 : 11/20/2010 03:21 AM : cf97d64d7ec169c53c93b0a192218b29 [NoSig]
+-> C:\Windows\KJ\Pirate\P\SysWOW64P\user32.dll : 833.024 : 11/20/2010 03:08 AM : 5e0db2d8b2750543cd2ebb9ea8e6cdd3 [Pos Repl]
+-> C:\Windows\KJ\Pirate\P\x64P\user32.dll : 1.008.128 : 11/20/2010 04:27 AM : fe70103391a64039a921dbfff9c7ab1b [Pos Repl]
+-> C:\Windows\KJ\Pirate\P\x86P\user32.dll : 811.520 : 11/20/2010 03:21 AM : f1dd3acaee5e6b4bbc69bc6df75cef66 [Pos Repl]
+-> C:\Windows\KJ\Pirate\T\SysWOW64T\user32.dll : 833.024 : 11/20/2010 03:08 AM : 5e0db2d8b2750543cd2ebb9ea8e6cdd3 [Pos Repl]
+-> C:\Windows\KJ\Pirate\T\x64T\user32.dll : 1.008.640 : 01/16/2011 07:01 AM : 0b864e15a0badff0e7bb8b59009fddcf [Pos Repl]
+-> C:\Windows\KJ\Pirate\T\x86T\user32.dll : 812.032 : 11/20/2010 03:21 AM : cf97d64d7ec169c53c93b0a192218b29 [Pos Repl]
+-> C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll : 811.520 : 11/21/2010 04:29 AM : f1dd3acaee5e6b4bbc69bc6df75cef66 [Pos Repl]

* C:\Windows\System32\winlogon.exe : 285.696 : 11/20/2010 03:17 AM : c3eb9ea34ebe459f13f3f890f56ce72a [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe : 286.720 : 11/21/2010 04:29 AM : 6d13e1406f50c66e2a95d97f22c47560 [Pos Repl]

Checking HOSTS File:

* No issues found.

Program finished at: 08/09/2016 03:00:40 PM
Execution time: 0 hours(s), 1 minute(s), and 14 seconds(s)

(green text is rkill.txt)

Fourth, this is the text file from MBAM (the orange color)

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 09/08/2016
Scan Time: 15:25
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.02.16.06
Rootkit Database: v2016.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: user

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 344125
Time Elapsed: 28 min, 44 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

Fifth, this is the FRST.txt (purple text)

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-08-2016
Ran by user (administrator) on USER-PC (09-08-2016 16:27:15)
Running from C:\Users\user\Desktop
Loaded Profiles: user & UpdatusUser (Available Profiles: user & UpdatusUser)
Platform: Microsoft Windows 7 Ultimate Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.31.5\GoogleCrashHandler.exe
() C:\Users\user\Downloads\Garena Plus\ggdllhost.exe
() C:\Users\user\Downloads\Garena Plus\ggdllhost.exe
(Smadsoft) C:\Program Files\SMADAV\SMΔRTP.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(ERJOIWFIM) C:\Users\user\AppData\Roaming\HPRewriter2\HPWriterSrv2.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\...\Policies\Explorer: [TaskbarNoNotification] 0
HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\...\Policies\Explorer: [HideSCAHealth] 0
ShellIconOverlayIdentifiers: [ GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files\Google\Drive\googledrivesync32.dll [2016-05-17] (Google)
ShellIconOverlayIdentifiers: [ GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files\Google\Drive\googledrivesync32.dll [2016-05-17] (Google)
ShellIconOverlayIdentifiers: [ GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files\Google\Drive\googledrivesync32.dll [2016-05-17] (Google)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [94208 2006-02-28] (Apple Computer, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\Parameters: [NameServer] 8.8.8.8,8.8.8.4
Tcpip\..\Interfaces\{18D9B629-713A-47D4-A18A-8D9C82BAB74E}: [DhcpNameServer] 61.247.0.133 61.247.0.130 202.73.99.4 202.73.99.2
Tcpip\..\Interfaces\{1AD66B58-C5F3-4679-9A69-C29A8E477959}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{3DC0582F-6C7A-4268-976B-A873CA74E5B2}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{53677DC8-B7FF-46A4-A35E-55F560BEEF83}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{53677DC8-B7FF-46A4-A35E-55F560BEEF83}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{CEFB7252-4B6E-455B-960D-2E1B627E574A}: [NameServer] 8.8.8.8,8.8.4.4

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://plasa.msn.com/?ocid=iehp
SearchScopes: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000 -> {1b31c9d2-7135-442b-bb93-7c002172adc6} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2011-06-06] (Adobe Systems Incorporated)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2006-10-27] (Microsoft Corporation)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2006-10-27] (Microsoft Corporation)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\u52asnkz.default-1469286427057
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-03-03] ()
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2013-10-08] (Google)
FF Plugin: @innorix.com/innogmp -> C:\Program Files\INNORIX\npinnogmp.dll [2013-04-04] (INNORIX)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll [2010-04-01] ( Microsoft Corporation)
FF Plugin: @t.garena.com/garenatalk -> C:\Users\user\Downloads\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2011-06-06] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3897908082-2070258231-4265155790-1000: @innorix.com/innogmp -> C:\Program Files\INNORIX\npinnogmp.dll [2013-04-04] (INNORIX)
FF Plugin HKU\S-1-5-21-3897908082-2070258231-4265155790-1000: @talk.google.com/GoogleTalkPlugin -> C:\Users\user\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-3897908082-2070258231-4265155790-1000: @talk.google.com/O1DPlugin -> C:\Users\user\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-3897908082-2070258231-4265155790-1000: @tools.google.com/Google Update;version=3 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin HKU\S-1-5-21-3897908082-2070258231-4265155790-1000: @tools.google.com/Google Update;version=9 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin HKU\S-1-5-21-3897908082-2070258231-4265155790-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\user\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2016-04-28] (Unity Technologies ApS)
FF Plugin HKU\S-1-5-21-3897908082-2070258231-4265155790-1000: anvisoft.com/AdblockPlugin -> C:\ProgramData\Anvisoft\Anvi Smart Defender 2\extensions\npAdblockPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-3897908082-2070258231-4265155790-1001: @innorix.com/innogmp -> C:\Program Files\INNORIX\npinnogmp.dll [2013-04-04] (INNORIX)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll [2010-10-07] (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll [2010-10-07] (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npwachk.dll [2011-03-23] (Nullsoft, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\user\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\user\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-12-08] (Google)

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxps://www.google.com/"
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\user\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.4.600\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Users\user\AppData\Local\Google\Chrome\User Data\PepperFlash\14.0.0.145\pepflashplayer.dll => No File
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\52.0.2743.116\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\52.0.2743.116\pdf.dll => No File
CHR Plugin: (Coupons Inc., Coupon Printer Manager ) - C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll (Coupons, Inc.)
CHR Plugin: (Winamp Application Detector) - C:\Program Files\Mozilla Firefox\plugins\npwachk.dll (Nullsoft, Inc.)
CHR Plugin: (Coupons Inc., Coupon Printer Manager ) - C:\Users\user\AppData\Local\Google\Chrome\Application\plugins\npMozCouponPrinter.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Google Earth Plugin) - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Innorix File Transfer Solution) - C:\Program Files\INNORIX\npinnogmp.dll (INNORIX)
CHR Plugin: (Silverlight Plug-In) - C:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll ( Microsoft Corporation)
CHR Plugin: (Unity Player) - C:\Users\user\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
CHR Plugin: (Google Update) - C:\Users\user\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll => No File
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-30]
CHR Extension: (Google Dokumen Offline) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2007-02-15]
CHR Extension: (http://ask.fm/) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodkangnoihaogpgakjfdkepoljfcfbc [2016-01-15]
CHR Extension: (https://plus.google.com/u/0/) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\jginlfhgcfmfhaabnekdaemhegpebfip [2016-01-15]
CHR Extension: (Сияние) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\jidbpkjafbnohlnbflllphpkfmojpdac [2016-08-07]
CHR Extension: (Pembayaran Toko Web Chrome) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2007-02-15]
CHR Extension: (https://www.google.com/) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\okkolgldfknecfjnhhglfopimelbaceh [2016-01-15]
CHR Extension: (Chrome Media Router) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-09]
CHR HKLM\...\Chrome\Extension: [lhmiofmipcpmhgihiecmpiekcacigpgb] - C:\ProgramData\Anvisoft\Anvi Smart Defender 2\extensions\chrome.crx <not found>
CHR HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ajcmdlkeklfmbjffnlofgfkjcnpfckab] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\user\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [2014-08-18]

Opera:
=======
OPR StartupUrls: "hxxp://www.mystartsearch.com/?type=hp&ts=1428909754&from=wpc&uid=ST3160815SV_5RX63JTHXXXX5RX63JTH"

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [229376 2006-02-28] (Apple Computer, Inc.) [File not signed]
S4 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [654848 2007-02-17] (Macrovision Europe Ltd.) [File not signed]
R2 HPWriter Service; C:\Users\user\AppData\Roaming\HPRewriter2\HPWriterSrv2.exe [4156416 2016-08-06] (ERJOIWFIM) [File not signed]
S4 Innosvcd; C:\Windows\system32\innosvcd.exe [193144 2013-04-04] (INNORIX)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [20472 2012-09-12] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [287824 2012-09-12] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)
S2 4622402a; "C:\Windows\system32\rundll32.exe" "c:\Program Files\CutterModule\CutterModule.dll",serv

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 ISODrive; C:\Program Files\UltraISO\drivers\ISODrive.sys [82320 2009-02-10] (EZB Systems, Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [170200 2016-08-09] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [53120 2016-03-10] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [193552 2012-08-30] (Microsoft Corporation)
R1 MpKsla6464b06; C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{DE469132-F30B-4743-8AAE-AC119B41ECBB}\MpKsla6464b06.sys [39168 2016-08-09] (Microsoft Corporation)
S3 ndiscm; C:\Windows\System32\DRIVERS\NetMotCM.sys [15360 2004-09-30] (Motorola Inc.)
R3 RD9700; C:\Windows\System32\DRIVERS\RD9700.sys [16512 2012-01-04] (Corechip Semiconductor, Inc. Co Ltd.)
R3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [23040 2014-11-05] (The OpenVPN Project)
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}; C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl [87536 2010-03-13] (CyberLink Corp.)
S3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X]
R3 gkernel; \??\C:\Users\user\AppData\Local\Temp\gkernel.sys [X]
S4 InCDFs; system32\drivers\InCDFs.sys [X]
S1 InCDPass; system32\drivers\InCDPass.sys [X]
S1 InCDRm; system32\drivers\InCDRm.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
S3 xspirit; \??\C:\Windows\xspirit.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2020-03-31 11:23 - 2020-03-31 11:26 - 00524288 ___SH C:\Users\UpdatusUser\NTUSER.DAT{9a36c4d3-7306-11ea-a391-00508dc8f0a3}.TMContainer00000000000000000002.regtrans-ms
2020-03-31 11:23 - 2020-03-31 11:26 - 00524288 ___SH C:\Users\UpdatusUser\NTUSER.DAT{9a36c4d3-7306-11ea-a391-00508dc8f0a3}.TMContainer00000000000000000001.regtrans-ms
2020-03-31 11:23 - 2020-03-31 11:26 - 00065536 ___SH C:\Users\UpdatusUser\NTUSER.DAT{9a36c4d3-7306-11ea-a391-00508dc8f0a3}.TM.blf
2016-08-09 16:27 - 2016-08-09 16:27 - 00016226 _____ C:\Users\user\Desktop\FRST.txt
2016-08-09 16:26 - 2016-08-09 16:27 - 00000000 ____D C:\FRST
2016-08-09 16:25 - 2016-08-09 16:26 - 01743872 _____ (Farbar) C:\Users\user\Desktop\FRST.exe
2016-08-09 15:22 - 2016-08-09 16:02 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-08-09 15:06 - 2016-08-09 15:06 - 00001064 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-08-09 15:06 - 2016-08-09 15:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-08-09 15:05 - 2016-08-09 15:06 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-08-09 15:05 - 2016-03-10 14:09 - 00053120 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-08-09 15:05 - 2016-03-10 14:08 - 00126336 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-08-09 15:05 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-08-09 14:59 - 2016-08-09 15:00 - 00005008 _____ C:\Users\user\Desktop\Rkill.txt
2016-08-09 14:46 - 2016-08-09 14:46 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\user\Desktop\rkill.com
2016-08-09 14:32 - 2016-04-11 03:55 - 13347841 _____ C:\Users\user\Desktop\XIGNCODE.rar
2016-08-09 14:32 - 2015-11-26 05:57 - 05331464 _____ C:\Users\user\Desktop\[Pricelist] Kios Pasar Modern @Intermoda BSD City.pdf
2016-08-09 14:32 - 2015-01-26 00:54 - 00000364 _____ C:\Users\user\Desktop\pos.dat
2016-08-09 14:32 - 2014-12-27 01:17 - 01307106 _____ C:\Users\user\Desktop\Survey Remover V3.02 Updated.zip
2016-08-09 14:32 - 2014-05-26 14:54 - 01070624 _____ (Unity Technologies ApS) C:\Users\user\Desktop\UnityWebPlayer.exe
2016-08-09 14:31 - 2015-11-04 20:44 - 1272583000 _____ C:\Users\user\Desktop\PointBlank_GarenaPlus_Install_1026.exe
2016-08-09 14:30 - 2016-08-07 18:55 - 22851472 _____ (Malwarebytes ) C:\Users\user\Desktop\mbam-setup-2.2.1.1043.exe
2016-08-09 14:30 - 2016-03-05 20:03 - 77267144 _____ C:\Users\user\Desktop\Garena+_Install_id (1).exe
2016-08-09 14:30 - 2015-11-04 20:37 - 77494272 _____ C:\Users\user\Desktop\Garena+_Install_id.exe
2016-08-09 14:30 - 2015-11-04 19:40 - 02739648 _____ C:\Users\user\Desktop\pbidInstaller.exe
2016-08-09 14:30 - 2014-08-18 21:30 - 00895120 _____ (Google Inc.) C:\Users\user\Desktop\googledrivesync.exe
2016-08-09 14:30 - 2014-07-19 21:22 - 00895120 _____ (Google Inc.) C:\Users\user\Desktop\GoogleVoiceAndVideoSetup.exe
2016-08-09 14:30 - 2014-05-27 10:48 - 07760696 _____ (INNORIX) C:\Users\user\Desktop\InnoGMP_Win.exe
2016-08-09 14:30 - 2014-03-26 21:37 - 00847824 _____ (Google Inc.) C:\Users\user\Desktop\GoogleEarthSetup (3).exe
2016-08-09 14:30 - 2014-03-26 21:37 - 00847824 _____ (Google Inc.) C:\Users\user\Desktop\GoogleEarthSetup (2).exe
2016-08-09 14:30 - 2014-03-26 21:35 - 00847824 _____ (Google Inc.) C:\Users\user\Desktop\GoogleEarthSetup (1).exe
2016-08-09 14:30 - 2014-03-26 21:34 - 00847824 _____ (Google Inc.) C:\Users\user\Desktop\GoogleEarthSetup.exe
2016-08-09 14:29 - 2016-08-09 14:32 - 00000000 ____D C:\Users\user\Desktop\Garena Plus
2016-08-09 14:29 - 2016-08-07 20:49 - 39269240 _____ (Anvisoft) C:\Users\user\Desktop\asdsetup.exe
2016-08-09 14:29 - 2016-01-15 14:44 - 00927824 _____ (Google Inc.) C:\Users\user\Desktop\ChromeSetup(1).exe
2016-08-09 14:29 - 2014-12-23 18:46 - 00880784 _____ (Google Inc.) C:\Users\user\Desktop\ChromeSetup.exe
2016-08-07 21:36 - 2016-08-07 21:36 - 00000047 _____ C:\Users\user\Desktop\blahblah.txt
2016-08-07 20:54 - 2016-08-08 22:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Anvisoft
2016-08-07 20:54 - 2016-08-07 20:54 - 00000000 ____D C:\ProgramData\boost_interprocess
2016-08-07 20:51 - 2016-08-07 20:51 - 00000000 ____D C:\ProgramData\Anvisoft
2016-08-07 20:51 - 2016-08-07 20:51 - 00000000 ____D C:\Program Files\Anvisoft
2016-08-07 20:48 - 2016-08-07 20:49 - 39269240 _____ (Anvisoft) C:\Users\user\Downloads\asdsetup.exe
2016-08-07 18:54 - 2016-08-07 18:55 - 22851472 _____ (Malwarebytes ) C:\Users\user\Downloads\mbam-setup-2.2.1.1043.exe
2016-08-07 17:31 - 2016-08-07 17:31 - 00003584 _____ C:\Users\user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-08-06 20:06 - 2016-08-06 20:06 - 00000000 ____D C:\Users\user\AppData\Local\GMap.NET
2016-08-06 19:00 - 2016-08-07 00:03 - 00000000 ____D C:\Users\user\AppData\Roaming\HPRewriter2
2016-08-06 19:00 - 2016-08-06 19:33 - 00000000 ____D C:\Users\user\AppData\Roaming\Seviler2DGame
2016-08-06 19:00 - 2016-08-06 19:00 - 00002056 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Моzillа Firеfох.lnk
2016-08-06 19:00 - 2016-08-06 19:00 - 00002054 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооglе Сhrоmе.lnk
2016-08-06 19:00 - 2016-08-06 19:00 - 00002026 _____ C:\Users\Public\Desktop\Моzillа Firеfох.lnk
2016-08-06 19:00 - 2016-08-06 19:00 - 00002024 _____ C:\Users\Public\Desktop\Gооglе Сhrоmе.lnk
2016-07-24 17:25 - 2016-07-24 17:26 - 00045125 _____ C:\ProgramData\1469355928.2132.bin
2016-07-24 17:25 - 2016-07-24 17:26 - 00042049 _____ C:\ProgramData\1469355928.3948.bin
2016-07-24 17:25 - 2016-07-24 17:26 - 00004431 _____ C:\ProgramData\1469355928.172.bin
2016-07-24 17:25 - 2016-07-24 17:26 - 00002928 _____ C:\ProgramData\1469355928.3196.bin
2016-07-24 17:25 - 2016-07-24 17:25 - 00037915 _____ C:\ProgramData\1469355918.bdinstall.bin
2016-07-24 01:13 - 2016-07-24 01:13 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-07-24 00:45 - 2016-07-24 00:45 - 00225330 _____ C:\ProgramData\1469295588.bdinstall.bin
2016-07-24 00:44 - 2009-07-14 22:27 - 01461992 _____ (Microsoft Corporation) C:\Windows\system32\WdfCoInstaller01009.dll
2016-07-24 00:30 - 2016-07-24 00:32 - 00000494 _____ C:\ProgramData\1469294993.2720.bin
2016-07-24 00:30 - 2016-07-24 00:30 - 00002049 _____ C:\ProgramData\1469294993.1704.bin
2016-07-24 00:29 - 2016-07-24 00:32 - 00040831 _____ C:\ProgramData\1469294993.2684.bin
2016-07-24 00:21 - 2016-07-24 00:21 - 00045499 _____ C:\ProgramData\1469294336.bdinstall.bin
2016-07-24 00:18 - 2016-07-24 00:40 - 00000000 ____D C:\Users\user\AppData\Roaming\QuickScan
2016-07-23 21:25 - 2016-08-07 19:19 - 00000000 ____D C:\Users\user\AppData\Roaming\dpkfjdig
2016-07-23 14:16 - 2016-07-24 15:56 - 00000000 ____D C:\Users\user\AppData\Roaming\jiycgqxf
2016-07-22 20:02 - 2016-07-24 15:56 - 00000000 ____D C:\Users\user\AppData\Roaming\hhodtwis
2016-07-19 14:18 - 2016-07-24 01:01 - 00000000 ____D C:\Users\user\AppData\Roaming\{14AA2211-31F8-4F67-5ACE-68B5861C958B}

