Problem with deleting InitialPage

I had a problem with InitialPage malware.

I know where I got that malware and I don't go to that page anymore. I managed once to remove it, using MalwareBytes and Adcleaner. After I did a complete scan with both of them and deleted all the detected threats, it seemed to have gone away. InitialPage didn't show up in my browser anymore.

However, after a few days it showed up again. I again removed it with ease, but it keeps showing up irregularly and I keep removing it, and after each removal the program tells me there are no threats. That led me to the conclusion that there is some sort of root that keeps reinstalling this malware, but that root is not detected by Malwarebytes.

My question is: what should I do? Is there any additional software I can use to detect this root and remove it?

I have a free version of Malwarebytes (and Adcleaner).


Hello mata2001 and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Change the download folder setting in the Default Browser only, so all of the tools we may use are saved to the Desktop:

Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Change default download folder location in Edge - Boot to a user account with admin status, select Start > File Explorer > right-click on the "Downloads" folder and select "Properties"

In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK"

Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location.....

Next,

Follow the instructions in the following link to show hidden files:

http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security software alerts on FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press the Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The tool will also make a log named Addition.txt. Please attach that log to your reply.


Let me see those logs...

Thank you,

Kevin..

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 06-05-2017
Ran by User (06-05-2017 20:53:22)
Running from C:\Users\User\Desktop
Windows 10 Pro Version 1607 (X64) (2017-03-31 05:35:31)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1330307909-1062611830-3958091394-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1330307909-1062611830-3958091394-503 - Limited - Disabled)
defaultuser0 (S-1-5-21-1330307909-1062611830-3958091394-1000 - Limited - Disabled) => C:\Users\defaultuser0
Guest (S-1-5-21-1330307909-1062611830-3958091394-501 - Limited - Disabled)
User (S-1-5-21-1330307909-1062611830-3958091394-1001 - Administrator - Enabled) => C:\Users\User

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-1330307909-1062611830-3958091394-1001\...\uTorrent) (Version: 3.5.0.43580 - BitTorrent Inc.)
7-Zip 16.04 (x64) (HKLM\...\7-Zip) (Version: 16.04 - Igor Pavlov)
Adobe Photoshop CC 2015 (HKLM-x32\...\{793C2BF7-A4FE-4608-91C9-9282C5801C21}) (Version: 16.0 - Adobe Systems Incorporated)
AlphaGo (HKLM-x32\...\{51686992-16E4-4467-A12F-09B352120DAE}) (Version: 1.2.2 - AlphaGo)
Audacity 2.1.3 (HKLM-x32\...\Audacity®_is1) (Version: 2.1.3 - Audacity Team)
Crusader Kings II version 2.5.2.0 (HKLM-x32\...\Crusader Kings II_is1) (Version: 2.5.2.0 - Mr DJ)
Finale 2014 (HKLM-x32\...\Finale 2014) (Version: 2014.0.3163.2 - MakeMusic)
Fraps (HKLM-x32\...\Fraps) (Version:  - )
GIMP 2.8.20 (HKLM\...\GIMP-2_is1) (Version: 2.8.20 - The GIMP Team)
GOM Player (HKLM-x32\...\GOM Player) (Version: 2.3.13.5269 - Gretech Corporation)
Google Chrome (HKLM\...\{8AC8E2E9-87E7-30CA-8308-E737B3911CE5}) (Version: 58.0.3029.81 - Google, Inc.)
Google Update Helper (x32 Version: 1.3.33.5 - Google Inc.) Hidden
Herramientas de corrección de Microsoft Office 2016: español (Version: 16.0.4266.1001 - Microsoft Corporation) Hidden
Inkscape 0.92.1 (HKLM-x32\...\Inkscape) (Version: 0.92.1 - Inkscape Project)
Java 8 Update 131 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180131F0}) (Version: 8.0.1310.11 - Oracle Corporation)
LogMeIn Hamachi (HKLM-x32\...\LogMeIn Hamachi) (Version: 2.2.0.558 - LogMeIn, Inc.)
LogMeIn Hamachi (x32 Version: 2.2.0.558 - LogMeIn, Inc.) Hidden
Malwarebytes version 3.0.6.1469 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.6.1469 - Malwarebytes)
Microsoft Office Professional Plus 2016 (HKLM\...\Office16.PROPLUS) (Version: 16.0.4266.1001 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1330307909-1062611830-3958091394-1001\...\OneDriveSetup.exe) (Version: 17.3.6799.0327 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 (HKLM-x32\...\{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}) (Version: 4.0.20823.0 - Microsoft Corporation)
Minecraft (HKLM-x32\...\{1C16BCA3-EBC1-49F6-8623-8FBFB9CCC872}) (Version: 1.0.3.0 - Mojang)
Mozilla Firefox 52.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 52.0.2 (x86 en-US)) (Version: 52.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 52.0.2 - Mozilla)
Nexus Mod Manager (HKLM\...\6af12c54-643b-4752-87d0-8335503010de_is1) (Version: 0.63.14 - Black Tree Gaming)
NVIDIA 3D Vision Driver 376.53 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 376.53 - NVIDIA Corporation)
NVIDIA Graphics Driver 376.53 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 376.53 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.34.17 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.34.17 - NVIDIA Corporation)
Outils de vérification linguistique 2016 de Microsoft Office - Français (Version: 16.0.4266.1001 - Microsoft Corporation) Hidden
Sid Meier's Civilization 4 - Beyond the Sword (HKLM-x32\...\{32E4F0D2-C135-475E-A841-1D59A0D22989}) (Version: 3.19 - Firaxis Games)
Sid Meier's Civilization 4 Complete (HKLM-x32\...\{30D1F3D2-54CF-481D-A005-F94B0E98FEEC}) (Version: 1.74 - Firaxis Games)
Sid Meier's Civilization IV Colonization (HKLM-x32\...\{EF36A836-BF89-4A4F-B079-057B0C68C1E0}) (Version: 1.00 - Firaxis Games)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
Team Fortress 2 (HKLM\...\Steam App 440) (Version:  - Valve)
Terraria (HKLM\...\Steam App 105600) (Version:  - Re-Logic)
TerraTech (HKLM-x32\...\1448625945_is1) (Version: 2.8.0.10 - GOG.com)
The Elder Scrolls V Skyrim Legendary Edition version 1.9.32.8 (HKLM-x32\...\The Elder Scrolls V Skyrim Legendary Edition_is1) (Version: 1.9.32.8 - Mr DJ)
Update for Skype for Business 2016 (KB3127980) 64-Bit Edition (HKLM\...\{90160000-0011-0000-1000-0000000FF1CE}_Office16.PROPLUS_{63487652-EA1D-4817-B4EB-B3D29A441B8F}) (Version:  - Microsoft)
Update for Skype for Business 2016 (KB3127980) 64-Bit Edition (HKLM\...\{90160000-012B-0409-1000-0000000FF1CE}_Office16.PROPLUS_{63487652-EA1D-4817-B4EB-B3D29A441B8F}) (Version:  - Microsoft)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.4 - VideoLAN)
Vulkan Run Time Libraries 1.0.26.0 (HKLM\...\VulkanRT1.0.26.0) (Version: 1.0.26.0 - LunarG, Inc.)
WinCDEmu (HKLM-x32\...\WinCDEmu) (Version: 4.1 - Sysprogs)
WinRAR 5.40 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {1422B07A-A812-4879-BFD9-D14D226FFFEA} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-03-31] (Google Inc.)
Task: {1BA382C3-AE1B-4429-B9C5-EC71EBAAB136} - System32\Tasks\R@1n-KMS\Office16ProPlus => wmic 
Task: {3ACE4610-7C40-4BEC-A2D0-7F0039C6F145} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office16\OLicenseHeartbeat.exe [2015-07-31] (Microsoft Corporation)
Task: {5AB3104E-B23B-443B-9C91-42165ECB40D3} - \Fuwitherfakution -> No File <==== ATTENTION
Task: {5DAD185F-2F43-4D8D-A2C0-9BA707BDC1F4} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\Program Files\Windows Defender\\MpCmdRun.exe [2016-07-16] (Microsoft Corporation)
Task: {5DB6D008-4A5C-4893-9700-66DFBB4F00E7} - System32\Tasks\R@1n-KMS\Windows100Professional => wmic 
Task: {5DCEA669-F5DF-4159-AC2C-10A0D41C85D5} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files\Microsoft Office\Office16\msoia.exe [2015-07-31] (Microsoft Corporation)
Task: {6DA99BA5-7A89-4931-8035-7B9F2AAC530E} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\Program Files\Windows Defender\\MpCmdRun.exe [2016-07-16] (Microsoft Corporation)
Task: {97101063-5873-49E5-B246-B53D9296F8C6} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-03-31] (Google Inc.)
Task: {9BEE7714-466F-4858-AF2F-0B888E711967} - System32\Tasks\FRAPS => C:\Fraps\fraps.exe [2015-09-05] (Beepa P/L)
Task: {A325F7D1-C418-4CB5-8191-6DB33F450711} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files\Microsoft Office\Office16\msoia.exe [2015-07-31] (Microsoft Corporation)
Task: {A796DDB8-1CEA-428E-9583-06DE3EB4AB23} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\Program Files\Windows Defender\\MpCmdRun.exe [2016-07-16] (Microsoft Corporation)
Task: {AD1A2EAC-7909-4331-95F0-BA55CB546717} - System32\Tasks\Rugution Launcher => C:\Program Files (x86)\Ghufosh\xphatusy.exe 
Task: {C433145C-C194-4B5D-A3B1-BEE70AEB9DC0} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\Program Files\Windows Defender\\MpCmdRun.exe [2016-07-16] (Microsoft Corporation)
Task: {E4FCD760-1271-4FDB-8285-07AD5C1AE08A} - System32\Tasks\AdobeAAMUpdater-1.0-DESKTOP-GHBNIP2-User => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2015-05-26] (Adobe Systems Incorporated)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Users\User\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\cfa384dbd06217b1\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\a939634e1e9fb4f6\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\360c22b137d62ce9\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.)

ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\cf37b13bbffc312b\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.) -> --profile-directory=ChromeDefaultData

==================== Loaded Modules (Whitelisted) ==============

2016-07-16 13:42 - 2016-07-16 13:42 - 00231424 _____ () C:\Windows\SYSTEM32\ism32k.dll
2016-10-12 21:50 - 2016-10-12 21:50 - 02681200 _____ () C:\Windows\system32\CoreUIComponents.dll
2017-03-31 08:18 - 2016-12-29 14:44 - 00134712 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2017-03-31 08:04 - 2017-03-31 08:04 - 00026112 _____ () C:\Windows\KMS-R@1n.exe
2016-10-12 21:50 - 2016-10-12 21:50 - 02681200 _____ () C:\Windows\SYSTEM32\CoreUIComponents.dll
2016-11-15 15:27 - 2016-11-15 15:27 - 08911552 _____ () C:\Program Files\Microsoft Office\Office16\1033\GrooveIntlResource.dll
2016-10-12 21:50 - 2016-10-12 21:50 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2016-10-12 21:50 - 2016-10-12 21:50 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2016-10-12 21:50 - 2016-10-12 21:50 - 09760256 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-10-12 21:50 - 2016-10-12 21:50 - 01401344 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-10-12 21:50 - 2016-10-12 21:50 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2016-10-12 21:50 - 2016-10-12 21:50 - 01033216 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll
2016-10-12 21:50 - 2016-10-12 21:50 - 02424832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-10-12 21:50 - 2016-10-12 21:50 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2016-07-16 16:34 - 2016-07-16 16:34 - 00071168 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.4.86.0_x64__kzf8qxf38zg5c\SkypeHost.exe
2016-07-16 16:34 - 2016-07-16 16:34 - 00157184 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.4.86.0_x64__kzf8qxf38zg5c\SkypeBackgroundTasks.dll
2016-07-16 16:34 - 2016-07-16 16:34 - 29443072 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.4.86.0_x64__kzf8qxf38zg5c\SkyWrap.dll
2016-07-16 16:37 - 2016-07-16 16:37 - 00017408 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
2016-07-16 16:37 - 2016-07-16 16:37 - 12473856 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Microsoft.Photos.dll
2016-07-16 16:37 - 2016-07-16 16:37 - 00291328 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.dll
2016-07-16 16:35 - 2016-07-16 16:35 - 03790336 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1605.1582.0_x64__8wekyb3d8bbwe\Calculator.exe
2016-07-16 16:35 - 2016-07-16 16:35 - 00258560 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1605.1582.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.dll
2017-05-04 10:38 - 2017-05-02 08:44 - 00323584 _____ () C:\Users\User\AppData\Local\background_fault\bf.dll
2016-10-12 21:50 - 2016-10-12 21:50 - 02681200 _____ () C:\Windows\System32\CoreUIComponents.dll
2016-11-15 15:27 - 2016-11-15 15:27 - 08911552 _____ () C:\Program Files (x86)\Microsoft Office\Office16\1033\GrooveIntlResource.dll
2017-05-04 10:41 - 2017-04-19 06:04 - 02864984 _____ () C:\Program Files (x86)\Zoohair\Application\libglesv2.dll
2017-05-04 10:41 - 2017-04-19 06:04 - 00087384 _____ () C:\Program Files (x86)\Zoohair\Application\libegl.dll
2017-05-04 10:58 - 2017-03-31 11:49 - 17778776 _____ () C:\Users\User\AppData\Local\Zoohair\User Data\PepperFlash\25.0.0.148\pepflashplayer.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Hamachi2Svc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2017-04-15 03:23 - 2017-04-15 03:24 - 00001023 _____ C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 lmlicenses.wip4.adobe.com
127.0.0.1 lm.licenses.adobe.com
127.0.0.1 na1r.services.adobe.com
127.0.0.1 hlrcv.stage.adobe.com
127.0.0.1 practivate.adobe.com 
127.0.0.1 activate.adobe.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1330307909-1062611830-3958091394-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\User\Desktop\JUNK\Desktop BG.png
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\Run: => "AdobeAAMUpdater-1.0"
HKLM\...\StartupApproved\Run32: => "LogMeIn Hamachi Ui"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{D23F3432-57B3-400A-B089-8043AEF4651E}] => (Allow) C:\Program Files\Microsoft Office\Office16\lync.exe
FirewallRules: [{D0E42057-A0E1-48B7-97E7-FD74BB1F4BE6}] => (Allow) C:\Program Files\Microsoft Office\Office16\lync.exe
FirewallRules: [{EF804A1F-B3EE-47CC-96D0-B591AE86770B}] => (Allow) C:\Program Files\Microsoft Office\Office16\UcMapi.exe
FirewallRules: [{4211699B-1EB2-4BEF-A1CE-8D3482E948DF}] => (Allow) C:\Program Files\Microsoft Office\Office16\UcMapi.exe
FirewallRules: [{F8FC2A3A-8C74-46B1-9A9A-49564D12371C}] => (Allow) C:\Windows\KMS-R@1n.exe
FirewallRules: [{5286A95D-953E-4884-A4A0-36AE7FFA00FA}] => (Allow) C:\Windows\KMS-R@1n.exe
FirewallRules: [{EE98AD61-703C-400C-A43E-9D6C163B782C}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{FDD75017-BA2F-4147-84A3-992C4496E62A}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{0BF3833B-2D78-47E8-BEEE-16F5336D0AEE}] => (Allow) C:\Users\User\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{88284C4A-37FC-4080-B906-232AD84DFCA8}] => (Allow) C:\Users\User\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{D1047988-A104-4D7E-9F82-DF20C7672F01}] => (Allow) C:\Users\User\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{60E60239-0F44-446A-9ABF-87044F6A31A2}] => (Allow) C:\Users\User\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{7FE1D03B-11DE-42C2-A66A-1225485DF46E}] => (Allow) C:\Users\User\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{A61E94C5-CDE9-4083-8F6E-99FCFF3A561F}] => (Allow) C:\Users\User\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [TCP Query User{86234A1F-DABE-44EF-A8EA-A09DA5B5764F}C:\program files\java\jre1.8.0_121\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_121\bin\javaw.exe
FirewallRules: [UDP Query User{0347C07F-A769-4C73-B3E1-3E62812CBAF2}C:\program files\java\jre1.8.0_121\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_121\bin\javaw.exe
FirewallRules: [TCP Query User{E101219C-6811-43B8-AF13-F0BA7A8A0C16}C:\program files\java\jre1.8.0_121\bin\java.exe] => (Allow) C:\program files\java\jre1.8.0_121\bin\java.exe
FirewallRules: [UDP Query User{888A6205-C153-4D80-BD19-788CDF4FC3EB}C:\program files\java\jre1.8.0_121\bin\java.exe] => (Allow) C:\program files\java\jre1.8.0_121\bin\java.exe
FirewallRules: [{F808CAD2-E90B-4C13-B643-EE51C8075252}] => (Block) C:\program files\java\jre1.8.0_121\bin\java.exe
FirewallRules: [{3E98AAF7-1561-429F-AB68-22BF3991DA0D}] => (Block) C:\program files\java\jre1.8.0_121\bin\java.exe
FirewallRules: [{78F05E3C-1DFF-4F38-8720-9854DF052F6E}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{2E380B28-2122-4023-B00C-2C5AE7D165E1}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{B28E5803-4AAF-4089-8BFD-BC92271E272F}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{DFD2F12B-8734-4D62-939E-2F02D3D41028}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{C85B8CF7-B126-4CE8-93E8-B1663F0EF0C3}] => (Block) C:\Program Files (x86)\Finale 2014
FirewallRules: [{B016C641-B318-47BC-A160-3565FC631AA2}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Terraria\Terraria.exe
FirewallRules: [{E3CC6F75-01B5-4C81-BF0E-E8F1739C421D}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Terraria\Terraria.exe
FirewallRules: [{61B7F280-CD18-4231-A4AB-ECFED9E4D3EB}] => (Block) C:\Program Files\Adobe\Adobe Photoshop CC 2015
FirewallRules: [{743A5333-941E-4AEC-8DB7-778D4A055FAF}] => (Allow) C:\Program Files (x86)\2K Games\Firaxis Games\Sid Meier's Civilization 4 Complete\Civilization4.exe
FirewallRules: [{A9DC3EAF-3153-4736-9ECB-5CD3AE09F66C}] => (Allow) C:\Program Files (x86)\2K Games\Firaxis Games\Sid Meier's Civilization 4 Complete\Civilization4.exe
FirewallRules: [{B5FA95AB-738A-4F61-BD8A-4145BD21D6C7}] => (Allow) C:\Program Files (x86)\2K Games\Firaxis Games\Sid Meier's Civilization 4 Complete\Warlords\Civ4Warlords.exe
FirewallRules: [{14D96ED3-8A6A-4D63-8D55-506A9DEA9F79}] => (Allow) C:\Program Files (x86)\2K Games\Firaxis Games\Sid Meier's Civilization 4 Complete\Warlords\Civ4Warlords.exe
FirewallRules: [{2AD7D20C-E889-49C6-9B9E-127637D961E5}] => (Allow) C:\Program Files (x86)\2K Games\Firaxis Games\Sid Meier's Civilization 4 Complete\Beyond the Sword\Civ4BeyondSword.exe
FirewallRules: [{50F80EDE-483B-4C23-BE7B-1DD8BEBE7F67}] => (Allow) C:\Program Files (x86)\2K Games\Firaxis Games\Sid Meier's Civilization 4 Complete\Beyond the Sword\Civ4BeyondSword.exe
FirewallRules: [{7E08D3F6-4A47-445A-9FA4-84E8A968E804}] => (Allow) C:\Program Files (x86)\2K Games\Firaxis Games\Sid Meier's Civilization IV Colonization\Colonization.exe
FirewallRules: [{2B896F83-1E0D-4C4C-9C3D-C00364FC8925}] => (Allow) C:\Program Files (x86)\2K Games\Firaxis Games\Sid Meier's Civilization IV Colonization\Colonization.exe
FirewallRules: [{895C929B-0138-4A5A-B69F-83B3F86D808E}] => (Allow) C:\Program Files (x86)\Mr DJ\The Elder Scrolls V Skyrim Legendary Edition\SkyrimLauncher.exe
FirewallRules: [{D686D40E-F3DE-4BEE-AB58-08901AADB789}] => (Allow) C:\Program Files (x86)\Mr DJ\The Elder Scrolls V Skyrim Legendary Edition\SkyrimLauncher.exe
FirewallRules: [{3543C442-6413-4C92-8060-584C4B08118C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Team Fortress 2\hl2.exe
FirewallRules: [{9CC33CCD-B902-4398-9F51-FEE9E55ECA04}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Team Fortress 2\hl2.exe
FirewallRules: [{CA2EC942-F7CB-4103-A1ED-D2C18F4E0576}] => (Allow) C:\Program Files (x86)\Mr DJ\Crusader Kings II\CK2game.exe
FirewallRules: [{9FC1A771-C5F4-4DFE-8A89-C91CDE576F7C}] => (Allow) C:\Program Files (x86)\Mr DJ\Crusader Kings II\CK2game.exe
FirewallRules: [{A0D52687-AB39-4909-B43C-B1D5FC96826A}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [TCP Query User{30BAA10B-C1F4-45FD-98FD-F1EE2AC44435}H:\programs\fallout 4\fallout4.exe] => (Allow) H:\programs\fallout 4\fallout4.exe
FirewallRules: [UDP Query User{6DE8CBEC-F6F6-4F59-9D82-D04387C2A1E2}H:\programs\fallout 4\fallout4.exe] => (Allow) H:\programs\fallout 4\fallout4.exe
FirewallRules: [{5DA8395A-ED1F-4401-A418-62801B49C8FE}] => (Allow) C:\Program Files (x86)\MIO\loader\ts240gssd220s_012961b4d31433b10217.dat
FirewallRules: [{27B52CE9-4E19-42F4-A5B2-8AE9F1852A42}] => (Allow) C:\Program Files (x86)\MIO\loader\ts240gssd220s_012961b4d31433b10217.dat
FirewallRules: [{60E9D56A-605C-44F1-AE40-189FC6366DAB}] => (Allow) C:\Program Files (x86)\Firefox\Firefox.exe
FirewallRules: [{C7941D4C-CB99-465F-B71B-20FB973F08E0}] => (Allow) C:\Program Files (x86)\Zoohair\Application\chrome.exe

==================== Restore Points =========================

16-04-2017 17:25:14 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
23-04-2017 02:08:56 Removed AlphaGo
25-04-2017 20:46:04 Removed AlphaGo
03-05-2017 11:17:25 Scheduled Checkpoint

==================== Faulty Device Manager Devices =============

Name: Standard PS/2 Keyboard
Description: Standard PS/2 Keyboard
Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Microsoft PS/2 Mouse
Description: Microsoft PS/2 Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (05/06/2017 06:18:25 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ctfmon.exe, version: 10.0.14393.0, time stamp: 0x57899148
Faulting module name: InputService.dll, version: 10.0.14393.206, time stamp: 0x57dacf17
Exception code: 0xc0000005
Fault offset: 0x00057f66
Faulting process id: 0x1474
Faulting application start time: 0x01d2c66cfcc14e4e
Faulting application path: C:\Windows\SysWoW64\ctfmon.exe
Faulting module path: C:\Windows\system32\InputService.dll
Report Id: b6a260e8-03ad-4f4a-8c1a-2520dd42d6d0
Faulting package full name: 
Faulting package-relative application ID:


System errors:
=============
Error: (05/06/2017 06:34:03 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID 
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (05/06/2017 06:21:07 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-GHBNIP2)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{C2F03A33-21F5-47FA-B4BB-156362A2F239}
 and APPID 
{316CDED5-E4AE-4B15-9113-7055D84DCC97}
 to the user DESKTOP-GHBNIP2\User SID (S-1-5-21-1330307909-1062611830-3958091394-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.WindowsStore_11606.1001.39.0_x64__8wekyb3d8bbwe SID (S-1-15-2-1609473798-1231923017-684268153-4268514328-882773646-2760585773-1760938157). This security permission can be modified using the Component Services administrative tool.

Error: (05/06/2017 06:19:02 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The 3DM service terminated with the following error: 
The specified module could not be found.

Error: (05/06/2017 06:18:24 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (05/06/2017 06:18:24 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The LogMeIn Hamachi Tunneling Engine service terminated unexpectedly.  It has done this 1 time(s).

Error: (05/06/2017 06:18:24 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The KMS-R@1n service terminated unexpectedly.  It has done this 1 time(s).

Error: (05/06/2017 06:18:24 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.

Error: (05/06/2017 06:18:24 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The NVIDIA Display Container LS service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1000 milliseconds: Restart the service.

Error: (05/06/2017 03:30:37 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID 
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (05/05/2017 06:56:57 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID 
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


CodeIntegrity:
===================================
  Date: 2017-05-06 18:49:02.429
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\microsoft shared\OFFICE16\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-05-04 12:24:58.534
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\microsoft shared\OFFICE16\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-05-02 16:30:52.387
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\microsoft shared\OFFICE16\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-05-01 20:41:06.323
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\microsoft shared\OFFICE16\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-04-27 16:06:38.923
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\microsoft shared\OFFICE16\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-04-26 15:18:05.097
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\microsoft shared\OFFICE16\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-04-25 20:46:32.200
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Store signing level requirements.

  Date: 2017-04-23 02:09:39.073
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Elex-tech\YAC\iSafeSrvMon64.dll that did not meet the Windows signing level requirements.

  Date: 2017-04-22 20:18:57.657
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\microsoft shared\OFFICE16\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-04-22 20:18:57.540
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Elex-tech\YAC\iSafeSrvMon64.dll that did not meet the Windows signing level requirements.


==================== Memory info =========================== 

Processor: Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz
Percentage of memory in use: 24%
Total physical RAM: 8136.09 MB
Available physical RAM: 6131.42 MB
Total Virtual: 9416.09 MB
Available Virtual: 7088.85 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:223.02 GB) (Free:57.97 GB) NTFS
Drive h: (Hard) (Fixed) (Total:931.39 GB) (Free:897.18 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 223.6 GB) (Disk ID: 00000000)

Partition: GPT.

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 00000000)

Partition: GPT.

==================== End of Addition.txt ============================

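The CodeIntegrity block in the Addition.txt above is the part of that log most worth a second look, but it repeats the same two or three events day after day. As an added example (not part of this thread, and not code from FRST or Malwarebytes), here is a small Python triage helper that parses that block, collapses the repeats into unique loader/module pairs, and flags the pairs where a binary living under \Windows was handed a module from outside \Windows. The sample text is constructed from the events in this log; the flagging rule in `triage()` is my own heuristic, not an FRST rule, and its output is a list of leads rather than verdicts: the Edge hit is Malwarebytes' own mbae64.dll being refused by Edge's Store signing policy, whereas svchost.exe loading iSafeSrvMon64.dll from a third-party folder is the kind of entry to chase through the rest of the log.

```python
from __future__ import annotations
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample in the shape of FRST's Addition.txt "CodeIntegrity:" section.
# The events are copied from the log posted in this thread; the rest of the log is omitted.
SAMPLE = r"""
CodeIntegrity:
===================================
  Date: 2017-05-06 18:49:02.429
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\microsoft shared\OFFICE16\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-05-04 12:24:58.534
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\microsoft shared\OFFICE16\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-04-25 20:46:32.200
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Store signing level requirements.

  Date: 2017-04-23 02:09:39.073
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Elex-tech\YAC\iSafeSrvMon64.dll that did not meet the Windows signing level requirements.

  Date: 2017-04-22 20:18:57.540
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Elex-tech\YAC\iSafeSrvMon64.dll that did not meet the Windows signing level requirements.


==================== Memory info ===========================
"""


class CIEvent(NamedTuple):
    date: str
    process: str  # the loader, with the NT volume prefix stripped
    module: str   # the DLL that failed the signing check, prefix stripped
    level: str    # signing level FRST reports, e.g. "Windows", "Store", "Custom 3 / Antimalware"


# One FRST CodeIntegrity entry: a "Date:" line followed by a one-line "Description:".
EVENT_RE = re.compile(
    r"Date: (?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s*\n"
    r"\s*Description: Code Integrity determined that a process \((?P<proc>.+?)\) "
    r"attempted to load (?P<module>.+?) that did not meet the (?P<level>.+?) "
    r"signing level requirements\."
)
VOLUME_RE = re.compile(r"^\\Device\\HarddiskVolume\d+\\", re.IGNORECASE)


def strip_volume(path: str) -> str:
    """Drop the \\Device\\HarddiskVolumeN\\ prefix so paths compare like drive-relative ones."""
    return VOLUME_RE.sub("", path)


def parse_code_integrity(text: str) -> list[CIEvent]:
    """Extract every CodeIntegrity event from an FRST Addition.txt body."""
    return [
        CIEvent(m["date"], strip_volume(m["proc"]), strip_volume(m["module"]), m["level"])
        for m in EVENT_RE.finditer(text)
    ]


def summarize(events: list[CIEvent]) -> Counter:
    """Collapse repeats: the same loader/module pair recurring daily is one finding, not many."""
    return Counter((e.process, e.module, e.level) for e in events)


def is_windows_binary(path: str) -> bool:
    return path.lower().startswith("windows\\")


def triage(events: list[CIEvent]) -> list[tuple[str, str, str, int]]:
    """Heuristic (my assumption, not an FRST rule): flag pairs where a loader under \\Windows
    was handed a module from outside \\Windows. Returns (process, module, level, count)."""
    flagged = []
    for (proc, module, level), count in summarize(events).items():
        if is_windows_binary(proc) and not is_windows_binary(module):
            flagged.append((proc, module, level, count))
    return flagged


if __name__ == "__main__":
    for proc, module, level, count in triage(parse_code_integrity(SAMPLE)):
        print(f"{count}x  {proc}  <-  {module}  [{level} signing level]")
```

Run against a full Addition.txt (read the file and pass its text to `parse_code_integrity`) rather than the sample; the MsMpEng.exe/MSOXMLMF.DLL noise drops out on its own because neither path is under \Windows, which is why the rule looks at the loader's location rather than at the signing level string.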

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 06-05-2017
Ran by User (administrator) on DESKTOP-GHBNIP2 (06-05-2017 20:52:54)
Running from C:\Users\User\Desktop
Loaded Profiles: User (Available Profiles: defaultuser0 & User)
Platform: Windows 10 Pro Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
() C:\Windows\KMS-R@1n.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(LogMeIn Inc.) C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe
(Beepa P/L) C:\Fraps\fraps.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler64.exe
(Beepa P/L) C:\Fraps\fraps64.dat
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(AVAST Software) C:\Users\User\AppData\Local\background_fault\aswRD.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.4.86.0_x64__kzf8qxf38zg5c\SkypeHost.exe
() C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
() C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1605.1582.0_x64__8wekyb3d8bbwe\Calculator.exe
(Google Inc.) C:\Program Files (x86)\Zoohair\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Zoohair\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Zoohair\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Zoohair\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Zoohair\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Zoohair\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Zoohair\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Zoohair\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Zoohair\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Zoohair\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Zoohair\Application\chrome.exe
(Microsoft Corporation) C:\Windows\HelpPane.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500936 2015-05-26] (Adobe Systems Incorporated)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-10-12] (Microsoft Corporation)
HKLM-x32\...\Run: [LogMeIn Hamachi Ui] => C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe [5883912 2017-03-02] (LogMeIn Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-03-15] (Oracle Corporation)
HKU\S-1-5-21-1330307909-1062611830-3958091394-1001\...\Run: [background_fault] => C:\Users\User\AppData\Local\background_fault\aswRD.exe [1419576 2017-05-04] (AVAST Software) <===== ATTENTION
IFEO\OSppSvc.exe: [Debugger] KMS-R@1nHook.exe
IFEO\SppExtComObj.exe: [Debugger] KMS-R@1nHook.exe
ShellExecuteHooks: No Name - {D2D606BA-20DF-11E7-B48D-64006A5CFC23} - C:\Users\User\AppData\Roaming\Mojetion\Prutolethermo.dll -> No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{07852d1a-a6d0-4bfc-8ff9-aa023f80f315}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-21-1330307909-1062611830-3958091394-1001\Software\Microsoft\Internet Explorer\Main,Start Page = 
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = 
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office16\OCHelper.dll [2016-11-15] (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_131\bin\ssv.dll [2017-04-24] (Oracle Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office16\GROOVEEX.DLL [2016-11-16] (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_131\bin\jp2ssv.dll [2017-04-24] (Oracle Corporation)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office16\OCHelper.dll [2015-07-31] (Microsoft Corporation)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office16\GROOVEEX.DLL [2016-11-16] (Microsoft Corporation)
Handler: mso-minsb.16 - {3459B272-CC19-4448-86C9-DDC3B4B2FAD3} - C:\Program Files\Microsoft Office\Office16\MSOSB.DLL [2016-11-16] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {3459B272-CC19-4448-86C9-DDC3B4B2FAD3} - C:\Program Files (x86)\Microsoft Office\Office16\MSOSB.DLL [2016-11-16] (Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\Office16\MSOSB.DLL [2016-11-16] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\Office16\MSOSB.DLL [2016-11-16] (Microsoft Corporation)

Edge: 
======
Edge HomeButtonPage: HKU\S-1-5-21-1330307909-1062611830-3958091394-1001 -> hxxp://www.google.com

FireFox:
========
FF DefaultProfile: avlws67r.default
FF ProfilePath: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\avlws67r.default [2017-05-04]
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\avlws67r.default -> luck
FF SearchEngineOrder.1: Mozilla\Firefox\Profiles\avlws67r.default -> luck
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\avlws67r.default -> luck
FF Extension: (Site Deployment Checker) - C:\Program Files (x86)\Mozilla Firefox\browser\features\deployment-checker@mozilla.org.xpi [2017-03-23] [not signed]
FF Plugin: @java.com/DTPlugin,version=11.131.2 -> C:\Program Files\Java\jre1.8.0_131\bin\dtplugin\npDeployJava1.dll [2017-04-24] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.131.2 -> C:\Program Files\Java\jre1.8.0_131\bin\plugin2\npjp2.dll [2017-04-24] (Oracle Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office16\NPSPWRAP.DLL [2015-07-31] (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.2.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2015-03-09] (Adobe Systems)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-11-15] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office16\NPSPWRAP.DLL [2015-07-31] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2016-12-29] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2016-12-29] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2015-03-09] (Adobe Systems)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2016-11-15] (Microsoft Corporation)

Chrome: 
=======
CHR DefaultProfile: ChromeDefaultData
CHR StartupUrls: ChromeDefaultData -> "hxxps://www.google.rs/"
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-05-04] <==== ATTENTION
CHR Extension: (Google Slides) - C:\Users\User\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-04-24]
CHR Extension: (Google Docs) - C:\Users\User\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\aohghmighlieiainnegkcijnfilokake [2017-04-24]
CHR Extension: (Adblock Plus) - C:\Users\User\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2017-04-27]
CHR Extension: (Google Sheets) - C:\Users\User\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-04-24]
CHR Extension: (Google Docs Offline) - C:\Users\User\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-04-24]
CHR Extension: (AdBlock) - C:\Users\User\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2017-04-24]
CHR Extension: (Material Incognito Light Theme) - C:\Users\User\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\necpbhkfondbpbloppmkjpdkdimldobc [2017-04-27]
CHR Extension: (Chrome Media Router) - C:\Users\User\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-25]
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\Guest Profile [2017-05-03]
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\System Profile [2017-05-03]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Hamachi2Svc; C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe [3416584 2017-03-02] (LogMeIn Inc.)
R2 KMS-R@1n; C:\Windows\KMS-R@1n.exe [26112 2017-03-31] () [File not signed]
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe [419248 2017-02-27] (LogMeIn, Inc.)
S3 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
R2 NVDisplay.ContainerLocalSystem; C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe [458176 2016-12-29] (NVIDIA Corporation)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [2889896 2016-10-12] (Microsoft Corporation)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
S2 3DM; C:\Users\User\AppData\Local\3DM\Kitty.dll [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 dtlitescsibus; C:\Windows\System32\drivers\dtlitescsibus.sys [30264 2017-04-16] (Disc Soft Ltd)
S3 dtliteusbbus; C:\Windows\System32\drivers\dtliteusbbus.sys [47672 2017-04-16] (Disc Soft Ltd)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77440 2017-03-22] ()
R3 Hamachi; C:\Windows\system32\DRIVERS\Hamdrv.sys [45680 2017-02-27] (LogMeIn Inc.)
R3 iaLPSS2_UART2; C:\Windows\System32\drivers\iaLPSS2_UART2.sys [287032 2016-10-26] (Intel Corporation)
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [186304 2017-04-24] (Malwarebytes)
S3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [111544 2017-05-05] (Malwarebytes)
S3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [43968 2017-05-05] (Malwarebytes)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [251832 2017-05-05] (Malwarebytes)
S3 NetAdapterCx; C:\Windows\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 netr28ux; C:\Windows\System32\drivers\netr28ux.sys [2224128 2016-07-16] (MediaTek Inc.)
R3 nvlddmkm; C:\Windows\System32\DriverStore\FileRepository\nv_dispiwu.inf_amd64_b67dc924fff8de6d\nvlddmkm.sys [14199224 2017-01-05] (NVIDIA Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-05-06 20:52 - 2017-05-06 20:53 - 00014513 _____ C:\Users\User\Desktop\FRST.txt
2017-05-06 20:52 - 2017-05-06 20:52 - 00000000 ____D C:\FRST
2017-05-06 20:51 - 2017-05-06 20:52 - 02429440 _____ (Farbar) C:\Users\User\Desktop\FRST64.exe
2017-05-05 22:33 - 2017-05-06 18:19 - 00003202 _____ C:\Windows\System32\Tasks\FRAPS
2017-05-04 21:32 - 2017-05-04 21:32 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_11_00.Wdf
2017-05-04 10:41 - 2017-05-04 10:41 - 00000000 ____D C:\Users\User\AppData\Roaming\Zoohair
2017-05-04 10:41 - 2017-05-04 10:41 - 00000000 ____D C:\Users\User\AppData\Local\Zoohair
2017-05-04 10:41 - 2017-05-04 10:41 - 00000000 ____D C:\Program Files (x86)\Zoohair
2017-05-04 10:38 - 2017-05-05 11:38 - 00000000 ____D C:\Users\User\AppData\Local\background_fault
2017-05-04 10:07 - 2017-05-04 10:37 - 00000000 ____D C:\Program Files (x86)\AlphaGo
2017-05-03 22:17 - 2017-05-03 22:17 - 00000000 ____D C:\Users\User\AppData\LocalLow\uTorrent
2017-05-03 22:14 - 2017-05-03 22:18 - 00000000 ____D C:\Users\User\Desktop\Torrents
2017-05-03 13:20 - 2017-05-03 21:06 - 00002061 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2017-05-03 13:20 - 2017-05-03 13:20 - 00000000 ____D C:\Users\Public\Documents\Google
2017-05-03 13:20 - 2017-05-03 13:20 - 00000000 ____D C:\Program Files (x86)\IIS
2017-05-03 01:09 - 2017-05-06 18:19 - 00000000 ____D C:\Fraps
2017-05-03 01:09 - 2017-05-03 01:09 - 00000599 _____ C:\Users\Public\Desktop\Fraps.lnk
2017-05-03 01:09 - 2017-05-03 01:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Fraps
2017-05-01 15:22 - 2017-05-01 15:22 - 00000000 ____D C:\Users\User\AppData\Local\Fallout4
2017-04-30 20:12 - 2017-04-30 20:12 - 00015136 _____ C:\Users\User\AppData\Local\recently-used.xbel
2017-04-30 02:31 - 2017-05-04 10:41 - 00002593 _____ C:\Users\User\Desktop\Google Chrome.lnk
2017-04-29 02:00 - 2017-04-29 02:00 - 00344064 _____ C:\Users\User\Documents\Database1.accdb
2017-04-27 15:56 - 2017-05-04 10:41 - 00002244 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-04-27 15:56 - 2017-04-27 15:56 - 01129376 _____ (Google Inc.) C:\Users\User\Downloads\ChromeSetup (1).exe
2017-04-26 14:27 - 2017-04-26 14:27 - 00000000 ____D C:\Users\User\Documents\Custom Office Templates
2017-04-26 14:00 - 2017-04-26 14:00 - 571913261 _____ C:\Windows\MEMORY.DMP
2017-04-26 14:00 - 2017-04-26 14:00 - 00545316 _____ C:\Windows\Minidump\042617-6515-01.dmp
2017-04-26 14:00 - 2017-04-26 14:00 - 00000000 ____D C:\Windows\Minidump
2017-04-25 22:06 - 2017-05-06 18:18 - 00000000 ____D C:\AdwCleaner
2017-04-25 22:05 - 2017-04-25 22:06 - 04102600 _____ C:\Users\User\Desktop\Malwarebytes Adcleaner.exe
2017-04-25 20:16 - 2017-04-25 20:17 - 01129376 _____ (Google Inc.) C:\Users\User\Downloads\ChromeSetup.exe
2017-04-25 20:11 - 2017-04-25 20:11 - 00000000 ____D C:\ProgramData\Apple
2017-04-25 20:10 - 2017-04-25 20:10 - 00000000 ____D C:\Windows\psgo
2017-04-25 00:41 - 2017-04-30 01:25 - 00000000 ____D C:\Users\User\Desktop\Aenigma Aeterna
2017-04-24 21:41 - 2017-04-24 21:41 - 00003299 _____ C:\Users\User\Desktop\Scan documents and photos - Shortcut.lnk
2017-04-24 18:49 - 2017-04-24 18:49 - 00000000 ____D C:\Users\User\AppData\LocalLow\Oracle
2017-04-24 16:01 - 2017-05-05 10:07 - 00251832 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-04-24 16:01 - 2017-05-05 10:07 - 00111544 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-04-24 16:01 - 2017-05-05 10:07 - 00043968 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-04-24 16:01 - 2017-05-03 22:51 - 00092096 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-04-24 16:01 - 2017-04-24 16:01 - 00186304 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-04-24 16:01 - 2017-04-24 16:01 - 00001912 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-04-24 16:01 - 2017-04-24 16:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-04-24 16:01 - 2017-04-24 16:01 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-04-24 16:01 - 2017-04-24 16:01 - 00000000 ____D C:\Program Files\Malwarebytes
2017-04-24 16:01 - 2017-03-22 11:02 - 00077440 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-04-23 02:09 - 2017-04-23 02:09 - 00000000 ____D C:\Windows\system32\appmgmt
2017-04-21 19:40 - 2017-04-21 19:40 - 00000000 _____ C:\Windows\SysWOW64\33
2017-04-21 01:47 - 2017-04-21 01:47 - 00000000 ____D C:\Users\User\Documents\Paradox Interactive
2017-04-21 01:47 - 2017-04-21 01:47 - 00000000 ____D C:\Users\User\AppData\Roaming\Steam
2017-04-20 18:49 - 2017-04-20 18:49 - 00000000 ____D C:\Users\User\AppData\Roaming\Google
2017-04-19 20:00 - 2017-04-23 20:57 - 00000000 _____ C:\Windows\SysWOW64\2
2017-04-19 19:56 - 2017-04-25 22:09 - 00000000 ____D C:\Windows\system32\log
2017-04-19 12:42 - 2017-04-19 12:42 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinCDEmu
2017-04-19 12:41 - 2017-04-19 12:41 - 00000000 ____D C:\Program Files (x86)\WinCDEmu
2017-04-19 12:21 - 2017-04-25 20:14 - 00000000 ____D C:\Users\User\AppData\Local\3DM
2017-04-18 01:44 - 2017-04-18 01:44 - 00002644 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word 2016.lnk
2017-04-18 01:22 - 2017-04-25 22:09 - 00000000 ____D C:\Windows\Update
2017-04-18 01:16 - 2017-04-21 19:39 - 00000000 ____D C:\Program Files (x86)\MK
2017-04-18 01:15 - 2017-05-04 10:07 - 00034328 _____ (Sysinternals - www.sysinternals.com) C:\Windows\system32\Drivers\PROCEXP152.SYS
2017-04-17 00:32 - 2017-04-17 00:35 - 00000000 ____D C:\Users\User\AppData\Local\Skyrim
2017-04-17 00:32 - 2017-04-17 00:32 - 00000000 ____D C:\Games
2017-04-17 00:30 - 2017-04-21 01:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mr DJ
2017-04-17 00:30 - 2017-04-18 01:42 - 00001116 _____ C:\Users\Public\Desktop\Nexus Mod Manager.lnk
2017-04-17 00:30 - 2017-04-18 00:56 - 00000000 ____D C:\Users\User\Documents\Nexus Mod Manager
2017-04-17 00:30 - 2017-04-17 00:32 - 00000000 ____D C:\Program Files\Nexus Mod Manager
2017-04-17 00:30 - 2017-04-17 00:30 - 00000000 ____D C:\Users\User\AppData\Local\Black_Tree_Gaming
2017-04-17 00:30 - 2017-04-17 00:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nexus Mod Manager
2017-04-17 00:12 - 2017-04-29 17:28 - 00000000 ____D C:\Program Files (x86)\Mr DJ
2017-04-17 00:12 - 2017-04-21 01:44 - 00000000 ____D C:\Windows\SysWOW64\directx
2017-04-16 17:25 - 2017-04-16 17:25 - 00000000 ____D C:\Users\User\AppData\LocalLow\Payload
2017-04-16 17:25 - 2017-04-16 17:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TerraTech [GOG.com]
2017-04-16 17:24 - 2017-04-16 17:24 - 00000000 ____D C:\GOG Games
2017-04-16 16:54 - 2017-04-16 17:23 - 435153219 ____R C:\Users\User\Downloads\TerraTech.v0.7.2.rar
2017-04-16 02:34 - 2017-04-16 02:34 - 00000000 ____D C:\Users\User\AppData\Local\My Games
2017-04-16 02:20 - 2017-04-16 02:31 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2017-04-16 02:20 - 2017-04-16 02:20 - 00000000 ____D C:\Program Files (x86)\2K Games
2017-04-16 02:12 - 2017-04-16 02:12 - 00000000 ____D C:\Users\User\AppData\Local\Disc_Soft_Ltd
2017-04-16 02:11 - 2017-04-16 02:11 - 00000000 ____D C:\Users\Public\Documents\Daemon Tools Images
2017-04-16 02:09 - 2017-04-20 19:00 - 00000000 ____D C:\Users\User\AppData\Roaming\Mojetion
2017-04-16 02:09 - 2017-04-16 02:09 - 00006154 _____ C:\Windows\System32\Tasks\Rugution Launcher
2017-04-16 02:09 - 2017-04-16 02:09 - 00000000 ____D C:\Users\User\AppData\Local\Lvidombavu
2017-04-16 02:08 - 2017-04-16 02:11 - 00000000 ____D C:\Users\User\AppData\Roaming\DAEMON Tools Lite
2017-04-16 02:08 - 2017-04-16 02:08 - 00047672 _____ (Disc Soft Ltd) C:\Windows\system32\Drivers\dtliteusbbus.sys
2017-04-16 02:08 - 2017-04-16 02:08 - 00030264 _____ (Disc Soft Ltd) C:\Windows\system32\Drivers\dtlitescsibus.sys
2017-04-16 02:08 - 2017-04-16 02:08 - 00000000 ____D C:\ProgramData\DAEMON Tools Lite
2017-04-15 23:14 - 2017-04-15 23:14 - 00000000 ____D C:\Program Files (x86)\Microsoft XNA
2017-04-15 20:24 - 2010-06-02 04:55 - 00527192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_7.dll
2017-04-15 20:24 - 2010-06-02 04:55 - 00518488 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_7.dll
2017-04-15 20:24 - 2010-06-02 04:55 - 00239960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_7.dll
2017-04-15 20:24 - 2010-06-02 04:55 - 00176984 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_7.dll
2017-04-15 20:24 - 2010-06-02 04:55 - 00077656 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_5.dll
2017-04-15 20:24 - 2010-06-02 04:55 - 00074072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_5.dll
2017-04-15 20:24 - 2010-05-26 11:41 - 02526056 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_43.dll
2017-04-15 20:24 - 2010-05-26 11:41 - 02401112 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_43.dll
2017-04-15 20:24 - 2010-05-26 11:41 - 02106216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_43.dll
2017-04-15 20:24 - 2010-05-26 11:41 - 01998168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_43.dll
2017-04-15 20:24 - 2010-05-26 11:41 - 01907552 _____ (Microsoft Corporation) C:\Windows\system32\d3dcsx_43.dll
2017-04-15 20:24 - 2010-05-26 11:41 - 01868128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dcsx_43.dll
2017-04-15 20:24 - 2010-05-26 11:41 - 00511328 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_43.dll
2017-04-15 20:24 - 2010-05-26 11:41 - 00470880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_43.dll
2017-04-15 20:24 - 2010-05-26 11:41 - 00276832 _____ (Microsoft Corporation) C:\Windows\system32\d3dx11_43.dll
2017-04-15 20:24 - 2010-05-26 11:41 - 00248672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx11_43.dll
2017-04-15 20:24 - 2010-02-04 10:01 - 00530776 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_6.dll
2017-04-15 20:24 - 2010-02-04 10:01 - 00528216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_6.dll
2017-04-15 20:24 - 2010-02-04 10:01 - 00238936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_6.dll
2017-04-15 20:24 - 2010-02-04 10:01 - 00176984 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_6.dll
2017-04-15 20:24 - 2010-02-04 10:01 - 00078680 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_4.dll
2017-04-15 20:24 - 2010-02-04 10:01 - 00074072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_4.dll
2017-04-15 20:24 - 2010-02-04 10:01 - 00024920 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_7.dll
2017-04-15 20:24 - 2010-02-04 10:01 - 00022360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_7.dll
2017-04-15 20:24 - 2009-09-04 17:44 - 00517960 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_5.dll
2017-04-15 20:24 - 2009-09-04 17:44 - 00515416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_5.dll
2017-04-15 20:24 - 2009-09-04 17:44 - 00238936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_5.dll
2017-04-15 20:24 - 2009-09-04 17:44 - 00176968 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_5.dll
2017-04-15 20:24 - 2009-09-04 17:44 - 00073544 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_3.dll
2017-04-15 20:24 - 2009-09-04 17:44 - 00069464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_3.dll
2017-04-15 20:24 - 2009-09-04 17:29 - 05554512 _____ (Microsoft Corporation) C:\Windows\system32\d3dcsx_42.dll
2017-04-15 20:24 - 2009-09-04 17:29 - 05501792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dcsx_42.dll
2017-04-15 20:24 - 2009-09-04 17:29 - 02582888 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_42.dll
2017-04-15 20:24 - 2009-09-04 17:29 - 02475352 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_42.dll
2017-04-15 20:24 - 2009-09-04 17:29 - 01974616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_42.dll
2017-04-15 20:24 - 2009-09-04 17:29 - 01892184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_42.dll
2017-04-15 20:24 - 2009-09-04 17:29 - 00523088 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_42.dll
2017-04-15 20:24 - 2009-09-04 17:29 - 00453456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_42.dll
2017-04-15 20:24 - 2009-09-04 17:29 - 00285024 _____ (Microsoft Corporation) C:\Windows\system32\d3dx11_42.dll
2017-04-15 20:24 - 2009-09-04 17:29 - 00235344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx11_42.dll
2017-04-15 20:24 - 2009-03-16 14:18 - 00521560 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_4.dll
2017-04-15 20:24 - 2009-03-16 14:18 - 00517448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_4.dll
2017-04-15 20:24 - 2009-03-16 14:18 - 00235352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_4.dll
2017-04-15 20:24 - 2009-03-16 14:18 - 00174936 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_4.dll
2017-04-15 20:24 - 2009-03-16 14:18 - 00024920 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_6.dll
2017-04-15 20:24 - 2009-03-16 14:18 - 00022360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_6.dll
2017-04-15 20:24 - 2009-03-09 15:27 - 05425496 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_41.dll
2017-04-15 20:24 - 2009-03-09 15:27 - 04178264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_41.dll
2017-04-15 20:24 - 2009-03-09 15:27 - 02430312 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_41.dll
2017-04-15 20:24 - 2009-03-09 15:27 - 01846632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_41.dll
2017-04-15 20:24 - 2009-03-09 15:27 - 00520544 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_41.dll
2017-04-15 20:24 - 2009-03-09 15:27 - 00453456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_41.dll
2017-04-15 20:24 - 2008-10-27 10:04 - 00518480 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_3.dll
2017-04-15 20:24 - 2008-10-27 10:04 - 00514384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_3.dll
2017-04-15 20:24 - 2008-10-27 10:04 - 00235856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_3.dll
2017-04-15 20:24 - 2008-10-27 10:04 - 00175440 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_3.dll
2017-04-15 20:24 - 2008-10-27 10:04 - 00074576 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_2.dll
2017-04-15 20:24 - 2008-10-27 10:04 - 00070992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_2.dll
2017-04-15 20:24 - 2008-10-27 10:04 - 00025936 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_5.dll
2017-04-15 20:24 - 2008-10-27 10:04 - 00023376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_5.dll
2017-04-15 20:24 - 2008-10-15 06:22 - 05631312 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_40.dll
2017-04-15 20:24 - 2008-10-15 06:22 - 04379984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_40.dll
2017-04-15 20:24 - 2008-10-15 06:22 - 02605920 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_40.dll
2017-04-15 20:24 - 2008-10-15 06:22 - 02036576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_40.dll
2017-04-15 20:24 - 2008-10-15 06:22 - 00519000 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_40.dll
2017-04-15 20:24 - 2008-10-15 06:22 - 00452440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_40.dll
2017-04-15 20:24 - 2008-07-31 10:41 - 00238088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_2.dll
2017-04-15 20:24 - 2008-07-31 10:41 - 00177672 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_2.dll
2017-04-15 20:24 - 2008-07-31 10:41 - 00072200 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_1.dll
2017-04-15 20:24 - 2008-07-31 10:41 - 00068616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_1.dll
2017-04-15 20:24 - 2008-07-31 10:40 - 00513544 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_2.dll
2017-04-15 20:24 - 2008-07-31 10:40 - 00509448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_2.dll
2017-04-15 20:24 - 2008-07-10 11:01 - 00467984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_39.dll
2017-04-15 20:24 - 2008-07-10 11:00 - 04992520 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_39.dll
2017-04-15 20:24 - 2008-07-10 11:00 - 03851784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_39.dll
2017-04-15 20:24 - 2008-07-10 11:00 - 01942552 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_39.dll
2017-04-15 20:24 - 2008-07-10 11:00 - 01493528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_39.dll
2017-04-15 20:24 - 2008-07-10 11:00 - 00540688 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_39.dll
2017-04-15 20:24 - 2008-05-30 14:19 - 00511496 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_1.dll
2017-04-15 20:24 - 2008-05-30 14:19 - 00507400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_1.dll
2017-04-15 20:24 - 2008-05-30 14:18 - 00238088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_1.dll
2017-04-15 20:24 - 2008-05-30 14:18 - 00177672 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_1.dll
2017-04-15 20:24 - 2008-05-30 14:17 - 00068104 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_0.dll
2017-04-15 20:24 - 2008-05-30 14:17 - 00065032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_0.dll
2017-04-15 20:24 - 2008-05-30 14:17 - 00025608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_4.dll
2017-04-15 20:24 - 2008-05-30 14:16 - 00028168 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_4.dll
2017-04-15 20:24 - 2008-05-30 14:11 - 04991496 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_38.dll
2017-04-15 20:24 - 2008-05-30 14:11 - 03850760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_38.dll
2017-04-15 20:24 - 2008-05-30 14:11 - 01941528 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_38.dll
2017-04-15 20:24 - 2008-05-30 14:11 - 01491992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_38.dll
2017-04-15 20:24 - 2008-05-30 14:11 - 00540688 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_38.dll
2017-04-15 20:24 - 2008-05-30 14:11 - 00467984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_38.dll
2017-04-15 20:24 - 2008-03-05 16:04 - 00489480 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_0.dll
2017-04-15 20:24 - 2008-03-05 16:03 - 00479752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_0.dll
2017-04-15 20:24 - 2008-03-05 16:03 - 00238088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_0.dll
2017-04-15 20:24 - 2008-03-05 16:03 - 00177672 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_0.dll
2017-04-15 20:24 - 2008-03-05 16:00 - 00028168 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_3.dll
2017-04-15 20:24 - 2008-03-05 16:00 - 00025608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_3.dll
2017-04-15 20:24 - 2008-03-05 15:56 - 04910088 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_37.dll
2017-04-15 20:24 - 2008-03-05 15:56 - 03786760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_37.dll
2017-04-15 20:24 - 2008-03-05 15:56 - 01860120 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_37.dll
2017-04-15 20:24 - 2008-03-05 15:56 - 01420824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_37.dll
2017-04-15 20:24 - 2008-02-05 23:07 - 00529424 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_37.dll
2017-04-15 20:24 - 2008-02-05 23:07 - 00462864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_37.dll
2017-04-15 20:24 - 2007-10-22 03:40 - 00411656 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_10.dll
2017-04-15 20:24 - 2007-10-22 03:39 - 00267272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_10.dll
2017-04-15 20:24 - 2007-10-22 03:37 - 00021000 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_2.dll
2017-04-15 20:24 - 2007-10-22 03:37 - 00017928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_2.dll
2017-04-15 20:24 - 2007-10-12 15:14 - 05081608 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_36.dll
2017-04-15 20:24 - 2007-10-12 15:14 - 03734536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_36.dll
2017-04-15 20:24 - 2007-10-12 15:14 - 02006552 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_36.dll
2017-04-15 20:24 - 2007-10-12 15:14 - 01374232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_36.dll
2017-04-15 20:24 - 2007-10-02 09:56 - 00508264 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_36.dll
2017-04-15 20:24 - 2007-10-02 09:56 - 00444776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_36.dll
2017-04-15 20:24 - 2007-07-20 00:57 - 00411496 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_9.dll
2017-04-15 20:24 - 2007-07-20 00:57 - 00267112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_9.dll
2017-04-15 20:24 - 2007-07-19 18:14 - 05073256 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_35.dll
2017-04-15 20:24 - 2007-07-19 18:14 - 03727720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_35.dll
2017-04-15 20:24 - 2007-07-19 18:14 - 01985904 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_35.dll
2017-04-15 20:24 - 2007-07-19 18:14 - 01358192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_35.dll
2017-04-15 20:24 - 2007-07-19 18:14 - 00508264 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_35.dll
2017-04-15 20:24 - 2007-07-19 18:14 - 00444776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_35.dll
2017-04-15 20:24 - 2007-06-20 20:49 - 00409960 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_8.dll
2017-04-15 20:24 - 2007-06-20 20:46 - 00266088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_8.dll
2017-04-15 20:24 - 2007-05-16 16:45 - 04496232 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_34.dll
2017-04-15 20:24 - 2007-05-16 16:45 - 03497832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_34.dll
2017-04-15 20:24 - 2007-05-16 16:45 - 01401200 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_34.dll
2017-04-15 20:24 - 2007-05-16 16:45 - 01124720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_34.dll
2017-04-15 20:24 - 2007-05-16 16:45 - 00506728 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_34.dll
2017-04-15 20:24 - 2007-05-16 16:45 - 00443752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_34.dll
2017-04-15 20:24 - 2007-04-04 18:55 - 00403304 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_7.dll
2017-04-15 20:24 - 2007-04-04 18:55 - 00261480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_7.dll
2017-04-15 20:24 - 2007-04-04 18:54 - 00107368 _____ (Microsoft Corporation) C:\Windows\system32\xinput1_3.dll
2017-04-15 20:24 - 2007-04-04 18:53 - 00081768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xinput1_3.dll
2017-04-15 20:24 - 2007-03-15 16:57 - 00506728 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_33.dll
2017-04-15 20:24 - 2007-03-15 16:57 - 00443752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_33.dll
2017-04-15 20:24 - 2007-03-12 16:42 - 04494184 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_33.dll
2017-04-15 20:24 - 2007-03-12 16:42 - 03495784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_33.dll
2017-04-15 20:24 - 2007-03-12 16:42 - 01400176 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_33.dll
2017-04-15 20:24 - 2007-03-12 16:42 - 01123696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_33.dll
2017-04-15 20:24 - 2007-03-05 12:42 - 00017688 _____ (Microsoft Corporation) C:\Windows\system32\x3daudio1_1.dll
2017-04-15 20:24 - 2007-03-05 12:42 - 00015128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\x3daudio1_1.dll
2017-04-15 20:24 - 2007-01-24 15:27 - 00393576 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_6.dll
2017-04-15 20:24 - 2007-01-24 15:27 - 00255848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_6.dll
2017-04-15 20:24 - 2006-12-08 12:02 - 00251672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_5.dll
2017-04-15 20:24 - 2006-12-08 12:00 - 00390424 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_5.dll
2017-04-15 20:24 - 2006-11-29 13:06 - 04398360 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_32.dll
2017-04-15 20:24 - 2006-11-29 13:06 - 03426072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_32.dll
2017-04-15 20:24 - 2006-11-29 13:06 - 00469264 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10.dll
2017-04-15 20:24 - 2006-11-29 13:06 - 00440080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10.dll
2017-04-15 20:24 - 2006-09-28 16:05 - 03977496 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_31.dll
2017-04-15 20:24 - 2006-09-28 16:05 - 02414360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_31.dll
2017-04-15 20:24 - 2006-09-28 16:05 - 00237848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_4.dll
2017-04-15 20:24 - 2006-09-28 16:04 - 00364824 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_4.dll
2017-04-15 20:24 - 2006-07-28 09:31 - 00083736 _____ (Microsoft Corporation) C:\Windows\system32\xinput1_2.dll
2017-04-15 20:24 - 2006-07-28 09:30 - 00363288 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_3.dll
2017-04-15 20:24 - 2006-07-28 09:30 - 00236824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_3.dll
2017-04-15 20:24 - 2006-07-28 09:30 - 00062744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xinput1_2.dll
2017-04-15 20:24 - 2006-05-31 07:24 - 00230168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_2.dll
2017-04-15 20:24 - 2006-05-31 07:22 - 00354072 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_2.dll
2017-04-15 20:24 - 2006-03-31 12:41 - 03927248 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_30.dll
2017-04-15 20:24 - 2006-03-31 12:40 - 02388176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_30.dll
2017-04-15 20:24 - 2006-03-31 12:40 - 00352464 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_1.dll
2017-04-15 20:24 - 2006-03-31 12:39 - 00229584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_1.dll
2017-04-15 20:24 - 2006-03-31 12:39 - 00083664 _____ (Microsoft Corporation) C:\Windows\system32\xinput1_1.dll
2017-04-15 20:24 - 2006-03-31 12:39 - 00062672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xinput1_1.dll
2017-04-15 20:24 - 2006-02-03 08:43 - 03830992 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_29.dll
2017-04-15 20:24 - 2006-02-03 08:43 - 02332368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_29.dll
2017-04-15 20:24 - 2006-02-03 08:42 - 00355536 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_0.dll
2017-04-15 20:24 - 2006-02-03 08:42 - 00230096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_0.dll
2017-04-15 20:24 - 2006-02-03 08:41 - 00016592 _____ (Microsoft Corporation) C:\Windows\system32\x3daudio1_0.dll
2017-04-15 20:24 - 2006-02-03 08:41 - 00014032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\x3daudio1_0.dll
2017-04-15 20:24 - 2005-12-05 18:09 - 03815120 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_28.dll
2017-04-15 20:24 - 2005-12-05 18:09 - 02323664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_28.dll
2017-04-15 20:24 - 2005-07-22 19:59 - 03807440 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_27.dll
2017-04-15 20:24 - 2005-07-22 19:59 - 02319568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_27.dll
2017-04-15 20:24 - 2005-05-26 15:34 - 03767504 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_26.dll
2017-04-15 20:24 - 2005-05-26 15:34 - 02297552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_26.dll
2017-04-15 20:24 - 2005-03-18 17:19 - 03823312 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_25.dll
2017-04-15 20:24 - 2005-03-18 17:19 - 02337488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_25.dll
2017-04-15 20:24 - 2005-02-05 19:45 - 03544272 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_24.dll
2017-04-15 20:24 - 2005-02-05 19:45 - 02222800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_24.dll
2017-04-15 18:17 - 2017-04-15 18:17 - 00000000 ____D C:\ProgramData\GRETECH
2017-04-15 17:27 - 2017-05-06 18:24 - 00000456 _____ C:\Users\User\Desktop\Steam kod za recovery.txt
2017-04-15 03:25 - 2017-04-15 03:25 - 00000000 ____D C:\Users\User\AppData\LocalLow\Adobe
2017-04-15 03:24 - 2017-04-15 03:24 - 00001085 _____ C:\Users\User\Desktop\Adobe Photoshop CC 2015.lnk
2017-04-15 03:17 - 2017-04-15 03:17 - 00003630 _____ C:\Windows\System32\Tasks\AdobeAAMUpdater-1.0-DESKTOP-GHBNIP2-User
2017-04-15 03:17 - 2017-04-15 03:17 - 00001085 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop CC 2015.lnk
2017-04-15 03:17 - 2017-04-15 03:17 - 00000000 ____D C:\Users\User\Documents\Adobe
2017-04-15 03:17 - 2017-04-15 03:17 - 00000000 ____D C:\ProgramData\regid.1986-12.com.adobe
2017-04-15 03:16 - 2017-05-04 10:41 - 00000000 ____D C:\ProgramData\Package Cache
2017-04-15 03:15 - 2017-04-15 03:17 - 00000000 ____D C:\Program Files\Common Files\Adobe
2017-04-15 03:15 - 2017-04-15 03:15 - 00001619 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Application Manager.lnk
2017-04-15 03:15 - 2017-04-15 03:15 - 00000000 ____D C:\Program Files\Adobe
2017-04-15 03:12 - 2017-05-06 15:33 - 00000000 ____D C:\Users\User\AppData\Local\Adobe
2017-04-15 03:12 - 2017-04-16 02:00 - 00000000 ____D C:\ProgramData\Adobe
2017-04-15 03:12 - 2017-04-15 03:12 - 00000000 ____D C:\Users\User\AppData\Roaming\Macromedia
2017-04-15 01:05 - 2017-04-19 21:07 - 00000000 ____D C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2017-04-12 00:39 - 2017-04-12 00:39 - 00001092 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity.lnk
2017-04-12 00:39 - 2017-04-12 00:39 - 00001080 _____ C:\Users\Public\Desktop\Audacity.lnk
2017-04-12 00:39 - 2017-04-12 00:39 - 00000000 ____D C:\Program Files (x86)\Audacity
2017-04-11 17:53 - 2017-04-11 17:54 - 00000000 ____D C:\Users\User\AppData\Roaming\MakeMusic
2017-04-11 17:53 - 2017-04-11 17:53 - 00001520 _____ C:\Users\User\Desktop\Finale - Shortcut.lnk
2017-04-11 17:53 - 2017-04-11 17:53 - 00000000 ____D C:\Users\User\Documents\Finale Files
2017-04-11 17:50 - 2017-04-11 17:53 - 00000000 ____D C:\Program Files (x86)\Finale 2014
2017-04-11 17:50 - 2017-04-11 17:50 - 00001089 _____ C:\Users\Public\Desktop\Finale 2014.lnk
2017-04-11 17:50 - 2017-04-11 17:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Finale 2014
2017-04-11 17:50 - 2017-04-11 17:50 - 00000000 ____D C:\ProgramData\MakeMusic
2017-04-11 17:39 - 2017-04-11 17:39 - 00000000 ____D C:\Users\User\AppData\Roaming\inkscape
2017-04-11 17:18 - 2017-04-11 17:19 - 00000000 ____D C:\Program Files\Inkscape
2017-04-11 17:18 - 2017-04-11 17:18 - 00000873 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Inkscape.lnk
2017-04-11 17:18 - 2017-04-11 17:18 - 00000861 _____ C:\Users\Public\Desktop\Inkscape.lnk
2017-04-10 23:33 - 2017-04-10 23:33 - 00000000 ____D C:\Users\User\.thumbnails
2017-04-10 01:04 - 2017-04-30 01:25 - 00000000 ____D C:\Users\User\AppData\Local\gtk-2.0
2017-04-10 00:54 - 2017-04-11 18:20 - 00000000 ____D C:\Users\User\Desktop\Images
2017-04-08 01:50 - 2017-04-18 01:43 - 00000971 _____ C:\Users\User\Desktop\GIMP 2.lnk
2017-04-08 01:43 - 2017-05-01 00:21 - 00000000 ____D C:\Users\User\.gimp-2.8
2017-04-08 01:43 - 2017-04-08 01:43 - 00000000 ____D C:\Users\User\AppData\Local\gegl-0.2
2017-04-08 01:43 - 2017-04-08 01:43 - 00000000 ____D C:\Users\User\AppData\Local\fontconfig
2017-04-08 01:39 - 2017-04-08 01:42 - 00000939 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GIMP 2.lnk
2017-04-08 01:38 - 2017-04-08 01:39 - 00000000 ____D C:\Program Files\GIMP 2

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-05-06 19:02 - 2017-03-31 07:34 - 00000000 ____D C:\Windows\system32\SleepStudy
2017-05-06 18:23 - 2017-03-31 07:39 - 01260112 _____ C:\Windows\system32\PerfStringBackup.INI
2017-05-06 18:19 - 2017-03-31 08:18 - 00000000 ____D C:\ProgramData\NVIDIA
2017-05-06 18:19 - 2017-03-31 07:34 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-05-06 18:18 - 2017-03-31 17:08 - 00000000 ____D C:\Users\User\AppData\Local\CrashDumps
2017-05-06 18:18 - 2016-07-16 08:04 - 00262144 _____ C:\Windows\system32\config\BBI
2017-05-04 21:32 - 2016-07-16 13:45 - 00000000 ____D C:\Windows\INF
2017-05-04 11:28 - 2017-03-31 08:20 - 00000000 ____D C:\Users\User\AppData\LocalLow\Mozilla
2017-05-03 23:25 - 2017-03-31 16:41 - 00000000 ____D C:\Users\User\AppData\Roaming\uTorrent
2017-05-03 13:20 - 2017-03-31 08:13 - 00002073 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2017-05-03 11:16 - 2017-03-31 20:07 - 00000000 ____D C:\Users\User\AppData\Local\ElevatedDiagnostics
2017-05-01 15:22 - 2017-03-31 22:12 - 00000000 ____D C:\Users\User\Desktop\Games
2017-05-01 15:22 - 2017-03-31 20:52 - 00000000 ____D C:\Users\User\Documents\My Games
2017-05-01 15:09 - 2017-03-31 07:33 - 00367464 _____ C:\Windows\system32\FNTCACHE.DAT
2017-05-01 11:10 - 2017-04-01 18:34 - 00000000 ____D C:\Program Files (x86)\Steam
2017-04-28 17:30 - 2017-03-31 08:13 - 00003416 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2017-04-28 17:30 - 2017-03-31 08:13 - 00003292 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2017-04-26 21:37 - 2017-03-31 07:35 - 00000000 ____D C:\Users\User\AppData\Local\Packages
2017-04-26 14:02 - 2017-03-31 20:09 - 00000000 ____D C:\Users\User\AppData\Local\LogMeIn Hamachi
2017-04-24 18:51 - 2017-03-31 18:21 - 00110144 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2017-04-24 18:51 - 2017-03-31 18:21 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-04-24 18:51 - 2017-03-31 18:21 - 00000000 ____D C:\Program Files\Java
2017-04-23 02:14 - 2017-03-31 19:53 - 00000000 ____D C:\Users\User\Desktop\JUNK
2017-04-20 18:49 - 2017-03-31 08:23 - 00000000 ____D C:\Users\User\AppData\Local\Google
2017-04-20 02:03 - 2017-03-31 07:35 - 00000000 ____D C:\Users\User\AppData\Roaming\Adobe
2017-04-18 01:44 - 2017-03-31 07:53 - 00002644 _____ C:\Users\User\Desktop\Word 2016.lnk
2017-04-17 22:37 - 2017-03-31 08:24 - 00003288 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task v2
2017-04-17 22:37 - 2017-03-31 07:37 - 00002364 _____ C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-04-17 22:37 - 2017-03-31 07:37 - 00000000 ___RD C:\Users\User\OneDrive
2017-04-15 03:17 - 2017-03-31 19:01 - 00000000 ____D C:\Users\User\AppData\Roaming\NVIDIA
2017-04-15 03:16 - 2016-07-16 13:47 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2017-04-14 22:22 - 2017-03-31 18:21 - 00000000 ____D C:\Users\User\Desktop\FTB_Pack_Install
2017-04-06 22:35 - 2016-07-16 13:36 - 00000000 ____D C:\Windows\CbsTemp

==================== Files in the root of some directories =======

2017-04-30 20:12 - 2017-04-30 20:12 - 0015136 _____ () C:\Users\User\AppData\Local\recently-used.xbel

Files to move or delete:
====================
C:\Users\User\AppData\Local\background_fault\aswRD.exe


Some files in TEMP:
====================
2017-04-15 03:25 - 2015-03-05 08:54 - 2212008 _____ (Adobe Systems Incorporated) C:\Users\User\AppData\Local\Temp\AdobeApplicationManager.exe
2017-04-01 20:21 - 2017-04-01 20:21 - 0019968 ____N (Red Hat®, Inc.) C:\Users\User\AppData\Local\Temp\jansi-64-5510633469918994607.dll
2017-03-31 20:14 - 2017-03-31 20:14 - 0019968 ____N (Red Hat®, Inc.) C:\Users\User\AppData\Local\Temp\jansi-64-5860634072921949545.dll
2017-03-31 20:01 - 2017-03-31 20:01 - 0019968 ____N (Red Hat®, Inc.) C:\Users\User\AppData\Local\Temp\jansi-64-7245449982420327427.dll
2017-04-01 20:22 - 2017-04-01 20:22 - 0019968 ____N (Red Hat®, Inc.) C:\Users\User\AppData\Local\Temp\jansi-64-7298948993584861270.dll
2017-03-31 20:00 - 2017-03-31 20:00 - 0019968 _____ (Red Hat®, Inc.) C:\Users\User\AppData\Local\Temp\jansi-64-7644159703659385550.dll
2017-04-24 18:49 - 2017-04-24 18:49 - 0739904 _____ (Oracle Corporation) C:\Users\User\AppData\Local\Temp\jre-8u131-windows-au.exe
2017-04-16 02:24 - 2007-02-28 01:08 - 0456416 ____R (Macrovision Corporation) C:\Users\User\AppData\Local\Temp\_is551F.exe
2017-04-16 02:20 - 2007-02-28 01:08 - 0456416 ____R (Macrovision Corporation) C:\Users\User\AppData\Local\Temp\_isE36.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-04-28 12:49

==================== End of FRST.txt ============================

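The FRST sections above are what the helper reads by eye: the "One Month Created" and "One Month Modified" lists, the "Files to move or delete" line, and the signature check at the end. As an added example (not part of this thread, and not code from FRST or Malwarebytes), the following script parses those file lines and applies the first three heuristics a helper applies when looking for a re-dropper: executables under user-writable directories, executables FRST prints with no publisher, and newly created scheduled tasks. The line format assumed is the one shown in the log above (created - modified - size attrs (Company) path); the first four sample lines are copied from that log, the last one is constructed around the aswRD.exe path FRST listed under "Files to move or delete" (its timestamps and size are invented). Bare paths from that section can be fed to `triage_path` directly.

```python
"""Triage helper for the file lines in an FRST log.

Added example, not part of the forum thread and not code from FRST or
Malwarebytes: it parses the "One Month Created/Modified files and folders"
lines and applies the first heuristics a helper applies by eye.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# created - modified - size attrs [(Company)] path
_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Za-z_]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1")
# Directories an ordinary user can write to; payloads and re-droppers usually live here.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local|LocalLow|Roaming)|ProgramData|Temp|Users\\Public)\\", re.I
)
TASK_DIR = re.compile(r"\\Windows\\System32\\Tasks\\", re.I)


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str              # FRST attribute flags, e.g. ____D for a directory
    company: Optional[str]  # None when FRST printed no publisher
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Parse one FRST file line; return None for headers and blank lines."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return Entry(
        m.group("created"), m.group("modified"), int(m.group("size")),
        m.group("attrs"), m.group("company") or None, m.group("path"),
    )


def triage_path(path: str, company: Optional[str] = None, is_dir: bool = False) -> list[str]:
    """Reasons a path deserves a second look; an empty list means nothing notable."""
    reasons: list[str] = []
    if is_dir:
        return reasons
    if TASK_DIR.search(path):
        reasons.append("new scheduled task (persistence point)")
    if path.lower().endswith(EXEC_EXT) and USER_WRITABLE.search(path):
        reasons.append("executable in user-writable location")
        if company is None:
            reasons.append("no publisher string")
    return reasons


def triage(entry: Entry) -> list[str]:
    return triage_path(entry.path, entry.company, entry.is_dir)


def triage_log(text: str) -> dict[str, list[str]]:
    """Map path -> reasons for every parsable line that triggers a heuristic."""
    hits: dict[str, list[str]] = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            hits[entry.path] = reasons
    return hits


# Sample input: the first four lines are copied from the FRST log in this thread;
# the last one is constructed (timestamps and size invented) around the path FRST
# listed under "Files to move or delete".
SAMPLE_LOG = r"""
2017-04-15 20:24 - 2010-06-02 04:55 - 00518488 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_7.dll
2017-04-15 03:17 - 2017-04-15 03:17 - 00003630 _____ C:\Windows\System32\Tasks\AdobeAAMUpdater-1.0-DESKTOP-GHBNIP2-User
2017-04-12 00:39 - 2017-04-12 00:39 - 00000000 ____D C:\Program Files (x86)\Audacity
2017-04-15 03:25 - 2015-03-05 08:54 - 2212008 _____ (Adobe Systems Incorporated) C:\Users\User\AppData\Local\Temp\AdobeApplicationManager.exe
2017-05-06 18:00 - 2017-05-06 18:00 - 00045056 _____ C:\Users\User\AppData\Local\background_fault\aswRD.exe
"""

if __name__ == "__main__":
    for path, why in triage_log(SAMPLE_LOG).items():
        print(f"{path}\n    " + "; ".join(why))
```

The heuristics are deliberately coarse: a publisher string is only a hint (FRST prints the version-resource company name, not a verified signature; only the "Bamital & volsnap" section above checks signatures), so a hit means "read this line closely", not "delete this".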

Thanks for those logs, continue with the following..

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it in your reply.

Next,

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply...

Next,

Download AdwCleaner by Xplode onto your Desktop.

Or from this Mirror
 
  • Double click on Adwcleaner.exe to run the tool
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action. Please uncheck elements you want to keep" shows in the top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Please download Junkware Removal Tool to your desktop.
 
  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.



Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Let me see those logs in your reply, also tell me if there are any remaining issues or concerns....

Thank you,

Kevin...
fixlist.txt

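A start page that keeps coming back after the cleaners report "no threats" is often re-seeded from the browser profile itself rather than from a binary; later in this thread the Junkware Removal Tool log shows exactly that, deleting `browser.search.searchengine.*` lines from the poster's Firefox prefs.js. As an added example (not part of this thread, and not code from Malwarebytes, JRT or Mozilla), the script below parses a prefs.js, flags homepage, new-tab and search preferences whose value falls outside an allowlist, treats the non-Mozilla `browser.search.searchengine.` prefix as foreign outright, and writes a cleaned copy. The trusted host and engine lists are assumptions for the example, the sample prefs.js is constructed (its pref names and uid value follow the JRT output in this thread; the `hijacker.example` host is made up), and on a real system Firefox must be closed before prefs.js is edited or it will overwrite the change on exit.

```python
"""Audit a Firefox prefs.js for hijacked start-page and search settings.

Added example, not part of the forum thread and not code from Malwarebytes,
JRT or Mozilla.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# user_pref("name", value);  the value is a quoted string, an integer or true/false
_PREF = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Preferences that hold a URL (the homepage may hold several, separated by "|").
# browser.newtab.url and keyword.URL are legacy names but hijackers still write them.
URL_PREFS = {"browser.startup.homepage", "browser.newtab.url", "keyword.URL"}
# Preferences that hold a search-engine name rather than a URL.
ENGINE_PREFS = {"browser.search.defaultenginename", "browser.search.selectedEngine"}
# Prefix Firefox does not set on its own; it is what JRT removed in this thread.
FOREIGN_PREFIX = "browser.search.searchengine."

# Allowlists are assumptions for this example; tune them to the user's real choices.
TRUSTED_HOSTS = {"www.mozilla.org", "www.google.com", "www.bing.com", "duckduckgo.com"}
TRUSTED_ENGINES = {"Google", "Bing", "DuckDuckGo"}


def parse_prefs(text: str) -> dict[str, str]:
    """Return {pref name: raw value} for every user_pref() line in prefs.js text."""
    prefs: dict[str, str] = {}
    for line in text.splitlines():
        m = _PREF.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def _unquote(raw: str) -> str:
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw


def is_suspicious(name: str, raw_value: str) -> bool:
    """True if a pref points the browser somewhere the allowlists do not cover."""
    if name.startswith(FOREIGN_PREFIX):
        return True
    value = _unquote(raw_value)
    if name in ENGINE_PREFS:
        return value not in TRUSTED_ENGINES
    if name in URL_PREFS:
        for url in value.split("|"):
            if url.startswith("about:"):
                continue
            host = urlparse(url).hostname
            if host is None or host.lower() not in TRUSTED_HOSTS:
                return True
    return False


def find_hijack_prefs(text: str) -> list[str]:
    """Sorted names of the user_pref entries that look hijacked."""
    return sorted(n for n, v in parse_prefs(text).items() if is_suspicious(n, v))


def clean_prefs(text: str) -> str:
    """Return prefs.js text with the suspicious user_pref lines removed."""
    kept = []
    for line in text.splitlines(keepends=True):
        m = _PREF.match(line)
        if m and is_suspicious(m.group(1), m.group(2).strip()):
            continue
        kept.append(line)
    return "".join(kept)


# Constructed sample (not the poster's real file): pref names and the uid value
# follow the JRT output in this thread; the keyword.URL host is made up.
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1493812000);
user_pref("browser.startup.homepage", "https://www.google.com/|about:home");
user_pref("browser.search.searchengine.name", "luck");
user_pref("browser.search.searchengine.ts", 1492706584);
user_pref("browser.search.searchengine.uid", "ts240gssd220s_012961b4d31433b10217");
user_pref("browser.search.defaultenginename", "Google");
user_pref("keyword.URL", "http://hijacker.example/search?q=");
"""

if __name__ == "__main__":
    # Real use: read %APPDATA%\Mozilla\Firefox\Profiles\<profile>\prefs.js with
    # Firefox closed, then write clean_prefs(...) back over it.
    for name in find_hijack_prefs(SAMPLE_PREFS):
        print("suspicious:", name)
```

Removing the lines only resets the settings; if they reappear at the next browser start, something outside prefs.js (an extension, a user.js file in the same profile, or a program on the machine) is writing them back, which is the "root" the original poster is asking about and what the FRST fix and the scans above are meant to find.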

AdwCleaner didn't detect anything, thus I didn't obtain a log file. Here are the rest:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 10 Pro x64 
Ran by User (Administrator) on 06-May-17 at 22:48:23.35
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


File System: 0 


Deleted the following from C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\avlws67r.default\prefs.js
user_pref(browser.search.searchengine.alias, );
user_pref(browser.search.searchengine.name, luck);
user_pref(browser.search.searchengine.ref, );
user_pref(browser.search.searchengine.ts, 1492706584);
user_pref(browser.search.searchengine.type, );
user_pref(browser.search.searchengine.uid, ts240gssd220s_012961b4d31433b10217);

Registry: 0 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 06-May-17 at 22:49:10.85
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2017-05-06 21:02:47.623    Sophos Virus Removal Tool version 2.5.6
2017-05-06 21:02:47.623    Copyright (c) 2009-2016 Sophos Limited. All rights reserved.

2017-05-06 21:02:47.623    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2017-05-06 21:02:47.623    Windows version 6.2 SP 0.0  build 9200 SM=0x100 PT=0x1 WOW64
2017-05-06 21:02:47.624    Checking for updates...
2017-05-06 21:02:47.641    Update progress: proxy server not available
2017-05-06 21:02:55.549    Option all = no
2017-05-06 21:02:55.549    Option recurse = yes
2017-05-06 21:02:55.549    Option archive = no
2017-05-06 21:02:55.549    Option service = yes
2017-05-06 21:02:55.549    Option confirm = yes
2017-05-06 21:02:55.549    Option sxl = yes
2017-05-06 21:02:55.549    Option max-data-age = 35
2017-05-06 21:02:55.549    Option vdl-logging = yes
2017-05-06 21:02:55.565    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2017-05-06 21:02:55.565    Machine ID:    2fad8d4bba344232848a54929734e165
2017-05-06 21:02:55.565    Component SVRTcli.exe version 2.5.6
2017-05-06 21:02:55.565    Component control.dll version 2.5.6
2017-05-06 21:02:55.565    Component SVRTservice.exe version 2.5.6
2017-05-06 21:02:55.565    Component engine\osdp.dll version 1.44.1.2281
2017-05-06 21:02:55.565    Component engine\veex.dll version 3.68.1.2281
2017-05-06 21:02:55.565    Component engine\savi.dll version 9.0.7.2281
2017-05-06 21:02:55.565    Component rkdisk.dll version 1.5.31.1
2017-05-06 21:02:55.565    Version info:    Product version    2.5.6
2017-05-06 21:02:55.565    Version info:    Detection engine    3.68.1
2017-05-06 21:02:55.565    Version info:    Detection data    5.38
2017-05-06 21:02:55.565    Version info:    Build date    4/4/2017
2017-05-06 21:02:55.565    Version info:    Data files added    267
2017-05-06 21:02:55.565    Version info:    Last successful update    (not yet updated)
2017-05-06 21:03:00.566    Downloading updates...
2017-05-06 21:03:00.566    Update progress: [I96736] sdds.svrt_10: adding primary package C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED baseVersion=1
2017-05-06 21:03:00.566    Update progress: [I95020] sdds.svrt_10: looking for packages included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-05-06 21:03:00.566    Update progress: [I22529] sdds.svrt_10: looking for supplements included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-05-06 21:03:00.566    Update progress: [I49502] sdds.savi0910.xml: found supplement SAVIW32 LATEST path= baseVersion= [included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=]
2017-05-06 21:03:00.566    Update progress: [I95020] sdds.savi0910.xml: looking for packages included from product SAVIW32 LATEST path=
2017-05-06 21:03:00.566    Update progress: [I22529] sdds.savi0910.xml: looking for supplements included from product SAVIW32 LATEST path=
2017-05-06 21:03:00.566    Update progress: [I49502] sdds.data0910.xml: found supplement IDE539 LATEST path= baseVersion= [included from product SAVIW32 LATEST path=]
2017-05-06 21:03:00.566    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE539 LATEST path=
2017-05-06 21:03:00.566    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE539 LATEST path=
2017-05-06 21:03:00.566    Update progress: [I49502] sdds.data0910.xml: found supplement IDE540 LATEST path= baseVersion= [included from product IDE539 LATEST path=]
2017-05-06 21:03:00.566    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE540 LATEST path=
2017-05-06 21:03:00.566    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE540 LATEST path=
2017-05-06 21:03:00.566    Update progress: [I49502] sdds.data0910.xml: found supplement IDE541 LATEST path= baseVersion= [included from product IDE540 LATEST path=]
2017-05-06 21:03:00.566    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE541 LATEST path=
2017-05-06 21:03:00.566    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE541 LATEST path=
2017-05-06 21:03:00.566    Update progress: [I49502] sdds.data0910.xml: found supplement IDE542 LATEST path= baseVersion= [included from product IDE541 LATEST path=]
2017-05-06 21:03:00.566    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE542 LATEST path=
2017-05-06 21:03:00.566    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE542 LATEST path=
2017-05-06 21:03:00.566    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-05-06 21:03:00.722    Update progress: [I19463] Syncing product SAVIW32 LATEST path=
2017-05-06 21:03:00.722    Update progress: [I19463] Product download size 162626989 bytes
2017-05-06 21:03:04.707    Update progress: [I19463] Syncing product IDE539 LATEST path=
2017-05-06 21:03:04.707    Update progress: [I19463] Product download size 2453408 bytes
2017-05-06 21:03:05.861    Update progress: [I19463] Syncing product IDE540 LATEST path=
2017-05-06 21:03:05.861    Update progress: [I19463] Product download size 1784068 bytes
2017-05-06 21:03:07.467    Update progress: [I19463] Syncing product IDE541 LATEST path=
2017-05-06 21:03:07.467    Update progress: [I19463] Product download size 361178 bytes
2017-05-06 21:03:09.217    Update progress: [I19463] Syncing product IDE542 LATEST path=
2017-05-06 21:03:09.248    Installing updates...
2017-05-06 21:03:09.873    Error level 1
2017-05-06 21:03:14.792    Update successful
2017-05-06 21:03:22.652    Option all = no
2017-05-06 21:03:22.652    Option recurse = yes
2017-05-06 21:03:22.652    Option archive = no
2017-05-06 21:03:22.652    Option service = yes
2017-05-06 21:03:22.652    Option confirm = yes
2017-05-06 21:03:22.652    Option sxl = yes
2017-05-06 21:03:22.652    Option max-data-age = 35
2017-05-06 21:03:22.652    Option vdl-logging = yes
2017-05-06 21:03:22.668    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2017-05-06 21:03:22.668    Machine ID:    2fad8d4bba344232848a54929734e165
2017-05-06 21:03:22.668    Component SVRTcli.exe version 2.5.6
2017-05-06 21:03:22.668    Component control.dll version 2.5.6
2017-05-06 21:03:22.668    Component SVRTservice.exe version 2.5.6
2017-05-06 21:03:22.668    Component engine\osdp.dll version 1.44.1.2281
2017-05-06 21:03:22.668    Component engine\veex.dll version 3.68.1.2281
2017-05-06 21:03:22.668    Component engine\savi.dll version 9.0.7.2281
2017-05-06 21:03:22.668    Component rkdisk.dll version 1.5.31.1
2017-05-06 21:03:22.668    Version info:    Product version    2.5.6
2017-05-06 21:03:22.668    Version info:    Detection engine    3.68.1
2017-05-06 21:03:22.668    Version info:    Detection data    5.38
2017-05-06 21:03:22.668    Version info:    Build date    4/4/2017
2017-05-06 21:03:22.668    Version info:    Data files added    299
2017-05-06 21:03:22.668    Version info:    Last successful update    5/6/2017 11:03:14 PM

2017-05-06 21:17:43.601    Could not open C:\hiberfil.sys
2017-05-06 21:17:44.132    Could not open C:\pagefile.sys
2017-05-06 21:43:16.292    Could not open C:\swapfile.sys
2017-05-06 21:43:16.391    Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-05-06 21:43:16.391    Could not open C:\System Volume Information\{702533c7-26d7-11e7-8d35-4ccc6a8daee8}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-05-06 21:43:16.391    Could not open C:\System Volume Information\{83c1e5a9-329a-11e7-8d41-4ccc6a8daee8}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-05-06 21:43:16.391    Could not open C:\System Volume Information\{83c1e8b2-329a-11e7-8d41-4ccc6a8daee8}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-05-06 21:43:16.391    Could not open C:\System Volume Information\{9cba2e24-2212-11e7-8d33-4ccc6a8daee8}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-05-06 21:43:16.391    Could not open C:\System Volume Information\{aa8593f0-2f56-11e7-8d3b-4ccc6a8daee8}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-05-06 21:43:16.391    Could not open C:\System Volume Information\{b3abc4df-3277-11e7-8d40-4ccc6a8daee8}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-05-06 21:43:16.391    Could not open C:\System Volume Information\{fe5d214a-29e2-11e7-8d36-4ccc6a8daee8}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-05-06 21:49:17.579    >>> Virus 'Troj/KMS-A' found in file C:\Windows\KMS-R@1nHook.dll
2017-05-06 21:49:17.579    >>> Virus 'Troj/KMS-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
2017-05-06 21:49:17.579    >>> Virus 'Troj/KMS-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
2017-05-06 21:49:33.273    >>> Virus 'Troj/KMS-A' found in file C:\Windows\KMS-R@1nHook.exe
2017-05-06 21:49:33.273    >>> Virus 'Troj/KMS-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
2017-05-06 21:49:33.273    >>> Virus 'Troj/KMS-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
2017-05-06 21:51:18.677    Could not open C:\Windows\System32\config\BBI
2017-05-06 21:51:18.693    Could not open C:\Windows\System32\config\DRIVERS
2017-05-06 21:51:18.693    Could not open C:\Windows\System32\config\RegBack\DEFAULT
2017-05-06 21:51:18.693    Could not open C:\Windows\System32\config\RegBack\SAM
2017-05-06 21:51:18.693    Could not open C:\Windows\System32\config\RegBack\SECURITY
2017-05-06 21:51:18.693    Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2017-05-06 21:51:18.693    Could not open C:\Windows\System32\config\RegBack\SYSTEM
2017-05-06 22:38:47.003    >>> Virus 'Mal/VMProtBad-A' found in file H:\Torrents\DAEMON Tools Pro Advanced v5.2.0. 0348 Including Crack [h33t][iahq76]\Crack\BRD.dll
2017-05-06 22:38:47.003    >>> Virus 'Mal/VMProtBad-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
2017-05-06 22:38:47.003    >>> Virus 'Mal/VMProtBad-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
2017-05-06 22:39:51.614    The following items will be cleaned up:
2017-05-06 22:39:51.614    Troj/KMS-A
2017-05-06 22:39:51.614    Mal/VMProtBad-A

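The JRT log above shows the actual hijack artefact: six browser.search.searchengine.* entries in the Firefox prefs.js, with the engine name "luck" and a tracking uid. The following Python script is an added example, not part of the thread and not JRT's code; it parses prefs.js syntax and flags search-engine and start-page overrides so the check can be repeated without the tool. The prefs excerpt is constructed (the six searchengine lines mirror the JRT log in prefs.js syntax, the other lines are invented for contrast), and the "foreign namespace" rule plus the trusted-host and trusted-engine allowlists are assumptions made here.

```python
"""Audit a Firefox prefs.js for search-engine and start-page overrides.

Added example for this thread (not JRT's code). The "foreign namespace" rule
and the trusted-host/engine allowlists below are assumptions made here.
"""
import re
from urllib.parse import urlparse

# Constructed prefs.js excerpt. The browser.search.searchengine.* lines mirror
# the entries JRT removed in the thread (in real prefs.js syntax); the other
# lines are invented, typical-looking prefs used as negative cases.
PREFS_JS = r'''
# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1493200000);
user_pref("browser.search.defaultenginename", "Google");
user_pref("browser.search.searchengine.alias", "");
user_pref("browser.search.searchengine.name", "luck");
user_pref("browser.search.searchengine.ref", "");
user_pref("browser.search.searchengine.ts", 1492706584);
user_pref("browser.search.searchengine.type", "");
user_pref("browser.search.searchengine.uid", "ts240gssd220s_012961b4d31433b10217");
user_pref("browser.startup.homepage", "http://example.invalid/start|https://www.mozilla.org/");
user_pref("privacy.donottrackheader.enabled", true);
'''

# One pref per line: user_pref("<key>", <value>);
PREF_RE = re.compile(r'^\s*user_pref\("(?P<key>[^"]+)",\s*(?P<val>.*)\);\s*$')

FOREIGN_PREFIX = "browser.search.searchengine."  # assumed: not a namespace Firefox itself writes
URL_PREFS = {"browser.startup.homepage", "browser.newtab.url", "keyword.URL"}
ENGINE_PREFS = {"browser.search.defaultenginename", "browser.search.selectedEngine"}
TRUSTED_HOSTS = {"www.google.com", "duckduckgo.com", "www.bing.com", "www.mozilla.org"}  # assumed allowlist
TRUSTED_ENGINES = {"Google", "DuckDuckGo", "Bing", "Yahoo"}  # assumed allowlist


def parse_prefs(text):
    """Return {key: value}; string, integer and boolean values are decoded."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        raw = m.group("val").strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[m.group("key")] = value
    return prefs


def audit(prefs):
    """Return {key: reason} for every pref that looks like a hijack."""
    flagged = {}
    for key, value in prefs.items():
        if key.startswith(FOREIGN_PREFIX):
            flagged[key] = "foreign search-engine namespace"
        elif key in ENGINE_PREFS and value not in TRUSTED_ENGINES:
            flagged[key] = f"search engine '{value}' not on allowlist"
        elif key in URL_PREFS and isinstance(value, str):
            # Firefox stores several start pages in one pref separated by '|'.
            for url in value.split("|"):
                if url.startswith("about:"):
                    continue
                host = urlparse(url).hostname or ""
                if host not in TRUSTED_HOSTS:
                    flagged[key] = f"start page points at untrusted host '{host or url}'"
                    break
    return flagged


if __name__ == "__main__":
    for key, reason in audit(parse_prefs(PREFS_JS)).items():
        print(f"{key}: {reason}")
```

Run it against a live profile by reading `prefs.js` from the profile directory instead of `PREFS_JS`. Note that JRT deleted the lines from prefs.js, which is only half the fix: Firefox rewrites prefs.js from memory on exit, so the browser must be closed while the file is edited or the entries come straight back.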

Fix result of Farbar Recovery Scan Tool (x64) Version: 06-05-2017
Ran by User (06-05-2017 22:27:06) Run:1
Running from C:\Users\User\Desktop
Loaded Profiles: User (Available Profiles: defaultuser0 & User)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CloseProcesses:
CreateRestorePoint:
HKU\S-1-5-21-1330307909-1062611830-3958091394-1001\...\Run: [background_fault] => C:\Users\User\AppData\Local\background_fault\aswRD.exe [1419576 2017-05-04] (AVAST Software) <===== ATTENTION
C:\Users\User\AppData\Local\background_fault\aswRD.exe
C:\Users\User\AppData\Local\background_fault
IFEO\OSppSvc.exe: [Debugger] KMS-R@1nHook.exe
IFEO\SppExtComObj.exe: [Debugger] KMS-R@1nHook.exe
ShellExecuteHooks: No Name - {D2D606BA-20DF-11E7-B48D-64006A5CFC23} - C:\Users\User\AppData\Roaming\Mojetion\Prutolethermo.dll -> No File 
C:\Users\User\AppData\Roaming\Mojetion
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-05-04] <==== ATTENTION
CHR Extension: (Chrome Media Router) - C:\Users\User\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-25]
R2 KMS-R@1n; C:\Windows\KMS-R@1n.exe [26112 2017-03-31] () [File not signed]
S2 3DM; C:\Users\User\AppData\Local\3DM\Kitty.dll [X] 
017-05-04 10:41 - 2017-05-04 10:41 - 00000000 ____D C:\Users\User\AppData\Roaming\Zoohair
2017-05-04 10:41 - 2017-05-04 10:41 - 00000000 ____D C:\Users\User\AppData\Local\Zoohair
2017-05-04 10:41 - 2017-05-04 10:41 - 00000000 ____D C:\Program Files (x86)\Zoohair
C:\Windows\SysWOW64\33
C:\Windows\SysWOW64\2
C:\Users\User\AppData\Local\Lvidombavu
2017-04-01 20:21 - 2017-04-01 20:21 - 0019968 ____N (Red Hat®, Inc.) C:\Users\User\AppData\Local\Temp\jansi-64-5510633469918994607.dll
2017-03-31 20:14 - 2017-03-31 20:14 - 0019968 ____N (Red Hat®, Inc.) C:\Users\User\AppData\Local\Temp\jansi-64-5860634072921949545.dll
2017-03-31 20:01 - 2017-03-31 20:01 - 0019968 ____N (Red Hat®, Inc.) C:\Users\User\AppData\Local\Temp\jansi-64-7245449982420327427.dll
2017-04-01 20:22 - 2017-04-01 20:22 - 0019968 ____N (Red Hat®, Inc.) C:\Users\User\AppData\Local\Temp\jansi-64-7298948993584861270.dll
2017-03-31 20:00 - 2017-03-31 20:00 - 0019968 _____ (Red Hat®, Inc.) C:\Users\User\AppData\Local\Temp\jansi-64-7644159703659385550.dll
2017-04-24 18:49 - 2017-04-24 18:49 - 0739904 _____ (Oracle Corporation) C:\Users\User\AppData\Local\Temp\jre-8u131-windows-au.exe
2017-04-16 02:24 - 2007-02-28 01:08 - 0456416 ____R (Macrovision Corporation) C:\Users\User\AppData\Local\Temp\_is551F.exe
2017-04-16 02:20 - 2007-02-28 01:08 - 0456416 ____R (Macrovision Corporation) C:\Users\User\AppData\Local\Temp\_isE36.exe 
Task: {1BA382C3-AE1B-4429-B9C5-EC71EBAAB136} - System32\Tasks\R@1n-KMS\Office16ProPlus => wmic
Task: {5AB3104E-B23B-443B-9C91-42165ECB40D3} - \Fuwitherfakution -> No File <==== ATTENTION
Task: {5DB6D008-4A5C-4893-9700-66DFBB4F00E7} - System32\Tasks\R@1n-KMS\Windows100Professional => wmic 
Task: {AD1A2EAC-7909-4331-95F0-BA55CB546717} - System32\Tasks\Rugution Launcher => C:\Program Files (x86)\Ghufosh\xphatusy.exe 
C:\Program Files (x86)\Ghufosh
 Shortcut: C:\Users\User\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\cfa384dbd06217b1\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\a939634e1e9fb4f6\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\360c22b137d62ce9\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.)
ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\cf37b13bbffc312b\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.) -> --profile-directory=ChromeDefaultData 
C:\Program Files (x86)\Zoohair
C:\Windows\KMS-R@1n.exe
FirewallRules: [{F8FC2A3A-8C74-46B1-9A9A-49564D12371C}] => (Allow) C:\Windows\KMS-R@1n.exe
FirewallRules: [{5286A95D-953E-4884-A4A0-36AE7FFA00FA}] => (Allow) C:\Windows\KMS-R@1n.exe
CMD: ipconfig /flushdns
Hosts:
EmptyTemp:
end

*****************

Processes closed successfully.
Restore point was successfully created.
HKU\S-1-5-21-1330307909-1062611830-3958091394-1001\Software\Microsoft\Windows\CurrentVersion\Run\\background_fault => value removed successfully
C:\Users\User\AppData\Local\background_fault\aswRD.exe => moved successfully
C:\Users\User\AppData\Local\background_fault => moved successfully
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\OSppSvc.exe => key removed successfully
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\SppExtComObj.exe => key removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{D2D606BA-20DF-11E7-B48D-64006A5CFC23} => value removed successfully
HKCR\CLSID\{D2D606BA-20DF-11E7-B48D-64006A5CFC23} => key not found. 
C:\Users\User\AppData\Roaming\Mojetion => moved successfully
C:\Users\User\AppData\Local\Google\Chrome\User Data\ChromeDefaultData => moved successfully
C:\Users\User\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => not found
HKLM\System\CurrentControlSet\Services\KMS-R@1n => key removed successfully
KMS-R@1n => service removed successfully
HKLM\System\CurrentControlSet\Services\3DM => key removed successfully
3DM => service removed successfully
017-05-04 10:41 - 2017-05-04 10:41 - 00000000 ____D C:\Users\User\AppData\Roaming\Zoohair => Error: No automatic fix found for this entry.
C:\Users\User\AppData\Local\Zoohair => moved successfully

"C:\Program Files (x86)\Zoohair" folder move:

Could not move "C:\Program Files (x86)\Zoohair" => Scheduled to move on reboot.

C:\Windows\SysWOW64\33 => moved successfully
C:\Windows\SysWOW64\2 => moved successfully
C:\Users\User\AppData\Local\Lvidombavu => moved successfully
C:\Users\User\AppData\Local\Temp\jansi-64-5510633469918994607.dll => moved successfully
C:\Users\User\AppData\Local\Temp\jansi-64-5860634072921949545.dll => moved successfully
C:\Users\User\AppData\Local\Temp\jansi-64-7245449982420327427.dll => moved successfully
C:\Users\User\AppData\Local\Temp\jansi-64-7298948993584861270.dll => moved successfully
C:\Users\User\AppData\Local\Temp\jansi-64-7644159703659385550.dll => moved successfully
C:\Users\User\AppData\Local\Temp\jre-8u131-windows-au.exe => moved successfully
C:\Users\User\AppData\Local\Temp\_is551F.exe => moved successfully
C:\Users\User\AppData\Local\Temp\_isE36.exe => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1BA382C3-AE1B-4429-B9C5-EC71EBAAB136} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1BA382C3-AE1B-4429-B9C5-EC71EBAAB136} => key removed successfully
C:\Windows\System32\Tasks\R@1n-KMS\Office16ProPlus => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\R@1n-KMS\Office16ProPlus => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5AB3104E-B23B-443B-9C91-42165ECB40D3} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5AB3104E-B23B-443B-9C91-42165ECB40D3} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Fuwitherfakution => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5DB6D008-4A5C-4893-9700-66DFBB4F00E7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5DB6D008-4A5C-4893-9700-66DFBB4F00E7} => key removed successfully
C:\Windows\System32\Tasks\R@1n-KMS\Windows100Professional => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\R@1n-KMS\Windows100Professional => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AD1A2EAC-7909-4331-95F0-BA55CB546717} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD1A2EAC-7909-4331-95F0-BA55CB546717} => key removed successfully
C:\Windows\System32\Tasks\Rugution Launcher => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Rugution Launcher => key removed successfully
"C:\Program Files (x86)\Ghufosh" => not found.
C:\Users\User\Desktop\Google Chrome.lnk => moved successfully
C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk => moved successfully
C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk => moved successfully
C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\cfa384dbd06217b1\Google Chrome.lnk => moved successfully
C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\a939634e1e9fb4f6\Google Chrome.lnk => moved successfully
C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\360c22b137d62ce9\Google Chrome.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => moved successfully
C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\cf37b13bbffc312b\Google Chrome.lnk => Shortcut argument removed successfully.

"C:\Program Files (x86)\Zoohair" folder move:

Could not move "C:\Program Files (x86)\Zoohair" => Scheduled to move on reboot.

C:\Windows\KMS-R@1n.exe => moved successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F8FC2A3A-8C74-46B1-9A9A-49564D12371C} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{5286A95D-953E-4884-A4A0-36AE7FFA00FA} => value removed successfully

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 1430448 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 36329842 B
Java, Flash, Steam htmlcache => 248665282 B
Windows/system/drivers => 25868985 B
Edge => 33499354 B
Chrome => 482304 B
Firefox => 28771587 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 25526454 B
LocalService => 1588 B
NetworkService => 63447726 B
defaultuser0 => 128 B
User => 577506421 B

RecycleBin => 565811540 B
EmptyTemp: => 1.5 GB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 06-05-2017 22:28:16)

C:\Program Files (x86)\Zoohair => Is moved successfully
C:\Program Files (x86)\Zoohair => Is moved successfully

==== End of Fixlog 22:28:16 ====

Sorry. Is this it?

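The fixlist above is a compact inventory of Windows persistence mechanisms: a Run key, IFEO Debugger values on OSppSvc.exe and SppExtComObj.exe (every launch of those binaries is redirected through KMS-R@1nHook.exe), a ShellExecuteHook whose DLL is already gone, two services, scheduled tasks (one whose action is wmic), browser shortcuts retargeted at a copy of chrome.exe under Zoohair with a forced profile, and firewall allow rules for the KMS binary. The following Python script is an added example, not part of the thread and not FRST's code; it parses entries in that fixlist syntax and attaches reasons why each one deserves attention. The input is copied from the posted fixlist plus one assumed-benign shortcut as a negative case; the heuristics (user-writable paths, unsigned files, missing targets, LOLBin task actions, the expected Chrome install path, and a cross-check of firewall rules against binaries flagged elsewhere) are this example's own assumptions, not FRST's logic.

```python
"""Triage persistence entries written in FRST fixlist syntax.

Added example for this thread; it is not FRST's code and every heuristic
below is an assumption made here, not FRST's own detection logic.
"""
import re
from dataclasses import dataclass, field

# Constructed input: entries copied from the fixlist posted above, plus one
# assumed-benign Chrome shortcut ("Chrome OK.lnk") as a negative case.
FIXLIST = r"""
HKU\S-1-5-21-1330307909-1062611830-3958091394-1001\...\Run: [background_fault] => C:\Users\User\AppData\Local\background_fault\aswRD.exe [1419576 2017-05-04] (AVAST Software) <===== ATTENTION
IFEO\OSppSvc.exe: [Debugger] KMS-R@1nHook.exe
IFEO\SppExtComObj.exe: [Debugger] KMS-R@1nHook.exe
ShellExecuteHooks: No Name - {D2D606BA-20DF-11E7-B48D-64006A5CFC23} - C:\Users\User\AppData\Roaming\Mojetion\Prutolethermo.dll -> No File
R2 KMS-R@1n; C:\Windows\KMS-R@1n.exe [26112 2017-03-31] () [File not signed]
S2 3DM; C:\Users\User\AppData\Local\3DM\Kitty.dll [X]
Task: {1BA382C3-AE1B-4429-B9C5-EC71EBAAB136} - System32\Tasks\R@1n-KMS\Office16ProPlus => wmic
Task: {5AB3104E-B23B-443B-9C91-42165ECB40D3} - \Fuwitherfakution -> No File <==== ATTENTION
Task: {AD1A2EAC-7909-4331-95F0-BA55CB546717} - System32\Tasks\Rugution Launcher => C:\Program Files (x86)\Ghufosh\xphatusy.exe
Shortcut: C:\Users\User\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.)
ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\cf37b13bbffc312b\Google Chrome.lnk -> C:\Program Files (x86)\Zoohair\Application\chrome.exe (Google Inc.) -> --profile-directory=ChromeDefaultData
Shortcut: C:\Users\User\Desktop\Chrome OK.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
FirewallRules: [{F8FC2A3A-8C74-46B1-9A9A-49564D12371C}] => (Allow) C:\Windows\KMS-R@1n.exe
"""


@dataclass
class Finding:
    kind: str                 # persistence mechanism
    name: str                 # key / service / task id / shortcut path
    target: str               # what gets executed or loaded
    reasons: list = field(default_factory=list)  # empty == nothing flagged


USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Where a genuine Chrome lives (assumption for this example).
GENUINE_CHROME = re.compile(r"\\Google\\Chrome\\Application\\chrome\.exe$", re.I)
LOLBINS = {"wmic", "wmic.exe", "powershell", "powershell.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "cmd.exe"}

# One regex per FRST entry type seen in the fixlist (searched, not full-matched).
PATTERNS = [
    ("Run key", re.compile(r"\\Run: \[(?P<name>[^\]]*)\] => (?P<target>.*?)(?: \[\d|$)")),
    ("IFEO debugger", re.compile(r"^IFEO\\(?P<name>[^:]+): \[Debugger\] (?P<target>.+)$")),
    ("ShellExecuteHook", re.compile(r"^ShellExecuteHooks: .*? - (?P<name>\{[^}]+\}) - (?P<target>.*?)(?: -> |$)")),
    ("Service", re.compile(r"^[RS]\d (?P<name>[^;]+); (?P<target>.*?)(?: \[|$)")),
    ("Scheduled task", re.compile(r"^Task: (?P<name>\{[^}]+\}) - (?P<path>.*?)(?: => (?P<target>.*?))?(?: -> (?P<missing>No File))?(?: <=+ ATTENTION)?\s*$")),
    ("Shortcut", re.compile(r"^Shortcut(?:WithArgument)?: (?P<name>.*?\.lnk) -> (?P<target>.*?)(?: \([^()]*\))?(?: -> (?P<args>.*))?$")),
    ("Firewall allow", re.compile(r"^FirewallRules: \[(?P<name>\{[^}]+\})\] => \(Allow\) (?P<target>.+)$")),
]


def assess(f, groups, line):
    """Attach human-readable reasons to a finding (all rules are assumptions)."""
    if "ATTENTION" in line:
        f.reasons.append("flagged by FRST")
    if "No File" in line or "[X]" in line:
        f.reasons.append("target file missing (orphaned persistence entry)")
    if "[File not signed]" in line:
        f.reasons.append("unsigned binary")
    if USER_WRITABLE.search(f.target):
        f.reasons.append("runs from a user-writable directory")
    if f.kind == "IFEO debugger":
        f.reasons.append(f"every launch of {f.name} is redirected through {f.target}")
    if f.kind == "Scheduled task" and f.target.lower() in LOLBINS:
        f.reasons.append(f"task action is a living-off-the-land binary: {f.target}")
    if f.kind == "Shortcut" and f.target.lower().endswith("chrome.exe") and not GENUINE_CHROME.search(f.target):
        f.reasons.append("browser shortcut points at a chrome.exe outside the Google install directory")
    if groups.get("args") and "--profile-directory" in groups["args"]:
        f.reasons.append(f"shortcut forces a profile ({groups['args']})")


def triage(text):
    """Parse fixlist text into Findings and cross-check firewall rules."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for kind, pat in PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            g = m.groupdict()
            target = (g.get("target") or g.get("missing") or g.get("path") or "").strip()
            f = Finding(kind, g.get("name", "").strip(), target)
            assess(f, g, line)
            findings.append(f)
            break
    # Second pass: an Allow rule for a binary flagged by another entry is itself a finding.
    flagged = {f.target.lower() for f in findings if f.reasons and f.kind != "Firewall allow"}
    for f in findings:
        if f.kind == "Firewall allow" and f.target.lower() in flagged:
            f.reasons.append("allow rule for a binary flagged by another entry")
    return findings


def report(findings):
    lines = []
    for f in findings:
        status = "REVIEW" if f.reasons else "ok?   "
        lines.append(f"[{status}] {f.kind:<16} {f.name} -> {f.target}")
        lines.extend(f"           - {r}" for r in f.reasons)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(FIXLIST)))
```

Two entries come out with no reasons: the assumed-benign shortcut, and the "Rugution Launcher" task whose action sits under Program Files (x86)\Ghufosh. Path-based heuristics cannot tell that directory from a legitimate install; the fixlog's `"C:\Program Files (x86)\Ghufosh" => not found` is what shows the task was orphaned, so an entry with no reasons still needs a look rather than being treated as clean.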

Thanks for the update. Continue with the following to clean up.

Uninstall Sophos AV http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double-click to start the program. If you are using Vista or higher, please right-click and choose "Run as administrator".

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points; a new point relative to the system's present status will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC security and best practices; you may find them useful.

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

This topic is now closed to further replies.