PUPs Cleaned but Keep Recurring


My PC with Windows 7 x64 is infected with a proxy hijack. I ran Malwarebytes (free) and it found PUPs and quarantined them. All seemed ok until the next day, when the symptoms returned. Ran MB again, all fine again, and it returned again. How do I clean it for good? I'm attaching 2 text files of MB results - after the first scan, and after the latest scan. Appreciate your help. Thanks.

malwarebytes results.txt

second malware results.txt


Hello and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Change the download folder setting in the default Browser so all tools we may use are saved to the Desktop:

Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the Downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Change default download folder location in Edge - Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties"

In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK"

Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location.....

Next,

Follow the instructions in the following link to show hidden files:

http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/

There are three download buttons with different names on them; select the first one and save the file to your desktop.
 
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7/8/10, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
  • If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
  • If the tool does not run from any of the links provided, please let me know.


Next,

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under the Non-Malware Protection sub tab, change the PUP and PUM entries to "Treat detections as Malware".
  • Click on the Scan tab, then click on Scan Now >>. If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:
 
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected you will have to name the file and save it to a place of your choice, recommend "Desktop", then attach it to your reply
    XML file (*.xml) - if selected you will have to name the file and save it to a place of your choice, recommend "Desktop", then attach it to your reply
     
  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log into your reply.



If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish. Follow the instructions above....


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security software alerts on FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach those logs to your reply.


Let me see those logs in your reply...

Thank you,

Kevin...
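Added example for this thread (not part of Kevin's instructions and not code from RKill, Malwarebytes or FRST): a read-only PowerShell triage of the places a recurring proxy hijack re-asserts itself on Windows 7. It lists the per-user WinINET proxy values (ProxyEnable, ProxyServer, AutoConfigURL), the machine-wide WinHTTP proxy, the firewall EnableFirewall flags that RKill checks, the exefile IsolatedCommand values that RKill reset, every Run key, and any scheduled task registered in the last 30 days together with its triggers and command line. Run it once right after a cleanup and again when the symptoms are back, then compare the two outputs: whatever changed between the runs is the persistence to chase. The 30-day window and the output layout are arbitrary choices; the script judges nothing, it only lists.

```powershell
# Added example for this thread: read-only triage of the settings a recurring proxy hijack
# typically re-asserts on Windows 7. Not part of Kevin's instructions and not code from
# RKill, Malwarebytes or FRST. Works under PowerShell 2.0 (no ScheduledTasks module needed).
# Assumptions: $Days is an arbitrary window; nothing is judged here, it is only listed.

$Days      = 30
$Since     = (Get-Date).AddDays(-$Days)
$TasksRoot = Join-Path $env:SystemRoot 'System32\Tasks'

function Section($title) { ""; "== $title ==" }

# HKEY_USERS is not mapped by default; map it so every loaded user hive can be read.
if (-not (Test-Path 'HKU:\')) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$UserHives = Get-ChildItem 'HKU:\' | Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

Section 'Per-user WinINET proxy (IE, Chrome and most PUPs honour this)'
foreach ($hive in $UserHives) {
    $key = "$($hive.PSPath)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        # A non-zero ProxyEnable with an unexpected ProxyServer, or any AutoConfigURL (PAC script),
        # is the footprint a proxy hijack leaves; on a stand-alone home PC all three are normally unset.
        "{0}`n  ProxyEnable={1}  ProxyServer={2}  AutoConfigURL={3}" -f $hive.PSChildName, $p.ProxyEnable, $p.ProxyServer, $p.AutoConfigURL
    }
}

Section 'Machine-wide WinHTTP proxy (used by services and Windows Update)'
netsh winhttp show proxy

Section 'Windows Firewall profiles (RKill flagged EnableFirewall=0 on StandardProfile)'
foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $fw = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profile"
    if (Test-Path $fw) {
        "{0,-16} EnableFirewall={1}" -f $profile, (Get-ItemProperty -Path $fw).EnableFirewall
    }
}

Section 'exefile shell commands (RKill reset IsolatedCommand; the default is "%1" %*)'
foreach ($verb in 'open', 'runas') {
    $p = Get-ItemProperty -Path "HKLM:\Software\Classes\exefile\shell\$verb\command"
    "{0,-6} (Default)={1}  IsolatedCommand={2}" -f $verb, $p.'(default)', $p.IsolatedCommand
}

Section 'Run keys (64-bit view, 32-bit view, and every loaded user hive)'
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
$runKeys += $UserHives | ForEach-Object { "$($_.PSPath)\Software\Microsoft\Windows\CurrentVersion\Run" }
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        $rk = Get-Item $k
        foreach ($name in $rk.GetValueNames()) { "{0}`n  [{1}] = {2}" -f $k, $name, $rk.GetValue($name) }
    }
}

Section "Scheduled tasks registered in the last $Days days (task XML under $TasksRoot)"
Get-ChildItem -Path $TasksRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $file = $_
        # Task definitions are UTF-16 XML; skip anything that does not parse.
        try { $x = [xml](Get-Content -Path $file.FullName -ErrorAction Stop) } catch { return }
        # Prefer the registration date the task carries; fall back to the file's creation time.
        $reg = [datetime]::MinValue
        if ($x.Task.RegistrationInfo.Date) { [void][datetime]::TryParse($x.Task.RegistrationInfo.Date, [ref]$reg) }
        if ($reg -eq [datetime]::MinValue) { $reg = $file.CreationTime }
        if ($reg -lt $Since) { return }
        $rel  = $file.FullName.Substring($TasksRoot.Length)
        # Trigger element names (CalendarTrigger, LogonTrigger, BootTrigger, ...) show how often it fires.
        $trig = @($x.Task.Triggers.ChildNodes | Where-Object { $_.NodeType -eq 'Element' } | ForEach-Object { $_.LocalName }) -join ', '
        $exec = @(@($x.Task.Actions.Exec) | Where-Object { $_ })
        "{0:yyyy-MM-dd HH:mm}  {1}`n  triggers: {2}" -f $reg, $rel, $trig
        if ($exec.Count -eq 0) { "  action:   (no Exec action, e.g. ComHandler)" }
        foreach ($e in $exec) { "  runs:     {0} {1}" -f $e.Command, $e.Arguments }
    }
```

Save it as proxy-triage.ps1 and run it from an elevated prompt with `powershell -ExecutionPolicy Bypass -File .\proxy-triage.ps1 > before.txt`; repeat into after.txt when the proxy is back and compare the two files. Section headers are written to the pipeline rather than with Write-Host so the redirection captures them.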

 


Hi Kevin,

All instructions completed.  Logs RKill, MB, and Farbar (2) are attached and posted below.  Just FYI, "scan for rootkits" was already checked in MB, so the previous results I sent included rootkit scan.  

Although this latest MB scan may indicate no threats present, this proxy hijack infection has been persistent.  Before posting for help on this board, I ran MB 3 times -- each time it found potential threats (and once an actual "backdoor" threat - GPUpd.exe) and quarantined them.  And each time, the infection returned approx. 24 hours later.   

Thank you again for your help!

 

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 08/21/2016 04:34:54 PM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
  * HKLM\Software\Classes\exefile\shell\open\command\\IsolatedCommand was changed. It was reset to "%1" %*!

  * HKLM\Software\Classes\exefile\shell\runas\command\\IsolatedCommand was changed. It was reset to "%1" %*!


Performing miscellaneous checks:

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

Checking Windows Service Integrity: 

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic

 * WinDefend [Missing Service]

Searching for Missing Digital Signatures: 

 * No issues found.

Checking HOSTS File: 

 * No issues found.

Program finished at: 08/21/2016 04:35:43 PM
Execution time: 0 hours(s), 0 minute(s), and 49 seconds(s)
____________________________________________________________

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/21/2016
Scan Time: 4:42 PM
Logfile: MB results 4.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.08.21.08
Rootkit Database: v2016.08.15.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Administrator

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 534269
Time Elapsed: 19 min, 28 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

_____________________________________________

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-08-2016 01
Ran by Administrator (administrator) on AANCWDT055444 (21-08-2016 17:06:28)
Running from C:\Users\Administrator\Desktop
Loaded Profiles: Administrator (Available Profiles: bulldog & Administrator)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Symantec Corporation) C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
(InterVideo Inc.) C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe
(DameWare Development LLC) C:\Windows\dwrcs\DWRCS.EXE
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\NTRTScan.exe
(Protexis Inc.) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(arvato digital services llc) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe
(Symantec Corporation) C:\Program Files\Altiris\Altiris Agent\x86\AeXNSAgentHostSurrogate32.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe
(DameWare Development) C:\Windows\dwrcs\DWRCST.EXE
(Symantec Corporation) C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
(Altiris, Inc.) C:\Program Files\Altiris\Dagent\dagentui.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Specops Software) C:\Windows\System32\SppClient.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTMon.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Altiris, Inc.) C:\Program Files\Altiris\Dagent\dagent.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [DagentUI] => C:\Program Files\Altiris\Dagent\dagentui.exe [847184 2010-03-22] (Altiris, Inc.)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10135584 2011-04-21] (Realtek Semiconductor)
HKLM\...\Run: [Specops Password Client] => C:\Windows\system32\SppClient.exe [896088 2011-06-17] (Specops Software)
HKLM\...\Run: [IntelliPoint] => C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2320752 2009-11-05] (Microsoft Corporation)
HKLM\...\Run: [DameWare MRC Agent] => C:\Windows\dwrcs\DWRCST.exe [295808 2011-02-25] (DameWare Development)
HKLM-x32\...\Run: [SunJavaUpdateSched] => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [OfficeScanNT Monitor] => C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe [1362624 2010-08-12] (Trend Micro Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM-x32\...\Run: [UVS11 Preload] => C:\Program Files (x86)\Ulead Systems\Ulead VideoStudio 11\uvPL.exe [341488 2007-03-03] (InterVideo Digital Technology Corporation)
HKLM-x32\...\Run: [RealTray] => C:\Program Files (x86)\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
HKLM-x32\...\Run: [DXM6Patch_981116] => C:\Windows\p_981116.exe /Q:A
HKLM-x32\...\Run: [LVCOMS] => C:\Windows\system32\LVCOMS.EXE
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-528961038-3273730476-2519966485-500\...\MountPoints2: H - H:\LaunchU3.exe -a
HKU\S-1-5-21-528961038-3273730476-2519966485-500\...\MountPoints2: {4bb57228-c070-11e5-817f-842b2bbd274e} - H:\LG_PC_Programs.exe
HKU\S-1-5-21-528961038-3273730476-2519966485-500\...\MountPoints2: {d27acf04-d845-11e4-819a-842b2bbd274e} - H:\LaunchU3.exe -a
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk [2015-10-14]
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\Users\bulldog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Texter.lnk [2011-05-12]
ShortcutTarget: Texter.lnk -> C:\Program Files (x86)\Texter\texter.exe ()
Startup: C:\Users\Samer.Araabi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2011-04-27]
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 8.8.8.8 8.8.4.4
Tcpip\..\Interfaces\{B952009D-E1FE-48CC-9E43-7F5331A7CE60}: [DhcpNameServer] 8.8.8.8 8.8.4.4

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-528961038-3273730476-2519966485-500\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/
SearchScopes: HKLM-x32 -> DefaultScope {20B9D1AE-AD1A-38B4-87FE-AF278DA9861D} URL = 
SearchScopes: HKU\S-1-5-21-528961038-3273730476-2519966485-500 -> DefaultScope {20B9D1AE-AD1A-38B4-87FE-AF278DA9861D} URL = 
BHO: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitBHO64.dll [2011-03-21] (TechSmith Corporation)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2011-06-12] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll [2011-03-21] (TechSmith Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2011-01-30] (Adobe Systems Incorporated)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2011-06-12] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll [2011-04-20] (Sun Microsystems, Inc.)
Toolbar: HKLM - Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitIEAddin64.dll [2011-03-21] (TechSmith Corporation)
Toolbar: HKLM-x32 - Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll [2011-03-21] (TechSmith Corporation)
Toolbar: HKU\S-1-5-21-528961038-3273730476-2519966485-500 -> No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
Toolbar: HKU\S-1-5-21-528961038-3273730476-2519966485-500 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: HKLM-x32 {00134F72-5284-44F7-95A8-52A619F70751} hxxp://10.130.1.10:8080/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: HKLM-x32 {08D75BB0-D2B5-11D1-88FC-0080C859833B} hxxp://10.130.1.10:8080/officescan/console/html/ClientInstall/setupini.cab
DPF: HKLM-x32 {08D75BC1-D2B5-11D1-88FC-0080C859833B} hxxp://10.130.1.10:8080/officescan/console/html/ClientInstall/setup.cab
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} hxxp://10.130.1.10:8080/officescan/console/html/root/AtxEnc.cab
DPF: HKLM-x32 {5EFE8CB1-D095-11D1-88FC-0080C859833B} hxxp://10.130.1.10:8080/officescan/console/html/ClientInstall/RemoveCtrl.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2012-10-27] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2012-10-27] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2012-10-27] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2012-10-27] (Microsoft Corporation)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gp6mhj0g.default
FF Homepage: www.google.com
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-07-12] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VLC Media Player\npvlc.dll [2015-04-16] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-12] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll [No File]
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll [2011-04-20] (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrl.dll [2011-03-09] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-31] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-31] (Google Inc.)
FF Plugin HKU\S-1-5-21-528961038-3273730476-2519966485-500: @citrixonline.com/appdetectorplugin -> C:\Users\Administrator\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-04-02] (Citrix Online)
FF user.js: detected! => C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gp6mhj0g.default\user.js [2015-04-03]

Chrome: 
=======
CHR Profile: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-05-13]
CHR Extension: (Google Drive) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-28]
CHR Extension: (Google Search) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-28]
CHR Extension: (Google Docs Offline) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-04]
CHR Extension: (Gmail) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-05-13]
CHR Extension: (Chrome Media Router) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-21]
StartMenuInternet: Google Chrome.Frank.Matt - C:\Users\Frank.Matt\AppData\Local\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 AeXAgentSrvHost; C:\Program Files\Altiris\Altiris Agent\x86\AeXNSAgentHostSurrogate32.exe [265048 2011-11-15] (Symantec Corporation)
R2 AeXNSClient; C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe [2107736 2011-11-15] (Symantec Corporation)
R2 Altiris Deployment Agent; C:\Program Files\Altiris\Dagent\dagent.exe [1960784 2010-03-22] (Altiris, Inc.)
S3 AltirisAgentProvider; C:\Program Files\Altiris\Altiris Agent\Agents\WMIProviderAgent\AltirisAgentProvider.exe [408408 2011-11-15] (Symantec Corporation)
R2 Capture Device Service; C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe [198168 2007-03-06] (InterVideo Inc.)
R2 dwmrcs; C:\Windows\dwrcs\DWRCS.EXE [693632 2011-02-25] (DameWare Development LLC)
R2 ntrtscan; C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe [2024896 2010-08-04] (Trend Micro Inc.)
R2 PSI_SVC_2_x64; c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [337776 2013-09-13] (arvato digital services llc)
R2 tmlisten; C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe [2354224 2010-08-04] (Trend Micro Inc.)
R3 TmProxy; C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe [917768 2010-04-24] (Trend Micro Inc.)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 DwMirror; C:\Windows\System32\DRIVERS\DamewareMini.sys [5632 2008-03-14] (DameWare Development, LLC)
R1 dwvkbd; C:\Windows\System32\DRIVERS\dwvkbd64.sys [30720 2007-02-15] (DameWare)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R3 stdriver; C:\Windows\System32\DRIVERS\stdriverx64.sys [34512 2015-04-01] ()
R2 TmFilter; C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmXPFlt.sys [344864 2013-08-14] (Trend Micro Inc.)
R2 TmPreFilter; C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmPreFlt.sys [42272 2013-08-14] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [108048 2010-04-24] (Trend Micro Inc.)
R2 VSApiNt; C:\Program Files (x86)\Trend Micro\OfficeScan Client\VSApiNt.sys [2260768 2013-08-14] (Trend Micro Inc.)
S3 ACPIEC; \SystemRoot\system32\DRIVERS\ACPIEC.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-21 17:06 - 2016-08-21 17:07 - 00016554 _____ C:\Users\Administrator\Desktop\FRST.txt
2016-08-21 17:06 - 2016-08-21 17:06 - 00000000 ____D C:\FRST
2016-08-21 17:04 - 2016-08-21 17:04 - 02396672 _____ (Farbar) C:\Users\Administrator\Desktop\FRST64.exe
2016-08-21 17:02 - 2016-08-21 17:02 - 00001068 _____ C:\Users\Administrator\Desktop\MB results 4.txt
2016-08-21 16:34 - 2016-08-21 16:35 - 00002970 _____ C:\Users\Administrator\Desktop\Rkill.txt
2016-08-21 16:33 - 2016-08-21 16:33 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Administrator\Desktop\rkill.exe
2016-08-20 23:15 - 2016-08-20 23:15 - 00002602 _____ C:\Users\Administrator\Desktop\mb results 3.txt
2016-08-20 17:35 - 2016-08-20 17:35 - 00000789 _____ C:\Users\Administrator\Documents\amethyst.txt
2016-08-20 09:13 - 2016-08-20 09:13 - 00000753 _____ C:\Users\Administrator\Desktop\windefenderfix.txt
2016-08-20 09:02 - 2016-08-20 09:02 - 00000000 ____D C:\Program Files\Microsoft Games
2016-08-20 07:18 - 2016-08-20 07:18 - 04284888 _____ (AVAST Software) C:\Users\Administrator\Downloads\avast-browser-cleanup-sfx.exe
2016-08-20 04:55 - 2016-08-20 04:55 - 00003603 _____ C:\Users\Administrator\Desktop\mb results 2.txt
2016-08-17 22:47 - 2016-08-17 22:50 - 00001228 _____ C:\Users\Administrator\Desktop\proxy hijack removal.txt
2016-08-16 12:04 - 2016-08-16 12:04 - 00000382 _____ C:\Users\Administrator\Documents\computer issues.txt
2016-08-15 22:43 - 2016-08-15 22:47 - 00005539 _____ C:\Users\Administrator\Desktop\mb results 1.txt
2016-08-15 22:00 - 2016-08-15 22:00 - 00003640 _____ C:\Windows\System32\Tasks\Video Security Worker
2016-08-15 04:47 - 2016-08-15 04:47 - 00000678 _____ C:\Users\Administrator\Desktop\recovering docs.txt
2016-08-15 03:42 - 2016-08-15 03:42 - 00000000 ____D C:\Users\Administrator\Desktop\Recovered
2016-08-14 22:06 - 2016-08-14 22:06 - 00000000 ____D C:\AdwCleaner
2016-08-13 12:13 - 2016-08-13 12:13 - 00002387 _____ C:\Users\Administrator\Documents\travel places.txt
2016-08-13 01:52 - 2016-08-13 02:13 - 00000000 ____D C:\Users\Administrator\Downloads\Ching
2016-08-13 01:11 - 2016-08-13 01:11 - 00000000 ____D C:\Program Files\Common Files\Protexis
2016-08-13 01:10 - 2016-08-13 01:10 - 00001008 _____ C:\Users\Public\Desktop\Corel VideoStudio Pro X7.lnk
2016-08-13 01:09 - 2016-08-13 01:10 - 00001008 _____ C:\Users\Public\Desktop\Corel FastFlick X7.lnk
2016-08-13 01:09 - 2016-08-13 01:10 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Corel VideoStudio Pro X7
2016-08-13 01:09 - 2016-08-13 01:09 - 00001003 _____ C:\Users\Public\Desktop\Corel ScreenCap X7.lnk
2016-08-13 01:08 - 2016-08-13 01:08 - 00000000 ____D C:\Program Files\Corel
2016-08-13 00:43 - 2016-08-13 00:43 - 00001550 _____ C:\Users\Administrator\Desktop\ching.txt
2016-08-13 00:20 - 2016-08-13 00:50 - 00000000 ____D C:\Users\Administrator\Downloads\Corel VideoStudio Pro X7 17.1.0.22 (64 bit) (keygen Core) [ChingLiu]
2016-08-13 00:18 - 2016-08-13 00:21 - 00000000 ____D C:\Users\Administrator\AppData\LocalLow\uTorrent
2016-08-13 00:08 - 2016-08-13 01:57 - 00003666 _____ C:\Windows\System32\Tasks\Fenix Defrag
2016-08-13 00:08 - 2016-08-13 01:57 - 00003328 _____ C:\Windows\System32\Tasks\Fenix Defrag Logon
2016-08-13 00:08 - 2016-08-13 00:08 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Fenix Defrag
2016-08-03 00:12 - 2016-08-03 00:12 - 00001164 _____ C:\Users\Administrator\Desktop\Pixillion Image Converter.lnk
2016-08-02 21:53 - 2016-08-02 21:53 - 00024584 _____ C:\Users\Administrator\Documents\OHR Intake sheet.pdf
2016-07-24 02:11 - 2016-07-24 02:11 - 00013414 _____ C:\Users\Administrator\Documents\demlist-events-export-WED.xlsx
2016-07-24 01:08 - 2016-07-24 01:08 - 00013414 _____ C:\Users\Administrator\Documents\Phila demlist-events-export-TUES.xlsx
2016-07-23 23:37 - 2016-07-24 01:17 - 00000921 _____ C:\Users\Administrator\Documents\Phila Megabus.txt

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-21 16:42 - 2015-05-25 02:56 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-08-21 16:41 - 2013-01-18 15:55 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-21 16:27 - 2011-04-25 13:10 - 00000936 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4112827930-3471903450-4288694748-205915UA.job
2016-08-21 16:22 - 2011-09-02 15:39 - 00000928 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4112827930-3471903450-4288694748-225270UA.job
2016-08-21 16:18 - 2012-06-07 11:05 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-08-21 09:28 - 2011-04-25 13:10 - 00000884 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4112827930-3471903450-4288694748-205915Core.job
2016-08-21 09:22 - 2011-09-02 15:39 - 00000876 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4112827930-3471903450-4288694748-225270Core.job
2016-08-21 02:18 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\rescache
2016-08-21 01:41 - 2013-01-18 15:55 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-21 01:12 - 2015-04-17 20:50 - 00000000 ____D C:\Users\Administrator\Desktop\Sale Items
2016-08-20 23:39 - 2009-07-14 00:45 - 00013664 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-08-20 23:39 - 2009-07-14 00:45 - 00013664 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-08-20 23:32 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-08-20 23:16 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\PLA
2016-08-20 22:12 - 2015-10-17 00:37 - 00000000 ____D C:\Users\Administrator\from Dell machine
2016-08-20 20:23 - 2015-09-14 12:26 - 00004464 _____ C:\Users\Administrator\Desktop\short LIST.txt
2016-08-20 19:32 - 2015-11-19 03:50 - 04194365 _____ C:\Windows\pfirewall.log.old
2016-08-20 17:03 - 2016-05-27 02:09 - 00000147 _____ C:\Users\Administrator\Desktop\blended iced coffee.txt
2016-08-20 09:02 - 2009-07-14 01:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2016-08-20 07:46 - 2013-01-18 15:56 - 00002279 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-08-20 04:56 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system
2016-08-19 22:07 - 2015-04-10 17:58 - 00000000 ____D C:\Users\Administrator\AppData\Local\CrashDumps
2016-08-19 02:58 - 2015-04-01 03:46 - 00000000 ____D C:\Users\Administrator
2016-08-18 14:26 - 2015-04-23 06:37 - 00000000 ____D C:\Users\Administrator\Desktop\Pics
2016-08-17 23:15 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\Web
2016-08-17 22:51 - 2015-05-25 02:56 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-08-17 06:50 - 2015-12-18 23:54 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\vlc
2016-08-16 00:39 - 2016-07-20 22:06 - 00000496 _____ C:\Users\Administrator\Documents\patrick visit wishlist.txt
2016-08-15 22:12 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\NDF
2016-08-15 04:12 - 2015-11-17 21:39 -
00000000 ____D C:\Program Files\Recuva
2016-08-14 23:04 - 2015-04-01 03:53 -
00000000 ____D C:\Users\Administrator
\AppData\Local\ElevatedDiagnostics
2016-08-14 00:50 - 2015-04-02 22:13 -
00000000 ____D C:\Users\Administrator
\Documents\Corel VideoStudio Pro
2016-08-13 05:17 - 2015-11-14 16:12 -
00007611 _____ C:\Users\Administrator
\AppData\Local\Resmon.ResmonCfg
2016-08-13 02:25 - 2009-07-14 00:45 -
00437744 _____ C:\Windows
\system32\FNTCACHE.DAT
2016-08-13 02:24 - 2012-07-11 00:02 -
00000000 ____D C:\ProgramData\Norton
2016-08-13 01:30 - 2009-07-14 01:13 -
00746116 _____ C:\Windows
\system32\PerfStringBackup.INI
2016-08-13 01:30 - 2009-07-13 23:20 -
00000000 ____D C:\Windows\inf
2016-08-13 01:24 - 2011-04-21 13:25 -
00121848 _____ C:\Users\bulldog\AppData
\Local\GDIPFONTCACHEV1.DAT
2016-08-13 01:15 - 2015-04-02 22:12 -
00000000 ____D C:\ProgramData\Protexis64
2016-08-13 01:12 - 2015-04-02 21:44 -
00000000 ____D C:\Program Files (x86)\Corel
2016-08-13 01:06 - 2015-04-02 21:49 -
00000000 ____D C:\ProgramData\Package
Cache
2016-08-13 00:17 - 2015-05-25 02:44 -
02370560 _____ (BitTorrent Inc.) C:\Users
\Administrator\Downloads\uTorrent.exe
2016-08-12 23:56 - 2015-04-02 22:12 -
00000000 ____D C:\Users\Administrator
\AppData\Roaming\Ulead Systems
2016-08-05 13:02 - 2015-08-14 12:27 -
00000000 ____D C:\Users\Administrator
\AppData\Roaming\Skype
2016-08-05 02:28 - 2015-08-24 02:14 -
00000000 ____D C:\Users\Administrator
\Documents\OWL
2016-08-04 16:49 - 2015-10-16 21:33 -
00236568 _____ C:\Windows
\RegBootClean64.exe
2016-08-04 16:49 - 2015-10-16 21:33 -
00181272 _____ C:\Windows\RegBootClean.exe
2016-08-04 00:27 - 2013-01-18 15:56 -
00002195 _____ C:\ProgramData\Microsoft
\Windows\Start Menu\Programs\Google
Chrome.lnk
2016-07-31 18:55 - 2016-04-07 18:28 -
00001279 _____ C:\Users\Administrator
\Documents\dc eats and drinks.txt
2016-07-31 01:36 - 2013-01-18 15:55 -
00003894 _____ C:\Windows\System32\Tasks
\GoogleUpdateTaskMachineUA
2016-07-31 01:36 - 2013-01-18 15:55 -
00003642 _____ C:\Windows\System32\Tasks
\GoogleUpdateTaskMachineCore
2016-07-25 18:54 - 2011-04-21 14:07 -
00000000 ____D C:\ProgramData\Roxio

==================== Files in the root of some directories =======

2016-05-10 20:48 - 2016-05-10 21:06 - 0000096 _____ () C:\Users\Administrator\AppData\Roaming\Camdata.ini
2016-05-10 20:48 - 2016-05-10 21:06 - 0000408 _____ () C:\Users\Administrator\AppData\Roaming\CamLayout.ini
2016-05-10 20:48 - 2016-05-10 21:06 - 0000408 _____ () C:\Users\Administrator\AppData\Roaming\CamShapes.ini
2016-05-10 20:48 - 2016-05-10 21:06 - 0004533 _____ () C:\Users\Administrator\AppData\Roaming\CamStudio.cfg
2015-04-01 13:40 - 2015-04-01 13:40 - 0001181 _____ () C:\Users\Administrator\AppData\Roaming\trace_FilterInstaller.txt
2015-04-01 13:40 - 2015-04-01 13:40 - 0000000 _____ () C:\Users\Administrator\AppData\Roaming\trace_FilterInstaller.txt-CRT.txt
2016-05-10 20:48 - 2016-05-10 21:06 - 0000096 _____ () C:\Users\Administrator\AppData\Roaming\version2.xml
2015-11-14 16:12 - 2016-08-13 05:17 - 0007611 _____ () C:\Users\Administrator\AppData\Local\Resmon.ResmonCfg
2011-07-29 16:10 - 2011-08-08 09:02 - 0010096 ___SH () C:\ProgramData\m6p4mymi84m4o2bye78412pgnvg08161tos3w65qq3f

Some files in TEMP:
====================
C:\Users\Administrator\AppData\Local\Temp\GPUpd57B91FC60.exe
C:\Users\Administrator\AppData\Local\Temp\libeay32.dll
C:\Users\Administrator\AppData\Local\Temp\msvcr120.dll
C:\Users\Administrator\AppData\Local\Temp\sqlite3.dll
C:\Users\Omar.Tewfik\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe
C:\Users\Omar.Tewfik\AppData\Local\Temp\Setup.exe
C:\Users\Samer.Araabi\AppData\Local\Temp\esri32.exe
C:\Users\Samer.Araabi\AppData\Local\Temp\LMUTIL.EXE


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-08-16 02:32

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 21-08-2016 01
Ran by Administrator (21-08-2016 17:07:21)
Running from C:\Users\Administrator\Desktop
Windows 7 Professional Service Pack 1 (X64) (2011-04-22 18:59:34)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

AANAdmin (S-1-5-21-528961038-3273730476-2519966485-1004 - Administrator - Enabled)
Administrator (S-1-5-21-528961038-3273730476-2519966485-500 - Administrator - Enabled) => C:\Users\Administrator
bulldog (S-1-5-21-528961038-3273730476-2519966485-1001 - Administrator - Enabled) => C:\Users\bulldog
Guest (S-1-5-21-528961038-3273730476-2519966485-501 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Trend Micro OfficeScan Antivirus (Enabled - Up to date) {68F968AC-2AA0-091D-848C-803E83E35902}
AS: Trend Micro OfficeScan Anti-spyware (Enabled - Up to date) {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 15.12 (x64) (HKLM\...\7-Zip) (Version: 15.12 - Igor Pavlov)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.6.0.19140 - Adobe Systems Incorporated)
Adobe Flash Player 22 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 22.0.0.210 - Adobe Systems Incorporated)
Adobe Flash Player 22 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 22.0.0.209 - Adobe Systems Incorporated)
Adobe Photoshop 7.0 (HKLM-x32\...\Adobe Photoshop 7.0) (Version: 7.0 - Adobe Systems, Inc.)
Adobe Reader X (10.0.1) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA0000000001}) (Version: 10.0.1 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.5 (HKLM-x32\...\Adobe Shockwave Player) (Version: 11.5.9.620 - Adobe Systems, Inc.)
Altiris Agent Install Service (x32 Version: 7.0.0.1 - Altiris Inc.) Hidden
Altiris Deployment Agent (HKLM\...\{6C8D5E56-CA12-42B2-9075-044B4C7067A9}) (Version: 1.0.0 - Altiris)
Altiris Inventory Agent (x32 Version: 7.1.7580.0 - Altiris Inc.) Hidden
Amazon Kindle (HKLM-x32\...\Amazon Kindle) (Version:  - Amazon)
Amped Wireless USB Wireless-N Driver (HKLM-x32\...\{B20F9D1C-A0A5-4cd8-8306-DE95842311B1}) (Version: 1.00.0149 - Amped Wireless.)
Any Video Converter 5.7.9 (HKLM-x32\...\Any Video Converter_is1) (Version:  - Any-Video-Converter.com)
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Audacity 2.1.2 (HKLM-x32\...\Audacity®_is1) (Version: 2.1.2 - Audacity Team)
CamStudio Lossless Codec v1.5 (HKLM-x32\...\camcodec) (Version: 1.5 - CamStudio)
CCleaner (HKLM\...\CCleaner) (Version: 3.03 - Piriform)
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{51C7AD07-C3F6-4635-8E8A-231306D810FE}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}) (Version: 1.1.6 - Cisco Systems, Inc.)
Citrix Online Launcher (HKLM-x32\...\{1EFF9E6C-76E1-43F9-81FB-BC8C037B0902}) (Version: 1.0.258 - Citrix)
Common (x32 Version: 14.1.0.150 - Corel Corporation) Hidden
Contents (x32 Version: 14.1.0.150 - Corel Corporation) Hidden
Contents64 (Version: 17.0.0.249 - Corel Corporation) Hidden
Corel VideoStudio Pro X4 (HKLM-x32\...\_{AA902C31-B49D-4608-BCCF-2519EB77722D}) (Version: 14.1.0.150 - Corel Corporation)
Corel VideoStudio Pro X7 (HKLM-x32\...\_{77B3BEA9-835C-4DDF-BCE7-1510271E4E37}) (Version: 17.1.0.22 - Corel Corporation)
DeviceIO (x32 Version: 14.1.0.150 - Corel Corporation) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 52.0.2743.116 - Google Inc.)
Google Update Helper (x32 Version: 1.3.21.123 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.31.5 - Google Inc.) Hidden
Haali Media Splitter (HKLM-x32\...\HaaliMkx) (Version:  - )
ICA (x32 Version: 14.1.0.150 - Corel Corporation) Hidden
ICA (x32 Version: 17.0.0.249 - Corel Corporation) Hidden
InterVideo DeviceService (HKLM-x32\...\{521AAD14-5030-44BB-8B0E-5CE65FCE57E0}) (Version: 1.0.0 - InterVideo)
IPM_VS_Pro (x32 Version: 13.0 - Corel Corporation) Hidden
IPM_VS_Pro64 (Version: 17.0 - Corel Corporation) Hidden
ISCOM (x32 Version: 14.1.0.150 - Corel Corporation) Hidden
Java(TM) 6 Update 24 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216024FF}) (Version: 6.0.240 - Oracle)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft IntelliPoint 7.1 (HKLM\...\{5EBE0F1F-45DF-4298-AC6B-E8E54EAEC834}) (Version: 7.10.344.0 - Microsoft)
Microsoft Office Professional Edition 2003 (HKLM-x32\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.5614.0 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.0.60310.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
mindSHIFT Support Portal (HKLM-x32\...\{03DFEB86-43F2-47F9-91C4-71B7FD3E6EEE}) (Version: 1.0 - Default Manufacturer)
Mozilla Firefox 14.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 14.0.1 (x86 en-US)) (Version: 14.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 38.2.0 - Mozilla)
Mozilla Thunderbird 38.2.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 38.2.0 (x86 en-US)) (Version: 38.2.0 - Mozilla)
Pixillion Image Converter (HKLM-x32\...\Pixillion) (Version: 3.04 - NCH Software)
PureHD (x32 Version: 14.1.0.150 - Corel Corporation) Hidden
QuickTime 7 (HKLM-x32\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6077 - Realtek Semiconductor Corp.)
RecordPad Sound Recorder (HKLM-x32\...\Recordpad) (Version: 5.28 - NCH Software)
Recuva (HKLM\...\Recuva) (Version: 1.52 - Piriform)
Roxio Creator DE 10.3 (HKLM-x32\...\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}) (Version: 10.3 - Roxio)
Samsung Digital Camera (HKLM-x32\...\{8B79684C-6DAC-438C-8F30-10DF65C2068F}) (Version:  - )
Samsung Master (HKLM-x32\...\{AEC0CEBC-0FC7-4716-8222-1C4A742719B1}) (Version: 1.0.43 - Samsung)
Setup (x32 Version: 14.1.0.150 - Corel Corporation) Hidden
Setup (x32 Version: 17.0.0.249 - Corel Corporation) Hidden
Shadow Copy Client (HKLM-x32\...\{23E5032B-56CA-4C19-A72E-B50161DB82CA}) (Version: 5.2.01 - Microsoft)
Share (x32 Version: 14.1.0.150 - Corel Corporation) Hidden
Share64 (Version: 14.1.0.150 - Corel Corporation) Hidden
Share64 (Version: 17.0.0.249 - Corel Corporation) Hidden
Skype™ 6.21 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.21.104 - Skype Technologies S.A.)
SmartSound Common Data (HKLM-x32\...\InstallShield_{B8A2869E-30CA-40C5-9CF8-BD7354E57EF8}) (Version: 1.1.0 - SmartSound Software Inc.)
SmartSound Common Data (x32 Version: 1.1.0 - SmartSound Software Inc.) Hidden
SmartSound Quicktracks 5 (HKLM-x32\...\InstallShield_{2F8BA3FD-1FA9-4279-B696-712ABB12F09F}) (Version: 5.1.6 - SmartSound Software Inc.)
SmartSound Quicktracks 5 (x32 Version: 5.1.6 - SmartSound Software Inc.) Hidden
SmartSound Quicktracks Plugin (HKLM-x32\...\InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}) (Version: 3.0.5.0 - SmartSound Software Inc)
SmartSound Quicktracks Plugin (x32 Version: 3.0.5.0 - SmartSound Software Inc) Hidden
Snagit 10.0.1 (HKLM-x32\...\{22FC7536-BE5C-4E88-8069-C24689D34EC5}) (Version: 10.0.1 - TechSmith Corporation)
Software Management Solution Plugin (Version: 7.1.7580.0 - Altiris Inc.) Hidden
SoundTap Streaming Audio Recorder (HKLM-x32\...\SoundTap) (Version: 2.31 - NCH Software)
Specops Password Client (x64) (HKLM\...\{73563738-6080-4193-9CCD-C670631590CB}) (Version: 4.5.10617.1 - Specops Software)
Spotify (HKLM-x32\...\Spotify) (Version: 0.3.23 - )
Switch Sound File Converter (HKLM-x32\...\Switch) (Version:  - NCH Software)
Trend Micro OfficeScan Client (HKLM-x32\...\OfficeScanNT) (Version: 10.5 - Trend Micro)
Ulead VideoStudio 11 (HKLM-x32\...\InstallShield_{F99F9E24-EE2F-47FD-AEB0-FDB82859B5C9}) (Version: 11.0.0.0000 - InterVideo Digital Technology Corporation)
Universal Imaging Utility - Live Version (HKLM\...\UIU) (Version: 4.6.2.0 - )
VideoStudio (x32 Version: 11.0.0.0000 - InterVideo Digital Technology Corporation) Hidden
VIO (x32 Version: 14.1.0.150 - Corel Corporation) Hidden
VLC media player (HKLM\...\VLC media player) (Version: 2.2.1 - VideoLAN)
VSClassic (x32 Version: 14.1.0.150 - Corel Corporation) Hidden
VSClassic64 (Version: 17.0.0.249 - Corel Corporation) Hidden
VSPro (x32 Version: 14.1.0.150 - Corel Corporation) Hidden
VSPro64 (Version: 17.0.0.249 - Corel Corporation) Hidden
WavePad Sound Editor (HKLM-x32\...\WavePad) (Version: 6.11 - NCH Software)
Windows Media Encoder 9 Series (HKLM-x32\...\Windows Media Encoder 9) (Version:  - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {00BE26F3-6B83-4A5A-B026-286A7F93451A} - System32\Tasks\{A4654520-26B4-45CF-93A0-676F46B09BAF} => C:\Program Files (x86)\Corel\Corel VideoStudio Pro X4\vstudio.exe [2011-09-20] (Corel TW Corp.)
Task: {068BBC38-7258-4BC4-BAD9-B28C4C50EBDD} - System32\Tasks\Microsoft_Hardware_Launch_IPoint_exe => C:\Program Files\Microsoft IntelliPoint\IPoint.exe [2009-11-05] (Microsoft Corporation)
Task: {1961DA68-8D17-407D-8D14-F845B46526FC} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {19665A47-DC49-4B7D-B43A-DE962A82453B} - System32\Tasks\{3873A303-6A13-4CE0-A8B5-1624505A7931} => C:\Program Files (x86)\Corel\Corel VideoStudio Pro X4\vstudio.exe [2011-09-20] (Corel TW Corp.)
Task: {2B9DED8D-CB60-49C4-B639-29C22BF9D89E} - System32\Tasks\{60EFD348-3090-48CB-A2A1-1AF0B99302F4} => C:\Program Files (x86)\Corel\Corel VideoStudio Pro X4\vstudio.exe [2011-09-20] (Corel TW Corp.)
Task: {2DC5F47B-F6A6-46A9-BBB0-33720DE8AC95} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {33BBA5CC-A562-4082-8D40-9C0430BD6677} - System32\Tasks\{3D4026FD-8452-4A63-835B-C68D9AD5AC2C} => C:\Program Files (x86)\Corel\Corel VideoStudio Pro X4\vstudio.exe [2011-09-20] (Corel TW Corp.)
Task: {38A57134-0426-4DC4-8122-08A7931B0453} - System32\Tasks\Fenix Defrag => C:\Users\Administrator\AppData\Roaming\Fenix Defrag\Fenix Defrag.exe [2016-08-13] () <==== ATTENTION
Task: {43E8D8D0-9E77-418E-8C7B-C2BBCA53C071} - System32\Tasks\{834FEC6C-0F61-4F7E-B907-2E7B59F305CF} => C:\Program Files (x86)\Corel\Corel VideoStudio Pro X4\vstudio.exe [2011-09-20] (Corel TW Corp.)
Task: {468BEC49-DDB5-4D43-BB26-A34215938A93} - System32\Tasks\{5DE19C1B-FCDD-41CE-AB44-D1AAFBE665AF} => C:\Program Files (x86)\Corel\Corel VideoStudio Pro X4\vstudio.exe [2011-09-20] (Corel TW Corp.)
Task: {5041EF68-5755-46D2-8C86-400961255289} - System32\Tasks\{BA19D7D0-8DAA-465E-9286-02A1401C7F79} => C:\Program Files (x86)\Corel\Corel VideoStudio Pro X4\vstudio.exe [2011-09-20] (Corel TW Corp.)
Task: {65D95EBD-569D-49FF-BF01-81826C82A64F} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4112827930-3471903450-4288694748-205915Core => C:\Users\Samer.Araabi\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-25] (Google Inc.)
Task: {68514646-CFBB-4E8E-9F80-594399F2EA04} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-07-14] (Adobe Systems Incorporated)
Task: {6BFA02AA-002F-476A-9301-4FB20D400519} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4112827930-3471903450-4288694748-225270UA => C:\Users\Frank.Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-02] (Google Inc.)
Task: {8F087095-D0DC-4ED4-B2E4-F63D7F7F13D9} - System32\Tasks\{E6211ECA-8074-4E1B-8656-D79603A7F365} => C:\Program Files (x86)\Corel\Corel VideoStudio Pro X4\vstudio.exe [2011-09-20] (Corel TW Corp.)
Task: {99FA02E8-E25B-4251-A0BE-9070BE4A5354} - System32\Tasks\{11173EEB-E6FB-4677-8E0D-70AF3AC905D7} => C:\Program Files (x86)\Corel\Corel VideoStudio Pro X4\vstudio.exe [2011-09-20] (Corel TW Corp.)
Task: {A2EF5B12-7EC3-47BB-BF63-5F54C5B720CC} - System32\Tasks\{B661D4B1-A1D6-4E28-940D-806FAF0C64A3} => C:\Program Files (x86)\Corel\Corel VideoStudio Pro X4\vstudio.exe [2011-09-20] (Corel TW Corp.)
Task: {AFC81002-A8B2-4075-8795-4C0810EB4D64} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4112827930-3471903450-4288694748-225270Core => C:\Users\Frank.Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-02] (Google Inc.)
Task: {E1A5EC2D-13B5-4A6A-8720-FE1E6E9456E4} - System32\Tasks\Fenix Defrag Logon => C:\Users\Administrator\AppData\Roaming\Fenix Defrag\Fenix Defrag.exe [2016-08-13] ()
Task: {E293361D-A1DA-455A-B326-57987E05E524} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4112827930-3471903450-4288694748-205915UA => C:\Users\Samer.Araabi\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-25] (Google Inc.)
Task: {F484E229-4591-4E58-BAB4-A935EC277006} - System32\Tasks\Video Security Worker => C:\Program Files (x86)\Video Security\VideoSecurity.exe

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4112827930-3471903450-4288694748-205915Core.job => C:\Users\Samer.Araabi\AppData\Local\Google\Update\GoogleUpdate.exe/c Samer.Ara
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4112827930-3471903450-4288694748-205915UA.job => C:\Users\Samer.Araabi\AppData\Local\Google\Update\GoogleUpdate.exe/ua /installsource scheduler Samer.Ara
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4112827930-3471903450-4288694748-225270Core.job => C:\Users\Frank.Matt\AppData\Local\Google\Update\GoogleUpdate.exe/c Frank.Mat
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4112827930-3471903450-4288694748-225270UA.job => C:\Users\Frank.Matt\AppData\Local\Google\Update\GoogleUpdate.exe/ua /installsource scheduler Frank.Mat

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Users\Administrator\Favorites\NCH Audio and Telephony Software.lnk -> hxxp://www.nch.com.au/index.html
Shortcut: C:\Users\Administrator\Favorites\NCH Software Download Site.lnk -> hxxp://www.nchsoftware.com/index.html
Shortcut: C:\Users\Administrator\Documents\EMACHINE\Favorites\NCH Audio and Telephony Software Page.lnk -> hxxp://www.nch.com.au/index.html
Shortcut: C:\Users\Administrator\Documents\EMACHINE\Favorites\NCH Audio and Telephony Software.lnk -> hxxp://www.nch.com.au/index.html
Shortcut: C:\Users\Administrator\Documents\EMACHINE\Favorites\NCH Software Download Page.lnk -> hxxp://www.nchsoftware.com/index.html

ShortcutWithArgument: C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Program Files (x86)\Google\Chrome\Application\c26405a647e889ae26aeb4341bea97f1_2"
ShortcutWithArgument: C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Program Files (x86)\Google\Chrome\Application\c26405a647e889ae26aeb4341bea97f1_2"
ShortcutWithArgument: C:\Users\Public\Desktop\VideoStudio Learning.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> www.studiobacklot.tv/videostudio

==================== Loaded Modules (Whitelisted) ==============

2007-05-16 11:42 - 2007-05-16 11:42 - 00089088 _____ () C:\Program Files (x86)\Trend Micro\OfficeScan Client\zlibwapi.dll
2011-03-15 07:19 - 2011-03-15 07:19 - 04254560 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-03-24 21:38 - 2010-03-24 21:38 - 08794976 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2011-03-15 07:13 - 2011-03-15 07:13 - 04254560 _____ () C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-03-24 21:17 - 2010-03-24 21:17 - 08794464 _____ () C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2016-08-04 00:27 - 2016-08-02 20:24 - 01771336 _____ () C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\libglesv2.dll
2016-08-04 00:27 - 2016-08-02 20:23 - 00094024 _____ () C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\libegl.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2016-08-20 23:28 - 2016-08-20 23:28 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-528961038-3273730476-2519966485-500\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 8.8.8.8 - 8.8.4.4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snagit 10.lnk => C:\Windows\pss\Snagit 10.lnk.CommonStartup
MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
MSCONFIG\startupreg: DameWare MRC Agent => C:\Windows\dwrcs\DWRCST.exe

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{9D9BF7CE-96F3-4BC3-BF7A-FEE2C92814B6}] => (Allow) C:\Program Files (x86)\Spotify\spotify.exe
FirewallRules: [{1181673C-3C0D-4A3B-A066-A2DD19AEB2DD}] => (Allow) C:\Program Files (x86)\Spotify\spotify.exe
FirewallRules: [{413E3B2C-AD0A-4FCD-92C9-44A41C1D710B}] => (Allow) C:\Users\Omar.Tewfik\AppData\Roaming\Spotify\spotify.exe
FirewallRules: [{BCA1D0E8-6AA0-46C5-AAEE-76989DBF3554}] => (Allow) C:\Users\Omar.Tewfik\AppData\Roaming\Spotify\spotify.exe
FirewallRules: [{F53F78C6-776D-4CD6-94BD-A7E47A9F010A}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe
FirewallRules: [{9886049A-B487-4502-8A1E-B9587ACF2AF8}] => (Allow) C:\Users\Administrator\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{EC44404A-C025-47E3-B733-2DA8C1076180}] => (Allow) C:\Users\Administrator\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{544DAA97-29E0-42DD-8672-843E653FBF8B}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{5073953A-30C9-41B3-A4ED-70705BC06D2B}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{694F5BD5-7BCB-4FC0-8C42-C14F985C2C56}] => (Block) C:\ProgramFiles\Corel\Corel VideoStudio Pro X7\vstudio.exe
FirewallRules: [{8E9A983D-CBB7-4012-8BF0-8A63C6B53B04}] => (Block) %ProgramFiles%\Corel\Corel VideoStudio Pro X7\vstudio.exe
FirewallRules: [{4CDFA5B2-A874-4152-8CE9-02C4B3F0C62F}] => (Allow) C:\Windows\dwrcs\DWRCS.EXE
FirewallRules: [{2F114138-4682-4888-9876-6C8826D35705}] => (Allow) LPort=12345

==================== Restore Points =========================

19-08-2016 03:25:45 Scheduled Checkpoint
20-08-2016 09:01:59 Windows Modules Installer

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (08/19/2016 10:05:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: GPUpd57B7B9940.exe, version: 9.2.7.3, time stamp: 0x57b721fc
Faulting module name: GPUpd57B7B9940.exe, version: 9.2.7.3, time stamp: 0x57b721fc
Exception code: 0xc0000417
Fault offset: 0x0004b30a
Faulting process id: 0xcb0
Faulting application start time: 0xGPUpd57B7B9940.exe0
Faulting application path: GPUpd57B7B9940.exe1
Faulting module path: GPUpd57B7B9940.exe2
Report Id: GPUpd57B7B9940.exe3

Error: (08/17/2016 03:42:26 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vstudio.exe, version: 17.1.0.22, time stamp: 0x538721fe
Faulting module name: H264VDec.dll, version: 5.4.0.4, time stamp: 0x5268ada6
Exception code: 0xc0000005
Fault offset: 0x00000000000fce4e
Faulting process id: 0x16f0
Faulting application start time: 0xvstudio.exe0
Faulting application path: vstudio.exe1
Faulting module path: vstudio.exe2
Report Id: vstudio.exe3

Error: (08/15/2016 10:00:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: GPUpd57B273950.exe, version: 5.4.3.0, time stamp: 0x57b1d041
Faulting module name: GPUpd57B273950.exe, version: 5.4.3.0, time stamp: 0x57b1d041
Exception code: 0xc0000417
Fault offset: 0x00041991
Faulting process id: 0x1410
Faulting application start time: 0xGPUpd57B273950.exe0
Faulting application path: GPUpd57B273950.exe1
Faulting module path: GPUpd57B273950.exe2
Report Id: GPUpd57B273950.exe3

Error: (08/15/2016 07:44:22 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vstudio.exe, version: 17.1.0.22, time stamp: 0x538721fe
Faulting module name: EVR.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c6a7
Exception code: 0xc0000005
Fault offset: 0x0000000000050aaf
Faulting process id: 0x1188
Faulting application start time: 0xvstudio.exe0
Faulting application path: vstudio.exe1
Faulting module path: vstudio.exe2
Report Id: vstudio.exe3

Error: (08/15/2016 03:40:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vstudio.exe, version: 17.1.0.22, time stamp: 0x538721fe
Faulting module name: vstudio.exe, version: 17.1.0.22, time stamp: 0x538721fe
Exception code: 0xc000041d
Fault offset: 0x00000000001ab177
Faulting process id: 0x1048
Faulting application start time: 0xvstudio.exe0
Faulting application path: vstudio.exe1
Faulting module path: vstudio.exe2
Report Id: vstudio.exe3

Error: (08/15/2016 03:39:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vstudio.exe, version: 17.1.0.22, time stamp: 0x538721fe
Faulting module name: vstudio.exe, version: 17.1.0.22, time stamp: 0x538721fe
Exception code: 0xc0000005
Fault offset: 0x00000000001ab177
Faulting process id: 0x1048
Faulting application start time: 0xvstudio.exe0
Faulting application path: vstudio.exe1
Faulting module path: vstudio.exe2
Report Id: vstudio.exe3

Error: (08/15/2016 12:46:50 AM) (Source:
dwmrcs) (EventID: 110) (User: )
Description: Error: 
DameWare Mini Remote Control
No Link-Local or Site-Local Cloud Available
(Local).

System Error: 0
System Message: The operation completed
successfully.

 (srv 64 bit)

Error: (08/14/2016 10:17:31 PM) (Source:
dwmrcs) (EventID: 110) (User: )
Description: Error: 
DameWare Mini Remote Control
No Link-Local or Site-Local Cloud Available
(Local).

System Error: 0
System Message: The operation completed
successfully.

 (srv 64 bit)

Error: (08/13/2016 08:26:41 PM) (Source:
dwmrcs) (EventID: 110) (User: )
Description: Error: 
DameWare Mini Remote Control
Error setsockopt (IP_DROP_MEMBERSHIP)

System Error: 10049
System Message: The requested address is not
valid in its context.

 (srv 64 bit)

Error: (08/13/2016 06:41:22 PM) (Source:
dwmrcs) (EventID: 110) (User: )
Description: Error: 
DameWare Mini Remote Control
Error setsockopt (IP_ADD_MEMBERSHIP)

System Error: 10065
System Message: A socket operation was
attempted to an unreachable host.

 (srv 64 bit)


System errors:
=============
Error: (08/21/2016 04:40:10 PM) (Source:
Microsoft-Windows-DNS-Client) (EventID: 1012)
(User: NT AUTHORITY)
Description: There was an error while attempting
to read the local hosts file.

Error: (08/21/2016 04:40:08 PM) (Source:
Microsoft-Windows-DNS-Client) (EventID: 1012)
(User: NT AUTHORITY)
Description: There was an error while attempting
to read the local hosts file.

Error: (08/21/2016 04:40:06 PM) (Source:
Microsoft-Windows-DNS-Client) (EventID: 1012)
(User: NT AUTHORITY)
Description: There was an error while attempting
to read the local hosts file.

Error: (08/21/2016 04:39:11 PM) (Source:
Microsoft-Windows-DNS-Client) (EventID: 1012)
(User: NT AUTHORITY)
Description: There was an error while attempting
to read the local hosts file.

Error: (08/21/2016 04:22:21 PM) (Source:
Microsoft-Windows-DNS-Client) (EventID: 1012)
(User: NT AUTHORITY)
Description: There was an error while attempting
to read the local hosts file.

Error: (08/21/2016 04:22:19 PM) (Source:
Microsoft-Windows-DNS-Client) (EventID: 1012)
(User: NT AUTHORITY)
Description: There was an error while attempting
to read the local hosts file.

Error: (08/21/2016 04:22:18 PM) (Source:
Microsoft-Windows-DNS-Client) (EventID: 1012)
(User: NT AUTHORITY)
Description: There was an error while attempting
to read the local hosts file.

Error: (08/21/2016 04:12:00 PM) (Source:
Microsoft-Windows-DNS-Client) (EventID: 1012)
(User: NT AUTHORITY)
Description: There was an error while attempting
to read the local hosts file.

Error: (08/21/2016 04:04:04 PM) (Source:
Microsoft-Windows-DNS-Client) (EventID: 1012)
(User: NT AUTHORITY)
Description: There was an error while attempting
to read the local hosts file.

Error: (08/21/2016 03:34:08 PM) (Source:
Microsoft-Windows-DNS-Client) (EventID: 1012)
(User: NT AUTHORITY)
Description: There was an error while attempting
to read the local hosts file.


==================== Memory info
=========================== 

Processor: Intel(R) Core(TM) i3 CPU 550 @
3.20GHz
Percentage of memory in use: 43%
Total physical RAM: 3895.12 MB
Available physical RAM: 2199.4 MB
Total Virtual: 7788.43 MB
Available Virtual: 6137.96 MB

==================== Drives
================================

Drive c: () (Fixed) (Total:931.38 GB) (Free:822.9
GB) NTFS

==================== MBR & Partition Table
==================

======================================
==================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5
GB) (Disk ID: 05B5A934)
Partition 1: (Not Active) - (Size=39 MB) -
(Type=DE)
Partition 2: (Active) - (Size=100 MB) - (Type=07
NTFS)
Partition 3: (Not Active) - (Size=931.4 GB) -
(Type=07 NTFS)

==================== End of Addition.txt
============================

 

 

FRST.txt

Addition.txt

MB results 4.txt

Rkill.txt

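Added example (editor's illustration, not code from the thread, from FRST or from Malwarebytes): a small Python triage script for the two sections of an FRST Addition.txt that matter most in a proxy-hijack case, the FirewallRules lines and the event-log errors. It flags an Allow rule that is keyed to a port rather than a program (the log above has one for LPort=12345), counts the DNS-Client EventID 1012 entries, which the log's own description explains as the resolver failing to read the local hosts file, and tallies Application Error 1000 crashes per executable. The line shapes assumed are the ones shown in the log above; the excerpt it runs over is constructed from those lines and embedded in the script, and the threshold of three hosts-file errors is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed excerpt in the shape of FRST's Addition.txt sections quoted in
# the thread (a few FirewallRules lines and event-log entries), not the full log.
SAMPLE_ADDITION = """\
FirewallRules: [{5073953A-30C9-41B3-A4ED-70705BC06D2B}] => (Allow) C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe
FirewallRules: [{4CDFA5B2-A874-4152-8CE9-02C4B3F0C62F}] => (Allow) C:\\Windows\\dwrcs\\DWRCS.EXE
FirewallRules: [{2F114138-4682-4888-9876-6C8826D35705}] => (Allow) LPort=12345
FirewallRules: [{694F5BD5-7BCB-4FC0-8C42-C14F985C2C56}] => (Block) C:\\ProgramFiles\\Corel\\Corel VideoStudio Pro X7\\vstudio.exe

Error: (08/21/2016 04:40:10 PM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.

Error: (08/21/2016 04:40:08 PM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.

Error: (08/21/2016 04:40:06 PM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.

Error: (08/19/2016 10:05:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: GPUpd57B7B9940.exe, version: 9.2.7.3, time stamp: 0x57b721fc

Error: (08/17/2016 03:42:26 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vstudio.exe, version: 17.1.0.22, time stamp: 0x538721fe
"""

# Line shapes as they appear in the FRST log above (assumed stable for this example).
RULE_RE = re.compile(
    r"^FirewallRules: \[\{(?P<guid>[0-9A-Fa-f-]+)\}\] => \((?P<action>Allow|Block)\) (?P<target>.+)$"
)
EVENT_RE = re.compile(
    r"^Error: \((?P<ts>[^)]+)\) \(Source: (?P<source>[^)]+)\) \(EventID: (?P<event_id>\d+)\)"
)
FAULT_RE = re.compile(r"^Description: Faulting application name: (?P<app>[^,]+),")


def parse_firewall_rules(text):
    """One dict per FirewallRules line. A target containing a backslash is a
    program path, so the rule is scoped to that program; anything else
    (e.g. 'LPort=12345') opens the port for every process on the box."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            target = m.group("target").strip()
            rules.append({
                "guid": m.group("guid"),
                "action": m.group("action"),
                "target": target,
                "is_program": "\\" in target,
            })
    return rules


def parse_event_errors(text):
    """One dict per 'Error:' entry; for Application Error 1000 entries the
    faulting executable is taken from the Description line that follows."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        m = EVENT_RE.match(line)
        if m:
            events.append({
                "timestamp": m.group("ts"),
                "source": m.group("source"),
                "event_id": int(m.group("event_id")),
                "faulting_app": None,
            })
            continue
        f = FAULT_RE.match(line)
        if f and events:
            events[-1]["faulting_app"] = f.group("app").strip()
    return events


def triage(text, hosts_error_threshold=3):
    """Summarise the indicators a helper would look at first."""
    rules = parse_firewall_rules(text)
    events = parse_event_errors(text)
    port_only_allows = [r["guid"] for r in rules
                        if r["action"] == "Allow" and not r["is_program"]]
    hosts_read_errors = sum(
        1 for e in events
        if e["source"] == "Microsoft-Windows-DNS-Client" and e["event_id"] == 1012)
    crashes = Counter(e["faulting_app"] for e in events
                      if e["event_id"] == 1000 and e["faulting_app"])
    return {
        "port_only_allows": port_only_allows,
        "hosts_read_errors": hosts_read_errors,
        "hosts_file_suspect": hosts_read_errors >= hosts_error_threshold,
        "crashes": dict(crashes),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ADDITION).items():
        print(f"{key}: {value}")
```

Run as-is it summarises the embedded excerpt; for a real log, read Addition.txt and pass its text to triage(). The two findings it raises on this excerpt are the ones worth checking next on a machine with recurring proxy changes: which process is listening on the port the program-less Allow rule opens, and whether the permissions or attributes of the hosts file were changed so that the resolver can no longer read it.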

Thanks for those logs, continue as follows:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Download AdwCleaner by Xplode onto your Desktop.
 
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action. Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....


Attach those logs to your reply, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin..

Fixlist.txt


Kevin,

I'm sure I saved fixlist.txt to my desktop, but now, after running FRST, I cannot find a desktop icon for fixlist.txt nor is it listed in my explorer directory. Does running FRST delete the txt file?  Should I re-save the txt file and run FRST again just to be sure?  Or does the log indicate that the fix was performed correctly?


Hi Kevin,

Apparently, running FRST deletes the fixlist.txt file off the desktop.  I wish I had known!  I was second-guessing myself -- I was sure I saved it, but when I couldn't find it after running FRST, I thought maybe something had gone wrong.  So I restored my system to the system restore point that FRST had created, then I re-saved the fixlog text file to the desktop, and re-ran FRST.exe.  Afterwards, I looked to see if the fixlist file was still on the desktop, and it was gone.  So I assume it deletes it -- I don't have any experience with exe programs that delete associated files, so I didn't know.   Anyway, I will download and run the other two programs tomorrow.  Thanks. 


Hi Kevin,

Just wanted to update you -- it's been 24 hours since I ran FRST with your fixlist, and I've seen no sign of the proxy hijacker!  :lol:  I haven't yet done the ADWcleaner or Sophos.  Is it possible that your fixlist got rid of it once and for all?   Should I still run the other two utilities?  


Yes, FRST removed the problem you had, we still need the other two scans to make sure your system has no other hidden anomalies.... AdwCleaner checks for Browser issues and will only take minutes to complete. Sophos is a very thorough scanner that will check your full system for hidden malicious entries, this scan will take a few hours to complete, it is well worth running even if the scan returns a clean log...

Thank you,

Kevin...


Hi Kevin,

I am in dire need of your help.  I noticed an important folder is missing from my C drive.  It was in "My Documents."  When I click on the folder link under "My Favorites" it says "...refers to a location that is unavailable."  I did a search of C: drive, but no results.  I am positive I did not accidentally delete it.  I checked the Recycle Bin anyway and it is not there, and my C Cleaner utility has the Recycle Bin unchecked.  When I right-click on "My Documents" and select "Restore Previous Versions", it shows me restore points only since 8/19.  There should be earlier restore points on my system.  Is it possible that the fix scan I ran could have deleted it?  It was a very large folder, filled with documents and images.  How can I get it back?  I have a utility called Recuva and I ran it, but it didn't find the folder, but I did not go into its advanced scan settings.  I am leaving in 12 hours for a 2-week trip out of town, and won't be back at my PC until Sept 14th.  Hoping you get this in the next 12 hours. Thank you. 


Unfortunately, no.  The batch exe ran fine, but the folder is still missing.   I am 100% sure I didn't delete it.  I accessed the folder as recently as August 15, and maybe after that, too.   It is a very large folder, containing different file types, so some of the files at least should be recoverable, although I know very little about how that works.  I am hoping upon hope that it got moved somehow to another part of the drive, or that we can recover it somehow.  Is there another suggestion I can try?  I am not knowledgeable enough about Piriform Recuva to know how to use the advanced settings.  


The folder in question is named Documents not My Documents. That folder "Documents" clearly shows as being present in the FRST logs, there is no entry listed in the FRSTfix command that would remove or affect that folder (Documents) in any way....

C:\Users\Administrator\Documents

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

fixlist.txt


In my Windows 7 tree, "My Documents" is under "Documents".  And under "Administrator" (which I am logged in as), there is no "Documents" -- just "My Documents."  Very confusing!  More importantly, the right-click menu for "Documents" does not give me the options of "scan for deleted files" or "restore previous versions" as it does when I right-click on "My Documents." (I've attached screenshots of both.)  The missing folder is titled "Viewpoint" and it was a sub-folder of "My Documents" (or "Documents").  I will run the fixlist now and send you the log.

My Documents menu.jpg

Documents menu.jpg

This topic is now closed to further replies.