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2020-03-31 11:26 - 2007-02-17 04:42 - 00000000 ____D C:\Users\user
2020-03-31 11:19 - 2007-02-17 04:42 - 00262144 ___SH C:\Users\user\ntuser.dat.LOG2
2016-08-09 16:24 - 2014-07-06 13:16 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-08-09 16:22 - 2007-02-17 04:45 - 00001018 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3897908082-2070258231-4265155790-1000UA.job
2016-08-09 16:21 - 2016-01-25 22:32 - 00000266 _____ C:\Windows\Tasks\UpdateTask.job
2016-08-09 16:20 - 2014-03-26 21:38 - 00001000 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-09 16:01 - 2014-03-26 21:38 - 00000996 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-09 16:00 - 2009-07-14 11:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-08-09 15:59 - 2009-07-14 11:34 - 00020832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-08-09 15:59 - 2009-07-14 11:34 - 00020832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-08-09 14:33 - 2016-03-05 20:05 - 00000000 ____D C:\Users\user\Downloads\Garena Plus
2016-08-08 22:46 - 2009-07-14 09:37 - 00000000 ____D C:\Windows\inf
2016-08-08 22:40 - 2007-02-17 04:44 - 00000000 ____D C:\Program Files\WinRAR
2016-08-08 20:49 - 2010-11-21 04:01 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
2016-08-08 17:22 - 2007-02-17 04:45 - 00000966 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3897908082-2070258231-4265155790-1000Core.job
2016-08-07 19:34 - 2007-02-17 04:56 - 00000000 ____D C:\Windows\PCHEALTH
2016-08-07 19:19 - 2016-07-02 17:50 - 00000000 ____D C:\Users\user\AppData\Roaming\msndgfdl
2016-08-07 19:19 - 2016-06-30 18:42 - 00000000 
____D C:\Users\user\AppData\Roaming\obehoaiy 2016-08-07 19:19 - 2016-06-23 15:06 - 00000000 ____D C:\Users\user\AppData\Roaming\odnnnvxe 2016-08-07 19:19 - 2016-06-19 18:22 - 00000000 ____D C:\Users\user\AppData\Roaming\drnjcmry 2016-08-07 19:19 - 2016-06-16 18:48 - 00000000 ____D C:\Users\user\AppData\Roaming\pndmagmv 2016-08-07 19:19 - 2016-06-11 00:13 - 00000000 ____D C:\Users\user\AppData\Roaming\dppfzonn 2016-08-07 19:19 - 2016-06-10 10:37 - 00000000 ____D C:\Users\user\AppData\Roaming\eglqkdrp 2016-08-07 19:19 - 2016-06-10 09:50 - 00000000 ____D C:\Users\user\AppData\Roaming\qrtrmnhp 2016-08-07 19:19 - 2016-06-07 12:11 - 00000000 ____D C:\Users\user\AppData\Roaming\mwcrnxvh 2016-08-07 19:19 - 2016-05-09 23:53 - 00000000 ____D C:\Users\user\AppData\Roaming\pznjzsar 2016-08-07 19:19 - 2016-05-07 11:09 - 00000000 ____D C:\Users\user\AppData\Roaming\pgiatadc 2016-08-07 19:19 - 2016-04-30 01:32 - 00000000 ____D C:\Users\user\AppData\Roaming\paymitiw 2016-08-07 19:19 - 2016-03-23 11:58 - 00000000 ____D C:\Users\user\AppData\Roaming\qqyudiyn 2016-08-07 19:19 - 2016-02-05 15:19 - 00000000 ____D C:\Users\user\AppData\Roaming\ejwptvtf 2016-08-07 19:19 - 2016-02-04 23:37 - 00000000 ____D C:\Users\user\AppData\Roaming\pqbgjbag 2016-08-07 19:19 - 2016-01-30 06:55 - 00000000 ____D C:\Users\user\AppData\Roaming\exablnnj 2016-08-07 19:19 - 2016-01-25 22:31 - 00000000 ____D C:\Users\user\AppData\Roaming\njsldbzk 2016-08-07 19:19 - 2016-01-08 15:39 - 00000000 ____D C:\Users\user\AppData\Roaming\ogsoakrf 2016-08-07 19:19 - 2015-12-08 23:10 - 00000000 ____D C:\Users\user\AppData\Roaming\ngxrzvvi 2016-08-07 19:19 - 2015-09-04 18:46 - 00000000 ____D C:\Users\user\AppData\Roaming\nkstybpw 2016-08-07 19:19 - 2015-03-18 08:14 - 00000000 ____D C:\Users\user\AppData\Roaming\fdlsmwyb 2016-08-07 19:19 - 2015-01-29 18:26 - 00000000 ____D C:\Users\user\AppData\Roaming\dtilzwxx 2016-08-07 19:19 - 2015-01-25 23:47 - 00000000 ____D C:\Users\user\AppData\Roaming\sctkfjqk 2016-08-07 19:19 - 
2015-01-24 17:21 - 00000000 ____D C:\Users\user\AppData\Roaming\qqkbtsfc 2016-08-07 19:19 - 2007-02-15 07:49 - 00000000 ____D C:\Users\user\AppData\Roaming\phmxjpvs 2016-08-07 19:19 - 2007-02-15 00:20 - 00000000 ____D C:\Users\user\AppData\Roaming\psuoarzq 2016-08-07 19:19 - 2007-02-15 00:05 - 00000000 ____D C:\Users\user\AppData\Roaming\mwnekhqu 2016-08-07 17:45 - 2007-02-15 00:09 - 00000000 ____D C:\Users\user\Documents\~Tristan 2016-08-07 17:14 - 2007-02-17 05:02 - 00000000 __SHD C:\[Smad-Cage] 2016-08-07 16:23 - 2007-02-17 05:02 - 00000000 ____D C:\Program Files\SMADAV 2016-08-06 19:11 - 2015-12-26 08:21 - 00002412 _____ C:\Users\user\Desktop\Chromium.lnk 2016-08-05 16:20 - 2014-12-23 16:49 - 00000000 ____D C:\Program Files\Opera 2016-07-28 17:19 - 2007-02-17 05:02 - 00000000 ____D C:\Users\UpdatusUser 2016-07-28 02:25 - 2014-03-25 11:17 - 00406184 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe 2016-07-24 17:34 - 2009-07-14 09:37 - 00000000 ____D C:\Windows\system32\NDF 2016-07-24 16:19 - 2009-07-14 11:46 - 00001503 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk 2016-07-24 16:19 - 2009-07-14 11:42 - 00001318 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk 2016-07-24 16:19 - 2009-07-14 11:42 - 00001234 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk 2016-07-24 16:19 - 2009-07-14 11:42 - 00001198 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk 2016-07-24 16:19 - 2007-02-17 05:40 - 00001083 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop CS3.lnk 2016-07-24 16:19 - 2007-02-17 05:37 - 00001169 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Stock Photos CS3.lnk 2016-07-24 16:19 - 2007-02-17 05:35 - 00001349 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe ExtendScript Toolkit 2.lnk 2016-07-24 16:19 - 2007-02-17 05:34 - 00001138 _____ 
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Device Central CS3.lnk 2016-07-24 16:19 - 2007-02-17 05:30 - 00001045 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Bridge CS3.lnk 2016-07-24 16:19 - 2007-02-17 05:06 - 00002105 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk 2016-07-24 16:19 - 2007-02-17 04:48 - 00002429 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk 2016-07-24 16:19 - 2007-02-17 04:35 - 00001333 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk 2016-07-24 16:19 - 2007-02-17 04:35 - 00001314 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk 2016-07-24 16:17 - 2016-03-05 20:20 - 00000987 _____ C:\Users\Public\Desktop\PointBlank Garena.lnk 2016-07-24 16:17 - 2016-03-05 20:06 - 00000909 _____ C:\Users\Public\Desktop\Garena+.lnk 2016-07-24 16:17 - 2014-03-26 21:41 - 00002164 _____ C:\Users\Public\Desktop\Google Earth.lnk 2016-07-24 16:17 - 2014-03-25 11:38 - 00001053 _____ C:\Users\Public\Desktop\HP Photo Creations.lnk 2016-07-24 16:17 - 2014-03-25 11:37 - 00002230 _____ C:\Users\Public\Desktop\HP Deskjet 1050 J410 series.lnk 2016-07-24 16:17 - 2014-03-25 11:37 - 00001188 _____ C:\Users\Public\Desktop\Shop for Supplies - HP Deskjet 1050 J410 series.lnk 2016-07-24 16:17 - 2014-03-25 11:37 - 00001183 _____ C:\Users\Public\Desktop\HP Deskjet 1050 J410 series Scan.lnk 2016-07-24 16:17 - 2007-02-17 05:22 - 00002652 _____ C:\Users\Public\Desktop\Nero StartSmart.lnk 2016-07-24 16:17 - 2007-02-17 05:05 - 00001229 _____ C:\Users\Public\Desktop\Media Player Classic.lnk 2016-07-24 16:17 - 2007-02-17 05:04 - 00001793 _____ C:\Users\Public\Desktop\Winamp.lnk 2016-07-24 16:17 - 2007-02-17 04:51 - 00002061 _____ C:\Users\Public\Desktop\CyberLink PowerDVD 10.lnk 2016-07-24 16:17 - 2007-02-17 04:48 - 00001983 _____ C:\Users\Public\Desktop\Adobe Reader X.lnk 2016-07-24 16:17 - 2007-02-17 04:47 - 00001065 _____ 
C:\Users\Public\Desktop\GOM Player.lnk 2016-07-24 16:16 - 2009-07-14 11:46 - 00001282 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk 2016-07-24 16:16 - 2009-07-14 11:37 - 00001266 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk 2016-07-24 16:15 - 2016-06-16 18:50 - 00001095 _____ C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\LINE.lnk 2016-07-24 16:15 - 2016-06-16 18:50 - 00001093 _____ C:\Users\user\Desktop\LINE.lnk 2016-07-24 16:15 - 2007-02-17 05:41 - 00001083 _____ C:\Users\user\Desktop\Adobe Photoshop CS3.lnk 2016-07-24 16:15 - 2007-02-17 05:13 - 00002105 _____ C:\Users\user\Desktop\Microsoft Security Essentials.lnk 2016-07-24 16:15 - 2007-02-17 04:47 - 00001095 _____ C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\GOM Player.lnk 2016-07-24 16:14 - 2014-06-19 15:40 - 00000258 __RSH C:\ProgramData\ntuser.pol 2016-07-24 16:11 - 2009-07-14 11:52 - 00000000 ____D C:\Windows\Offline Web Pages 2016-07-24 15:57 - 2014-06-06 10:32 - 00000000 ____D C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games 2016-07-24 15:56 - 2016-07-09 22:00 - 00000000 ____D C:\Users\user\AppData\Roaming\jszaqsdn 2016-07-24 15:56 - 2016-07-09 11:22 - 00000000 ____D C:\Users\user\AppData\Roaming\iysqhvos 2016-07-24 15:56 - 2016-06-28 18:53 - 00000000 ____D C:\Users\user\AppData\Roaming\tudychlo 2016-07-24 15:56 - 2016-06-25 13:18 - 00000000 ____D C:\Users\user\AppData\Roaming\mczxjfww 2016-07-24 15:56 - 2016-06-23 18:58 - 00000000 ____D C:\Users\user\AppData\Roaming\llgmebag 2016-07-24 15:56 - 2016-06-21 14:14 - 00000000 ____D C:\Users\user\AppData\Roaming\kwmkvswy 2016-07-24 15:56 - 2016-06-20 16:09 - 00000000 ____D C:\Users\user\AppData\Roaming\lyfntkze 2016-07-24 15:56 - 2016-06-20 03:26 - 00000000 ____D C:\Users\user\AppData\Roaming\khitfriy 2016-07-24 15:56 - 2016-06-14 23:50 - 00000000 ____D C:\Users\user\AppData\Roaming\hifmqnmr 2016-07-24 15:56 - 2016-06-13 22:10 - 00000000 ____D 
C:\Users\user\AppData\Roaming\weoxfgff 2016-07-24 15:56 - 2016-06-13 00:33 - 00000000 ____D C:\Users\user\AppData\Roaming\wizfnskg 2016-07-24 15:56 - 2016-06-11 14:20 - 00000000 ____D C:\Users\user\AppData\Roaming\wfzwertg 2016-07-24 15:56 - 2016-06-08 22:11 - 00000000 ____D C:\Users\user\AppData\Roaming\kyjriprf 2016-07-24 15:56 - 2016-06-08 19:02 - 00000000 ____D C:\Users\user\AppData\Roaming\wpfbosnz 2016-07-24 15:56 - 2016-06-07 22:22 - 00000000 ____D C:\Users\user\AppData\Roaming\vzsfmmuy 2016-07-24 15:56 - 2016-06-05 17:37 - 00000000 ____D C:\Users\user\AppData\Roaming\zeclmbcn 2016-07-24 15:56 - 2016-05-21 12:30 - 00000000 ____D C:\Users\user\AppData\Roaming\jqcscksz 2016-07-24 15:56 - 2016-05-20 18:12 - 00000000 ____D C:\Users\user\AppData\Roaming\jmcseecw 2016-07-24 15:56 - 2016-05-19 21:55 - 00000000 ____D C:\Users\user\AppData\Roaming\rfwxotjv 2016-07-24 15:56 - 2016-05-18 11:49 - 00000000 ____D C:\Users\user\AppData\Roaming\yeemeyrz 2016-07-24 15:56 - 2016-05-14 16:56 - 00000000 ____D C:\Users\user\AppData\Roaming\ukiwnkwh 2016-07-24 15:56 - 2016-05-13 18:47 - 00000000 ____D C:\Users\user\AppData\Roaming\smxnbqwz 2016-07-24 15:56 - 2016-05-13 00:14 - 00000000 ____D C:\Users\user\AppData\Roaming\hyaknpgr 2016-07-24 15:56 - 2016-05-09 21:31 - 00000000 ____D C:\Users\user\AppData\Roaming\rqwlagzv 2016-07-24 15:56 - 2016-05-09 15:22 - 00000000 ____D C:\Users\user\AppData\Roaming\khcqwzex 2016-07-24 15:56 - 2016-05-08 12:57 - 00000000 ____D C:\Users\user\AppData\Roaming\wvcylmez 2016-07-24 15:56 - 2016-05-05 09:33 - 00000000 ____D C:\Users\user\AppData\Roaming\tpxxfkez 2016-07-24 15:56 - 2016-05-01 12:55 - 00000000 ____D C:\Users\user\AppData\Roaming\jpcbosga 2016-07-24 15:56 - 2016-04-30 12:11 - 00000000 ____D C:\Users\user\AppData\Roaming\jxmzyuhg 2016-07-24 15:56 - 2016-04-29 12:41 - 00000000 ____D C:\Users\user\AppData\Roaming\rvbtmcpd 2016-07-24 15:56 - 2016-04-29 07:35 - 00000000 ____D C:\Users\user\AppData\Roaming\uncyukvx 2016-07-24 15:56 - 
2016-04-27 14:47 - 00000000 ____D C:\Users\user\AppData\Roaming\utqwaabt 2016-07-24 15:56 - 2016-04-26 13:20 - 00000000 ____D C:\Users\user\AppData\Roaming\khohcbcf 2016-07-24 15:56 - 2016-04-16 17:23 - 00000000 ____D C:\Users\user\AppData\Roaming\ydmzxymn 2016-07-24 15:56 - 2016-04-16 13:51 - 00000000 ____D C:\Users\user\AppData\Roaming\tmmgvyaw 2016-07-24 15:56 - 2016-03-05 23:28 - 00000000 ____D C:\Users\user\AppData\Roaming\zhxudnfs 2016-07-24 15:56 - 2016-02-28 10:14 - 00000000 ____D C:\Users\user\AppData\Roaming\hhvyilre 2016-07-24 15:56 - 2016-02-16 22:21 - 00000000 ____D C:\Users\user\AppData\Roaming\rylwivpy 2016-07-24 15:56 - 2016-02-03 21:29 - 00000000 ____D C:\Users\user\AppData\Roaming\lckxgbnl 2016-07-24 15:56 - 2016-01-19 07:14 - 00000000 ____D C:\Users\user\AppData\Roaming\zufgqdjd 2016-07-24 15:56 - 2016-01-18 15:20 - 00000000 ____D C:\Users\user\AppData\Roaming\wiqhcopk 2016-07-24 15:56 - 2016-01-17 23:51 - 00000000 ____D C:\Users\user\AppData\Roaming\yriyuyqe 2016-07-24 15:56 - 2016-01-09 17:48 - 00000000 ____D C:\Users\user\AppData\Roaming\xhdacobf 2016-07-24 15:56 - 2016-01-03 17:43 - 00000000 ____D C:\Users\user\AppData\Roaming\xmymnwcq 2016-07-24 15:56 - 2015-12-21 13:13 - 00000000 ____D C:\Users\user\AppData\Roaming\jvjryrdj 2016-07-24 15:56 - 2015-12-12 18:25 - 00000000 ____D C:\Users\user\AppData\Roaming\yjbjsldi 2016-07-24 15:56 - 2015-12-12 16:18 - 00000000 ____D C:\Users\user\AppData\Roaming\vhexrplv 2016-07-24 15:56 - 2015-12-09 22:49 - 00000000 ____D C:\Users\user\AppData\Roaming\wtokpfxb 2016-07-24 15:56 - 2015-12-08 18:01 - 00000000 ____D C:\Users\user\AppData\Roaming\kykzebmk 2016-07-24 15:56 - 2015-11-02 14:48 - 00000000 ____D C:\Users\user\AppData\Roaming\ywztptwt 2016-07-24 15:56 - 2015-06-01 21:29 - 00000000 ____D C:\Users\user\AppData\Roaming\rukatgqq 2016-07-24 15:56 - 2015-05-12 01:43 - 00000000 ____D C:\Users\user\AppData\Roaming\vilkvkey 2016-07-24 15:56 - 2015-03-13 13:44 - 00000000 ____D 
C:\Users\user\AppData\Roaming\ymxuurqw 2016-07-24 15:56 - 2015-02-12 05:35 - 00000000 ____D C:\Users\user\AppData\Roaming\uzaivaga 2016-07-24 15:56 - 2015-02-11 15:30 - 00000000 ____D C:\Users\user\AppData\Roaming\sfuajixl 2016-07-24 15:56 - 2007-02-15 22:04 - 00000000 ____D C:\Users\user\AppData\Roaming\gsetnxvb 2016-07-24 15:56 - 2007-02-15 00:21 - 00000000 ____D C:\Users\user\AppData\Roaming\gieqhyep 2016-07-24 15:56 - 2007-02-15 00:02 - 00000000 ____D C:\Users\user\AppData\Roaming\uhozzgjt 2016-07-24 15:11 - 2016-02-28 21:16 - 00000000 ____D C:\Users\user\AppData\Roaming\dbzduqyv 2016-07-24 01:58 - 2016-06-24 13:05 - 00000000 ____D C:\Users\user\AppData\Roaming\bxixwxep 2016-07-24 01:58 - 2016-05-06 11:56 - 00000000 ____D C:\Users\user\AppData\Roaming\cjgastms 2016-07-24 01:58 - 2016-04-24 23:09 - 00000000 ____D C:\Users\user\AppData\Roaming\buigcvgm 2016-07-24 01:53 - 2016-06-11 22:22 - 00000000 ____D C:\Users\user\AppData\Roaming\bsefpbza 2016-07-24 01:53 - 2015-05-05 05:33 - 00000000 ____D C:\Users\user\AppData\Roaming\bhiecivx 2016-07-24 01:48 - 2016-06-15 22:56 - 00000000 ____D C:\Users\user\AppData\Roaming\awcjfxtm 2016-07-24 01:48 - 2015-04-28 17:47 - 00000000 ____D C:\Users\user\AppData\Roaming\afwjzugr 2016-07-24 01:43 - 2016-02-26 20:03 - 00000000 ____D C:\ProgramData\80549ce9 2016-07-24 00:22 - 2007-02-17 05:06 - 00002127 _____ C:\Windows\epplauncher.mif 2016-07-22 20:19 - 2015-01-23 22:01 - 00000327 _____ C:\Users\user\AppData\Roaming\WB.CFG ==================== Files in the root of some directories ======= 2007-02-15 00:05 - 2007-02-15 00:05 - 6420480 _____ () C:\Program Files\GUT41AE.tmp 2015-02-12 10:20 - 2015-02-12 10:20 - 6103040 _____ () C:\Program Files\GUT7069.tmp 2007-02-15 00:08 - 2007-02-15 00:08 - 0000000 _____ () C:\Program Files\GUTD588.tmp 2015-05-22 00:31 - 2007-02-15 00:11 - 0000024 _____ () C:\Users\user\AppData\Roaming\appdataFr25.bin 2015-04-28 15:38 - 2015-05-22 00:26 - 0000020 _____ () 
C:\Users\user\AppData\Roaming\appdataFr3.bin 2014-12-23 21:41 - 2014-12-23 21:41 - 0138056 _____ () C:\Users\user\AppData\Roaming\PnkBstrK.sys 2015-01-23 22:01 - 2016-07-22 20:19 - 0000327 _____ () C:\Users\user\AppData\Roaming\WB.CFG 2016-08-07 17:31 - 2016-08-07 17:31 - 0003584 _____ () C:\Users\user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini 2014-08-23 18:28 - 2014-08-23 18:28 - 0000000 _____ () C:\Users\user\AppData\Local\{021E2386-759F-43C7-93D9-3D5BF70A0319} 2014-02-19 15:02 - 2014-02-19 15:02 - 0000000 _____ () C:\Users\user\AppData\Local\{5C8F489D-835A-451E-AAFA-E6B0E4953A05} 2014-05-29 13:35 - 2014-05-29 13:36 - 0000000 _____ () C:\Users\user\AppData\Local\{A76B11C5-E75C-4DE6-AA0C-DD6FC1E47834} 2016-07-24 00:21 - 2016-07-24 00:21 - 0045499 _____ () C:\ProgramData\1469294336.bdinstall.bin 2016-07-24 00:30 - 2016-07-24 00:30 - 0002049 _____ () C:\ProgramData\1469294993.1704.bin 2016-07-24 00:29 - 2016-07-24 00:32 - 0040831 _____ () C:\ProgramData\1469294993.2684.bin 2016-07-24 00:30 - 2016-07-24 00:32 - 0000494 _____ () C:\ProgramData\1469294993.2720.bin 2016-07-24 00:45 - 2016-07-24 00:45 - 0225330 _____ () C:\ProgramData\1469295588.bdinstall.bin 2016-07-24 17:25 - 2016-07-24 17:25 - 0037915 _____ () C:\ProgramData\1469355918.bdinstall.bin 2016-07-24 17:25 - 2016-07-24 17:26 - 0004431 _____ () C:\ProgramData\1469355928.172.bin 2016-07-24 17:25 - 2016-07-24 17:26 - 0045125 _____ () C:\ProgramData\1469355928.2132.bin 2016-07-24 17:25 - 2016-07-24 17:26 - 0002928 _____ () C:\ProgramData\1469355928.3196.bin 2016-07-24 17:25 - 2016-07-24 17:26 - 0042049 _____ () C:\ProgramData\1469355928.3948.bin Some files in TEMP: ==================== C:\Users\user\AppData\Local\Temp\c8eb790646128f34aa04a36111aca8cf.dll C:\Users\user\AppData\Local\Temp\d45bf640ca3c263b5d4928241c7a8e35.dll C:\Users\user\AppData\Local\Temp\eauninstall.exe C:\Users\user\AppData\Local\Temp\ggspawn1556635582.dll C:\Users\user\AppData\Local\Temp\ggspawn770000468.dll 
C:\Users\user\AppData\Local\Temp\openvpn.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1003_1.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1004_11.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1005.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1006.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1007.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1008_1.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1009.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1010.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1011.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1012.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1013_1.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1014.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1015_1.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1016_1.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1017.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1018.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1019.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1020.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1021.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1022.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1023.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1024.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1025_1.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1026.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1027.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1028.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1029.exe 
C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1030.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1031.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1032.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1033.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1034.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1035.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1036.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1037.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1038_1.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1039.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1040.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1041.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1042.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1043.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1044.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1045.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1046.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1047.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1048.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1049_1.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1050.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1051.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1052_1.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1053.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1054.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1055.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1056.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1057.exe 
==================== Bamital & volsnap =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe [2010-11-21 04:29] - [2010-11-20 03:17] - 0285696 ____A (Microsoft Corporation) C3EB9EA34EBE459F13F3F890F56CE72A
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll [2010-11-21 04:29] - [2010-11-20 03:21] - 0812032 ____A (Microsoft Corporation) CF97D64D7EC169C53C93B0A192218B29
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2016-08-06 08:13
==================== End of FRST.txt ============================
Sixth, and it is all I can give to you. Thank you so much Kevin for helping me, I'm waiting on your next reply ;)
kevinf80 Posted August 9, 2016 ID:1055316
Run FRST one more time: Type the following in the edit box after "Search:".
winlogon.exe
Click the Search button and post the log (Search.txt) it makes to your reply.
Next, run FRST one more time: Type the following in the edit box after "Search:".
User32.dll
Click the Search button and post the log (Search.txt) it makes to your reply.
Post those two produced logs in your reply....
javelineou Posted August 9, 2016 Author ID:1055321
search.txt ( winlogon )
Farbar Recovery Scan Tool (x86) Version: 09-08-2016
Ran by user (2016-08-09 18:24:53)
Running from C:\Users\user\Desktop
Boot Mode: Normal
================== Search Files: "User32.dll" =============
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll [2010-11-21 04:29][2010-11-21 04:29] 0811520 ____A (Microsoft Corporation) F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 [File is digitally signed]
C:\Windows\System32\user32.dll [2010-11-21 04:29][2010-11-20 03:21] 0812032 ____A (Microsoft Corporation) CF97D64D7EC169C53C93B0A192218B29 [File not signed]
C:\Windows\KJ\Pirate\T\x86T\user32.dll [2007-02-17 05:08][2010-11-20 03:21] 0812032 ____A (Microsoft Corporation) CF97D64D7EC169C53C93B0A192218B29 [File not signed]
C:\Windows\KJ\Pirate\T\x64T\user32.dll [2007-02-17 05:08][2011-01-16 07:01] 1008640 ____A (Microsoft Corporation) 0B864E15A0BADFF0E7BB8B59009FDDCF [File not signed]
C:\Windows\KJ\Pirate\T\SysWOW64T\user32.dll [2007-02-17 05:08][2010-11-20 03:08] 0833024 ____A (Microsoft Corporation) 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 [File not signed]
C:\Windows\KJ\Pirate\P\x86P\user32.dll [2007-02-17 05:08][2010-11-20 03:21] 0811520 ____A (Microsoft Corporation) F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 [File is digitally signed]
C:\Windows\KJ\Pirate\P\x64P\user32.dll [2007-02-17 05:08][2010-11-20 04:27] 1008128 ____A (Microsoft Corporation) FE70103391A64039A921DBFFF9C7AB1B [File not signed]
C:\Windows\KJ\Pirate\P\SysWOW64P\user32.dll [2007-02-17 05:08][2010-11-20 03:08] 0833024 ____A (Microsoft Corporation) 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 [File not signed]
====== End of Search ======
search.txt ( user32 )
Farbar Recovery Scan Tool (x86) Version: 09-08-2016
Ran by user (2016-08-09 18:22:19)
Running from C:\Users\user\Desktop
Boot Mode: Normal
================== Search Files: "winlogon.exe" =============
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe [2010-11-21 04:29][2010-11-21 04:29] 0286720 ____N (Microsoft Corporation) 6D13E1406F50C66E2A95D97F22C47560 [File is digitally signed]
C:\Windows\System32\winlogon.exe [2010-11-21 04:29][2010-11-20 03:17] 0285696 ____A (Microsoft Corporation) C3EB9EA34EBE459F13F3F890F56CE72A [File not signed]
C:\Program Files\Malwarebytes Anti-Malware\Chameleon\Windows\winlogon.exe [2016-08-09 15:06][2016-03-10 14:07] 0960480 ____A (MalwareBytes) F86A4139730504047F52CCFB8C47E9F5 [File is digitally signed]
====== End of Search ======
javelineou Posted August 9, 2016 Author ID:1055323
Oops, I'm sorry, but I think I just reversed the text. The first one must be the winlogon and the second text must be the user32. I'm sorry.
kevinf80 Posted August 9, 2016 ID:1055375
You never posted the secondary log from FRST, "Addition.txt". I need to see that log. Logs are saved here: C:\FRST\Logs
javelineou Posted August 10, 2016 Author ID:1055532
Addition_09-08-2016_16-30-07.txt
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 09-08-2016
Ran by user (2016-08-09 16:28:42)
Running from C:\Users\user\Desktop
Microsoft Windows 7 Ultimate Service Pack 1 (X86) (2007-02-16 21:40:57)
Boot Mode: Normal
==========================================================
==================== Accounts: =============================
Administrator (S-1-5-21-3897908082-2070258231-4265155790-500 - Administrator - Disabled)
Guest (S-1-5-21-3897908082-2070258231-4265155790-501 - Limited - Disabled)
UpdatusUser (S-1-5-21-3897908082-2070258231-4265155790-1001 - Limited - Enabled) => C:\Users\UpdatusUser
user (S-1-5-21-3897908082-2070258231-4265155790-1000 - Administrator - Enabled) => C:\Users\user
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Microsoft Security Essentials (Enabled - Up to date) {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
AS: Microsoft Security Essentials (Enabled - Up to date) {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
==================== Installed Programs ======================
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
Adobe AIR (HKLM\...\Adobe AIR) (Version: 13.0.0.111 - Adobe Systems Incorporated) Adobe Flash Player 11 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 11.7.700.169 - Adobe Systems Incorporated) Adobe Flash Player 16 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 16.0.0.305 - Adobe Systems Incorporated) Adobe Photoshop CS3 (HKLM\...\Adobe_719d6f144d0c086a0dfa7ff76bb9ac1) (Version: 10.0 - Adobe Systems Incorporated) Adobe Reader X (10.1.0) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.0 - Adobe Systems Incorporated) Chromium (HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\...\Chromium) (Version: 46.0.2470.0 - Chromium) Counter-Strike 1.6 (HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\...\Counter-Strike 1.6) (Version: - ) File Association Helper (HKLM\...\{8975E3CB-A762-4B14-BD62-A3972A098E82}) (Version: 1.2.225.65451 - WinZip Computing International, LLC) Foxtab (HKLM\...\Foxtab) (Version: - Foxtab) <==== ATTENTION Garena - PointBlank ID (HKLM\...\PBID) (Version: - Garena Online Pte Ltd.) Garena+ (HKLM\...\im) (Version: 2011 - Garena Online Pte Ltd.) GOM Player (HKLM\...\GOM Player) (Version: 2.1.28.5039 - Gretech Corporation) Google Chrome (HKLM\...\Google Chrome) (Version: 52.0.2743.116 - Google Inc.) Google Drive (HKLM\...\{709316AD-161C-4D5C-9AE7-0B3A822DA271}) (Version: 1.30.2170.0459 - Google, Inc.) Google Earth (HKLM\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google) Google Talk Plugin (HKLM\...\{F9B579C2-D854-300A-BE62-A09EB9D722E4}) (Version: 5.41.3.0 - Google) Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden Google Update Helper (Version: 1.3.31.5 - Google Inc.) Hidden HP Deskjet 1050 J410 series Basic Device Software (HKLM\...\{226837D8-0BF8-4CBE-BAB2-8F07E2C2B4DD}) (Version: 22.50.231.0 - Hewlett-Packard Co.) 
HP Deskjet 1050 J410 series Help (HKLM\...\{5C90D8CF-F12A-41C6-9007-3B651A1F0D78}) (Version: 140.0.66.66 - Hewlett Packard)
HP Deskjet 1050 J410 series Product Improvement Study (HKLM\...\{7414C891-720D-4E86-85E5-C3AA898DA9EC}) (Version: 22.50.231.0 - Hewlett-Packard Co.)
HP Photo Creations (HKLM\...\HP Photo Creations) (Version: 1.0.0.3781 - HP Photo Creations Powered by RocketLife)
HP Update (HKLM\...\{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}) (Version: 5.002.006.003 - Hewlett-Packard)
HPRewriter2 (HKLM\...\HPRewriter2) (Version: - )
K-Lite Codec Pack 7.1.0 (Full) (HKLM\...\KLiteCodecPack_is1) (Version: 7.1.0 - )
LINE (HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\...\LINE) (Version: 4.8.0.1097 - LINE Corporation)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.1.522.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.0.50401.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Mozilla Firefox 47.0 (x86 en-US) (HKLM\...\Mozilla Firefox 47.0 (x86 en-US)) (Version: 47.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 47.0.0.5999 - Mozilla)
MSXML4 Parser (HKLM\...\{01501EBA-EC35-4F9F-8889-3BE346E5DA13}) (Version: 1.0.0 - Microsoft Game Studios)
Need for Speed™ Carbon (HKLM\...\{259C0ABB-A3B2-4D70-008F-BF7EE491B70B}) (Version: - )
Nero 7 Premium (HKLM\...\{4781569D-5404-1F26-4B2B-6DF444441031}) (Version: 7.00.0087 - Nero AG)
NVIDIA Graphics Driver 307.74 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 307.74 - NVIDIA Corporation)
NVIDIA Update 1.10.8 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.10.8 - NVIDIA Corporation)
Opera Stable 39.0.2256.48 (HKLM\...\Opera 39.0.2256.48) (Version: 39.0.2256.48 - Opera Software)
PDF Settings (Version: 1.0 - Adobe Systems Incorporated) Hidden
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6828 - Realtek Semiconductor Corp.)
Search Provided by Yahoo (HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\...\YahooProvidedSearch) (Version: - ) <==== ATTENTION
SMADAV version 9.6.1 (HKLM\...\{8B9FA5FF-3E61-4658-B0DA-E6DDB46D6BAD}_is1) (Version: 9.6.1 - SmadSoft)
UltraISO Premium V9.35 (HKLM\...\UltraISO_is1) (Version: - )
Unity Web Player (HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\...\UnityWebPlayer) (Version: - Unity Technologies ApS)
Winamp (HKLM\...\Winamp) (Version: 5.61 - Nullsoft, Inc)
Winamp Detector Plug-in (HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\...\Winamp Detect) (Version: 1.0.0.1 - Nullsoft, Inc)
Windows Driver Package - ASIX (AX88772) Net (06/10/2009 3.12.3.2) (HKLM\...\3720AB563DCFC005C5FB669FF957E87941CF80E6) (Version: 06/10/2009 3.12.3.2 - ASIX)
WinRAR 4.01 (32-bit) (HKLM\...\WinRAR archiver) (Version: 4.01.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.27.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{1aad99ea-ee10-5c3a-8174-84c63a67adde}\InprocServer32 -> C:\ProgramData\Anvisoft\Anvi Smart Defender 2\extensions\npAdblockPlugin.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{39125640-8D80-11DC-A2FE-C5C455D89593}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Google Talk Plugin\googletalkax.dll (Google)
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32 -> C:\Users\user\AppData\LocalLow\Unity\WebPlayer\loader\UnityWebPluginAX.ocx (Unity Technologies ApS)
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.30.3\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.28.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.28.13\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.29.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\localserver32 -> C:\Users\user\AppData\Local\Chromium\Application\46.0.2470.0\delegate_execute.exe (The Chromium Authors) <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{AB9F4455-E591-4132-A386-0B91EAEDB96C}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Google Talk Plugin\o1dax.dll (Google)
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.26.9\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.29.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.25.11\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.28.15\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.27.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> "C:\Users\user\AppData\Local\Google\Update\1.3.29.1\GoogleUpdateOnDemand.exe" => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> "C:\Users\user\AppData\Local\Google\Update\1.3.29.1\GoogleUpdateOnDemand.exe" => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{39125640-8D80-11DC-A2FE-C5C455D89593}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Google Talk Plugin\googletalkax.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32 -> C:\Users\UpdatusUser\AppData\LocalLow\Unity\WebPlayer\loader\UnityWebPluginAX.ocx => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> "C:\Users\user\AppData\Local\Google\Update\1.3.29.1\GoogleUpdateOnDemand.exe" => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.30.3\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.28.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.28.13\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.29.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\localserver32 -> C:\Users\user\AppData\Local\Chromium\Application\46.0.2470.0\delegate_execute.exe (The Chromium Authors) <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{AB9F4455-E591-4132-A386-0B91EAEDB96C}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Google Talk Plugin\o1dax.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.29.1\npGoogleUpdate3.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.26.9\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.29.1\npGoogleUpdate3.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.29.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.25.11\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.28.15\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> "C:\Users\user\AppData\Local\Google\Update\1.3.29.1\GoogleUpdateOnDemand.exe" => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.29.1\psuser.dll => No File

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {07E93579-5FEA-4718-A3BB-5C4B5EBB481A} - System32\Tasks\Garena+ Plugin Host Service => C:\Users\user\Downloads\Garena Plus\ggdllhost.exe [2016-02-22] ()
Task: {0E26943A-E58D-4D36-9ED9-191631BCCFF7} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
Task: {16D4A03B-6672-436D-922E-D1BDE06336B6} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3897908082-2070258231-4265155790-1000Core => C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2015-09-04] (Google Inc.)
Task: {189F871F-7689-4B16-BC34-7EA1AC36071C} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2007-02-15] (Google Inc.)
Task: {1A69E56C-C44D-4B29-9A13-8D1C0282506A} - System32\Tasks\UpdateTask => C:\Users\user\AppData\Local\{804AB~1\UNINST~1.EXE
Task: {1C1E0E67-A92A-4705-B5BE-3F8DF7077DEE} - System32\Tasks\{730A0B80-DE7E-4936-9138-9D4E43D39543} => pcalua.exe -a "C:\Program Files\Electronic Arts\Need for Speed Carbon\EAUninstall.exe"
Task: {1CD82678-09D3-4DE7-987D-516F812E5DBA} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-03-03] (Adobe Systems Incorporated)
Task: {2290A225-5460-4BD0-9B6B-BBCC737CCAF4} - \{CA13FAB3-5290-0682-FAF4-587B10AA7A33} -> No File <==== ATTENTION
Task: {27F89AFD-62F3-4A46-A5A5-66D8D7E1574F} - System32\Tasks\smadav => C:\Program Files\Smadav\SMΔRTP.exe [2014-01-21] (Smadsoft)
Task: {2ABAF70E-261F-40D0-A37B-171C14AF678F} - \Superclean -> No File <==== ATTENTION
Task: {32471D25-BE59-490D-8A8C-2461921F46C7} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2007-02-15] (Google Inc.)
Task: {37CE6EA3-8CFD-4B23-A5E5-747AD27D33BD} - System32\Tasks\HPCustParticipation HP Deskjet 1050 J410 series => C:\Program Files\HP\HP Deskjet 1050 J410 series\Bin\HPCustPartic.exe [2010-11-16] (Hewlett-Packard Co.)
Task: {3B25E983-9659-4E18-931C-60CCC01B98ED} - \Foxtab -> No File <==== ATTENTION
Task: {4784428D-4A1E-4F89-AB5A-CB63F613A353} - System32\Tasks\{889C5A91-D264-4550-95DA-196724F7C8A4} => pcalua.exe -a "C:\Program Files\SaverExtEnsiion\Vr4g4Bn5Im26F4.exe" -c /s /n /i:"ExecuteCommands;UninstallCommands" ""
Task: {4E3DC8E8-8ADB-458D-B424-2341DB69A79B} - System32\Tasks\Opera scheduled Autoupdate 1419328534 => C:\Program Files\Opera\launcher.exe [2016-08-03] (Opera Software)
Task: {4F59613F-0625-44F5-9617-34AE48DE87A7} - \{6154B54B-F7CE-82CD-9B38-E9FC1188F970} -> No File <==== ATTENTION
Task: {62443B58-82F0-4E28-BF23-B0CF11003B2F} - \Super Optimizer Schedule -> No File <==== ATTENTION
Task: {933777CA-154F-46E3-88AE-8D8110E51AB8} - System32\Tasks\{7095882C-55D6-48B6-830A-B40748EB391E} => pcalua.exe -a "C:\Program Files\SalePlus\MHYQf5xAfdtoPP.exe" -c /s /n /i:"ExecuteCommands;UninstallCommands" ""
Task: {B43DC576-11B7-433E-B995-4612E9879C47} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3897908082-2070258231-4265155790-1000UA => C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2015-09-04] (Google Inc.)
Task: {B652DE0D-87F6-4397-B81C-63796FA72B37} - System32\Tasks\{37495DE7-5931-4CAE-A82A-E4C275C0BED8} => Chrome.exe hxxp://ui.skype.com/ui/0/6.14.0.104/id/abandoninstall?source=lightinstaller&page=tsInstall
Task: {CAFAEC6E-0724-4CF4-A6D8-090931C5D98B} - \userCentrifugallyKingwoodV2 -> No File <==== ATTENTION
Task: {DB6E221A-5F52-4883-8697-B89D8ADDF082} - System32\Tasks\Microsoft\Windows\Windows Activation Technologies\WatTask => C:\Windows Activation Technologies\wat.exe [2006-04-21] ()

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3897908082-2070258231-4265155790-1000Core.job => C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3897908082-2070258231-4265155790-1000UA.job => C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\UpdateTask.job => C:\Users\user\AppData\Local\{804AB~1\UNINST~1.EXE

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Users\user\AppData\Local\Microsoft\Windows\GameExplorer\{6C95E218-B32A-4955-88CA-65FCA3BE5F25}\SupportTasks\1\Support.lnk -> hxxp://support.ea.com/
Shortcut: C:\Users\user\AppData\Local\Microsoft\Windows\GameExplorer\{6C95E218-B32A-4955-88CA-65FCA3BE5F25}\SupportTasks\0\More Games from Microsoft.lnk -> hxxp://www.ea.com/nfs/carbon/us/home.jsp/
ShortcutWithArgument: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> --disable-quic

==================== Loaded Modules (Whitelisted) ==============

2007-02-17 05:02 - 2013-01-03 15:38 - 00079800 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax.dll
2016-02-22 18:24 - 2016-02-22 18:24 - 00174632 _____ () C:\Users\user\Downloads\Garena Plus\ggdllhost.exe
2016-02-24 18:15 - 2016-03-30 14:33 - 03310632 _____ () C:\Users\user\Downloads\Garena Plus\ggspawn.dll
2016-08-09 14:56 - 2016-08-03 07:24 - 01771336 _____ () C:\Program Files\Google\Chrome\Application\52.0.2743.116\libglesv2.dll
2016-08-09 14:56 - 2016-08-03 07:23 - 00094024 _____ () C:\Program Files\Google\Chrome\Application\52.0.2743.116\libegl.dll
2016-08-09 14:56 - 2016-08-03 06:54 - 17602240 _____ () C:\Program Files\Google\Chrome\Application\52.0.2743.116\PepperFlash\pepflashplayer.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 09:04 - 2009-06-11 04:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)
HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 8.8.8.8 - 8.8.4.4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: Bonjour Service => 2
MSCONFIG\Services: FLEXnet Licensing Service => 3
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: Innosvcd => 2
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\startupfolder: C:^Users^user^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk => C:\Windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: BDRegion => C:\Program Files\Cyberlink\Shared files\brs.exe
MSCONFIG\startupreg: BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} => "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
MSCONFIG\startupreg: FAHConsole => C:\Program Files\File Association Helper\FAHConsole.exe
MSCONFIG\startupreg: Google Update => "C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe" /c
MSCONFIG\startupreg: GoogleDriveSync => "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart
MSCONFIG\startupreg: GrooveMonitor => "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
MSCONFIG\startupreg: HP Software Update => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
MSCONFIG\startupreg: Microsoft Default Manager => "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
MSCONFIG\startupreg: MSC => "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
MSCONFIG\startupreg: NeroFilterCheck => C:\Windows\system32\NeroCheck.exe
MSCONFIG\startupreg: RemoteControl10 => "C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe"
MSCONFIG\startupreg: RTHDVCPL => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
MSCONFIG\startupreg: SoftonicAssistant => "C:\Users\user\AppData\Local\SoftonicAssistant\SoftonicAssistant.exe"
MSCONFIG\startupreg: Super Optimizer => C:\Program Files\Super Optimizer\SupOptLauncher.exe
MSCONFIG\startupreg: WinampAgent => "C:\Program Files\Winamp\winampa.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{AF55DF36-3B3A-4195-8EC7-93CBC3064418}] => (Allow) C:\Program Files\CyberLink\PowerDVD10\PowerDVD Cinema\PowerDVDCinema10.exe
FirewallRules: [{7FB1DA94-24AC-49C8-9BB4-25F1440F5EB5}] => (Allow) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
FirewallRules: [{C4E7657D-D846-431A-B375-DF72F21C43D4}] => (Allow) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
FirewallRules: [TCP Query User{B75F92AB-5253-4440-9654-94F45745A5FD}C:\program files\winamp\winamp.exe] => (Allow) C:\program files\winamp\winamp.exe
FirewallRules: [UDP Query User{32B99E46-7CA4-4D35-B7EC-73B5E40E177A}C:\program files\winamp\winamp.exe] => (Allow) C:\program files\winamp\winamp.exe
FirewallRules: [{B5EBD52A-8A6C-495C-8914-45C0D8B7BB49}] => (Allow) C:\Program Files\HP\HP Deskjet 1050 J410 series\Bin\USBSetup.exe
FirewallRules: [{84844E85-F746-4836-9F8B-2DD4DC6BBFF7}] => (Allow) C:\Program Files\HP\HP Deskjet 1050 J410 series\Bin\USBSetup.exe
FirewallRules: [{CDE097F3-B5C0-47CF-8440-9B34E38C38FC}] => (Allow) C:\Gemscool\PointBlank\PointBlank.exe
FirewallRules: [{63FE68A2-2AEF-4A9D-B30D-D8E5F745C104}] => (Allow) C:\Gemscool\PointBlank\PointBlank.exe
FirewallRules: [{219D2E55-3CA6-4E0A-AAFD-9EB3D5D8438C}] => (Allow) C:\Windows\System32\innogmp.exe
FirewallRules: [{057FE20A-96B0-4751-B20B-11B4921E3A22}] => (Allow) C:\Windows\System32\innogmp.exe
FirewallRules: [{58BC5D0F-05D4-4393-8AC2-4F3D8B5B6AE8}] => (Allow) C:\Windows\System32\innosvcd.exe
FirewallRules: [{AFE59780-6795-4CA7-93E1-D36C420077A1}] => (Allow) C:\Windows\System32\innosvcd.exe
FirewallRules: [TCP Query User{BA77D0C4-8BA4-42D5-888D-071A3EFA81A1}C:\program files\microsoft games\rise of nations\nations.exe] => (Block) C:\program files\microsoft games\rise of nations\nations.exe
FirewallRules: [UDP Query User{ADF314B4-57CB-4C37-A8B2-C4FBCF5D8195}C:\program files\microsoft games\rise of nations\nations.exe] => (Block) C:\program files\microsoft games\rise of nations\nations.exe
FirewallRules: [{5BAC8B25-CAEA-44CA-AC62-BCCB1A4454EE}] => (Allow) C:\Users\user\LINE\Line.exe
FirewallRules: [{8E037D6B-A56A-49DC-AC85-49C97F23D196}] => (Allow) C:\Users\user\LINE\Line.exe
FirewallRules: [TCP Query User{ACF23A73-DF3A-4A9C-88B4-1F2434E975EE}E:\easysetupassistant\wr842n\easysetupassistant.exe] => (Allow) E:\easysetupassistant\wr842n\easysetupassistant.exe
FirewallRules: [UDP Query User{6DC0004E-BF93-439A-9AC5-358BE88AAF78}E:\easysetupassistant\wr842n\easysetupassistant.exe] => (Allow) E:\easysetupassistant\wr842n\easysetupassistant.exe
FirewallRules: [TCP Query User{3BDA6D35-A246-40EF-9DBD-3A68E0DE01B8}E:\easysetupassistant\wr841n\easysetupassistant.exe] => (Allow) E:\easysetupassistant\wr841n\easysetupassistant.exe
FirewallRules: [UDP Query User{5CB6CF52-D25A-492C-B1DE-4228A01866FE}E:\easysetupassistant\wr841n\easysetupassistant.exe] => (Allow) E:\easysetupassistant\wr841n\easysetupassistant.exe
FirewallRules: [{49B543D8-97BE-4320-841D-3B84E06D9A7B}] => (Allow) C:\Windows\System32\PnkBstrA.exe
FirewallRules: [{43209761-FBEB-45A9-94E8-1C177053DE33}] => (Allow) C:\Windows\System32\PnkBstrA.exe
FirewallRules: [{189DCB94-AA42-4442-BB16-8219FA1D0CC6}] => (Allow) C:\Windows\System32\PnkBstrB.exe
FirewallRules: [{CB910983-84C6-4797-B31C-184E11836320}] => (Allow) C:\Windows\System32\PnkBstrB.exe
FirewallRules: [TCP Query User{33FB15B6-FE57-4E5C-88B7-40AC1C133776}C:\users\user\line\line.exe] => (Allow) C:\users\user\line\line.exe
FirewallRules: [UDP Query User{6F6AA9AA-4E2B-49DE-9C0B-95422BB078C8}C:\users\user\line\line.exe] => (Allow) C:\users\user\line\line.exe
FirewallRules: [{AB130FB7-6DF0-4F95-8354-EA486AECD18F}] => (Allow) C:\Users\user\Downloads\pbidInstaller.exe
FirewallRules: [{3C77BF32-775D-4F97-AC00-88C4589F710B}] => (Allow) C:\Users\user\Downloads\pbidInstaller.exe
FirewallRules: [{2BAB82FB-D3EC-4C36-A74B-AEB2443AE04E}] => (Allow) C:\Windows\system32\rundll32.exe
FirewallRules: [{01735BC0-0E8A-490A-B7DA-907629A919AC}] => (Allow) C:\Program Files\Garena Plus\ggdllhost.exe
FirewallRules: [TCP Query User{8B76514A-9257-4DEA-B24A-15B398F44CDE}C:\program files\garena plus\garenamessenger.exe] => (Block) C:\program files\garena plus\garenamessenger.exe
FirewallRules: [UDP Query User{384E1056-A49F-4794-B992-C994FC63F05E}C:\program files\garena plus\garenamessenger.exe] => (Block) C:\program files\garena plus\garenamessenger.exe
FirewallRules: [{14963CF9-3B1A-4CBC-BD62-FC79185AEB6B}] => (Allow) C:\Program Files\GarenaPBID\gamedata\Apps\PBID\PointBlank.exe
FirewallRules: [{BB9D7551-A836-477C-8240-9BAB8D28C62B}] => (Allow) C:\Program Files\GarenaPBID\gamedata\Apps\PBID\PointBlank.exe
FirewallRules: [TCP Query User{D1076D46-7E84-44B9-A77D-39211AF00693}C:\program files\winamp\winamp.exe] => (Block) C:\program files\winamp\winamp.exe
FirewallRules: [UDP Query User{3A4AA64A-E86C-418B-BE31-DCD17C182CEF}C:\program files\winamp\winamp.exe] => (Block) C:\program files\winamp\winamp.exe
FirewallRules: [TCP Query User{ABAE53C1-E284-426E-9D54-95BA45E962BA}C:\program files\counter-strike 1.6\counter-strike 1.6\hl.exe] => (Allow) C:\program files\counter-strike 1.6\counter-strike 1.6\hl.exe
FirewallRules: [UDP Query User{9560033A-3E3F-40CE-882F-2AB0D60A7578}C:\program files\counter-strike 1.6\counter-strike 1.6\hl.exe] => (Allow) C:\program files\counter-strike 1.6\counter-strike 1.6\hl.exe
FirewallRules: [TCP Query User{A3FC8368-32A4-4704-BCC6-E738D707DCC1}C:\program files\counter-strike 1.6\hl.exe] => (Block) C:\program files\counter-strike 1.6\hl.exe
FirewallRules: [UDP Query User{1BC205D3-E569-40FB-B391-5D435DBE7423}C:\program files\counter-strike 1.6\hl.exe] => (Block) C:\program files\counter-strike 1.6\hl.exe
FirewallRules: [{3716CDE8-4C40-4103-AEFC-83908367A28B}] => (Allow) C:\Users\user\AppData\Local\Chromium\Application\chrome.exe
FirewallRules: [TCP Query User{0352C2C4-F36F-4961-B2E4-FFFE3C05E413}C:\program files\novalogic\delta force xtreme\dfx.exe] => (Block) C:\program files\novalogic\delta force xtreme\dfx.exe
FirewallRules: [UDP Query User{AC0ACF9C-D4AA-4E4A-B848-7E96534DF905}C:\program files\novalogic\delta force xtreme\dfx.exe] => (Block) C:\program files\novalogic\delta force xtreme\dfx.exe
FirewallRules: [{85C224FA-F8A8-4775-81F3-5A083E26182B}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{D0223D83-91F4-40EC-84FE-2637BE3AB8C3}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{32785A94-E0CB-4062-B53B-B08A5708E786}] => (Allow) C:\GarenaDownload\Games\pbid\pbidInstaller.exe
FirewallRules: [{759A500F-3DF2-466D-8BFA-AFDADE9E6819}] => (Allow) C:\GarenaDownload\Games\pbid\pbidInstaller.exe
FirewallRules: [TCP Query User{7D2F11DA-C6AA-43B2-A96E-A70225FD0986}C:\users\user\downloads\garena plus\garenamessenger.exe] => (Allow) C:\users\user\downloads\garena plus\garenamessenger.exe
FirewallRules: [UDP Query User{8DC531C2-84B6-42C9-A51A-96AE56201C02}C:\users\user\downloads\garena plus\garenamessenger.exe] => (Allow) C:\users\user\downloads\garena plus\garenamessenger.exe
FirewallRules: [{936B575F-183B-4B0C-B39A-5D218BB00D6E}] => (Allow) C:\Users\user\AppData\Local\Line\bin\4.7.0.1027\LINE.exe
FirewallRules: [{E2F4FCAC-10F2-4254-860B-A08502ED41F8}] => (Allow) C:\Users\user\AppData\Local\Line\bin\4.7.0.1027\LINE.exe
FirewallRules: [{76FCD2F5-A9EA-4A22-BD9D-07FBEA1D3A66}] => (Allow) C:\Users\user\AppData\Local\Line\bin\4.7.0.1027\LineUpdater.exe
FirewallRules: [{947B6388-796E-4183-A363-17B08C488DF9}] => (Allow) C:\Users\user\AppData\Local\Line\bin\4.7.0.1027\LineUpdater.exe
FirewallRules: [{8EBB87C4-EDBD-46BE-BA30-BFD0F7751003}] => (Allow) %SystemRoot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
FirewallRules: [{85531843-DBB2-45B0-82D4-7FF335F85BA1}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

05-08-2016 16:24:07 Windows Update
07-08-2016 16:23:42 Microsoft Antimalware Checkpoint
07-08-2016 20:52:59 Device Driver Package Install: Anvisoft Network Service
09-08-2016 14:34:44 Windows Update
09-08-2016 15:41:34 Microsoft Antimalware Checkpoint

==================== Faulty Device Manager Devices =============

Name: MpKsl0194d930
Description: MpKsl0194d930
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: MpKsl0194d930
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
==================== Event log errors: =========================

Application errors:
==================
Error: (08/09/2016 04:02:23 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/09/2016 02:20:50 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/07/2016 07:36:54 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/07/2016 05:16:31 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winamp.exe, version: 5.6.1.3133, time stamp: 0x4d88ec8b
Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7b96e
Exception code: 0xc0000005
Fault offset: 0x00032239
Faulting process id: 0xb3c
Faulting application start time: 0xwinamp.exe0
Faulting application path: winamp.exe1
Faulting module path: winamp.exe2
Report Id: winamp.exe3

Error: (08/07/2016 04:23:39 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
. This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {fd5d3c35-1572-49d1-9948-57eab037a8cf}

Error: (08/07/2016 04:22:05 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/07/2016 10:18:23 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/06/2016 08:46:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: PokemonGo.RocketAPI.Console.exe, version: 3.6.0.0, time stamp: 0x57a08479
Faulting module name: KERNELBASE.dll, version: 6.1.7601.17514, time stamp: 0x4ce7b8f0
Exception code: 0xe0434352
Fault offset: 0x0000b760
Faulting process id: 0xb04
Faulting application start time: 0xPokemonGo.RocketAPI.Console.exe0
Faulting application path: PokemonGo.RocketAPI.Console.exe1
Faulting module path: PokemonGo.RocketAPI.Console.exe2
Report Id: PokemonGo.RocketAPI.Console.exe3

Error: (08/06/2016 08:46:08 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: PokemonGo.RocketAPI.Console.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileNotFoundException
Stack:
   at PokemonGo.RocketAPI.Console.Program.Main(System.String[])

Error: (08/06/2016 08:45:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: PokemonGo.RocketAPI.Console.exe, version: 3.6.0.0, time stamp: 0x57a08479
Faulting module name: KERNELBASE.dll, version: 6.1.7601.17514, time stamp: 0x4ce7b8f0
Exception code: 0xe0434352
Fault offset: 0x0000b760
Faulting process id: 0x1014
Faulting application start time: 0xPokemonGo.RocketAPI.Console.exe0
Faulting application path: PokemonGo.RocketAPI.Console.exe1
Faulting module path: PokemonGo.RocketAPI.Console.exe2
Report Id: PokemonGo.RocketAPI.Console.exe3

System errors:
=============
Error: (08/09/2016 04:01:31 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
InCDPass
InCDRm

Error: (08/09/2016 04:01:26 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the CutterModule service to connect.

Error: (08/09/2016 02:59:33 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The HPWriter Service service terminated unexpectedly. It has done this 1 time(s).

Error: (08/09/2016 02:19:56 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
InCDPass
InCDRm

Error: (08/09/2016 02:19:54 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the CutterModule service to connect.
Error: (08/07/2016 07:36:07 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
InCDPass
InCDRm

Error: (08/07/2016 07:35:54 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the CutterModule service to connect.

Error: (08/07/2016 04:45:37 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.

Error: (08/07/2016 04:24:00 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (08/07/2016 04:24:00 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

CodeIntegrity:
===================================
Date: 2016-08-09 16:16:59.503
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\user32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-09 16:00:51.281
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\user32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-09 15:59:01.342
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\user32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-09 14:59:18.198
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\user32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-09 14:41:38.923
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\user32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-09 14:28:29.435
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\user32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-09 14:19:19.328
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\user32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-08 23:05:49.572
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\user32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-08 22:54:30.237
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\user32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-08 22:48:55.462
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\user32.dll because the set of per-page image hashes could not be found on the system.
==================== Memory info ===========================

Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz
Percentage of memory in use: 84%
Total physical RAM: 1023.3 MB
Available physical RAM: 156.51 MB
Total Virtual: 6023.3 MB
Available Virtual: 4760.99 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:68.26 GB) (Free:26.13 GB) NTFS
Drive d: (DATA) (Fixed) (Total:80.69 GB) (Free:80.45 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149.1 GB) (Disk ID: 2D6D77B5)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=68.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=80.7 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================
kevinf80 Posted August 10, 2016 ID:1055535

Thanks for those logs, continue as follows:

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.
Run FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Go here: https://www.zemana.com/Download download and install Zemana Anti-malware. Allow a shortcut to be saved to your Desktop.. The tool will be active with a 15 day trial....
Right click on Zemana Antimalware and select "Run as Administrator"
From the GUI select "Settings"
In the new window select 1. Updates, when complete select 2. Real Time Protection.
In the next window make sure 1. all boxes are checkmarked and the action is "Quarantine" and then 2. select the home icon.
In the new window select "Scan"
When the scan completes check each found entry (if any). For "Suspicious Browser Settings" choose REPAIR, for all other entries choose QUARANTINE, then select the "Next" tab
The action complete window will open, from there select the "Back" tab. That will take you back to the home screen...
On that screen select the "Reports" tab. (Looks like 3 chimneys)
On that screen select and highlight the scan details line, then select "Open Report"
Copy and paste that log to your reply...

Next,

Download AdwCleaner by Xplode onto your Desktop.
Double click on Adwcleaner.exe to run the tool.
Click on the Scan in the Actions box
Please wait for the scan to finish..
When "Waiting for action. Please uncheck elements you want to keep" shows in top line..
Click on the Cleaning box.
Next click OK on the "Closing Programs" pop up box.
Click OK on the Information box & again OK to allow the necessary reboot
After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to the list of scans completed...

Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.
Double click the icon and select Run
Click Next
Select I accept the terms in this license agreement, then click Next twice
Click Install
Click Finish to launch the program
Once the virus database has been updated click Start Scanning
If any threats are found click Details, then View log file... (bottom left hand corner)
Copy and paste the results in your reply
Close the Notepad document, close the Threat Details screen, then click Start cleanup
Click Exit to close the program
If no threats were found please confirm that result....

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan"
Select scan, when done post the new logs....

Let me see those logs, also give an update on any remaining issues or concerns....

Thank you,

Kevin....

Fixlist.txt
javelineou Posted August 10, 2016 Author ID:1055558

This is a bad situation, Kevin. After AdwCleaner asked me to restart my PC I said okay, and my computer hasn't worked since. After the startup screen, the screen is black and does not show the desktop. I tried Ctrl+Alt+Del but it's useless. Now what should I do?
kevinf80 Posted August 10, 2016 ID:1055561

Can you boot to safe mode?
javelineou Posted August 10, 2016 Author ID:1055567

15 minutes ago, kevinf80 said: Can you boot to safe mode?

I tried twice. First, I chose start normally. It was blank. Second, I chose start in safe mode; it was blank too..
kevinf80 Posted August 10, 2016 ID:1055568

Please download Farbar Recovery Scan Tool from here: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Plug the flashdrive into the infected PC.

Enter System Recovery Options. I give two methods, use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select Your Country as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select Your Country as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you may get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64 or e:\frst depending on your version. Press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
javelineou Posted August 10, 2016 Author ID:1055591

Is this the only way?
javelineou Posted August 10, 2016 Author ID:1055601

I'll try this link's steps: http://visihow.com/Repair_Windows_7_Black_Screen_of_Death If it works I'll inform you.
kevinf80 Posted August 10, 2016 ID:1055602

Ok, let me know the outcome..
javelineou Posted August 10, 2016 Author ID:1055603

Ok, it shows again, finally. Let's get to work, what now?
kevinf80 Posted August 10, 2016 ID:1055604

I need to see the logs from reply 9. Also, how did you make the fix? If you've used System Restore or Last Known Good Configuration your system may be back to infected status..
javelineou Posted August 10, 2016 Author ID:1055605

I did the Last Known Good Configuration. Idk what it's gonna be, but I think that was the fastest way to get back to work, wasn't it?
javelineou Posted August 10, 2016 Author ID:1055607

I'm about to download AdwCleaner. Soon, should I restart my PC again or what?
kevinf80 Posted August 10, 2016 ID:1055610

Yes, LKGC is the way to go as you've got your system running again; the only issue is possible re-infection..... Let's run FRST and see what the logs show:

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan"
Select scan, when done post the new logs....
javelineou Posted August 10, 2016 Author ID:1055612

Okay, this is weird, but after AdwCleaner was done, I was checking the elements which I want to keep. And then the Zemana window appeared on top and said that there were other suspicious files or programs, I don't know, but it said that I need to repair it and apply it. So I applied it and the browser (Chrome) was shut down. And I opened Chrome again and yes, the adware was gone. But I'm still not sure if it's absolutely gone or still on my PC but not appearing. I opened Mozilla too and the adware was gone too. So, what do you think I need to do now? Should I continue the process, or post the fixlog.txt or the report from Zemana? Let me post the fixlog.txt

fixlog.txt (green)

Fix result of Farbar Recovery Scan Tool (x86) Version: 09-08-2016 01
Ran by user (2016-08-10 14:50:09) Run:1
Running from C:\Users\user\Desktop
Loaded Profiles: user & UpdatusUser (Available Profiles: user & UpdatusUser)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
Replace: C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe C:\Windows\System32\winlogon.exe
Replace: C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll C:\Windows\System32\user32.dll
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Tcpip\..\Interfaces\{18D9B629-713A-47D4-A18A-8D9C82BAB74E}: [DhcpNameServer] 61.247.0.133 61.247.0.130 202.73.99.4 202.73.99.2
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
S3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X]
R3 gkernel; \??\C:\Users\user\AppData\Local\Temp\gkernel.sys [X]
S4 InCDFs; system32\drivers\InCDFs.sys [X]
S1 InCDPass; system32\drivers\InCDPass.sys [X]
S1 InCDRm; system32\drivers\InCDRm.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
S3 xspirit; \??\C:\Windows\xspirit.sys [X]
2016-07-23 21:25 - 2016-08-07 19:19 - 00000000 ____D C:\Users\user\AppData\Roaming\dpkfjdig
2016-07-23 14:16 - 2016-07-24 15:56 - 00000000 ____D C:\Users\user\AppData\Roaming\jiycgqxf
2016-07-22 20:02 - 2016-07-24 15:56 - 00000000 ____D C:\Users\user\AppData\Roaming\hhodtwis
2016-07-19 14:18 - 2016-07-24 01:01 - 00000000 ____D C:\Users\user\AppData\Roaming\{14AA2211-31F8-4F67-5ACE-68B5861C958B}
2016-08-07 19:19 - 2016-07-02 17:50 - 00000000 ____D C:\Users\user\AppData\Roaming\msndgfdl
2016-08-07 19:19 - 2016-06-30 18:42 - 00000000 ____D C:\Users\user\AppData\Roaming\obehoaiy
2016-08-07 19:19 - 2016-06-23 15:06 - 00000000 ____D C:\Users\user\AppData\Roaming\odnnnvxe
2016-08-07 19:19 - 2016-06-19 18:22 - 00000000 ____D C:\Users\user\AppData\Roaming\drnjcmry
2016-08-07 19:19 - 2016-06-16 18:48 - 00000000 ____D C:\Users\user\AppData\Roaming\pndmagmv
2016-08-07 19:19 - 2016-06-11 00:13 - 00000000 ____D C:\Users\user\AppData\Roaming\dppfzonn
2016-08-07 19:19 - 2016-06-10 10:37 - 00000000 ____D C:\Users\user\AppData\Roaming\eglqkdrp
2016-08-07 19:19 - 2016-06-10 09:50 - 00000000 ____D C:\Users\user\AppData\Roaming\qrtrmnhp
2016-08-07 19:19 - 2016-06-07 12:11 - 00000000 ____D C:\Users\user\AppData\Roaming\mwcrnxvh
2016-08-07 19:19 - 2016-05-09 23:53 - 00000000 ____D C:\Users\user\AppData\Roaming\pznjzsar
2016-08-07 19:19 - 2016-05-07 11:09 - 00000000 ____D C:\Users\user\AppData\Roaming\pgiatadc
2016-08-07 19:19 - 2016-04-30 01:32 - 00000000 ____D C:\Users\user\AppData\Roaming\paymitiw
2016-08-07 19:19 - 2016-03-23 11:58 - 00000000 ____D C:\Users\user\AppData\Roaming\qqyudiyn
2016-08-07 19:19 - 2016-02-05 15:19 - 00000000 ____D C:\Users\user\AppData\Roaming\ejwptvtf
2016-08-07 19:19 - 2016-02-04 23:37 - 00000000 ____D C:\Users\user\AppData\Roaming\pqbgjbag
2016-08-07 19:19 - 2016-01-30 06:55 - 00000000 ____D C:\Users\user\AppData\Roaming\exablnnj
2016-08-07 19:19 - 2016-01-25 22:31 - 00000000 ____D C:\Users\user\AppData\Roaming\njsldbzk
2016-08-07 19:19 - 2016-01-08 15:39 - 00000000 ____D C:\Users\user\AppData\Roaming\ogsoakrf
2016-08-07 19:19 - 2015-12-08 23:10 - 00000000 ____D C:\Users\user\AppData\Roaming\ngxrzvvi
2016-08-07 19:19 - 2015-09-04 18:46 - 00000000 ____D C:\Users\user\AppData\Roaming\nkstybpw
2016-08-07 19:19 - 2015-03-18 08:14 - 00000000 ____D C:\Users\user\AppData\Roaming\fdlsmwyb
2016-08-07 19:19 - 2015-01-29 18:26 - 00000000 ____D C:\Users\user\AppData\Roaming\dtilzwxx
2016-08-07 19:19 - 2015-01-25 23:47 - 00000000 ____D C:\Users\user\AppData\Roaming\sctkfjqk
2016-08-07 19:19 - 2015-01-24 17:21 - 00000000 ____D C:\Users\user\AppData\Roaming\qqkbtsfc
2016-08-07 19:19 - 2007-02-15 07:49 - 00000000 ____D C:\Users\user\AppData\Roaming\phmxjpvs
2016-08-07 19:19 - 2007-02-15 00:20 - 00000000 ____D C:\Users\user\AppData\Roaming\psuoarzq
2016-08-07 19:19 - 2007-02-15 00:05 - 00000000 ____D C:\Users\user\AppData\Roaming\mwnekhqu
2016-07-24 15:56 - 2016-07-09 22:00 - 00000000 ____D C:\Users\user\AppData\Roaming\jszaqsdn
2016-07-24 15:56 - 2016-07-09 11:22 - 00000000 ____D C:\Users\user\AppData\Roaming\iysqhvos
2016-07-24 15:56 - 2016-06-28 18:53 - 00000000 ____D C:\Users\user\AppData\Roaming\tudychlo
2016-07-24 15:56 - 2016-06-25 13:18 - 00000000 ____D C:\Users\user\AppData\Roaming\mczxjfww
2016-07-24 15:56 - 2016-06-23 18:58 - 00000000 ____D C:\Users\user\AppData\Roaming\llgmebag
2016-07-24 15:56 - 2016-06-21 14:14 - 00000000 ____D C:\Users\user\AppData\Roaming\kwmkvswy
2016-07-24 15:56 - 2016-06-20 16:09 - 00000000 ____D C:\Users\user\AppData\Roaming\lyfntkze
2016-07-24 15:56 - 2016-06-20 03:26 - 00000000 ____D C:\Users\user\AppData\Roaming\khitfriy
2016-07-24 15:56 - 2016-06-14 23:50 - 00000000 ____D C:\Users\user\AppData\Roaming\hifmqnmr
2016-07-24 15:56 - 2016-06-13 22:10 - 00000000 ____D C:\Users\user\AppData\Roaming\weoxfgff
2016-07-24 15:56 - 2016-06-13 00:33 - 00000000 ____D C:\Users\user\AppData\Roaming\wizfnskg
2016-07-24 15:56 - 2016-06-11 14:20 - 00000000 ____D C:\Users\user\AppData\Roaming\wfzwertg
2016-07-24 15:56 - 2016-06-08 22:11 - 00000000 ____D C:\Users\user\AppData\Roaming\kyjriprf
2016-07-24 15:56 - 2016-06-08 19:02 - 00000000 ____D C:\Users\user\AppData\Roaming\wpfbosnz
2016-07-24 15:56 - 2016-06-07 22:22 - 00000000 ____D C:\Users\user\AppData\Roaming\vzsfmmuy
2016-07-24 15:56 - 2016-06-05 17:37 - 00000000 ____D C:\Users\user\AppData\Roaming\zeclmbcn
2016-07-24 15:56 - 2016-05-21 12:30 - 00000000 ____D C:\Users\user\AppData\Roaming\jqcscksz
2016-07-24 15:56 - 2016-05-20 18:12 - 00000000 ____D C:\Users\user\AppData\Roaming\jmcseecw
2016-07-24 15:56 - 2016-05-19 21:55 - 00000000 ____D C:\Users\user\AppData\Roaming\rfwxotjv
2016-07-24 15:56 - 2016-05-18 11:49 - 00000000 ____D C:\Users\user\AppData\Roaming\yeemeyrz
2016-07-24 15:56 - 2016-05-14 16:56 - 00000000 ____D C:\Users\user\AppData\Roaming\ukiwnkwh
2016-07-24 15:56 - 2016-05-13 18:47 - 00000000 ____D C:\Users\user\AppData\Roaming\smxnbqwz
2016-07-24 15:56 - 2016-05-13 00:14 - 00000000 ____D C:\Users\user\AppData\Roaming\hyaknpgr
2016-07-24 15:56 - 2016-05-09 21:31 - 00000000 ____D C:\Users\user\AppData\Roaming\rqwlagzv
2016-07-24 15:56 - 2016-05-09 15:22 - 00000000 ____D C:\Users\user\AppData\Roaming\khcqwzex
2016-07-24 15:56 - 2016-05-08 12:57 - 00000000 ____D C:\Users\user\AppData\Roaming\wvcylmez
2016-07-24 15:56 - 2016-05-05 09:33 - 00000000 ____D C:\Users\user\AppData\Roaming\tpxxfkez
2016-07-24 15:56 - 2016-05-01 12:55 - 00000000 ____D C:\Users\user\AppData\Roaming\jpcbosga
2016-07-24 15:56 - 2016-04-30 12:11 - 00000000 ____D C:\Users\user\AppData\Roaming\jxmzyuhg
2016-07-24 15:56 - 2016-04-29 12:41 - 00000000 ____D C:\Users\user\AppData\Roaming\rvbtmcpd
2016-07-24 15:56 - 2016-04-29 07:35 - 00000000 ____D C:\Users\user\AppData\Roaming\uncyukvx
2016-07-24 15:56 - 2016-04-27 14:47 - 00000000 ____D C:\Users\user\AppData\Roaming\utqwaabt
2016-07-24 15:56 - 2016-04-26 13:20 - 00000000 ____D C:\Users\user\AppData\Roaming\khohcbcf
2016-07-24 15:56 - 2016-04-16 17:23 - 00000000 ____D C:\Users\user\AppData\Roaming\ydmzxymn
2016-07-24 15:56 - 2016-04-16 13:51 - 00000000 ____D C:\Users\user\AppData\Roaming\tmmgvyaw
2016-07-24 15:56 - 2016-03-05 23:28 - 00000000 ____D C:\Users\user\AppData\Roaming\zhxudnfs
2016-07-24 15:56 - 2016-02-28 10:14 - 00000000 ____D C:\Users\user\AppData\Roaming\hhvyilre
2016-07-24 15:56 - 2016-02-16 22:21 - 00000000 ____D C:\Users\user\AppData\Roaming\rylwivpy
2016-07-24 15:56 - 2016-02-03 21:29 - 00000000 ____D C:\Users\user\AppData\Roaming\lckxgbnl
2016-07-24 15:56 - 2016-01-19 07:14 - 00000000 ____D C:\Users\user\AppData\Roaming\zufgqdjd
2016-07-24 15:56 - 2016-01-18 15:20 - 00000000 ____D C:\Users\user\AppData\Roaming\wiqhcopk
2016-07-24 15:56 - 2016-01-17 23:51 - 00000000 ____D C:\Users\user\AppData\Roaming\yriyuyqe
2016-07-24 15:56 - 2016-01-09 17:48 - 00000000 ____D C:\Users\user\AppData\Roaming\xhdacobf
2016-07-24 15:56 - 2016-01-03 17:43 - 00000000 ____D C:\Users\user\AppData\Roaming\xmymnwcq
2016-07-24 15:56 - 2015-12-21 13:13 - 00000000 ____D C:\Users\user\AppData\Roaming\jvjryrdj
2016-07-24 15:56 - 2015-12-12 18:25 - 00000000 ____D C:\Users\user\AppData\Roaming\yjbjsldi
2016-07-24 15:56 - 2015-12-12 16:18 - 00000000 ____D C:\Users\user\AppData\Roaming\vhexrplv
2016-07-24 15:56 - 2015-12-09 22:49 - 00000000 ____D C:\Users\user\AppData\Roaming\wtokpfxb
2016-07-24 15:56 - 2015-12-08 18:01 - 00000000 ____D C:\Users\user\AppData\Roaming\kykzebmk
2016-07-24 15:56 - 2015-11-02 14:48 - 00000000 ____D C:\Users\user\AppData\Roaming\ywztptwt
2016-07-24 15:56 - 2015-06-01 21:29 - 00000000 ____D C:\Users\user\AppData\Roaming\rukatgqq
2016-07-24 15:56 - 2015-05-12 01:43 - 00000000 ____D C:\Users\user\AppData\Roaming\vilkvkey
2016-07-24 15:56 - 2015-03-13 13:44 - 00000000 ____D C:\Users\user\AppData\Roaming\ymxuurqw
2016-07-24 15:56 - 2015-02-12 05:35 - 00000000 ____D C:\Users\user\AppData\Roaming\uzaivaga
2016-07-24 15:56 - 2015-02-11 15:30 - 00000000 ____D C:\Users\user\AppData\Roaming\sfuajixl
2016-07-24 15:56 - 2007-02-15 22:04 - 00000000 ____D C:\Users\user\AppData\Roaming\gsetnxvb
2016-07-24 15:56 - 2007-02-15 00:21 - 00000000 ____D C:\Users\user\AppData\Roaming\gieqhyep
2016-07-24 15:56 - 2007-02-15 00:02 - 00000000 ____D C:\Users\user\AppData\Roaming\uhozzgjt
2016-07-24 15:11 - 2016-02-28 21:16 - 00000000 ____D C:\Users\user\AppData\Roaming\dbzduqyv
2016-07-24 01:58 - 2016-06-24 13:05 - 00000000 ____D C:\Users\user\AppData\Roaming\bxixwxep
2016-07-24 01:58 - 2016-05-06 11:56 - 00000000 ____D C:\Users\user\AppData\Roaming\cjgastms
2016-07-24 01:58 - 2016-04-24 23:09 - 00000000 ____D C:\Users\user\AppData\Roaming\buigcvgm
2016-07-24 01:53 - 2016-06-11 22:22 - 00000000 ____D C:\Users\user\AppData\Roaming\bsefpbza
2016-07-24 01:53 - 2015-05-05 05:33 - 00000000 ____D C:\Users\user\AppData\Roaming\bhiecivx
2016-07-24 01:48 - 2016-06-15 22:56 - 00000000 ____D C:\Users\user\AppData\Roaming\awcjfxtm
2016-07-24 01:48 - 2015-04-28 17:47 - 00000000 ____D C:\Users\user\AppData\Roaming\afwjzugr
2016-07-24 01:43 - 2016-02-26 20:03 - 00000000 ____D C:\ProgramData\80549ce9
2007-02-15 00:05 - 2007-02-15 00:05 - 6420480 _____ () C:\Program Files\GUT41AE.tmp
2015-02-12 10:20 - 2015-02-12 10:20 - 6103040 _____ () C:\Program Files\GUT7069.tmp
2007-02-15 00:08 - 2007-02-15 00:08 - 0000000 _____ () C:\Program Files\GUTD588.tmp
Task: {1A69E56C-C44D-4B29-9A13-8D1C0282506A} - System32\Tasks\UpdateTask => C:\Users\user\AppData\Local\{804AB~1\UNINST~1.EXE C:\Users\user\AppData\Local\{804AB~1
Task: {2290A225-5460-4BD0-9B6B-BBCC737CCAF4} - \{CA13FAB3-5290-0682-FAF4-587B10AA7A33} -> No File <==== ATTENTION
Task: {2ABAF70E-261F-40D0-A37B-171C14AF678F} - \Superclean -> No File <==== ATTENTION
Task: {3B25E983-9659-4E18-931C-60CCC01B98ED} - \Foxtab -> No File <==== ATTENTION
Task: {4F59613F-0625-44F5-9617-34AE48DE87A7} - \{6154B54B-F7CE-82CD-9B38-E9FC1188F970} -> No File <==== ATTENTION
Task: {62443B58-82F0-4E28-BF23-B0CF11003B2F} - \Super Optimizer Schedule -> No File <==== ATTENTION
Task: {CAFAEC6E-0724-4CF4-A6D8-090931C5D98B} - \userCentrifugallyKingwoodV2 -> No File <==== ATTENTION
Task: C:\Windows\Tasks\UpdateTask.job => C:\Users\user\AppData\Local\{804AB~1\UNINST~1.EXE
CMD: ipconfig /flushdns
Hosts:
EmptyTemp:
end
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Windows\System32\winlogon.exe => moved successfully
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe copied successfully to C:\Windows\System32\winlogon.exe
C:\Windows\System32\user32.dll => moved successfully
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll copied successfully to C:\Windows\System32\user32.dll
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => key removed successfully.
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully.
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{18D9B629-713A-47D4-A18A-8D9C82BAB74E}\\DhcpNameServer => value removed successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
EagleXNt => service removed successfully.
gkernel => Unable to stop service.
gkernel => service removed successfully.
InCDFs => service removed successfully.
InCDPass => service removed successfully.
InCDRm => service removed successfully.
VGPU => service removed successfully.
xhunter1 => service removed successfully.
xspirit => service removed successfully.
C:\Users\user\AppData\Roaming\dpkfjdig => moved successfully C:\Users\user\AppData\Roaming\jiycgqxf => moved successfully C:\Users\user\AppData\Roaming\hhodtwis => moved successfully C:\Users\user\AppData\Roaming\{14AA2211-31F8-4F67-5ACE-68B5861C958B} => moved successfully C:\Users\user\AppData\Roaming\msndgfdl => moved successfully C:\Users\user\AppData\Roaming\obehoaiy => moved successfully C:\Users\user\AppData\Roaming\odnnnvxe => moved successfully C:\Users\user\AppData\Roaming\drnjcmry => moved successfully C:\Users\user\AppData\Roaming\pndmagmv => moved successfully C:\Users\user\AppData\Roaming\dppfzonn => moved successfully C:\Users\user\AppData\Roaming\eglqkdrp => moved successfully C:\Users\user\AppData\Roaming\qrtrmnhp => moved successfully C:\Users\user\AppData\Roaming\mwcrnxvh => moved successfully C:\Users\user\AppData\Roaming\pznjzsar => moved successfully C:\Users\user\AppData\Roaming\pgiatadc => moved successfully C:\Users\user\AppData\Roaming\paymitiw => moved successfully C:\Users\user\AppData\Roaming\qqyudiyn => moved successfully C:\Users\user\AppData\Roaming\ejwptvtf => moved successfully C:\Users\user\AppData\Roaming\pqbgjbag => moved successfully C:\Users\user\AppData\Roaming\exablnnj => moved successfully C:\Users\user\AppData\Roaming\njsldbzk => moved successfully C:\Users\user\AppData\Roaming\ogsoakrf => moved successfully C:\Users\user\AppData\Roaming\ngxrzvvi => moved successfully C:\Users\user\AppData\Roaming\nkstybpw => moved successfully C:\Users\user\AppData\Roaming\fdlsmwyb => moved successfully C:\Users\user\AppData\Roaming\dtilzwxx => moved successfully C:\Users\user\AppData\Roaming\sctkfjqk => moved successfully C:\Users\user\AppData\Roaming\qqkbtsfc => moved successfully C:\Users\user\AppData\Roaming\phmxjpvs => moved successfully C:\Users\user\AppData\Roaming\psuoarzq => moved successfully C:\Users\user\AppData\Roaming\mwnekhqu => moved successfully C:\Users\user\AppData\Roaming\jszaqsdn => moved successfully 
C:\Users\user\AppData\Roaming\iysqhvos => moved successfully
C:\Users\user\AppData\Roaming\tudychlo => moved successfully
C:\Users\user\AppData\Roaming\mczxjfww => moved successfully
C:\Users\user\AppData\Roaming\llgmebag => moved successfully
C:\Users\user\AppData\Roaming\kwmkvswy => moved successfully
C:\Users\user\AppData\Roaming\lyfntkze => moved successfully
C:\Users\user\AppData\Roaming\khitfriy => moved successfully
C:\Users\user\AppData\Roaming\hifmqnmr => moved successfully
C:\Users\user\AppData\Roaming\weoxfgff => moved successfully
C:\Users\user\AppData\Roaming\wizfnskg => moved successfully
C:\Users\user\AppData\Roaming\wfzwertg => moved successfully
C:\Users\user\AppData\Roaming\kyjriprf => moved successfully
C:\Users\user\AppData\Roaming\wpfbosnz => moved successfully
C:\Users\user\AppData\Roaming\vzsfmmuy => moved successfully
C:\Users\user\AppData\Roaming\zeclmbcn => moved successfully
C:\Users\user\AppData\Roaming\jqcscksz => moved successfully
C:\Users\user\AppData\Roaming\jmcseecw => moved successfully
C:\Users\user\AppData\Roaming\rfwxotjv => moved successfully
C:\Users\user\AppData\Roaming\yeemeyrz => moved successfully
C:\Users\user\AppData\Roaming\ukiwnkwh => moved successfully
C:\Users\user\AppData\Roaming\smxnbqwz => moved successfully
C:\Users\user\AppData\Roaming\hyaknpgr => moved successfully
C:\Users\user\AppData\Roaming\rqwlagzv => moved successfully
C:\Users\user\AppData\Roaming\khcqwzex => moved successfully
C:\Users\user\AppData\Roaming\wvcylmez => moved successfully
C:\Users\user\AppData\Roaming\tpxxfkez => moved successfully
C:\Users\user\AppData\Roaming\jpcbosga => moved successfully
C:\Users\user\AppData\Roaming\jxmzyuhg => moved successfully
C:\Users\user\AppData\Roaming\rvbtmcpd => moved successfully
C:\Users\user\AppData\Roaming\uncyukvx => moved successfully
C:\Users\user\AppData\Roaming\utqwaabt => moved successfully
C:\Users\user\AppData\Roaming\khohcbcf => moved successfully
C:\Users\user\AppData\Roaming\ydmzxymn => moved successfully
C:\Users\user\AppData\Roaming\tmmgvyaw => moved successfully
C:\Users\user\AppData\Roaming\zhxudnfs => moved successfully
C:\Users\user\AppData\Roaming\hhvyilre => moved successfully
C:\Users\user\AppData\Roaming\rylwivpy => moved successfully
C:\Users\user\AppData\Roaming\lckxgbnl => moved successfully
C:\Users\user\AppData\Roaming\zufgqdjd => moved successfully
C:\Users\user\AppData\Roaming\wiqhcopk => moved successfully
C:\Users\user\AppData\Roaming\yriyuyqe => moved successfully
C:\Users\user\AppData\Roaming\xhdacobf => moved successfully
C:\Users\user\AppData\Roaming\xmymnwcq => moved successfully
C:\Users\user\AppData\Roaming\jvjryrdj => moved successfully
C:\Users\user\AppData\Roaming\yjbjsldi => moved successfully
C:\Users\user\AppData\Roaming\vhexrplv => moved successfully
C:\Users\user\AppData\Roaming\wtokpfxb => moved successfully
C:\Users\user\AppData\Roaming\kykzebmk => moved successfully
C:\Users\user\AppData\Roaming\ywztptwt => moved successfully
C:\Users\user\AppData\Roaming\rukatgqq => moved successfully
C:\Users\user\AppData\Roaming\vilkvkey => moved successfully
C:\Users\user\AppData\Roaming\ymxuurqw => moved successfully
C:\Users\user\AppData\Roaming\uzaivaga => moved successfully
C:\Users\user\AppData\Roaming\sfuajixl => moved successfully
C:\Users\user\AppData\Roaming\gsetnxvb => moved successfully
C:\Users\user\AppData\Roaming\gieqhyep => moved successfully
C:\Users\user\AppData\Roaming\uhozzgjt => moved successfully
C:\Users\user\AppData\Roaming\dbzduqyv => moved successfully
C:\Users\user\AppData\Roaming\bxixwxep => moved successfully
C:\Users\user\AppData\Roaming\cjgastms => moved successfully
C:\Users\user\AppData\Roaming\buigcvgm => moved successfully
C:\Users\user\AppData\Roaming\bsefpbza => moved successfully
C:\Users\user\AppData\Roaming\bhiecivx => moved successfully
C:\Users\user\AppData\Roaming\awcjfxtm => moved successfully
C:\Users\user\AppData\Roaming\afwjzugr => moved successfully
C:\ProgramData\80549ce9 => moved successfully
C:\Program Files\GUT41AE.tmp => moved successfully
C:\Program Files\GUT7069.tmp => moved successfully
C:\Program Files\GUTD588.tmp => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1A69E56C-C44D-4B29-9A13-8D1C0282506A}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1A69E56C-C44D-4B29-9A13-8D1C0282506A}" => key removed successfully.
C:\Windows\System32\Tasks\UpdateTask => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UpdateTask" => key removed successfully.
"C:\Users\user\AppData\Local\{804AB~1" => not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2290A225-5460-4BD0-9B6B-BBCC737CCAF4}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2290A225-5460-4BD0-9B6B-BBCC737CCAF4}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{CA13FAB3-5290-0682-FAF4-587B10AA7A33}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2ABAF70E-261F-40D0-A37B-171C14AF678F}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2ABAF70E-261F-40D0-A37B-171C14AF678F}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Superclean => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3B25E983-9659-4E18-931C-60CCC01B98ED}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3B25E983-9659-4E18-931C-60CCC01B98ED}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Foxtab => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4F59613F-0625-44F5-9617-34AE48DE87A7}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4F59613F-0625-44F5-9617-34AE48DE87A7}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{6154B54B-F7CE-82CD-9B38-E9FC1188F970}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{62443B58-82F0-4E28-BF23-B0CF11003B2F}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{62443B58-82F0-4E28-BF23-B0CF11003B2F}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Super Optimizer Schedule => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{CAFAEC6E-0724-4CF4-A6D8-090931C5D98B}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CAFAEC6E-0724-4CF4-A6D8-090931C5D98B}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\userCentrifugallyKingwoodV2 => key not found.
C:\Windows\Tasks\UpdateTask.job => moved successfully

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.


========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B

Zemana report, type : smart scan ( first scan ) ( red )

Zemana AntiMalware 2.21.2.321 (Installed)

-------------------------------------------------------
Scan Result : Completed
Scan Date : 2016/8/10
Operating System : Windows 7 32-bit
Processor : 2X Intel(R) Pentium(R) 4 CPU 3.00GHz
BIOS Mode : Legacy
CUID : 12120F98BC302835D4EFA4
Scan Type : Smart Scan
Duration : 5m 40s
Scanned Objects : 11004
Detected Objects : 11
Excluded Objects : 0
Read Level : SCSI
Auto Upload : Enabled
Detect All Extensions : Disabled
Scan Documents : Disabled
Domain Info : WORKGROUP,0,2

Detected Objects

-------------------------------------------------------

Fake Firefox Shortcut
Status : Scanned
Object : %appdata%\microsoft\internet explorer\quick launch\user pinned\taskbar\моzillа firеfох.lnk
MD5 : 43C336F8DA7A8D3B4D07D43AE5549DDA
Publisher : -
Size : 2069
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
    Browser Setting - Fake Firefox Shortcut
    File - %appdata%\microsoft\internet explorer\quick launch\user pinned\taskbar\моzillа firеfох.lnk

Fake Chrome Shortcut
Status : Scanned
Object : %appdata%\microsoft\internet explorer\quick launch\user pinned\startmenu\gооglе сhrоmе.lnk
MD5 : 45E4C85F826AEF70BBCE40947214C0D3
Publisher : -
Size : 2166
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
    Browser Setting - Fake Chrome Shortcut
    File - %appdata%\microsoft\internet explorer\quick launch\user pinned\startmenu\gооglе сhrоmе.lnk

Fake Chrome Shortcut
Status : Scanned
Object : %appdata%\microsoft\internet explorer\quick launch\user pinned\taskbar\gооglе сhrоmе.lnk
MD5 : 738499E683C247A0FAD7B403EC74416B
Publisher : -
Size : 2201
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
    Browser Setting - Fake Chrome Shortcut
    File - %appdata%\microsoft\internet explorer\quick launch\user pinned\taskbar\gооglе сhrоmе.lnk

Fake Chrome Shortcut
Status : Scanned
Object : %appdata%\microsoft\internet explorer\quick launch\chromium.lnk
MD5 : C41846398F186510A23CB27E4B25BC7D
Publisher : -
Size : 2414
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
    Browser Setting - Fake Chrome Shortcut
    File - %appdata%\microsoft\internet explorer\quick launch\chromium.lnk

Fake Chrome Shortcut
Status : Scanned
Object : %userprofile%\desktop\chromium.lnk
MD5 : C3F60EB4A341E98EF0A7C1245667FF26
Publisher : -
Size : 2412
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
    Browser Setting - Fake Chrome Shortcut
    File - %userprofile%\desktop\chromium.lnk

lhmiofmipcpmhgihiecmpiekcacigpgb
Status : Scanned
Object : %programdata%\anvisoft\anvi smart defender 2\extensions\chrome.crx
MD5 : -
Publisher : -
Size : -
Version : -
Detection : PUA.ChromeExt!Gr
Cleaning Action : Repair
Related Objects :
    Browser Extension - lhmiofmipcpmhgihiecmpiekcacigpgb

Tabs Hijack (System)
Status : Scanned
Object : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\Tabs
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Setting
Cleaning Action : Repair
Related Objects :
    Registry Entry - HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\Tabs = https://id.search.yahoo.com/yhs/web?hspart=elm&hsimp=yhs-001&type=hdr_s_16_06_fxtb103&param1=1&param2=f%3D2%26b%3DIE%26cc%3Did%26pa%3DHodor%26cd%3D2XzuyEtN2Y1L1QzutDtDyDtDzz0D0Czz0FtD0AtAtAyEzy0EtN0D0Tzu0StCyDtDyEtN1L2XzutAtFtCyBtFzytFtCtN1L1Czu1M1Q1CtBtBtFtCtFtCtN1L1G1B1V1N2Y1L1Qzu2SyDtD0E0DtBzztAyDtGyCyC0EtBtGyEyByDyCtGyBtB0ByBtGyEzz0F0AyD0FtD0D0Dzz0EyC2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DtAzzyDyBtCyB0BtG0F0AzyzztGyEyEyCyBtGzy0AtDtAtGyE0AyCyE0BtCyE0C0ByDyE0F2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCyEyBtB%26cr%3D1789383572%26a%3Dhdr_s_16_06_fxtb103%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate

winlogon.exe
Status : Scanned
Object : %systemroot%\system32\winlogon.exe
MD5 : 6D13E1406F50C66E2A95D97F22C47560
Publisher : Microsoft Windows
Size : 286720
Version : 6.1.7601.17514
Detection : Hollow Process
Cleaning Action : Repair
Related Objects :
    Process - 604 - C:\FRST\Quarantine\C\Windows\System32\winlogon.exe.xBAD
    File - %systemroot%\system32\winlogon.exe

RewRun3.exe
Status : Scanned
Object : %appdata%\hprewriter2\rewrun3.exe
MD5 : 25295D35CE69D44E4E2C48DA56F52103
Publisher : -
Size : 5260800
Version : 3.8.153.34098
Detection : Malware:Win32/Generic!Ckrk
Cleaning Action : Quarantine
Related Objects :
    File - %appdata%\hprewriter2\rewrun3.exe
    Reference - C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Моzillа Firеfох.lnk

HPWriterSrv2.exe
Status : Scanned
Object : %appdata%\hprewriter2\hpwritersrv2.exe
MD5 : EDB6C9A27421BC5CC0C7E3DD8459338A
Publisher : -
Size : 4156416
Version : 9.12.167.6089
Detection : Malware:Win32/Edizz!Iarr
Cleaning Action : Quarantine
Related Objects :
    File - %appdata%\hprewriter2\hpwritersrv2.exe
    Registry Entry - HKLM\System\CurrentControlSet\Services\HPWriter Service\ImagePath = C:\Users\user\AppData\Roaming\HPRewriter2\HPWriterSrv2.exe

CouponPrinter.ocx
Status : Scanned
Object : %systemroot%\couponprinter.ocx
MD5 : 55CDB354A0EE4DE00A3F7453A5CFF324
Publisher : Coupons, Inc.
Size : 71072
Version : 4.0.0.3
Detection : Adware:Win32/Coupons!Ep
Cleaning Action : Quarantine
Related Objects :
    File - %systemroot%\couponprinter.ocx
    Registry Entry - HKLM\SOFTWARE\Classes\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC}\InprocServer32\@ = C:\Windows\COUPON~1.OCX
    Registry Entry - HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}\InprocServer32\@ = C:\Windows\COUPON~1.OCX
    Registry Entry - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}\@ = C:\Windows\COUPON~1.OCX

Cleaning Result

-------------------------------------------------------
Cleaned : 11
Reported as safe : 0
Failed : 0

Zemana report, type : scheduled scan ( second scan or sudden scan ) ( blue )

Zemana AntiMalware 2.21.2.321 (Installed)

-------------------------------------------------------
Scan Result : Completed
Scan Date : 2016/8/10
Operating System : Windows 7 32-bit
Processor : 2X Intel(R) Pentium(R) 4 CPU 3.00GHz
BIOS Mode : Legacy
CUID : 12120F98BC302835D4EFA4
Scan Type : Scheduled Scan
Duration : 9m 39s
Scanned Objects : 11761
Detected Objects : 9
Excluded Objects : 0
Read Level : SCSI
Auto Upload : Enabled
Detect All Extensions : Disabled
Scan Documents : Disabled
Domain Info : WORKGROUP,0,2

Detected Objects

-------------------------------------------------------

Fake Firefox Shortcut
Status : Scanned
Object : %appdata%\microsoft\internet explorer\quick launch\user pinned\taskbar\моzillа firеfох.lnk
MD5 : 43C336F8DA7A8D3B4D07D43AE5549DDA
Publisher : -
Size : 2069
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
    Browser Setting - Fake Firefox Shortcut
    File - %appdata%\microsoft\internet explorer\quick launch\user pinned\taskbar\моzillа firеfох.lnk

Fake Chrome Shortcut
Status : Scanned
Object : %appdata%\microsoft\internet explorer\quick launch\user pinned\startmenu\gооglе сhrоmе.lnk
MD5 : 45E4C85F826AEF70BBCE40947214C0D3
Publisher : -
Size : 2166
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
    Browser Setting - Fake Chrome Shortcut
    File - %appdata%\microsoft\internet explorer\quick launch\user pinned\startmenu\gооglе сhrоmе.lnk

Fake Chrome Shortcut
Status : Scanned
Object : %appdata%\microsoft\internet explorer\quick launch\user pinned\taskbar\gооglе сhrоmе.lnk
MD5 : 738499E683C247A0FAD7B403EC74416B
Publisher : -
Size : 2201
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
    Browser Setting - Fake Chrome Shortcut
    File - %appdata%\microsoft\internet explorer\quick launch\user pinned\taskbar\gооglе сhrоmе.lnk

Fake Chrome Shortcut
Status : Scanned
Object : %appdata%\microsoft\internet explorer\quick launch\chromium.lnk
MD5 : C41846398F186510A23CB27E4B25BC7D
Publisher : -
Size : 2414
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
    Browser Setting - Fake Chrome Shortcut
    File - %appdata%\microsoft\internet explorer\quick launch\chromium.lnk

Fake Chrome Shortcut
Status : Scanned
Object : %userprofile%\desktop\chromium.lnk
MD5 : C3F60EB4A341E98EF0A7C1245667FF26
Publisher : -
Size : 2412
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
    Browser Setting - Fake Chrome Shortcut
    File - %userprofile%\desktop\chromium.lnk

lhmiofmipcpmhgihiecmpiekcacigpgb
Status : Scanned
Object : %programdata%\anvisoft\anvi smart defender 2\extensions\chrome.crx
MD5 : -
Publisher : -
Size : -
Version : -
Detection : PUA.ChromeExt!Gr
Cleaning Action : Repair
Related Objects :
    Browser Extension - lhmiofmipcpmhgihiecmpiekcacigpgb

Tabs Hijack (System)
Status : Scanned
Object : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\Tabs
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Setting
Cleaning Action : Repair
Related Objects :
    Registry Entry - HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\Tabs = https://id.search.yahoo.com/yhs/web?hspart=elm&hsimp=yhs-001&type=hdr_s_16_06_fxtb103&param1=1&param2=f%3D2%26b%3DIE%26cc%3Did%26pa%3DHodor%26cd%3D2XzuyEtN2Y1L1QzutDtDyDtDzz0D0Czz0FtD0AtAtAyEzy0EtN0D0Tzu0StCyDtDyEtN1L2XzutAtFtCyBtFzytFtCtN1L1Czu1M1Q1CtBtBtFtCtFtCtN1L1G1B1V1N2Y1L1Qzu2SyDtD0E0DtBzztAyDtGyCyC0EtBtGyEyByDyCtGyBtB0ByBtGyEzz0F0AyD0FtD0D0Dzz0EyC2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DtAzzyDyBtCyB0BtG0F0AzyzztGyEyEyCyBtGzy0AtDtAtGyE0AyCyE0BtCyE0C0ByDyE0F2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCyEyBtB%26cr%3D1789383572%26a%3Dhdr_s_16_06_fxtb103%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate

RewRun3.exe
Status : Scanned
Object : %appdata%\hprewriter2\rewrun3.exe
MD5 : 25295D35CE69D44E4E2C48DA56F52103
Publisher : -
Size : 5260800
Version : 3.8.153.34098
Detection : Malware:Win32/Generic!Ckrk
Cleaning Action : Quarantine
Related Objects :
    File - %appdata%\hprewriter2\rewrun3.exe
    Reference - C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Моzillа Firеfох.lnk

CouponPrinter.ocx
Status : Scanned
Object : %systemroot%\couponprinter.ocx
MD5 : 55CDB354A0EE4DE00A3F7453A5CFF324
Publisher : Coupons, Inc.
Size : 71072
Version : 4.0.0.3
Detection : Adware:Win32/Coupons!Ep
Cleaning Action : Quarantine
Related Objects :
    File - %systemroot%\couponprinter.ocx
    Registry Entry - HKLM\SOFTWARE\Classes\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC}\InprocServer32\@ = C:\Windows\COUPON~1.OCX
    Registry Entry - HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}\InprocServer32\@ = C:\Windows\COUPON~1.OCX
    Registry Entry - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}\@ = C:\Windows\COUPON~1.OCX

Cleaning Result

-------------------------------------------------------
Cleaned : 9
Reported as safe : 0
Failed : 0
kevinf80 Posted August 10, 2016 ID:1055613

Yes, Zemana has repaired browser entries again, possibly LKGC brought those entries back. I want two fresh logs from FRST to see if any other infected entries are also back.

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select scan, when done post the new logs....
javelineou Posted August 10, 2016 Author ID:1055618

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-08-2016 01
Ran by user (administrator) on USER-PC (10-08-2016 22:21:46)
Running from C:\Users\user\Desktop
Loaded Profiles: user & UpdatusUser (Available Profiles: user & UpdatusUser)
Platform: Microsoft Windows 7 Ultimate Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.31.5\GoogleCrashHandler.exe
(Smadsoft) C:\Program Files\SMADAV\SMΔRTP.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Zemana Ltd.) C:\Program Files\Zemana AntiMalware\ZAM.exe
(Zemana Ltd.) C:\Program Files\Zemana AntiMalware\ZAM.exe
() C:\Users\user\Desktop\AdwCleaner.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ZAM] => C:\Program Files\Zemana AntiMalware\ZAM.exe [13922544 2016-08-09] (Zemana Ltd.)
HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\...\Policies\Explorer: [TaskbarNoNotification] 0
HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\...\Policies\Explorer: [HideSCAHealth] 0
ShellIconOverlayIdentifiers: [ GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files\Google\Drive\googledrivesync32.dll [2016-05-17] (Google)
ShellIconOverlayIdentifiers: [ GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files\Google\Drive\googledrivesync32.dll [2016-05-17] (Google)
ShellIconOverlayIdentifiers: [ GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files\Google\Drive\googledrivesync32.dll [2016-05-17] (Google)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [94208 2006-02-28] (Apple Computer, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\Parameters: [NameServer] 8.8.8.8,8.8.8.4
Tcpip\..\Interfaces\{18D9B629-713A-47D4-A18A-8D9C82BAB74E}: [DhcpNameServer] 61.247.0.133 61.247.0.130 202.73.99.4 202.73.99.2
Tcpip\..\Interfaces\{1AD66B58-C5F3-4679-9A69-C29A8E477959}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{3DC0582F-6C7A-4268-976B-A873CA74E5B2}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{53677DC8-B7FF-46A4-A35E-55F560BEEF83}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{53677DC8-B7FF-46A4-A35E-55F560BEEF83}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{CEFB7252-4B6E-455B-960D-2E1B627E574A}: [NameServer] 8.8.8.8,8.8.4.4

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://plasa.msn.com/?ocid=iehp
SearchScopes: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000 -> {1b31c9d2-7135-442b-bb93-7c002172adc6} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2011-06-06] (Adobe Systems Incorporated)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2006-10-27] (Microsoft Corporation)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2006-10-27] (Microsoft Corporation)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\u52asnkz.default-1469286427057
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-03-03] ()
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2013-10-08] (Google)
FF Plugin: @innorix.com/innogmp -> C:\Program Files\INNORIX\npinnogmp.dll [2013-04-04] (INNORIX)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll [2010-04-01] ( Microsoft Corporation)
FF Plugin: @t.garena.com/garenatalk -> C:\Users\user\Downloads\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2011-06-06] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3897908082-2070258231-4265155790-1000: @innorix.com/innogmp -> C:\Program Files\INNORIX\npinnogmp.dll [2013-04-04] (INNORIX)
FF Plugin HKU\S-1-5-21-3897908082-2070258231-4265155790-1000: @talk.google.com/GoogleTalkPlugin -> C:\Users\user\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-3897908082-2070258231-4265155790-1000: @talk.google.com/O1DPlugin -> C:\Users\user\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-3897908082-2070258231-4265155790-1000: @tools.google.com/Google Update;version=3 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin HKU\S-1-5-21-3897908082-2070258231-4265155790-1000: @tools.google.com/Google Update;version=9 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin HKU\S-1-5-21-3897908082-2070258231-4265155790-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\user\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2016-04-28] (Unity Technologies ApS)
FF Plugin HKU\S-1-5-21-3897908082-2070258231-4265155790-1000: anvisoft.com/AdblockPlugin -> C:\ProgramData\Anvisoft\Anvi Smart Defender 2\extensions\npAdblockPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-3897908082-2070258231-4265155790-1001: @innorix.com/innogmp -> C:\Program Files\INNORIX\npinnogmp.dll [2013-04-04] (INNORIX)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll [2010-10-07] (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll [2010-10-07] (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npwachk.dll [2011-03-23] (Nullsoft, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\user\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\user\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-12-08] (Google)

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxps://www.google.com/"
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\user\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.4.600\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Users\user\AppData\Local\Google\Chrome\User Data\PepperFlash\14.0.0.145\pepflashplayer.dll => No File
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\52.0.2743.116\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\52.0.2743.116\pdf.dll => No File
CHR Plugin: (Coupons Inc., Coupon Printer Manager ) - C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll (Coupons, Inc.)
CHR Plugin: (Winamp Application Detector) - C:\Program Files\Mozilla Firefox\plugins\npwachk.dll (Nullsoft, Inc.)
CHR Plugin: (Coupons Inc., Coupon Printer Manager ) - C:\Users\user\AppData\Local\Google\Chrome\Application\plugins\npMozCouponPrinter.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Google Earth Plugin) - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Innorix File Transfer Solution) - C:\Program Files\INNORIX\npinnogmp.dll (INNORIX)
CHR Plugin: (Silverlight Plug-In) - C:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll ( Microsoft Corporation)
CHR Plugin: (Unity Player) - C:\Users\user\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
CHR Plugin: (Google Update) - C:\Users\user\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll => No File
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-30]
CHR Extension: (Google Dokumen Offline) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2007-02-15]
CHR Extension: (http://ask.fm/) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodkangnoihaogpgakjfdkepoljfcfbc [2016-01-15]
CHR Extension: (https://plus.google.com/u/0/) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\jginlfhgcfmfhaabnekdaemhegpebfip [2016-01-15]
CHR Extension: (Сияние) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\jidbpkjafbnohlnbflllphpkfmojpdac [2016-08-07]
CHR Extension: (Pembayaran Toko Web Chrome) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2007-02-15]
CHR Extension: (https://www.google.com/) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\okkolgldfknecfjnhhglfopimelbaceh [2016-01-15]
CHR Extension: (Chrome Media Router) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-09]
CHR HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ajcmdlkeklfmbjffnlofgfkjcnpfckab] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\user\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [2014-08-18]

Opera:
=======
OPR StartupUrls: "hxxp://www.mystartsearch.com/?type=hp&ts=1428909754&from=wpc&uid=ST3160815SV_5RX63JTHXXXX5RX63JTH"

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [229376 2006-02-28] (Apple Computer, Inc.) [File not signed]
S4 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [654848 2007-02-17] (Macrovision Europe Ltd.) [File not signed]
S2 HPWriter Service; C:\Users\user\AppData\Roaming\HPRewriter2\HPWriterSrv2.exe [4156416 2016-08-06] () [File not signed]
S4 Innosvcd; C:\Windows\system32\innosvcd.exe [193144 2013-04-04] (INNORIX)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [20472 2012-09-12] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [287824 2012-09-12] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)
R2 ZAMSvc; C:\Program Files\Zemana AntiMalware\ZAM.exe [13922544 2016-08-09] (Zemana Ltd.)
S2 4622402a; "C:\Windows\system32\rundll32.exe" "c:\Program Files\CutterModule\CutterModule.dll",serv

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R1 ISODrive; C:\Program Files\UltraISO\drivers\ISODrive.sys [82320 2009-02-10] (EZB Systems, Inc.) R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes) R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [170200 2016-08-10] (Malwarebytes) S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [53120 2016-03-10] (Malwarebytes Corporation) R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [193552 2012-08-30] (Microsoft Corporation) R1 MpKsl1b332fcd; C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3140038C-BB1D-4D1C-A706-0570952A898D}\MpKsl1b332fcd.sys [39168 2016-08-10] (Microsoft Corporation) S3 ndiscm; C:\Windows\System32\DRIVERS\NetMotCM.sys [15360 2004-09-30] (Motorola Inc.) R3 RD9700; C:\Windows\System32\DRIVERS\RD9700.sys [16512 2012-01-04] (Corechip Semiconductor, Inc. Co Ltd.) R3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [23040 2014-11-05] (The OpenVPN Project) R1 ZAM; C:\Windows\System32\drivers\zam32.sys [181496 2016-08-10] (Zemana Ltd.) R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard32.sys [181496 2016-08-10] (Zemana Ltd.) R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}; C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl [87536 2010-03-13] (CyberLink Corp.) S3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X] R3 gkernel; \??\C:\Users\user\AppData\Local\Temp\gkernel.sys [X] S4 InCDFs; system32\drivers\InCDFs.sys [X] S1 InCDPass; system32\drivers\InCDPass.sys [X] S1 InCDRm; system32\drivers\InCDRm.sys [X] S3 VGPU; System32\drivers\rdvgkmd.sys [X] S3 xhunter1; \??\C:\Windows\xhunter1.sys [X] S3 xspirit; \??\C:\Windows\xspirit.sys [X] ==================== NetSvcs (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) ==================== One Month Created files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 
2020-03-31 11:23 - 2020-03-31 11:26 - 00524288 ___SH C:\Users\UpdatusUser\NTUSER.DAT{9a36c4d3-7306-11ea-a391-00508dc8f0a3}.TMContainer00000000000000000002.regtrans-ms 2020-03-31 11:23 - 2020-03-31 11:26 - 00524288 ___SH C:\Users\UpdatusUser\NTUSER.DAT{9a36c4d3-7306-11ea-a391-00508dc8f0a3}.TMContainer00000000000000000001.regtrans-ms 2020-03-31 11:23 - 2020-03-31 11:26 - 00065536 ___SH C:\Users\UpdatusUser\NTUSER.DAT{9a36c4d3-7306-11ea-a391-00508dc8f0a3}.TM.blf 2016-08-10 21:48 - 2016-08-10 21:48 - 03712064 _____ C:\Users\user\Desktop\AdwCleaner.exe 2016-08-10 21:45 - 2016-08-10 22:22 - 00074042 _____ C:\Windows\ZAM.krnl.trace 2016-08-10 21:45 - 2016-08-10 22:22 - 00008821 _____ C:\Windows\ZAM_Guard.krnl.trace 2016-08-10 21:45 - 2016-08-10 21:45 - 00181496 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard32.sys 2016-08-10 21:45 - 2016-08-10 21:45 - 00181496 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam32.sys 2016-08-10 21:45 - 2016-08-10 21:45 - 00001892 _____ C:\Users\Public\Desktop\Zemana AntiMalware.lnk 2016-08-10 21:45 - 2016-08-10 21:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware 2016-08-10 21:40 - 2016-08-10 21:41 - 05697904 _____ ( ) C:\Users\user\Desktop\Zemana.AntiMalware.Setup.exe 2016-08-10 15:15 - 2016-08-10 21:49 - 00000000 ____D C:\AdwCleaner 2016-08-10 14:56 - 2016-08-10 21:45 - 00000000 ____D C:\Program Files\Zemana AntiMalware 2016-08-10 14:55 - 2016-08-10 14:55 - 00000000 ____D C:\Users\user\AppData\Local\Zemana 2016-08-10 14:50 - 2016-08-10 14:51 - 00022809 _____ C:\Users\user\Desktop\Fixlog(reply 9).txt 2016-08-10 14:49 - 2016-08-10 14:49 - 00000000 ____D C:\Users\user\Desktop\FRST-OlderVersion 2016-08-10 14:48 - 2016-08-10 14:48 - 00011432 _____ C:\Users\user\Desktop\Fixlist.txt 2016-08-09 18:22 - 2016-08-09 18:25 - 00001683 _____ C:\Users\user\Desktop\Search.txt 2016-08-09 16:28 - 2016-08-09 16:30 - 00045171 _____ C:\Users\user\Desktop\Addition.txt 2016-08-09 16:27 - 2016-08-10 22:22 - 
00016350 _____ C:\Users\user\Desktop\FRST.txt 2016-08-09 16:26 - 2016-08-10 22:21 - 00000000 ____D C:\FRST 2016-08-09 16:25 - 2016-08-10 14:49 - 01743872 _____ (Farbar) C:\Users\user\Desktop\FRST.exe 2016-08-09 15:22 - 2016-08-10 21:30 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2016-08-09 15:06 - 2016-08-09 15:06 - 00001064 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk 2016-08-09 15:06 - 2016-08-09 15:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware 2016-08-09 15:05 - 2016-08-09 15:06 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware 2016-08-09 15:05 - 2016-03-10 14:09 - 00053120 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys 2016-08-09 15:05 - 2016-03-10 14:08 - 00126336 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys 2016-08-09 15:05 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys 2016-08-09 14:59 - 2016-08-09 15:00 - 00005008 _____ C:\Users\user\Desktop\Rkill.txt 2016-08-09 14:46 - 2016-08-09 14:46 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\user\Desktop\rkill.com 2016-08-09 14:32 - 2016-04-11 03:55 - 13347841 _____ C:\Users\user\Desktop\XIGNCODE.rar 2016-08-09 14:32 - 2015-11-26 05:57 - 05331464 _____ C:\Users\user\Desktop\[Pricelist] Kios Pasar Modern @Intermoda BSD City.pdf 2016-08-09 14:32 - 2015-01-26 00:54 - 00000364 _____ C:\Users\user\Desktop\pos.dat 2016-08-09 14:32 - 2014-12-27 01:17 - 01307106 _____ C:\Users\user\Desktop\Survey Remover V3.02 Updated.zip 2016-08-09 14:32 - 2014-05-26 14:54 - 01070624 _____ (Unity Technologies ApS) C:\Users\user\Desktop\UnityWebPlayer.exe 2016-08-09 14:31 - 2015-11-04 20:44 - 1272583000 _____ C:\Users\user\Desktop\PointBlank_GarenaPlus_Install_1026.exe 2016-08-09 14:30 - 2016-08-07 18:55 - 22851472 _____ (Malwarebytes ) C:\Users\user\Desktop\mbam-setup-2.2.1.1043.exe 2016-08-09 14:30 - 2016-03-05 20:03 - 77267144 _____ 
C:\Users\user\Desktop\Garena+_Install_id (1).exe 2016-08-09 14:30 - 2015-11-04 20:37 - 77494272 _____ C:\Users\user\Desktop\Garena+_Install_id.exe 2016-08-09 14:30 - 2015-11-04 19:40 - 02739648 _____ C:\Users\user\Desktop\pbidInstaller.exe 2016-08-09 14:30 - 2014-08-18 21:30 - 00895120 _____ (Google Inc.) C:\Users\user\Desktop\googledrivesync.exe 2016-08-09 14:30 - 2014-07-19 21:22 - 00895120 _____ (Google Inc.) C:\Users\user\Desktop\GoogleVoiceAndVideoSetup.exe 2016-08-09 14:30 - 2014-05-27 10:48 - 07760696 _____ (INNORIX) C:\Users\user\Desktop\InnoGMP_Win.exe 2016-08-09 14:30 - 2014-03-26 21:37 - 00847824 _____ (Google Inc.) C:\Users\user\Desktop\GoogleEarthSetup (3).exe 2016-08-09 14:30 - 2014-03-26 21:37 - 00847824 _____ (Google Inc.) C:\Users\user\Desktop\GoogleEarthSetup (2).exe 2016-08-09 14:30 - 2014-03-26 21:35 - 00847824 _____ (Google Inc.) C:\Users\user\Desktop\GoogleEarthSetup (1).exe 2016-08-09 14:30 - 2014-03-26 21:34 - 00847824 _____ (Google Inc.) C:\Users\user\Desktop\GoogleEarthSetup.exe 2016-08-09 14:29 - 2016-08-09 14:32 - 00000000 ____D C:\Users\user\Desktop\Garena Plus 2016-08-09 14:29 - 2016-08-07 20:49 - 39269240 _____ (Anvisoft) C:\Users\user\Desktop\asdsetup.exe 2016-08-09 14:29 - 2016-01-15 14:44 - 00927824 _____ (Google Inc.) C:\Users\user\Desktop\ChromeSetup(1).exe 2016-08-09 14:29 - 2014-12-23 18:46 - 00880784 _____ (Google Inc.) 
C:\Users\user\Desktop\ChromeSetup.exe 2016-08-07 21:36 - 2016-08-07 21:36 - 00000047 _____ C:\Users\user\Desktop\blahblah.txt 2016-08-07 20:54 - 2016-08-08 22:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Anvisoft 2016-08-07 20:54 - 2016-08-07 20:54 - 00000000 ____D C:\ProgramData\boost_interprocess 2016-08-07 20:51 - 2016-08-07 20:51 - 00000000 ____D C:\ProgramData\Anvisoft 2016-08-07 20:51 - 2016-08-07 20:51 - 00000000 ____D C:\Program Files\Anvisoft 2016-08-07 20:48 - 2016-08-07 20:49 - 39269240 _____ (Anvisoft) C:\Users\user\Downloads\asdsetup.exe 2016-08-07 18:54 - 2016-08-07 18:55 - 22851472 _____ (Malwarebytes ) C:\Users\user\Downloads\mbam-setup-2.2.1.1043.exe 2016-08-07 17:31 - 2016-08-07 17:31 - 00003584 _____ C:\Users\user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini 2016-08-06 20:06 - 2016-08-06 20:06 - 00000000 ____D C:\Users\user\AppData\Local\GMap.NET 2016-08-06 19:00 - 2016-08-10 21:57 - 00000000 ____D C:\Users\user\AppData\Roaming\HPRewriter2 2016-08-06 19:00 - 2016-08-06 19:33 - 00000000 ____D C:\Users\user\AppData\Roaming\Seviler2DGame 2016-08-06 19:00 - 2016-08-06 19:00 - 00002056 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Моzillа Firеfох.lnk 2016-08-06 19:00 - 2016-08-06 19:00 - 00002054 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооglе Сhrоmе.lnk 2016-08-06 19:00 - 2016-08-06 19:00 - 00002026 _____ C:\Users\Public\Desktop\Моzillа Firеfох.lnk 2016-08-06 19:00 - 2016-08-06 19:00 - 00002024 _____ C:\Users\Public\Desktop\Gооglе Сhrоmе.lnk 2016-07-24 17:25 - 2016-07-24 17:26 - 00045125 _____ C:\ProgramData\1469355928.2132.bin 2016-07-24 17:25 - 2016-07-24 17:26 - 00042049 _____ C:\ProgramData\1469355928.3948.bin 2016-07-24 17:25 - 2016-07-24 17:26 - 00004431 _____ C:\ProgramData\1469355928.172.bin 2016-07-24 17:25 - 2016-07-24 17:26 - 00002928 _____ C:\ProgramData\1469355928.3196.bin 2016-07-24 17:25 - 2016-07-24 17:25 - 00037915 _____ C:\ProgramData\1469355918.bdinstall.bin 
2016-07-24 01:13 - 2016-07-24 01:13 - 00000000 ____D C:\ProgramData\Malwarebytes 2016-07-24 00:45 - 2016-07-24 00:45 - 00225330 _____ C:\ProgramData\1469295588.bdinstall.bin 2016-07-24 00:44 - 2009-07-14 22:27 - 01461992 _____ (Microsoft Corporation) C:\Windows\system32\WdfCoInstaller01009.dll 2016-07-24 00:30 - 2016-07-24 00:32 - 00000494 _____ C:\ProgramData\1469294993.2720.bin 2016-07-24 00:30 - 2016-07-24 00:30 - 00002049 _____ C:\ProgramData\1469294993.1704.bin 2016-07-24 00:29 - 2016-07-24 00:32 - 00040831 _____ C:\ProgramData\1469294993.2684.bin 2016-07-24 00:21 - 2016-07-24 00:21 - 00045499 _____ C:\ProgramData\1469294336.bdinstall.bin 2016-07-24 00:18 - 2016-07-24 00:40 - 00000000 ____D C:\Users\user\AppData\Roaming\QuickScan ==================== One Month Modified files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 2020-03-31 11:19 - 2007-02-17 04:42 - 00262144 ___SH C:\Users\user\ntuser.dat.LOG2 2016-08-11 12:27 - 2015-01-23 21:01 - 00000000 ____D C:\Program Files\Foxtab 2016-08-11 12:27 - 2014-03-25 11:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons 2016-08-11 12:27 - 2010-11-21 07:46 - 00000000 ___RD C:\Users\Public\Recorded TV 2016-08-11 12:27 - 2009-07-14 09:37 - 00000000 ____D C:\Windows\registration 2016-08-10 22:22 - 2007-02-17 04:45 - 00001018 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3897908082-2070258231-4265155790-1000UA.job 2016-08-10 22:21 - 2016-01-25 22:32 - 00000266 _____ C:\Windows\Tasks\UpdateTask.job 2016-08-10 22:20 - 2014-03-26 21:38 - 00001000 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2016-08-10 21:57 - 2015-12-26 08:21 - 00001134 _____ C:\Users\user\Desktop\Chromium.lnk 2016-08-10 21:31 - 2007-02-17 05:02 - 00000000 ____D C:\Users\UpdatusUser 2016-08-10 21:29 - 2014-03-26 21:38 - 00000996 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2016-08-10 21:29 - 2009-07-14 11:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT 2016-08-10 
14:24 - 2014-07-06 13:16 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job 2016-08-09 17:22 - 2007-02-17 04:45 - 00000966 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3897908082-2070258231-4265155790-1000Core.job 2016-08-09 15:59 - 2009-07-14 11:34 - 00020832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2016-08-09 15:59 - 2009-07-14 11:34 - 00020832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2016-08-09 14:33 - 2016-03-05 20:05 - 00000000 ____D C:\Users\user\Downloads\Garena Plus 2016-08-08 22:46 - 2009-07-14 09:37 - 00000000 ____D C:\Windows\inf 2016-08-08 22:40 - 2007-02-17 04:44 - 00000000 ____D C:\Program Files\WinRAR 2016-08-08 20:49 - 2010-11-21 04:01 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI 2016-08-07 19:34 - 2007-02-17 04:56 - 00000000 ____D C:\Windows\PCHEALTH 2016-08-07 17:45 - 2007-02-15 00:09 - 00000000 ____D C:\Users\user\Documents\~Tristan 2016-08-07 17:14 - 2007-02-17 05:02 - 00000000 __SHD C:\[Smad-Cage] 2016-08-07 16:23 - 2007-02-17 05:02 - 00000000 ____D C:\Program Files\SMADAV 2016-08-05 16:20 - 2014-12-23 16:49 - 00000000 ____D C:\Program Files\Opera 2016-07-28 02:25 - 2014-03-25 11:17 - 00406184 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe 2016-07-24 17:34 - 2009-07-14 09:37 - 00000000 ____D C:\Windows\system32\NDF 2016-07-24 16:19 - 2009-07-14 11:46 - 00001503 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk 2016-07-24 16:19 - 2009-07-14 11:42 - 00001318 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk 2016-07-24 16:19 - 2009-07-14 11:42 - 00001234 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk 2016-07-24 16:19 - 2009-07-14 11:42 - 00001198 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk 2016-07-24 16:19 - 2007-02-17 05:40 - 00001083 _____ 
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop CS3.lnk 2016-07-24 16:19 - 2007-02-17 05:37 - 00001169 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Stock Photos CS3.lnk 2016-07-24 16:19 - 2007-02-17 05:35 - 00001349 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe ExtendScript Toolkit 2.lnk 2016-07-24 16:19 - 2007-02-17 05:34 - 00001138 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Device Central CS3.lnk 2016-07-24 16:19 - 2007-02-17 05:30 - 00001045 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Bridge CS3.lnk 2016-07-24 16:19 - 2007-02-17 05:06 - 00002105 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk 2016-07-24 16:19 - 2007-02-17 04:48 - 00002429 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk 2016-07-24 16:19 - 2007-02-17 04:35 - 00001333 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk 2016-07-24 16:19 - 2007-02-17 04:35 - 00001314 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk 2016-07-24 16:17 - 2016-03-05 20:20 - 00000987 _____ C:\Users\Public\Desktop\PointBlank Garena.lnk 2016-07-24 16:17 - 2016-03-05 20:06 - 00000909 _____ C:\Users\Public\Desktop\Garena+.lnk 2016-07-24 16:17 - 2014-03-26 21:41 - 00002164 _____ C:\Users\Public\Desktop\Google Earth.lnk 2016-07-24 16:17 - 2014-03-25 11:38 - 00001053 _____ C:\Users\Public\Desktop\HP Photo Creations.lnk 2016-07-24 16:17 - 2014-03-25 11:37 - 00002230 _____ C:\Users\Public\Desktop\HP Deskjet 1050 J410 series.lnk 2016-07-24 16:17 - 2014-03-25 11:37 - 00001188 _____ C:\Users\Public\Desktop\Shop for Supplies - HP Deskjet 1050 J410 series.lnk 2016-07-24 16:17 - 2014-03-25 11:37 - 00001183 _____ C:\Users\Public\Desktop\HP Deskjet 1050 J410 series Scan.lnk 2016-07-24 16:17 - 2007-02-17 05:22 - 00002652 _____ C:\Users\Public\Desktop\Nero StartSmart.lnk 2016-07-24 16:17 - 2007-02-17 05:05 - 
00001229 _____ C:\Users\Public\Desktop\Media Player Classic.lnk 2016-07-24 16:17 - 2007-02-17 05:04 - 00001793 _____ C:\Users\Public\Desktop\Winamp.lnk 2016-07-24 16:17 - 2007-02-17 04:51 - 00002061 _____ C:\Users\Public\Desktop\CyberLink PowerDVD 10.lnk 2016-07-24 16:17 - 2007-02-17 04:48 - 00001983 _____ C:\Users\Public\Desktop\Adobe Reader X.lnk 2016-07-24 16:17 - 2007-02-17 04:47 - 00001065 _____ C:\Users\Public\Desktop\GOM Player.lnk 2016-07-24 16:16 - 2009-07-14 11:46 - 00001282 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk 2016-07-24 16:16 - 2009-07-14 11:37 - 00001266 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk 2016-07-24 16:15 - 2016-06-16 18:50 - 00001095 _____ C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\LINE.lnk 2016-07-24 16:15 - 2016-06-16 18:50 - 00001093 _____ C:\Users\user\Desktop\LINE.lnk 2016-07-24 16:15 - 2007-02-17 05:41 - 00001083 _____ C:\Users\user\Desktop\Adobe Photoshop CS3.lnk 2016-07-24 16:15 - 2007-02-17 05:13 - 00002105 _____ C:\Users\user\Desktop\Microsoft Security Essentials.lnk 2016-07-24 16:15 - 2007-02-17 04:47 - 00001095 _____ C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\GOM Player.lnk 2016-07-24 16:14 - 2014-06-19 15:40 - 00000258 __RSH C:\ProgramData\ntuser.pol 2016-07-24 16:11 - 2009-07-14 11:52 - 00000000 ____D C:\Windows\Offline Web Pages 2016-07-24 15:57 - 2014-06-06 10:32 - 00000000 ____D C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games 2016-07-24 00:22 - 2007-02-17 05:06 - 00002127 _____ C:\Windows\epplauncher.mif 2016-07-22 20:19 - 2015-01-23 22:01 - 00000327 _____ C:\Users\user\AppData\Roaming\WB.CFG ==================== Files in the root of some directories ======= 2015-05-22 00:31 - 2007-02-15 00:11 - 0000024 _____ () C:\Users\user\AppData\Roaming\appdataFr25.bin 2015-04-28 15:38 - 2015-05-22 00:26 - 0000020 _____ () C:\Users\user\AppData\Roaming\appdataFr3.bin 2014-12-23 21:41 - 2014-12-23 21:41 - 0138056 _____ () 
C:\Users\user\AppData\Roaming\PnkBstrK.sys 2015-01-23 22:01 - 2016-07-22 20:19 - 0000327 _____ () C:\Users\user\AppData\Roaming\WB.CFG 2016-08-07 17:31 - 2016-08-07 17:31 - 0003584 _____ () C:\Users\user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini 2014-08-23 18:28 - 2014-08-23 18:28 - 0000000 _____ () C:\Users\user\AppData\Local\{021E2386-759F-43C7-93D9-3D5BF70A0319} 2014-02-19 15:02 - 2014-02-19 15:02 - 0000000 _____ () C:\Users\user\AppData\Local\{5C8F489D-835A-451E-AAFA-E6B0E4953A05} 2014-05-29 13:35 - 2014-05-29 13:36 - 0000000 _____ () C:\Users\user\AppData\Local\{A76B11C5-E75C-4DE6-AA0C-DD6FC1E47834} 2016-07-24 00:21 - 2016-07-24 00:21 - 0045499 _____ () C:\ProgramData\1469294336.bdinstall.bin 2016-07-24 00:30 - 2016-07-24 00:30 - 0002049 _____ () C:\ProgramData\1469294993.1704.bin 2016-07-24 00:29 - 2016-07-24 00:32 - 0040831 _____ () C:\ProgramData\1469294993.2684.bin 2016-07-24 00:30 - 2016-07-24 00:32 - 0000494 _____ () C:\ProgramData\1469294993.2720.bin 2016-07-24 00:45 - 2016-07-24 00:45 - 0225330 _____ () C:\ProgramData\1469295588.bdinstall.bin 2016-07-24 17:25 - 2016-07-24 17:25 - 0037915 _____ () C:\ProgramData\1469355918.bdinstall.bin 2016-07-24 17:25 - 2016-07-24 17:26 - 0004431 _____ () C:\ProgramData\1469355928.172.bin 2016-07-24 17:25 - 2016-07-24 17:26 - 0045125 _____ () C:\ProgramData\1469355928.2132.bin 2016-07-24 17:25 - 2016-07-24 17:26 - 0002928 _____ () C:\ProgramData\1469355928.3196.bin 2016-07-24 17:25 - 2016-07-24 17:26 - 0042049 _____ () C:\ProgramData\1469355928.3948.bin Some files in TEMP: ==================== C:\Users\user\AppData\Local\Temp\c8eb790646128f34aa04a36111aca8cf.dll C:\Users\user\AppData\Local\Temp\d45bf640ca3c263b5d4928241c7a8e35.dll C:\Users\user\AppData\Local\Temp\eauninstall.exe C:\Users\user\AppData\Local\Temp\ggspawn1556635582.dll C:\Users\user\AppData\Local\Temp\ggspawn770000468.dll C:\Users\user\AppData\Local\Temp\libeay32.dll C:\Users\user\AppData\Local\Temp\msvcr120.dll 
C:\Users\user\AppData\Local\Temp\openvpn.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1003_1.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1004_11.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1005.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1006.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1007.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1008_1.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1009.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1010.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1011.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1012.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1013_1.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1014.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1015_1.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1016_1.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1017.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1018.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1019.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1020.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1021.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1022.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1023.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1024.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1025_1.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1026.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1027.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1028.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1029.exe 
C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1030.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1031.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1032.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1033.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1034.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1035.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1036.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1037.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1038_1.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1039.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1040.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1041.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1042.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1043.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1044.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1045.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1046.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1047.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1048.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1049_1.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1050.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1051.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1052_1.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1053.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1054.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1055.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1056.exe C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1057.exe 
C:\Users\user\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1058.exe C:\Users\user\AppData\Local\Temp\sqlite3.dll C:\Users\user\AppData\Local\Temp\tapinstall.exe ==================== Bamital & volsnap ================= (There is no automatic fix for files that do not pass verification.) C:\Windows\explorer.exe => File is digitally signed C:\Windows\system32\winlogon.exe [2010-11-21 04:29] - [2010-11-20 03:17] - 0285696 ____A (Microsoft Corporation) C3EB9EA34EBE459F13F3F890F56CE72A C:\Windows\system32\wininit.exe => File is digitally signed C:\Windows\system32\svchost.exe => File is digitally signed C:\Windows\system32\services.exe => File is digitally signed C:\Windows\system32\User32.dll [2010-11-21 04:29] - [2010-11-20 03:21] - 0812032 ____A (Microsoft Corporation) CF97D64D7EC169C53C93B0A192218B29 C:\Windows\system32\userinit.exe => File is digitally signed C:\Windows\system32\rpcss.dll => File is digitally signed C:\Windows\system32\dnsapi.dll => File is digitally signed C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2016-08-06 08:13 ==================== End of FRST.txt ============================ Addition.txt Additional scan result of Farbar Recovery Scan Tool (x86) Version: 09-08-2016 01 Ran by user (2016-08-10 22:23:07) Running from C:\Users\user\Desktop Microsoft Windows 7 Ultimate Service Pack 1 (X86) (2007-02-16 21:40:57) Boot Mode: Normal ========================================================== ==================== Accounts: ============================= Administrator (S-1-5-21-3897908082-2070258231-4265155790-500 - Administrator - Disabled) Guest (S-1-5-21-3897908082-2070258231-4265155790-501 - Limited - Disabled) UpdatusUser (S-1-5-21-3897908082-2070258231-4265155790-1001 - Limited - Enabled) => C:\Users\UpdatusUser user (S-1-5-21-3897908082-2070258231-4265155790-1000 - Administrator - Enabled) => C:\Users\user ==================== Security Center ======================== (If an entry is included in the fixlist, it 
will be removed.) AV: Microsoft Security Essentials (Enabled - Up to date) {B140BF4E-23BB-4198-90AB-A51A4C60A69C} AS: Microsoft Security Essentials (Enabled - Up to date) {0A215EAA-0581-4E16-AA1B-9E6837E7EC21} AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} ==================== Installed Programs ====================== (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.) Adobe AIR (HKLM\...\Adobe AIR) (Version: 13.0.0.111 - Adobe Systems Incorporated) Adobe Flash Player 11 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 11.7.700.169 - Adobe Systems Incorporated) Adobe Flash Player 16 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 16.0.0.305 - Adobe Systems Incorporated) Adobe Photoshop CS3 (HKLM\...\Adobe_719d6f144d0c086a0dfa7ff76bb9ac1) (Version: 10.0 - Adobe Systems Incorporated) Adobe Reader X (10.1.0) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.0 - Adobe Systems Incorporated) Chromium (HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\...\Chromium) (Version: 46.0.2470.0 - Chromium) Counter-Strike 1.6 (HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\...\Counter-Strike 1.6) (Version: - ) File Association Helper (HKLM\...\{8975E3CB-A762-4B14-BD62-A3972A098E82}) (Version: 1.2.225.65451 - WinZip Computing International, LLC) Foxtab (HKLM\...\Foxtab) (Version: - Foxtab) <==== ATTENTION Garena - PointBlank ID (HKLM\...\PBID) (Version: - Garena Online Pte Ltd.) Garena+ (HKLM\...\im) (Version: 2011 - Garena Online Pte Ltd.) GOM Player (HKLM\...\GOM Player) (Version: 2.1.28.5039 - Gretech Corporation) Google Chrome (HKLM\...\Google Chrome) (Version: 52.0.2743.116 - Google Inc.) Google Drive (HKLM\...\{709316AD-161C-4D5C-9AE7-0B3A822DA271}) (Version: 1.30.2170.0459 - Google, Inc.) 
Google Earth (HKLM\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google) Google Talk Plugin (HKLM\...\{F9B579C2-D854-300A-BE62-A09EB9D722E4}) (Version: 5.41.3.0 - Google) Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden Google Update Helper (Version: 1.3.31.5 - Google Inc.) Hidden HP Deskjet 1050 J410 series Basic Device Software (HKLM\...\{226837D8-0BF8-4CBE-BAB2-8F07E2C2B4DD}) (Version: 22.50.231.0 - Hewlett-Packard Co.) HP Deskjet 1050 J410 series Help (HKLM\...\{5C90D8CF-F12A-41C6-9007-3B651A1F0D78}) (Version: 140.0.66.66 - Hewlett Packard) HP Deskjet 1050 J410 series Product Improvement Study (HKLM\...\{7414C891-720D-4E86-85E5-C3AA898DA9EC}) (Version: 22.50.231.0 - Hewlett-Packard Co.) HP Photo Creations (HKLM\...\HP Photo Creations) (Version: 1.0.0.3781 - HP Photo Creations Powered by RocketLife) HP Update (HKLM\...\{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}) (Version: 5.002.006.003 - Hewlett-Packard) HPRewriter2 (HKLM\...\HPRewriter2) (Version: - ) K-Lite Codec Pack 7.1.0 (Full) (HKLM\...\KLiteCodecPack_is1) (Version: 7.1.0 - ) LINE (HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\...\LINE) (Version: 4.8.0.1097 - LINE Corporation) Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes) Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation) Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.1.522.0 - Microsoft Corporation) Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.0.50401.0 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 
9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation) Mozilla Firefox 47.0 (x86 en-US) (HKLM\...\Mozilla Firefox 47.0 (x86 en-US)) (Version: 47.0 - Mozilla) Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 47.0.0.5999 - Mozilla) MSXML4 Parser (HKLM\...\{01501EBA-EC35-4F9F-8889-3BE346E5DA13}) (Version: 1.0.0 - Microsoft Game Studios) Need for Speed™ Carbon (HKLM\...\{259C0ABB-A3B2-4D70-008F-BF7EE491B70B}) (Version: - ) Nero 7 Premium (HKLM\...\{4781569D-5404-1F26-4B2B-6DF444441031}) (Version: 7.00.0087 - Nero AG) NVIDIA Graphics Driver 307.74 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 307.74 - NVIDIA Corporation) NVIDIA Update 1.10.8 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.10.8 - NVIDIA Corporation) Opera Stable 39.0.2256.48 (HKLM\...\Opera 39.0.2256.48) (Version: 39.0.2256.48 - Opera Software) PDF Settings (Version: 1.0 - Adobe Systems Incorporated) Hidden Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6828 - Realtek Semiconductor Corp.) 
Search Provided by Yahoo (HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\...\YahooProvidedSearch) (Version: - ) <==== ATTENTION SMADAV version 9.6.1 (HKLM\...\{8B9FA5FF-3E61-4658-B0DA-E6DDB46D6BAD}_is1) (Version: 9.6.1 - SmadSoft) UltraISO Premium V9.35 (HKLM\...\UltraISO_is1) (Version: - ) Unity Web Player (HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\...\UnityWebPlayer) (Version: - Unity Technologies ApS) Winamp (HKLM\...\Winamp) (Version: 5.61 - Nullsoft, Inc) Winamp Detector Plug-in (HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\...\Winamp Detect) (Version: 1.0.0.1 - Nullsoft, Inc) Windows Driver Package - ASIX (AX88772) Net (06/10/2009 3.12.3.2) (HKLM\...\3720AB563DCFC005C5FB669FF957E87941CF80E6) (Version: 06/10/2009 3.12.3.2 - ASIX) WinRAR 4.01 (32-bit) (HKLM\...\WinRAR archiver) (Version: 4.01.0 - win.rar GmbH) Zemana AntiMalware (HKLM\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.21.321 - Zemana Ltd.) ==================== Custom CLSID (Whitelisted): ========================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.) 
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.27.5\psuser.dll => No File CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{1aad99ea-ee10-5c3a-8174-84c63a67adde}\InprocServer32 -> C:\ProgramData\Anvisoft\Anvi Smart Defender 2\extensions\npAdblockPlugin.dll => No File CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\GoogleUpdateOnDemand.exe (Google Inc.) CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\GoogleUpdateOnDemand.exe (Google Inc.) CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{39125640-8D80-11DC-A2FE-C5C455D89593}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Google Talk Plugin\googletalkax.dll (Google) CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32 -> C:\Users\user\AppData\LocalLow\Unity\WebPlayer\loader\UnityWebPluginAX.ocx (Unity Technologies ApS) CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\GoogleUpdateOnDemand.exe (Google Inc.) CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.30.3\psuser.dll => No File CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\psuser.dll (Google Inc.) 
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.28.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.28.13\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.29.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\localserver32 -> C:\Users\user\AppData\Local\Chromium\Application\46.0.2470.0\delegate_execute.exe (The Chromium Authors) <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{AB9F4455-E591-4132-A386-0B91EAEDB96C}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Google Talk Plugin\o1dax.dll (Google)
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.26.9\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.29.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.25.11\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.28.15\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.27.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> "C:\Users\user\AppData\Local\Google\Update\1.3.29.1\GoogleUpdateOnDemand.exe" => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> "C:\Users\user\AppData\Local\Google\Update\1.3.29.1\GoogleUpdateOnDemand.exe" => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{39125640-8D80-11DC-A2FE-C5C455D89593}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Google Talk Plugin\googletalkax.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32 -> C:\Users\UpdatusUser\AppData\LocalLow\Unity\WebPlayer\loader\UnityWebPluginAX.ocx => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> "C:\Users\user\AppData\Local\Google\Update\1.3.29.1\GoogleUpdateOnDemand.exe" => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.30.3\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.28.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.28.13\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.29.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\localserver32 -> C:\Users\user\AppData\Local\Chromium\Application\46.0.2470.0\delegate_execute.exe (The Chromium Authors) <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{AB9F4455-E591-4132-A386-0B91EAEDB96C}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Google Talk Plugin\o1dax.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.29.1\npGoogleUpdate3.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.26.9\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.29.1\npGoogleUpdate3.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.29.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.25.11\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.28.15\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> "C:\Users\user\AppData\Local\Google\Update\1.3.29.1\GoogleUpdateOnDemand.exe" => No File
CustomCLSID: HKU\S-1-5-21-3897908082-2070258231-4265155790-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\UpdatusUser\AppData\Local\Google\Update\1.3.29.1\psuser.dll => No File

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0E26943A-E58D-4D36-9ED9-191631BCCFF7} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
Task: {16D4A03B-6672-436D-922E-D1BDE06336B6} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3897908082-2070258231-4265155790-1000Core => C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2015-09-04] (Google Inc.)
Task: {189F871F-7689-4B16-BC34-7EA1AC36071C} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2007-02-15] (Google Inc.)
Task: {1A69E56C-C44D-4B29-9A13-8D1C0282506A} - System32\Tasks\UpdateTask => C:\Users\user\AppData\Local\{804AB~1\UNINST~1.EXE
Task: {1C1E0E67-A92A-4705-B5BE-3F8DF7077DEE} - System32\Tasks\{730A0B80-DE7E-4936-9138-9D4E43D39543} => pcalua.exe -a "C:\Program Files\Electronic Arts\Need for Speed Carbon\EAUninstall.exe"
Task: {1CD82678-09D3-4DE7-987D-516F812E5DBA} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-03-03] (Adobe Systems Incorporated)
Task: {2290A225-5460-4BD0-9B6B-BBCC737CCAF4} - \{CA13FAB3-5290-0682-FAF4-587B10AA7A33} -> No File <==== ATTENTION
Task: {27F89AFD-62F3-4A46-A5A5-66D8D7E1574F} - System32\Tasks\smadav => C:\Program Files\Smadav\SMΔRTP.exe [2014-01-21] (Smadsoft)
Task: {2ABAF70E-261F-40D0-A37B-171C14AF678F} - \Superclean -> No File <==== ATTENTION
Task: {2BE54B3B-AF35-416E-AD4F-56A90742DA76} - System32\Tasks\Garena+ Plugin Host Service => C:\Users\user\Downloads\Garena Plus\ggdllhost.exe [2016-02-22] ()
Task: {32471D25-BE59-490D-8A8C-2461921F46C7} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2007-02-15] (Google Inc.)
Task: {37CE6EA3-8CFD-4B23-A5E5-747AD27D33BD} - System32\Tasks\HPCustParticipation HP Deskjet 1050 J410 series => C:\Program Files\HP\HP Deskjet 1050 J410 series\Bin\HPCustPartic.exe [2010-11-16] (Hewlett-Packard Co.)
Task: {3B25E983-9659-4E18-931C-60CCC01B98ED} - \Foxtab -> No File <==== ATTENTION
Task: {4784428D-4A1E-4F89-AB5A-CB63F613A353} - System32\Tasks\{889C5A91-D264-4550-95DA-196724F7C8A4} => pcalua.exe -a "C:\Program Files\SaverExtEnsiion\Vr4g4Bn5Im26F4.exe" -c /s /n /i:"ExecuteCommands;UninstallCommands" ""
Task: {4E3DC8E8-8ADB-458D-B424-2341DB69A79B} - System32\Tasks\Opera scheduled Autoupdate 1419328534 => C:\Program Files\Opera\launcher.exe [2016-08-03] (Opera Software)
Task: {4F59613F-0625-44F5-9617-34AE48DE87A7} - \{6154B54B-F7CE-82CD-9B38-E9FC1188F970} -> No File <==== ATTENTION
Task: {62443B58-82F0-4E28-BF23-B0CF11003B2F} - \Super Optimizer Schedule -> No File <==== ATTENTION
Task: {933777CA-154F-46E3-88AE-8D8110E51AB8} - System32\Tasks\{7095882C-55D6-48B6-830A-B40748EB391E} => pcalua.exe -a "C:\Program Files\SalePlus\MHYQf5xAfdtoPP.exe" -c /s /n /i:"ExecuteCommands;UninstallCommands" ""
Task: {B43DC576-11B7-433E-B995-4612E9879C47} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3897908082-2070258231-4265155790-1000UA => C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2015-09-04] (Google Inc.)
Task: {B652DE0D-87F6-4397-B81C-63796FA72B37} - System32\Tasks\{37495DE7-5931-4CAE-A82A-E4C275C0BED8} => Chrome.exe hxxp://ui.skype.com/ui/0/6.14.0.104/id/abandoninstall?source=lightinstaller&page=tsInstall
Task: {CAFAEC6E-0724-4CF4-A6D8-090931C5D98B} - \userCentrifugallyKingwoodV2 -> No File <==== ATTENTION
Task: {DB6E221A-5F52-4883-8697-B89D8ADDF082} - System32\Tasks\Microsoft\Windows\Windows Activation Technologies\WatTask => C:\Windows Activation Technologies\wat.exe [2006-04-21] ()

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3897908082-2070258231-4265155790-1000Core.job => C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3897908082-2070258231-4265155790-1000UA.job => C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\UpdateTask.job => C:\Users\user\AppData\Local\{804AB~1\UNINST~1.EXE

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Users\user\AppData\Local\Microsoft\Windows\GameExplorer\{6C95E218-B32A-4955-88CA-65FCA3BE5F25}\SupportTasks\1\Support.lnk -> hxxp://support.ea.com/
Shortcut: C:\Users\user\AppData\Local\Microsoft\Windows\GameExplorer\{6C95E218-B32A-4955-88CA-65FCA3BE5F25}\SupportTasks\0\More Games from Microsoft.lnk -> hxxp://www.ea.com/nfs/carbon/us/home.jsp/
ShortcutWithArgument: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> --disable-quic

==================== Loaded Modules (Whitelisted) ==============

2007-02-17 05:02 - 2013-01-03 15:38 - 00079800 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax.dll
2016-08-10 21:48 - 2016-08-10 21:48 - 03712064 _____ () C:\Users\user\Desktop\AdwCleaner.exe
2016-08-09 14:56 - 2016-08-03 07:24 - 01771336 _____ () C:\Program Files\Google\Chrome\Application\52.0.2743.116\libglesv2.dll
2016-08-09 14:56 - 2016-08-03 07:23 - 00094024 _____ () C:\Program Files\Google\Chrome\Application\52.0.2743.116\libegl.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 09:04 - 2009-06-11 04:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3897908082-2070258231-4265155790-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 8.8.8.8 - 8.8.4.4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: Bonjour Service => 2
MSCONFIG\Services: FLEXnet Licensing Service => 3
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: Innosvcd => 2
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\startupfolder: C:^Users^user^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk => C:\Windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: BDRegion => C:\Program Files\Cyberlink\Shared files\brs.exe
MSCONFIG\startupreg: BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} => "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
MSCONFIG\startupreg: FAHConsole => C:\Program Files\File Association Helper\FAHConsole.exe
MSCONFIG\startupreg: Google Update => "C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe" /c
MSCONFIG\startupreg: GoogleDriveSync => "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart
MSCONFIG\startupreg: GrooveMonitor => "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
MSCONFIG\startupreg: HP Software Update => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
MSCONFIG\startupreg: Microsoft Default Manager => "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
MSCONFIG\startupreg: MSC => "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
MSCONFIG\startupreg: NeroFilterCheck => C:\Windows\system32\NeroCheck.exe
MSCONFIG\startupreg: RemoteControl10 => "C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe"
MSCONFIG\startupreg: RTHDVCPL => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
MSCONFIG\startupreg: SoftonicAssistant => "C:\Users\user\AppData\Local\SoftonicAssistant\SoftonicAssistant.exe"
MSCONFIG\startupreg: Super Optimizer => C:\Program Files\Super Optimizer\SupOptLauncher.exe
MSCONFIG\startupreg: WinampAgent => "C:\Program Files\Winamp\winampa.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{AF55DF36-3B3A-4195-8EC7-93CBC3064418}] => (Allow) C:\Program Files\CyberLink\PowerDVD10\PowerDVD Cinema\PowerDVDCinema10.exe
FirewallRules: [{7FB1DA94-24AC-49C8-9BB4-25F1440F5EB5}] => (Allow) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
FirewallRules: [{C4E7657D-D846-431A-B375-DF72F21C43D4}] => (Allow) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
FirewallRules: [TCP Query User{B75F92AB-5253-4440-9654-94F45745A5FD}C:\program files\winamp\winamp.exe] => (Allow) C:\program files\winamp\winamp.exe
FirewallRules: [UDP Query User{32B99E46-7CA4-4D35-B7EC-73B5E40E177A}C:\program files\winamp\winamp.exe] => (Allow) C:\program files\winamp\winamp.exe
FirewallRules: [{B5EBD52A-8A6C-495C-8914-45C0D8B7BB49}] => (Allow) C:\Program Files\HP\HP Deskjet 1050 J410 series\Bin\USBSetup.exe
FirewallRules: [{84844E85-F746-4836-9F8B-2DD4DC6BBFF7}] => (Allow) C:\Program Files\HP\HP Deskjet 1050 J410 series\Bin\USBSetup.exe
FirewallRules: [{CDE097F3-B5C0-47CF-8440-9B34E38C38FC}] => (Allow) C:\Gemscool\PointBlank\PointBlank.exe
FirewallRules: [{63FE68A2-2AEF-4A9D-B30D-D8E5F745C104}] => (Allow) C:\Gemscool\PointBlank\PointBlank.exe
FirewallRules: [{219D2E55-3CA6-4E0A-AAFD-9EB3D5D8438C}] => (Allow) C:\Windows\System32\innogmp.exe
FirewallRules: [{057FE20A-96B0-4751-B20B-11B4921E3A22}] => (Allow) C:\Windows\System32\innogmp.exe
FirewallRules: [{58BC5D0F-05D4-4393-8AC2-4F3D8B5B6AE8}] => (Allow) C:\Windows\System32\innosvcd.exe
FirewallRules: [{AFE59780-6795-4CA7-93E1-D36C420077A1}] => (Allow) C:\Windows\System32\innosvcd.exe
FirewallRules: [TCP Query User{BA77D0C4-8BA4-42D5-888D-071A3EFA81A1}C:\program files\microsoft games\rise of nations\nations.exe] => (Block) C:\program files\microsoft games\rise of nations\nations.exe
FirewallRules: [UDP Query User{ADF314B4-57CB-4C37-A8B2-C4FBCF5D8195}C:\program files\microsoft games\rise of nations\nations.exe] => (Block) C:\program files\microsoft games\rise of nations\nations.exe
FirewallRules: [{5BAC8B25-CAEA-44CA-AC62-BCCB1A4454EE}] => (Allow) C:\Users\user\LINE\Line.exe
FirewallRules: [{8E037D6B-A56A-49DC-AC85-49C97F23D196}] => (Allow) C:\Users\user\LINE\Line.exe
FirewallRules: [TCP Query User{ACF23A73-DF3A-4A9C-88B4-1F2434E975EE}E:\easysetupassistant\wr842n\easysetupassistant.exe] => (Allow) E:\easysetupassistant\wr842n\easysetupassistant.exe
FirewallRules: [UDP Query User{6DC0004E-BF93-439A-9AC5-358BE88AAF78}E:\easysetupassistant\wr842n\easysetupassistant.exe] => (Allow) E:\easysetupassistant\wr842n\easysetupassistant.exe
FirewallRules: [TCP Query User{3BDA6D35-A246-40EF-9DBD-3A68E0DE01B8}E:\easysetupassistant\wr841n\easysetupassistant.exe] => (Allow) E:\easysetupassistant\wr841n\easysetupassistant.exe
FirewallRules: [UDP Query User{5CB6CF52-D25A-492C-B1DE-4228A01866FE}E:\easysetupassistant\wr841n\easysetupassistant.exe] => (Allow) E:\easysetupassistant\wr841n\easysetupassistant.exe
FirewallRules: [{49B543D8-97BE-4320-841D-3B84E06D9A7B}] => (Allow) C:\Windows\System32\PnkBstrA.exe
FirewallRules: [{43209761-FBEB-45A9-94E8-1C177053DE33}] => (Allow) C:\Windows\System32\PnkBstrA.exe
FirewallRules: [{189DCB94-AA42-4442-BB16-8219FA1D0CC6}] => (Allow) C:\Windows\System32\PnkBstrB.exe
FirewallRules: [{CB910983-84C6-4797-B31C-184E11836320}] => (Allow) C:\Windows\System32\PnkBstrB.exe
FirewallRules: [TCP Query User{33FB15B6-FE57-4E5C-88B7-40AC1C133776}C:\users\user\line\line.exe] => (Allow) C:\users\user\line\line.exe
FirewallRules: [UDP Query User{6F6AA9AA-4E2B-49DE-9C0B-95422BB078C8}C:\users\user\line\line.exe] => (Allow) C:\users\user\line\line.exe
FirewallRules: [{AB130FB7-6DF0-4F95-8354-EA486AECD18F}] => (Allow) C:\Users\user\Downloads\pbidInstaller.exe
FirewallRules: [{3C77BF32-775D-4F97-AC00-88C4589F710B}] => (Allow) C:\Users\user\Downloads\pbidInstaller.exe
FirewallRules: [{2BAB82FB-D3EC-4C36-A74B-AEB2443AE04E}] => (Allow) C:\Windows\system32\rundll32.exe
FirewallRules: [{01735BC0-0E8A-490A-B7DA-907629A919AC}] => (Allow) C:\Program Files\Garena Plus\ggdllhost.exe
FirewallRules: [TCP Query User{8B76514A-9257-4DEA-B24A-15B398F44CDE}C:\program files\garena plus\garenamessenger.exe] => (Block) C:\program files\garena plus\garenamessenger.exe
FirewallRules: [UDP Query User{384E1056-A49F-4794-B992-C994FC63F05E}C:\program files\garena plus\garenamessenger.exe] => (Block) C:\program files\garena plus\garenamessenger.exe
FirewallRules: [{14963CF9-3B1A-4CBC-BD62-FC79185AEB6B}] => (Allow) C:\Program Files\GarenaPBID\gamedata\Apps\PBID\PointBlank.exe
FirewallRules: [{BB9D7551-A836-477C-8240-9BAB8D28C62B}] => (Allow) C:\Program Files\GarenaPBID\gamedata\Apps\PBID\PointBlank.exe
FirewallRules: [TCP Query User{D1076D46-7E84-44B9-A77D-39211AF00693}C:\program files\winamp\winamp.exe] => (Block) C:\program files\winamp\winamp.exe
FirewallRules: [UDP Query User{3A4AA64A-E86C-418B-BE31-DCD17C182CEF}C:\program files\winamp\winamp.exe] => (Block) C:\program files\winamp\winamp.exe
FirewallRules: [TCP Query User{ABAE53C1-E284-426E-9D54-95BA45E962BA}C:\program files\counter-strike 1.6\counter-strike 1.6\hl.exe] => (Allow) C:\program files\counter-strike 1.6\counter-strike 1.6\hl.exe
FirewallRules: [UDP Query User{9560033A-3E3F-40CE-882F-2AB0D60A7578}C:\program files\counter-strike 1.6\counter-strike 1.6\hl.exe] => (Allow) C:\program files\counter-strike 1.6\counter-strike 1.6\hl.exe
FirewallRules: [TCP Query User{A3FC8368-32A4-4704-BCC6-E738D707DCC1}C:\program files\counter-strike 1.6\hl.exe] => (Block) C:\program files\counter-strike 1.6\hl.exe
FirewallRules: [UDP Query User{1BC205D3-E569-40FB-B391-5D435DBE7423}C:\program files\counter-strike 1.6\hl.exe] => (Block) C:\program files\counter-strike 1.6\hl.exe
FirewallRules: [{3716CDE8-4C40-4103-AEFC-83908367A28B}] => (Allow) C:\Users\user\AppData\Local\Chromium\Application\chrome.exe
FirewallRules: [TCP Query User{0352C2C4-F36F-4961-B2E4-FFFE3C05E413}C:\program files\novalogic\delta force xtreme\dfx.exe] => (Block) C:\program files\novalogic\delta force xtreme\dfx.exe
FirewallRules: [UDP Query User{AC0ACF9C-D4AA-4E4A-B848-7E96534DF905}C:\program files\novalogic\delta force xtreme\dfx.exe] => (Block) C:\program files\novalogic\delta force xtreme\dfx.exe
FirewallRules: [{85C224FA-F8A8-4775-81F3-5A083E26182B}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{D0223D83-91F4-40EC-84FE-2637BE3AB8C3}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{32785A94-E0CB-4062-B53B-B08A5708E786}] => (Allow) C:\GarenaDownload\Games\pbid\pbidInstaller.exe
FirewallRules: [{759A500F-3DF2-466D-8BFA-AFDADE9E6819}] => (Allow) C:\GarenaDownload\Games\pbid\pbidInstaller.exe
FirewallRules: [TCP Query User{7D2F11DA-C6AA-43B2-A96E-A70225FD0986}C:\users\user\downloads\garena plus\garenamessenger.exe] => (Allow) C:\users\user\downloads\garena plus\garenamessenger.exe
FirewallRules: [UDP Query User{8DC531C2-84B6-42C9-A51A-96AE56201C02}C:\users\user\downloads\garena plus\garenamessenger.exe] => (Allow) C:\users\user\downloads\garena plus\garenamessenger.exe
FirewallRules: [{936B575F-183B-4B0C-B39A-5D218BB00D6E}] => (Allow) C:\Users\user\AppData\Local\Line\bin\4.7.0.1027\LINE.exe
FirewallRules: [{E2F4FCAC-10F2-4254-860B-A08502ED41F8}] => (Allow) C:\Users\user\AppData\Local\Line\bin\4.7.0.1027\LINE.exe
FirewallRules: [{76FCD2F5-A9EA-4A22-BD9D-07FBEA1D3A66}] => (Allow) C:\Users\user\AppData\Local\Line\bin\4.7.0.1027\LineUpdater.exe
FirewallRules: [{947B6388-796E-4183-A363-17B08C488DF9}] => (Allow) C:\Users\user\AppData\Local\Line\bin\4.7.0.1027\LineUpdater.exe
FirewallRules: [{8EBB87C4-EDBD-46BE-BA30-BFD0F7751003}] => (Allow) %SystemRoot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
FirewallRules: [{85531843-DBB2-45B0-82D4-7FF335F85BA1}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

07-08-2016 20:52:59 Device Driver Package Install: Anvisoft Network Service
09-08-2016 14:34:44 Windows Update
09-08-2016 15:41:34 Microsoft Antimalware Checkpoint
10-08-2016 14:50:16 Restore Point Created by FRST

==================== Faulty Device Manager Devices =============

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device. On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
==================== Event log errors: =========================

Application errors:
==================
Error: (08/10/2016 09:30:40 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/10/2016 07:28:59 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/10/2016 04:09:56 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winlogon.exe, version: 6.1.7601.17514, time stamp: 0x4ce794fe Faulting module name: winlogon.exe, version: 6.1.7601.17514, time stamp: 0x4ce794fe Exception code: 0xc0000005 Fault offset: 0x00000000 Faulting process id: 0x620 Faulting application start time: 0xwinlogon.exe0 Faulting application path: winlogon.exe1 Faulting module path: winlogon.exe2 Report Id: winlogon.exe3

Error: (08/10/2016 04:09:41 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winlogon.exe, version: 6.1.7601.17514, time stamp: 0x4ce794fe Faulting module name: winlogon.exe, version: 6.1.7601.17514, time stamp: 0x4ce794fe Exception code: 0xc0000005 Fault offset: 0x00000000 Faulting process id: 0x4a8 Faulting application start time: 0xwinlogon.exe0 Faulting application path: winlogon.exe1 Faulting module path: winlogon.exe2 Report Id: winlogon.exe3

Error: (08/10/2016 04:09:26 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winlogon.exe, version: 6.1.7601.17514, time stamp: 0x4ce794fe Faulting module name: winlogon.exe, version: 6.1.7601.17514, time stamp: 0x4ce794fe Exception code: 0xc0000005 Fault offset: 0x00000000 Faulting process id: 0x260 Faulting application start time: 0xwinlogon.exe0 Faulting application path: winlogon.exe1 Faulting module path: winlogon.exe2 Report Id: winlogon.exe3

Error: (08/10/2016 04:09:11 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winlogon.exe, version: 6.1.7601.17514, time stamp: 0x4ce794fe Faulting module name: winlogon.exe, version: 6.1.7601.17514, time stamp: 0x4ce794fe Exception code: 0xc0000005 Fault offset: 0x00000000 Faulting process id: 0x58c Faulting application start time: 0xwinlogon.exe0 Faulting application path: winlogon.exe1 Faulting module path: winlogon.exe2 Report Id: winlogon.exe3

Error: (08/10/2016 04:08:56 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winlogon.exe, version: 6.1.7601.17514, time stamp: 0x4ce794fe Faulting module name: winlogon.exe, version: 6.1.7601.17514, time stamp: 0x4ce794fe Exception code: 0xc0000005 Fault offset: 0x00000000 Faulting process id: 0x554 Faulting application start time: 0xwinlogon.exe0 Faulting application path: winlogon.exe1 Faulting module path: winlogon.exe2 Report Id: winlogon.exe3

Error: (08/10/2016 04:08:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winlogon.exe, version: 6.1.7601.17514, time stamp: 0x4ce794fe Faulting module name: winlogon.exe, version: 6.1.7601.17514, time stamp: 0x4ce794fe Exception code: 0xc0000005 Fault offset: 0x00000000 Faulting process id: 0x4e0 Faulting application start time: 0xwinlogon.exe0 Faulting application path: winlogon.exe1 Faulting module path: winlogon.exe2 Report Id: winlogon.exe3

Error: (08/10/2016 04:08:25 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winlogon.exe, version: 6.1.7601.17514, time stamp: 0x4ce794fe Faulting module name: winlogon.exe, version: 6.1.7601.17514, time stamp: 0x4ce794fe Exception code: 0xc0000005 Fault offset: 0x00000000 Faulting process id: 0x49c Faulting application start time: 0xwinlogon.exe0 Faulting application path: winlogon.exe1 Faulting module path: winlogon.exe2 Report Id: winlogon.exe3

Error: (08/10/2016 04:08:10 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winlogon.exe, version: 6.1.7601.17514, time stamp: 0x4ce794fe Faulting module name: winlogon.exe, version: 6.1.7601.17514, time stamp: 0x4ce794fe Exception code: 0xc0000005 Fault offset: 0x00000000 Faulting process id: 0x3bc Faulting application start time: 0xwinlogon.exe0 Faulting application path: winlogon.exe1 Faulting module path: winlogon.exe2 Report Id: winlogon.exe3

System errors:
=============
Error: (08/10/2016 09:30:37 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 70.

Error: (08/10/2016 09:29:41 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: InCDPass InCDRm

Error: (08/10/2016 09:29:39 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The HPWriter Service service failed to start due to the following error: %%5 = Access is denied.

Error: (08/10/2016 09:29:39 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the CutterModule service to connect.

Error: (08/11/2016 11:23:52 AM) (Source: Service Control Manager) (EventID: 7005) (User: )
Description: The LsaLookupOpenPolicy call failed with the following error: %%-1073741822

Error: (08/10/2016 07:29:35 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The MBAMService service hung on starting.

Error: (08/10/2016 07:27:54 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the CutterModule service to connect.
Error: (08/10/2016 07:27:17 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 16:09:27 on 10/08/2016 was unexpected.

Error: (08/10/2016 04:03:41 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache MpFilter NetBIOS NetBT nsiproxy Psched rdbss spldr tdx Wanarpv6 WfpLwf

Error: (08/10/2016 04:03:37 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: %%1068 = The dependency service or group failed to start.

CodeIntegrity:
===================================
Date: 2016-08-10 22:19:13.958
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\user32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-10 21:56:55.923
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\user32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-10 21:42:57.101
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\user32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-10 21:35:49.722
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\user32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-10 21:29:04.562
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\user32.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-08-10 14:49:38.736 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\user32.dll because the set of per-page image hashes could not be found on the system. Date: 2016-08-10 14:29:31.932 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\user32.dll because the set of per-page image hashes could not be found on the system. Date: 2016-08-10 14:12:32.625 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\user32.dll because the set of per-page image hashes could not be found on the system. Date: 2016-08-09 20:46:19.832 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\user32.dll because the set of per-page image hashes could not be found on the system. Date: 2016-08-09 19:11:47.281 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\user32.dll because the set of per-page image hashes could not be found on the system. 
==================== Memory info ===========================

Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz
Percentage of memory in use: 75%
Total physical RAM: 1023.3 MB
Available physical RAM: 254.61 MB
Total Virtual: 6023.3 MB
Available Virtual: 4587.85 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:68.26 GB) (Free:25.09 GB) NTFS
Drive d: (DATA) (Fixed) (Total:80.69 GB) (Free:80.45 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149.1 GB) (Disk ID: 2D6D77B5)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=68.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=80.7 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================
kevinf80 Posted August 10, 2016 ID:1055619 (edited)

Yes, most of the bad entries are back again. Run the FRST fix again as follows:

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. NOTE: It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Fixlist.txt

Edited August 10, 2016 by kevinf80