Nasty Malware, MBAR won't work


Stanczyk

Thanks for those logs. I want you to run another FRST fix via the Recovery Environment. Boot to the RE as you did before from the Windows 10 Recovery DVD.

Download the attached file fixlist.txt (end of reply) and save it to your USB flash drive alongside FRST, then plug it into your PC...

Boot to the Choose an Option Window:



From that window select "Troubleshoot"





From the next window select "Advanced Options"




From that Window select "Command Prompt"

Make sure the flash drive is plugged into a USB port... You should now be in the Recovery Environment with the Command Prompt window open......

Continue with the following:
 
  • In the command window type in notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type E:\frst64 or E:\frst depending on your version. Press Enter.
  • Note: Replace the letter E with the drive letter of your flash drive. <<<---- very important
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Fix button just once and wait.
  • FRST will run and make a log (fixlog.txt) on the flash drive. You will need to boot back to normal Windows to post the log, or if applicable do that from a spare PC...
  • To boot back to Windows, type exit at the prompt and hit Enter.
  • Please copy and paste or attach fixlog.txt to your reply.

Next,

Reboot to normal windows and run another threat scan with Malwarebytes....

Thank you,

Kevin...

fixlist.txt


Things look clean, but I can't run certain programs like RKill.exe ("Requested resource in use...") or access or remove the folder the infection made in my Local\AppData folder (unikrpc).

Fix result of Farbar Recovery Scan Tool (x64) Version: 12-09-2017
Ran by SYSTEM (13-09-2017 18:57:31) Run:9
Running from F:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
Start
C:\WINDOWS\System32\drivers\terbehko.sys
end

 

 

*****************

C:\WINDOWS\System32\drivers\terbehko.sys => moved successfully

==== End of Fixlog 18:57:31 ====

 

 

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 9/13/17
Scan Time: 6:59 PM
Log File: 2c6f4656-98d7-11e7-8803-d017c2d264b1.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2018
Components Version: 1.0.188
Update Package Version: 1.0.2797
License: Trial

-System Information-
OS: Windows 10 (Build 15063.540)
CPU: x64
File System: NTFS
User: DESKTOP-HO5U8KA\List

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 409815
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 1 min, 5 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

 


I believe we've caught and removed the main crux of the infection; this is the first time I've seen two rootkit drivers..... It's really late for me, 20 past midnight...

I want you to run an in-depth AV scan to ensure we've not missed any remnants of this nasty infection; when that completes, run another FRST scan. I'll catch up later...

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security software alerts on this scan, either accept the alert or turn off your security software to allow Sophos to run and complete.....

Please do not use your PC whilst the scan is in progress.... This scan is very thorough, so it may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Next,

Run FRST one more time. Ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs, "FRST.txt" and "Addition.txt".

Let me see those logs in your reply.... Also give an update on any remaining issues or concerns...

Thank you,

Kevin

2017-09-13 23:33:25.760    Sophos Virus Removal Tool version 2.6.1
2017-09-13 23:33:25.760    Copyright (c) 2009-2017 Sophos Limited. All rights reserved.

2017-09-13 23:33:25.760    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2017-09-13 23:33:25.760    Windows version 6.2 SP 0.0  build 9200 SM=0x300 PT=0x1 WOW64
2017-09-13 23:33:25.761    Checking for updates...
2017-09-13 23:33:25.806    Update progress: proxy server not available
2017-09-13 23:33:31.607    Option all = no
2017-09-13 23:33:31.607    Option recurse = yes
2017-09-13 23:33:31.608    Option archive = no
2017-09-13 23:33:31.608    Option service = yes
2017-09-13 23:33:31.608    Option confirm = yes
2017-09-13 23:33:31.608    Option sxl = yes
2017-09-13 23:33:31.608    Option max-data-age = 35
2017-09-13 23:33:31.608    Option vdl-logging = yes
2017-09-13 23:33:31.612    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2017-09-13 23:33:31.612    Machine ID:    bcf910b213fe40b0b98bd605fc4e1bff
2017-09-13 23:33:31.613    Component SVRTcli.exe version 2.6.1
2017-09-13 23:33:31.613    Component control.dll version 2.6.1
2017-09-13 23:33:31.613    Component SVRTservice.exe version 2.6.1
2017-09-13 23:33:31.613    Component engine\osdp.dll version 1.44.1.2286
2017-09-13 23:33:31.613    Component engine\veex.dll version 3.68.6.2286
2017-09-13 23:33:31.613    Component engine\savi.dll version 9.0.7.2286
2017-09-13 23:33:31.613    Component rkdisk.dll version 1.5.31.1
2017-09-13 23:33:31.613    Version info:    Product version    2.6.1
2017-09-13 23:33:31.614    Version info:    Detection engine    3.68.6
2017-09-13 23:33:31.614    Version info:    Detection data    5.42
2017-09-13 23:33:31.614    Version info:    Build date    7/25/2017
2017-09-13 23:33:31.614    Version info:    Data files added    389
2017-09-13 23:33:31.614    Version info:    Last successful update    (not yet updated)
2017-09-13 23:33:36.256    Downloading updates...
2017-09-13 23:33:36.257    Update progress: [I96736] sdds.svrt_10: adding primary package C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED baseVersion=1
2017-09-13 23:33:36.257    Update progress: [I95020] sdds.svrt_10: looking for packages included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-09-13 23:33:36.257    Update progress: [I22529] sdds.svrt_10: looking for supplements included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-09-13 23:33:36.257    Update progress: [I49502] sdds.savi0910.xml: found supplement SAVIW32 LATEST path= baseVersion= [included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=]
2017-09-13 23:33:36.257    Update progress: [I95020] sdds.savi0910.xml: looking for packages included from product SAVIW32 LATEST path=
2017-09-13 23:33:36.257    Update progress: [I22529] sdds.savi0910.xml: looking for supplements included from product SAVIW32 LATEST path=
2017-09-13 23:33:36.257    Update progress: [I49502] sdds.data0910.xml: found supplement IDE543 LATEST path= baseVersion= [included from product SAVIW32 LATEST path=]
2017-09-13 23:33:36.258    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE543 LATEST path=
2017-09-13 23:33:36.258    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE543 LATEST path=
2017-09-13 23:33:36.258    Update progress: [I49502] sdds.data0910.xml: found supplement IDE544 LATEST path= baseVersion= [included from product IDE543 LATEST path=]
2017-09-13 23:33:36.258    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE544 LATEST path=
2017-09-13 23:33:36.258    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE544 LATEST path=
2017-09-13 23:33:36.258    Update progress: [I49502] sdds.data0910.xml: found supplement IDE545 LATEST path= baseVersion= [included from product IDE544 LATEST path=]
2017-09-13 23:33:36.258    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE545 LATEST path=
2017-09-13 23:33:36.258    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE545 LATEST path=
2017-09-13 23:33:36.258    Update progress: [I49502] sdds.data0910.xml: found supplement IDE546 LATEST path= baseVersion= [included from product IDE545 LATEST path=]
2017-09-13 23:33:36.258    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE546 LATEST path=
2017-09-13 23:33:36.258    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE546 LATEST path=
2017-09-13 23:33:36.258    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-09-13 23:33:36.353    Update progress: [I19463] Syncing product SAVIW32 LATEST path=
2017-09-13 23:33:36.353    Update progress: [I19463] Product download size 170129587 bytes
2017-09-13 23:33:37.499    Update progress: [I19463] Syncing product IDE543 LATEST path=
2017-09-13 23:33:37.499    Update progress: [I19463] Product download size 2650459 bytes
2017-09-13 23:33:37.704    Update progress: [I19463] Syncing product IDE544 LATEST path=
2017-09-13 23:33:37.704    Update progress: [I19463] Product download size 2139985 bytes
2017-09-13 23:33:37.875    Update progress: [I19463] Syncing product IDE545 LATEST path=
2017-09-13 23:33:37.875    Update progress: [I19463] Product download size 2135034 bytes
2017-09-13 23:33:37.989    Update progress: [I19463] Syncing product IDE546 LATEST path=
2017-09-13 23:33:38.005    Installing updates...
2017-09-13 23:33:38.611    Error level 1
2017-09-13 23:33:40.984    Update successful
2017-09-13 23:33:46.990    Option all = no
2017-09-13 23:33:46.990    Option recurse = yes
2017-09-13 23:33:46.990    Option archive = no
2017-09-13 23:33:46.990    Option service = yes
2017-09-13 23:33:46.990    Option confirm = yes
2017-09-13 23:33:46.990    Option sxl = yes
2017-09-13 23:33:46.991    Option max-data-age = 35
2017-09-13 23:33:46.991    Option vdl-logging = yes
2017-09-13 23:33:46.994    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2017-09-13 23:33:46.994    Machine ID:    bcf910b213fe40b0b98bd605fc4e1bff
2017-09-13 23:33:46.995    Component SVRTcli.exe version 2.6.1
2017-09-13 23:33:46.996    Component control.dll version 2.6.1
2017-09-13 23:33:46.996    Component SVRTservice.exe version 2.6.1
2017-09-13 23:33:46.996    Component engine\osdp.dll version 1.44.1.2286
2017-09-13 23:33:46.996    Component engine\veex.dll version 3.68.6.2286
2017-09-13 23:33:46.996    Component engine\savi.dll version 9.0.7.2286
2017-09-13 23:33:46.996    Component rkdisk.dll version 1.5.31.1
2017-09-13 23:33:46.996    Version info:    Product version    2.6.1
2017-09-13 23:33:46.997    Version info:    Detection engine    3.68.6
2017-09-13 23:33:46.997    Version info:    Detection data    5.42
2017-09-13 23:33:46.997    Version info:    Build date    7/25/2017
2017-09-13 23:33:46.997    Version info:    Data files added    389
2017-09-13 23:33:46.997    Version info:    Last successful update    9/13/2017 7:33:40 PM

2017-09-13 23:40:21.858    >>> Virus 'Mal/Generic-S' found in file C:\found.000\dir0000.chk\Users\List\AppData\Local\winwovj\vmtmuoc.exe
2017-09-13 23:40:21.858    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-09-13 23:40:21.858    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-09-13 23:40:22.022    Could not open C:\found.000\dir0001.chk\System32\imekqde\msaabbo.sys
2017-09-13 23:40:22.886    Could not open C:\hiberfil.sys
2017-09-13 23:40:27.162    Could not open C:\pagefile.sys
2017-09-13 23:47:53.129    Could not open C:\swapfile.sys
2017-09-13 23:52:07.109    Could not open C:\Windows\System32\config\BBI
2017-09-13 23:52:07.142    Could not open C:\Windows\System32\config\DRIVERS
2017-09-13 23:52:07.144    Could not open C:\Windows\System32\config\HARDWARE
2017-09-13 23:52:07.146    Could not open C:\Windows\System32\config\RegBack\DEFAULT
2017-09-13 23:52:07.146    Could not open C:\Windows\System32\config\RegBack\SAM
2017-09-13 23:52:07.147    Could not open C:\Windows\System32\config\RegBack\SECURITY
2017-09-13 23:52:07.147    Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2017-09-13 23:52:07.148    Could not open C:\Windows\System32\config\RegBack\SYSTEM
2017-09-13 23:52:30.454    Could not open C:\Windows\System32\drivers\teroruxb.sys
2017-09-14 00:17:36.233    Could not open LOGICAL:0006:00000000
2017-09-14 00:17:36.233    Could not open G:\
2017-09-14 00:17:36.233    Could not open LOGICAL:0007:00000000
2017-09-14 00:17:36.234    Could not open H:\
2017-09-14 00:17:36.234    Could not open LOGICAL:0008:00000000
2017-09-14 00:17:36.234    Could not open I:\
2017-09-14 00:17:36.470    Could not open LOGICAL:000A:00000000
2017-09-14 00:17:36.470    Could not open K:\
2017-09-14 00:17:36.669    The following items will be cleaned up:
2017-09-14 00:17:36.669    Mal/Generic-S
2017-09-14 00:25:46.071    Threat 'Mal/Generic-S' needs a reboot to complete cleanup.
2017-09-14 00:25:46.071    File "C:\found.000\dir0000.chk\Users\List\AppData\Local\winwovj\vmtmuoc.exe" belongs to malware 'Mal/Generic-S'.
2017-09-14 00:25:46.071    File "C:\found.000\dir0000.chk\Users\List\AppData\Local\winwovj\vmtmuoc.exe" has been cleaned up.
2017-09-14 00:25:46.071    Removal successful
2017-09-14 00:25:46.529    Error level 0

 

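The pattern visible in the logs above is worth pulling out mechanically: drivers with random 8-letter names (terbehko.sys, teroruxb.sys, and later terehknr.sys in the FRST "One Month Created files" list) carry no vendor string, the on-demand scanner cannot open them, and the fixlist removes them one path at a time in a Start/end block. The script below is an added example, not code from this thread, from FRST or from Sophos, and assumes only Python 3 and the standard library. It runs over FRST created-files lines and Sophos "Could not open" lines copied from the thread, flags .sys files that look like these rootkit components, and renders the result in the Start/end fixlist layout shown in the fixlog. The name heuristic (7 to 8 lowercase letters, no digits), the allowlist of files Windows normally holds locked, and the "two independent signals" rule are this example's assumptions, not FRST or Sophos rules.

```python
"""Triage of the FRST / Sophos log lines posted in this thread.

Added example, not code from the thread, FRST or Sophos. The regexes,
the random-name heuristic, the allowlist of normally locked files and
the two-signal rule are this example's own assumptions.
"""
import re

# Sample input: FRST "One Month Created files and folders" lines and
# Sophos "Could not open" lines copied from the logs posted in the thread.
FRST_LINES = r"""
2017-09-13 20:35 - 2017-09-13 20:35 - 000253888 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\527B3A51.sys
2017-09-13 20:35 - 2017-09-13 20:35 - 000113488 ____N C:\WINDOWS\system32\Drivers\terehknr.sys
2017-09-13 18:23 - 2017-09-13 18:23 - 000014040 ____N C:\WINDOWS\system32\Drivers\terbehko.sys
2017-09-12 16:17 - 2017-08-24 11:27 - 000077440 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-09-12 15:27 - 2017-09-12 15:27 - 000041800 _____ (Sysinternals - www.sysinternals.com) C:\WINDOWS\system32\Drivers\PROCEXP152.SYS
2017-09-12 09:55 - 2017-09-12 09:55 - 000022704 _____ C:\WINDOWS\system32\Drivers\EsgScanner.sys
"""
SOPHOS_LINES = r"""
2017-09-13 23:40:22.022    Could not open C:\found.000\dir0001.chk\System32\imekqde\msaabbo.sys
2017-09-13 23:40:22.886    Could not open C:\hiberfil.sys
2017-09-13 23:52:30.454    Could not open C:\Windows\System32\drivers\teroruxb.sys
2017-09-14 00:17:36.234    Could not open H:\
"""

FRST_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{9}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<vendor>[^)]*)\) )?(?P<path>.+)$"
)
SOPHOS_RE = re.compile(r"^\S+ \S+\s+Could not open (?P<path>.+)$")
# Assumed heuristic: the rootkit names in this thread are 7-8 lowercase letters.
RANDOM_STEM_RE = re.compile(r"^[a-z]{7,8}$")
DRIVER_DIR_RE = re.compile(r"\\system32\\drivers\\", re.IGNORECASE)
# Files Windows always holds open; "could not open" on these is expected.
EXPECTED_LOCKED = {"hiberfil.sys", "pagefile.sys", "swapfile.sys"}


def stem(path):
    """File name without directory or extension, e.g. 'terbehko'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage_frst(text):
    """Map driver path -> reasons for every suspicious .sys in the FRST list."""
    findings = {}
    for line in text.splitlines():
        m = FRST_RE.match(line.strip())
        if not m or not m.group("path").lower().endswith(".sys"):
            continue
        path = m.group("path")
        reasons = []
        if RANDOM_STEM_RE.match(stem(path)):
            reasons.append("random-looking name")
        if not m.group("vendor"):
            reasons.append("no vendor string in FRST listing")
        if m.group("attrs") != "_____":
            reasons.append("non-default attributes " + m.group("attrs"))
        # Name heuristic plus one corroborating signal: an unattributed but
        # normally named helper driver (mbae64.sys) is common and benign.
        if "random-looking name" in reasons and len(reasons) >= 2:
            findings[path] = reasons
    return findings


def triage_sophos(text):
    """Map path -> reasons for .sys files the scanner could not open."""
    findings = {}
    for line in text.splitlines():
        m = SOPHOS_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        name = path.rsplit("\\", 1)[-1].lower()
        if not name.endswith(".sys") or name in EXPECTED_LOCKED:
            continue
        reasons = ["scanner could not open file"]
        if DRIVER_DIR_RE.search(path):
            reasons.append("lives in the drivers directory")
        if RANDOM_STEM_RE.match(stem(path)):
            reasons.append("random-looking name")
        if len(reasons) >= 2:
            findings[path] = reasons
    return findings


def triage(frst_text, sophos_text):
    """Merge both sources into one path -> reasons report."""
    merged = {}
    for src in (triage_frst(frst_text), triage_sophos(sophos_text)):
        for path, reasons in src.items():
            merged.setdefault(path, []).extend(reasons)
    return merged


def to_fixlist(findings):
    """Render flagged paths in the Start/end layout shown in the fixlog above."""
    return "Start\n" + "".join(p + "\n" for p in sorted(findings)) + "end\n"


if __name__ == "__main__":
    report = triage(FRST_LINES, SOPHOS_LINES)
    for path, reasons in sorted(report.items()):
        print(path, "->", "; ".join(reasons))
    print(to_fixlist(report))
```

Run it as a script to print the report. The two-signal rule is the point: hiberfil.sys is also an 8-letter lowercase name the scanner cannot open, and mbae64.sys has no vendor string, so neither a random-looking name nor a missing vendor is evidence on its own. A list produced this way is a starting point for a helper who then checks the driver's signature and how it is loaded, not a fixlist to run unread.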

I still can't run RKill.exe or view/delete the AppData\Local folder unikrpc (I haven't used RKill before, but I run it to check if the infection is gone).

MBAM still says it's unable to load the anti-Rootkit DDA driver and recommends a restart to try to install it (I'll wait for instructions before doing anything.)

 

 


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-09-2017 02
Ran by List (administrator) on DESKTOP-HO5U8KA (13-09-2017 20:36:22)
Running from C:\Users\List\Desktop\FINALFIX\_1
Loaded Profiles: List (Available Profiles: List)
Platform: Windows 10 Home Version 1703 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\tbaseprovisioning.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
() C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
() C:\Program Files (x86)\Intel\Intel(R) Security Assist\isaHelperService.exe
(Electronic Arts) C:\Program Files (x86)\Origin\OriginWebHelperService.exe
() C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgentUserBroker.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Logitech Inc.) C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
() C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe
(Disc Soft Ltd) D:\Programs\DAEMON Tools Lite\DiscSoftBusServiceLite.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [629152 2017-03-18] (Microsoft Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8783616 2015-12-10] (Realtek Semiconductor)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [163800 2016-07-30] (IvoSoft)
HKLM\...\Run: [BCSSync] => D:\Programs\Microsoft Office\Office14\BCSSync.exe [112512 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [629152 2017-03-18] (Microsoft Corporation)
HKLM\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
HKLM-x32\...\Run: [LWS] => C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe [204136 2012-09-13] (Logitech Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [Aimersoft Helper Compact.exe] => C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe
HKLM-x32\...\Run: [iTubeStudioUpdateHelper.exe] => C:\Program Files (x86)\Aimersoft\iTube Studio\iTubeStudioUpdateHelper.exe
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-07-21] (Oracle Corporation)
HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [3071776 2017-09-07] (Valve Corporation)
HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\...\Run: [DAEMON Tools Lite Automount] => D:\Programs\DAEMON Tools Lite\DTAgent.exe [4299968 2016-08-29] (Disc Soft Ltd)
HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\...\Run: [Web Companion] => C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe --minimize
HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\...\MountPoints2: {231b7c74-313a-11e7-8bc9-d017c2d264b1} - "H:\VerizonSWUpgradeAssistantLauncher.exe"
HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\...\MountPoints2: {6ba43824-6f5c-11e6-a373-806e6f6e6963} - "E:\setup.exe"

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{75773b14-766e-4b4b-857e-e19d16d283c3}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2489865123-2485827485-1206147462-1001 -> DefaultScope {17FFCF3A-1AC2-499E-91B3-89F44E86A4F1} URL =
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> D:\Programs\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\ssv.dll [2017-09-12] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\jp2ssv.dll [2017-09-12] (Oracle Corporation)
Handler: WSISAllmytubechrome - No CLSID Value

FireFox:
========
FF DefaultProfile: n0s9lrf3.default
FF ProfilePath: D:\User\Roaming\Mozilla\Firefox\Profiles\n0s9lrf3.default [2017-09-13]
FF NewTab: Mozilla\Firefox\Profiles\n0s9lrf3.default -> hxxp://www.bing.com/?pc=COSP&ptag=D090517-AD26CBEB7DD&form=CONMHP&conlogo=CT3335811
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\n0s9lrf3.default -> Bing®
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\n0s9lrf3.default -> Bing®
FF Session Restore: Mozilla\Firefox\Profiles\n0s9lrf3.default -> is enabled.
FF Keyword.URL: Mozilla\Firefox\Profiles\n0s9lrf3.default -> user_pref("keyword.URL", true);
FF Extension: (AdBlocker for YouTube™) - D:\User\Roaming\Mozilla\Firefox\Profiles\n0s9lrf3.default\Extensions\jid1-q4sG8pYhq8KGHs@jetpack.xpi [2017-08-10]
FF Extension: (Youtube Feed Cleaner) - D:\User\Roaming\Mozilla\Firefox\Profiles\n0s9lrf3.default\Extensions\jid1-SFLtLoBERr5i6A@jetpack.xpi [2017-07-11]
FF Extension: (JSONView) - D:\User\Roaming\Mozilla\Firefox\Profiles\n0s9lrf3.default\Extensions\jsonview@brh.numbera.com.xpi [2017-03-25]
FF Extension: (Flashblock) - D:\User\Roaming\Mozilla\Firefox\Profiles\n0s9lrf3.default\Extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2016-09-23]
FF Extension: (NoScript) - D:\User\Roaming\Mozilla\Firefox\Profiles\n0s9lrf3.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2017-09-12]
FF Extension: (Download YouTube Videos as MP4) - D:\User\Roaming\Mozilla\Firefox\Profiles\n0s9lrf3.default\Extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}.xpi [2017-02-14]
FF SearchPlugin: D:\User\Roaming\Mozilla\Firefox\Profiles\n0s9lrf3.default\searchplugins\bing-lavasoft.xml [2017-09-05]
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> D:\Programs\Microsoft Office\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.68 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2015-08-25] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2015-08-25] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.144.2 -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\dtplugin\npDeployJava1.dll [2017-09-12] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.144.2 -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\plugin2\npjp2.dll [2017-09-12] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll [2013-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2017-05-01] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2017-05-01] (NVIDIA Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-07-31] (Adobe Systems Inc.)

Chrome:
=======
CHR HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [dhdgffkkebhmkfjojejmpbldmpobfkfo] - hxxp://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 DAUpdaterSvc; D:\Games\steamapps\common\Dragon Age Ultimate Edition\bin_ship\DAUpdaterSvc.Service.exe [25832 2016-09-23] (BioWare)
R3 Disc Soft Lite Bus Service; D:\Programs\DAEMON Tools Lite\DiscSoftBusServiceLite.exe [1467072 2016-08-29] (Disc Soft Ltd)
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [881152 2015-05-22] (Intel(R) Corporation)
S3 Intel(R) Security Assist; C:\Program Files (x86)\Intel\Intel(R) Security Assist\isa.exe [335872 2015-05-19] (Intel Corporation) [File not signed]
R2 isaHelperSvc; C:\Program Files (x86)\Intel\Intel(R) Security Assist\isaHelperService.exe [7680 2015-05-19] () [File not signed]
S2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [207648 2015-10-16] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6058960 2017-08-21] (Malwarebytes)
R2 NVDisplay.ContainerLocalSystem; C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe [462968 2017-05-01] (NVIDIA Corporation)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [2098528 2017-08-23] (Electronic Arts)
R2 Origin Web Helper Service; C:\Program Files (x86)\Origin\OriginWebHelperService.exe [2977640 2017-08-23] (Electronic Arts)
R2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [166912 2013-10-17] () [File not signed]
R2 tbaseprovisioning; C:\Windows\SysWOW64\tbaseprovisioning.exe [60440 2015-08-29] (Advanced Micro Devices, Inc.)
S3 VSStandardCollectorService140; C:\Program Files (x86)\Microsoft Visual Studio 14.0\Team Tools\DiagnosticsHub\Collector\StandardCollector.Service.exe [108776 2016-07-26] (Microsoft Corporation)
R2 WCAssistantService; C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe [25704 2017-09-05] ()
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [342264 2017-03-18] (Microsoft Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [102816 2017-06-20] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 amdkmafd; C:\WINDOWS\System32\drivers\amdkmafd.sys [40720 2015-07-28] (Advanced Micro Devices, Inc.)
S3 amdkmcsp; C:\WINDOWS\System32\drivers\amdkmcsp.sys [101112 2015-08-29] (Advanced Micro Devices, Inc. )
R0 amdkmpfd; C:\WINDOWS\System32\drivers\amdkmpfd.sys [73976 2015-06-03] (Advanced Micro Devices, Inc.)
S3 amdpsp; C:\WINDOWS\System32\drivers\amdpsp.sys [277240 2015-08-29] (Advanced Micro Devices, Inc. )
R3 dtlitescsibus; C:\WINDOWS\System32\drivers\dtlitescsibus.sys [30264 2016-09-23] (Disc Soft Ltd)
R3 dtliteusbbus; C:\WINDOWS\System32\drivers\dtliteusbbus.sys [47672 2016-09-23] (Disc Soft Ltd)
S3 e1dexpress; C:\WINDOWS\system32\DRIVERS\e1d64x64.sys [529392 2015-06-18] (Intel Corporation)
S3 EsgScanner; C:\WINDOWS\System32\DRIVERS\EsgScanner.sys [22704 2017-09-12] ()
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [77440 2017-08-24] ()
R2 MBAMChameleon; C:\WINDOWS\system32\drivers\MBAMChameleon.sys [192960 2017-09-12] (Malwarebytes)
R3 MBAMFarflt; C:\WINDOWS\system32\DRIVERS\farflt.sys [101824 2017-09-13] (Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\drivers\mbam.sys [45472 2017-09-13] (Malwarebytes)
R4 MBAMSwissArmy; C:\WINDOWS\system32\drivers\527B3A51.sys [253888 2017-09-13] (Malwarebytes)
S3 MBAMWebProtection; C:\WINDOWS\system32\drivers\mwac.sys [94144 2017-09-13] (Malwarebytes)
R3 nvlddmkm; C:\WINDOWS\System32\DriverStore\FileRepository\nvpcdwu.inf_amd64_4f213dee333805ba\nvlddmkm.sys [14456920 2017-05-18] (NVIDIA Corporation)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [935168 2015-10-09] (Realtek )
S3 SDFRd; C:\WINDOWS\System32\drivers\SDFRd.sys [31128 2017-03-18] ()
S3 Secdrv; C:\WINDOWS\SysWOW64\drivers\SECDRV.SYS [20128 2017-08-20] () [File not signed]
R3 SensorsSimulatorDriver; C:\WINDOWS\System32\drivers\WUDFRd.sys [220672 2017-03-18] (Microsoft Corporation)
U5 UnlockerDriver5; D:\Programs\Unlocker\UnlockerDriver5.sys [12352 2010-07-01] ()
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44632 2017-03-18] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [294816 2017-03-18] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [121248 2017-03-18] (Microsoft Corporation)
S3 MSPCLOCK; \SystemRoot\system32\DRIVERS\MSPCLOCK.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-09-13 20:35 - 2017-09-13 20:35 - 000253888 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\527B3A51.sys
2017-09-13 20:35 - 2017-09-13 20:35 - 000113488 ____N C:\WINDOWS\system32\Drivers\terehknr.sys
2017-09-13 19:33 - 2017-09-13 19:33 - 000000000 ____D C:\ProgramData\Sophos
2017-09-13 19:32 - 2017-09-13 19:32 - 000002775 _____ C:\Users\Public\Desktop\Sophos Virus Removal Tool.lnk
2017-09-13 19:32 - 2017-09-13 19:32 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
2017-09-13 19:32 - 2017-09-13 19:32 - 000000000 ____D C:\Program Files (x86)\Sophos
2017-09-13 18:23 - 2017-09-13 18:23 - 000014040 ____N C:\WINDOWS\system32\Drivers\terbehko.sys
2017-09-13 18:19 - 2017-09-13 18:19 - 000253888 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\709B529C.sys
2017-09-13 18:18 - 2017-09-13 18:18 - 000000000 __SHD C:\found.000
2017-09-13 16:55 - 2017-09-13 18:33 - 000000177 _____ C:\Users\List\Desktop\resp.txt
2017-09-12 22:54 - 2017-09-12 22:54 - 000000000 _____ C:\Recovery.txt
2017-09-12 17:40 - 2017-09-12 17:41 - 000000000 ____D C:\Users\List\Desktop\fileBoot
2017-09-12 17:08 - 2017-09-12 17:08 - 000000085 _____ C:\WINDOWS\wininit.ini
2017-09-12 17:08 - 2017-09-12 17:08 - 000000000 ____D C:\WINDOWS\System32\Tasks\Safer-Networking
2017-09-12 16:23 - 2017-09-13 20:35 - 000101824 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2017-09-12 16:23 - 2017-09-12 16:23 - 000253888 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\53E92B01.sys
2017-09-12 16:17 - 2017-09-13 20:35 - 000045472 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2017-09-12 16:17 - 2017-09-13 18:34 - 000253888 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-09-12 16:17 - 2017-09-13 07:18 - 000094144 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2017-09-12 16:17 - 2017-09-12 16:23 - 000192960 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMChameleon.sys
2017-09-12 16:17 - 2017-09-12 16:17 - 000001912 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-09-12 16:17 - 2017-09-12 16:17 - 000000000 ____D C:\ProgramData\Malwarebytes
2017-09-12 16:17 - 2017-09-12 16:17 - 000000000 ____D C:\Program Files\Malwarebytes
2017-09-12 16:17 - 2017-08-24 11:27 - 000077440 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-09-12 16:00 - 2017-09-12 16:00 - 000194776 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\08981A07.sys
2017-09-12 15:42 - 2017-09-12 15:52 - 000000000 ____D C:\Users\List\Desktop\FINALFIX
2017-09-12 15:37 - 2017-09-13 20:36 - 000000000 ____D C:\FRST
2017-09-12 15:29 - 2017-09-12 15:30 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-09-12 15:27 - 2017-09-12 15:27 - 000041800 _____ (Sysinternals - www.sysinternals.com) C:\WINDOWS\system32\Drivers\PROCEXP152.SYS
2017-09-12 15:02 - 2017-09-12 15:02 - 000000000 ____D C:\Users\List\AppData\Local\unikrpc - Copy
2017-09-12 11:05 - 2017-09-12 11:05 - 000000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2017-09-12 10:32 - 2017-09-12 10:32 - 000000000 ____D C:\WINDOWS\pss
2017-09-12 09:55 - 2017-09-12 09:55 - 000022704 _____ C:\WINDOWS\system32\Drivers\EsgScanner.sys
2017-09-12 09:15 - 2017-09-12 09:15 - 000000000 _____ C:\autoexec.bat
2017-09-12 09:01 - 2017-09-12 09:00 - 001792640 _____ (Bleeping Computer, LLC) C:\Users\List\Desktop\rkill.exe
2017-09-12 08:12 - 2017-09-12 08:12 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-09-07 11:03 - 2017-09-07 23:54 - 000000168 _____ C:\Users\List\Desktop\GREATORDERING.txt
2017-09-05 09:48 - 2017-09-05 09:48 - 000000000 ____D C:\WINDOWS\System32\Tasks\S-1-5-21-2489865123-2485827485-1206147462-1001
2017-09-05 06:20 - 2017-09-05 06:21 - 000000000 ____D C:\Users\List\AppData\Local\qBittorrent
2017-09-05 05:31 - 2017-09-05 05:31 - 000713556 _____ C:\WINDOWS\Minidump\090517-4875-01.dmp
2017-09-05 05:31 - 2017-09-05 05:31 - 000000000 ____D C:\WINDOWS\Minidump
2017-09-05 05:15 - 2017-09-05 04:48 - 000454405 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20170905-051541.backup
2017-09-05 04:48 - 2017-09-05 04:10 - 000454437 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20170905-044805.backup
2017-09-05 04:35 - 2017-09-05 04:35 - 000000000 ____D C:\Users\List\AppData\Local\Lavasoft
2017-09-05 04:35 - 2017-09-05 04:35 - 000000000 ____D C:\ProgramData\Lavasoft
2017-09-05 04:35 - 2017-09-05 04:35 - 000000000 ____D C:\Program Files (x86)\Lavasoft
2017-09-05 04:10 - 2017-09-05 03:56 - 000453776 _____ C:\WINDOWS\system32\Drivers\etc\hosts.20170905-041005.backup
2017-09-05 04:02 - 2017-09-09 08:46 - 000000000 ____D C:\Users\List\AppData\Local\unikrpc
2017-09-05 03:09 - 2017-09-05 03:09 - 000000000 ____D C:\ProgramData\DigitalWave.ApplicationUpdater_files
2017-09-03 18:33 - 2017-09-10 22:36 - 000000000 ____D C:\Users\List\AppData\Local\Battle.net
2017-09-03 13:01 - 2017-09-03 13:01 - 000000000 ____D C:\ProgramData\Wondershare
2017-09-03 12:58 - 2017-09-05 03:27 - 000000000 ____D C:\ProgramData\Wondershare Filmora Scrn
2017-08-28 02:56 - 2017-09-05 04:48 - 000000000 ____D C:\Users\List\AppData\LocalLow\BitTorrent
2017-08-22 20:08 - 2017-08-22 20:08 - 000286720 _____ (Indigo Rose Corporation) C:\WINDOWS\iun506.exe
2017-08-22 20:08 - 2017-08-22 20:08 - 000000000 ____D C:\Program Files (x86)\Tattoo Manager
2017-08-20 22:16 - 2001-04-12 18:00 - 000182272 _____ C:\WINDOWS\patchw32.dll
2017-08-20 22:15 - 2017-08-20 22:15 - 000020128 _____ C:\WINDOWS\SysWOW64\Drivers\SECDRV.SYS
2017-08-20 15:26 - 2017-09-10 21:47 - 000000000 ____D C:\Program Files (x86)\Blizzard App
2017-08-18 20:37 - 2017-08-18 20:37 - 000000000 ____D C:\Program Files (x86)\Free2X
2017-08-18 20:37 - 2000-04-24 16:14 - 000239888 _____ (Microcrap Corporation) C:\WINDOWS\SysWOW64\MPG4ds32.ax
2017-08-18 20:25 - 2017-08-18 20:26 - 000000000 ____D C:\WINDOWS\System32\Tasks\NCH Software
2017-08-18 20:25 - 2017-08-18 20:25 - 000000000 ____D C:\ProgramData\NCH Software
2017-08-18 20:22 - 2017-08-18 20:22 - 000000000 ____D C:\Users\List\AppData\Local\iTube Studio
2017-08-18 20:22 - 2017-08-18 20:22 - 000000000 ____D C:\ProgramData\Aimersoft
2017-08-18 20:21 - 2017-08-18 20:23 - 000000000 ____D C:\ProgramData\iTube Studio
2017-08-18 20:21 - 2017-08-18 20:23 - 000000000 ____D C:\Program Files (x86)\Aimersoft
2017-08-18 20:21 - 2017-08-18 20:21 - 000000000 ____D C:\Users\List\AppData\Local\Aimersoft

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-09-13 20:36 - 2016-03-29 03:17 - 003436434 _____ C:\WINDOWS\SysWOW64\rootpa.e2e
2017-09-13 20:35 - 2017-04-17 18:31 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-09-13 20:35 - 2017-03-18 17:03 - 000000000 ____D C:\WINDOWS\AppReadiness
2017-09-13 20:35 - 2017-03-18 07:40 - 017039360 _____ C:\WINDOWS\system32\config\HARDWARE
2017-09-13 20:35 - 2017-03-18 07:40 - 000524288 _____ C:\WINDOWS\system32\config\BBI
2017-09-13 20:35 - 2017-02-11 13:32 - 000000000 ____D C:\ProgramData\NVIDIA
2017-09-13 20:33 - 2016-11-18 13:59 - 000000000 ____D C:\Users\List\AppData\LocalLow\Mozilla
2017-09-13 20:33 - 2016-08-30 14:57 - 000000000 ____D C:\Users\List\AppData\Local\ClassicShell
2017-09-13 20:22 - 2017-04-17 18:24 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2017-09-13 18:51 - 2017-07-26 16:11 - 000000000 ____D C:\Users\List\AppData\LocalLow\Temp
2017-09-13 18:41 - 2017-04-27 07:44 - 001358114 _____ C:\WINDOWS\system32\perfh015.dat
2017-09-13 18:41 - 2017-04-27 07:44 - 000331290 _____ C:\WINDOWS\system32\perfc015.dat
2017-09-13 18:41 - 2017-04-17 18:25 - 003343384 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-09-13 16:49 - 2016-09-02 09:15 - 000000000 ____D C:\KMPlayer
2017-09-13 09:14 - 2017-03-18 16:51 - 000000000 ____D C:\WINDOWS\CbsTemp
2017-09-13 07:16 - 2017-03-18 17:03 - 000000000 ___HD C:\Program Files\WindowsApps
2017-09-12 22:53 - 2017-03-18 17:03 - 000000000 ____D C:\WINDOWS\SysWOW64\GroupPolicy
2017-09-12 21:03 - 2016-08-31 15:59 - 000000000 ____D C:\WINDOWS\system32\MRT
2017-09-12 21:02 - 2016-08-31 15:59 - 138202976 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-09-12 20:59 - 2016-12-15 17:53 - 000544424 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2017-09-12 18:57 - 2017-03-18 17:01 - 000000000 ____D C:\WINDOWS\INF
2017-09-12 17:47 - 2016-09-10 20:04 - 000000000 ____D C:\Users\List\Desktop\Pile
2017-09-12 13:35 - 2016-09-23 12:35 - 000000258 __RSH C:\ProgramData\ntuser.pol
2017-09-12 09:37 - 2017-04-17 18:25 - 000000000 ____D C:\Users\List
2017-09-12 08:14 - 2017-03-01 19:32 - 000000000 ____D C:\ProgramData\Oracle
2017-09-12 08:12 - 2017-04-22 08:47 - 000000000 ____D C:\Program Files (x86)\Java
2017-09-12 08:12 - 2017-03-01 19:32 - 000097856 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2017-09-11 22:35 - 2016-08-30 15:04 - 000000000 ____D C:\Program Files (x86)\Steam
2017-09-09 11:44 - 2017-02-10 18:29 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2017-09-09 11:05 - 2017-04-17 18:24 - 000256528 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-09-05 05:27 - 2016-11-18 13:05 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-09-05 05:27 - 2016-08-30 14:34 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-09-02 11:15 - 2017-03-18 17:06 - 000835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-09-02 11:15 - 2017-03-18 17:06 - 000177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2017-08-31 18:59 - 2017-04-13 14:27 - 000002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-08-29 19:39 - 2017-03-28 17:25 - 000000000 ____D C:\Program Files (x86)\Origin
2017-08-26 15:12 - 2016-09-17 18:06 - 000000000 ____D C:\Users\List\AppData\Local\ElevatedDiagnostics
2017-08-22 20:08 - 2016-08-30 14:30 - 000000000 ____D C:\Users\List\AppData\Local\VirtualStore
2017-08-20 22:15 - 2016-04-07 09:35 - 000000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2017-08-20 21:53 - 2017-07-27 09:59 - 000000151 _____ C:\Users\List\Desktop\INSTRUCTIONS.txt
2017-08-18 20:23 - 2016-10-22 20:40 - 000000000 ____D C:\Users\List\.android
2017-08-15 17:16 - 2017-05-18 15:12 - 000000000 ____D C:\Users\List\Desktop\Rebirth

==================== Files in the root of some directories =======

2016-09-23 13:36 - 2016-09-23 13:36 - 000000047 _____ () D:\User\Roaming\WB.CFG
2017-04-17 18:25 - 2017-04-17 18:25 - 000000000 ____H () C:\ProgramData\DP45977C.lfl
2017-06-18 11:21 - 2017-06-18 11:21 - 000000016 _____ () C:\ProgramData\mntemp

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\WINDOWS\system32\drivers\terehknr.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION

LastRegBack: 2017-09-12 09:36

==================== End of FRST.txt ============================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-09-2017 02
Ran by List (13-09-2017 20:36:50)
Running from C:\Users\List\Desktop\FINALFIX\_1
Windows 10 Home Version 1703 (X64) (2017-04-17 22:33:13)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2489865123-2485827485-1206147462-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-2489865123-2485827485-1206147462-503 - Limited - Disabled)
Guest (S-1-5-21-2489865123-2485827485-1206147462-501 - Limited - Disabled)
List (S-1-5-21-2489865123-2485827485-1206147462-1001 - Administrator - Enabled) => C:\Users\List

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 17.012.20098 - Adobe Systems Incorporated)
Aliens versus Predator 2: Primal Hunt (HKLM-x32\...\{103B6835-DCA0-413F-A99E-ECAD6622726E}) (Version:  - )
Aliens vs. Predator 2 (HKLM-x32\...\{3EF79591-BF16-4CF8-8FF0-D8AD968228B1}) (Version:  - )
Ansel (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Ansel) (Version: 382.05 - NVIDIA Corporation) Hidden
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Application Insights Tools for Visual Studio 2015 (HKLM-x32\...\{0E4C791E-B78E-477D-BD5A-CDD0985BA6EC}) (Version: 7.0.20622.1 - Microsoft Corporation)
Asmedia USB Host Controller Driver (HKLM-x32\...\{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}) (Version: 1.16.28.1 - Asmedia Technology)
Audacity 2.1.2 (HKLM-x32\...\Audacity®_is1) (Version: 2.1.2 - Audacity Team)
Azure AD Authentication Connected Service (HKLM-x32\...\{8A1AD070-269F-4A15-AAB5-76AB896EF195}) (Version: 14.0.25420 - Microsoft Corporation) Hidden
AzureTools.Notifications (HKLM-x32\...\{1E5CA362-39B6-4BD0-B9C0-69CF15F0FEA2}) (Version: 2.7.30611.1601 - Microsoft Corporation) Hidden
Black and White (HKLM-x32\...\{E51B4CD9-A0A6-4324-B26A-31B3F2DE26CE}) (Version:  - )
Blend for Visual Studio SDK for .NET 4.5 (HKLM-x32\...\{37E53780-3944-4A6A-842F-727128E8616E}) (Version: 3.0.40218.0 - Microsoft Corporation) Hidden
Blizzard App (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
CameraHelperMsi (HKLM-x32\...\{15634701-BACE-4449-8B25-1567DA8C9FD3}) (Version: 13.51.815.0 - Logitech) Hidden
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version:  - Canon Inc.)
Canon MG2400 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG2400_series) (Version: 1.02 - Canon Inc.)
CDisplayEx 1.10.29 (HKLM\...\CDisplayEx_is1) (Version:  - Progdigy Software S.A.R.L.)
Cheat Engine 6.6 (HKLM-x32\...\Cheat Engine 6.6_is1) (Version:  - Cheat Engine)
Chromium (HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\...\Chromium) (Version: 51.0.2683.0 - Chromium)
Classic Shell (HKLM\...\{383BB30A-B4A7-4666-9A83-22CFA8640097}) (Version: 4.3.0 - IvoSoft)
Command & Conquer Gold Edition Stand Alone v1.06c revision 3 (HKLM-x32\...\{931CFA8E-3CE1-4A96-97D7-32B21A7A8DAA}_is1) (Version:  - Westwood Studios)
Crusader Kings II (HKLM\...\Steam App 203770) (Version:  - Paradox Development Studio)
DAEMON Tools Lite (HKLM\...\DAEMON Tools Lite) (Version: 10.4.0.0195 - Disc Soft Ltd)
Darkest Dungeon (HKLM\...\Steam App 262060) (Version:  - Red Hook Studios)
Dotfuscator and Analytics Community Edition 5.22.0 (HKLM-x32\...\{60018889-9E0F-43E8-9B89-29E8C828B40A}) (Version: 5.22.0.3788 - PreEmptive Solutions) Hidden
Dragon Age: Origins - Ultimate Edition (HKLM\...\Steam App 47810) (Version:  - BioWare)
Dragon Age™ II (HKLM-x32\...\{E1EB9F56-AFE2-4204-B28F-AD8DA793B9F4}) (Version: 1.04.8524.0 - Electronic Arts)
erLT (HKLM-x32\...\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}) (Version: 1.20.138.34 - Logitech, Inc.) Hidden
Europa Universalis IV (HKLM\...\Steam App 236850) (Version:  - Paradox Development Studio)
FTL: Faster Than Light (HKLM\...\Steam App 212680) (Version:  - Subset Games)
Galactic Civilizations II: Ultimate Edition (HKLM\...\Steam App 202200) (Version:  - Stardock Entertainment)
Galactic Civilizations III (HKLM\...\Steam App 226860) (Version:  - Stardock Entertainment)
Gtk# for .Net 2.12.26 (HKLM-x32\...\{BC25B808-A11C-4C9F-9C0A-6682E47AAB83}) (Version: 2.12.26 - Xamarin, Inc.)
Halo 2 for Windows Vista (HKLM-x32\...\{0CA38F52-F0FA-4B9F-8A36-EC8A9609FBBC}) (Version: 1.0.0.0 - Microsoft Corporation) Hidden
Halo 2 for Windows Vista (HKLM-x32\...\Halo 2) (Version:  - Microsoft Game Studios)
Hearts of Iron IV (HKLM\...\Steam App 394360) (Version:  - Paradox Development Studio)
Intel(R) Chipset Device Software (HKLM-x32\...\{c7f54569-0018-439c-809a-48046a4d4ebc}) (Version: 10.1.1.9 - Intel(R) Corporation) Hidden
Intel(R) Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 11.0.0.1173 - Intel Corporation)
Intel(R) Network Connections Drivers (HKLM\...\PROSet) (Version: 20.2 - Intel)
Intel(R) Serial IO (HKLM\...\{9FD91C5C-44AE-4D9D-85BE-AE52816B0294}) (Version: 30.63.1519.7 - Intel Corporation)
Intel® Security Assist (HKLM-x32\...\{4B230374-6475-4A73-BA6E-41015E9C5013}) (Version: 1.0.0.532 - Intel Corporation)
IPTInstaller (HKLM-x32\...\{08208143-777D-4A06-BB54-71BF0AD1BB70}) (Version: 4.0.9 - HTC)
Java 8 Update 144 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180144F0}) (Version: 8.0.1440.1 - Oracle Corporation)
KMPlayer (remove only) (HKLM-x32\...\The KMPlayer) (Version: 4.1.2.2 - PandoraTV)
LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version:  - )
LIVE gaming on Windows Runtime Version 1.0.6027 (HKLM-x32\...\{839916F4-D8B5-4407-BE6D-6D4EB9D96AF4}) (Version: 1.0.6027 - Microsoft Corporation)
Logitech Webcam Software (HKLM-x32\...\{D40EB009-0499-459c-A8AF-C9C110766215}) (Version: 2.80 - Logitech Inc.)
Malwarebytes version 3.2.2.2018 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.2.2.2018 - Malwarebytes)
Microsoft .NET Framework 4.5 Multi-Targeting Pack (HKLM-x32\...\{56E962F0-4FB0-3C67-88DB-9EAA6EEFC493}) (Version: 4.5.50710 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 Multi-Targeting Pack (ENU) (HKLM-x32\...\{D3517C62-68A5-37CF-92F7-93C029A89681}) (Version: 4.5.50932 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 Multi-Targeting Pack (HKLM-x32\...\{6A0C6700-EA93-372C-8871-DCCF13D160A4}) (Version: 4.5.50932 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 SDK (HKLM-x32\...\{19A5926D-66E1-46FC-854D-163AA10A52D3}) (Version: 4.5.51641 - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 Multi-Targeting Pack (ENU) (HKLM-x32\...\{290FC320-2F5A-329E-8840-C4193BD7A9EE}) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 Multi-Targeting Pack (HKLM-x32\...\{19E8AE59-4D4A-3534-B567-6CC08FA4102E}) (Version: 4.5.51651 - Microsoft Corporation)
Microsoft .NET Framework 4.6 SDK (HKLM-x32\...\{B5915D37-0637-4A26-A3AA-C5DC9F856370}) (Version: 4.6.00081 - Microsoft Corporation)
Microsoft .NET Framework 4.6 Targeting Pack (ENU) (HKLM-x32\...\{034547E9-D8FA-49E7-8B9C-4C9861FB9146}) (Version: 4.6.00127 - Microsoft Corporation)
Microsoft .NET Framework 4.6 Targeting Pack (HKLM-x32\...\{2CC6A4A7-AAC2-46C9-9DBB-3727B5954F65}) (Version: 4.6.00081 - Microsoft Corporation)
Microsoft .NET Framework 4.6.1 SDK (HKLM-x32\...\{2F0ECC80-B9E4-4485-8083-CD32F22ABD92}) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft .NET Framework 4.6.1 Targeting Pack (ENU) (HKLM-x32\...\{8EEB28EE-5141-411C-9CF0-9952264FE4AF}) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft .NET Framework 4.6.1 Targeting Pack (HKLM-x32\...\{8BC3EEC9-090F-4C53-A8DA-1BEC913040F9}) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Help Viewer 2.2 (HKLM-x32\...\Microsoft Help Viewer 2.2) (Version: 2.2.25420 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20513.0 - Microsoft Corporation)
Microsoft SQL Server 2014 Management Objects  (HKLM-x32\...\{2774595F-BC2A-4B12-A25B-0C37A37049B0}) (Version: 12.0.2000.8 - Microsoft Corporation)
Microsoft SQL Server 2014 Management Objects  (x64) (HKLM\...\{1F9EB3B6-AED7-4AA7-B8F1-8E314B74B2A5}) (Version: 12.0.2000.8 - Microsoft Corporation)
Microsoft SQL Server 2014 Transact-SQL ScriptDom  (HKLM\...\{020CDFE0-C127-4047-B571-37C82396B662}) (Version: 12.0.2000.8 - Microsoft Corporation)
Microsoft SQL Server 2014 T-SQL Language Service  (HKLM-x32\...\{47D08E7A-92A1-489B-B0BF-415516497BCE}) (Version: 12.0.2000.8 - Microsoft Corporation)
Microsoft SQL Server Compact 4.0 SP1 x64 ENU (HKLM\...\{78909610-D229-459C-A936-25D92283D3FD}) (Version: 4.0.8876.1 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2014 (HKLM\...\{FC3BB979-AA54-4B60-BBA3-2C4DA6E08D80}) (Version: 12.0.2402.29 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2014 (HKLM-x32\...\{091CE6AA-2753-4F6E-AD1C-0E875744EB54}) (Version: 12.0.2402.29 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 (HKLM-x32\...\{d992c12e-cab2-426f-bde3-fb8c53950b0d}) (Version: 14.0.24215.1 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
Microsoft Visual Studio 2015 Tools for Unity (HKLM-x32\...\{5359C5C6-F83D-4E74-9170-F9A68BE1C57F}) (Version: 2.3.0.0 - Microsoft Corporation)
Microsoft Visual Studio Community 2015 with Updates (HKLM-x32\...\{79b486b9-c5f0-4096-a00c-8351f59587c2}) (Version: 14.0.25420.1 - Microsoft Corporation)
Microsoft Web Deploy 3.6 (HKLM\...\{94E1227C-08A9-4962-B388-1F05D89AEA75}) (Version: 3.1238.1962 - Microsoft Corporation)
Microsoft Word 2010 (HKLM\...\Office14.WORD) (Version: 14.0.4763.1000 - Microsoft Corporation)
Movavi Video Editor 12 (HKLM-x32\...\Movavi Video Editor 12) (Version: 12.5.0 - Movavi)
Mozilla Firefox 55.0.3 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 55.0.3 (x86 en-US)) (Version: 55.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 55.0.3.6445 - Mozilla)
MSBuild/NuGet Integration 14.0 (x86) (HKLM-x32\...\{128C1654-3B9E-4959-8BFB-CE6F09C0A01D}) (Version: 14.0.25420 - Microsoft Corporation) Hidden
Multi-Device Hybrid Apps using C# - Templates - ENU (HKLM-x32\...\{12D99739-FFD3-3761-8AA6-F929E0FE407E}) (Version: 14.0.23107 - Microsoft Corporation) Hidden
MyPhoneExplorer (HKLM-x32\...\MPE) (Version: 1.8.7 - F.J. Wechselberger)
Notepad++ (32-bit x86) (HKLM-x32\...\Notepad++) (Version: 7.3.3 - Notepad++ Team)
NVIDIA 3D Vision Driver 382.05 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 382.05 - NVIDIA Corporation)
NVIDIA Graphics Driver 382.05 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 382.05 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.34.26 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.34.26 - NVIDIA Corporation)
NVIDIA PhysX (HKLM-x32\...\{1C4551A6-4743-4093-91E4-1477CD655043}) (Version: 9.09.0203 - NVIDIA Corporation)
OBS Studio (HKLM-x32\...\OBS Studio) (Version: 19.0.2 - OBS Project)
Origin (HKLM-x32\...\Origin) (Version: 10.5.2.49155 - Electronic Arts, Inc.)
Potplayer (HKLM-x32\...\PotPlayer) (Version:  - Kakao Corp.)
PreEmptive Analytics Visual Studio Components (HKLM-x32\...\{436A18DD-5F2C-4B3C-985E-AD3C13B0CC25}) (Version: 1.2.5134.1 - PreEmptive Solutions) Hidden
Python 3.6.1 (32-bit) (HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\...\{1babc3bc-6a32-44f7-bf4d-60eec36c9ad1}) (Version: 3.6.1150.0 - Python Software Foundation)
Python 3.6.1 Core Interpreter (32-bit) (HKLM-x32\...\{E63E60CA-437B-4894-8395-81F2F66483B0}) (Version: 3.6.1150.0 - Python Software Foundation) Hidden
Python 3.6.1 Development Libraries (32-bit) (HKLM-x32\...\{3029D656-0C32-4AC9-84FB-A15056F356CC}) (Version: 3.6.1150.0 - Python Software Foundation) Hidden
Python 3.6.1 Documentation (32-bit) (HKLM-x32\...\{D1198C40-C6F5-4FFB-B98C-79BF1FE706C1}) (Version: 3.6.1150.0 - Python Software Foundation) Hidden
Python 3.6.1 Executables (32-bit) (HKLM-x32\...\{A7036382-80F1-4FC1-B244-D31AA50337F4}) (Version: 3.6.1150.0 - Python Software Foundation) Hidden
Python 3.6.1 pip Bootstrap (32-bit) (HKLM-x32\...\{899F7F28-F6D3-4E5B-8FBE-F7929036172A}) (Version: 3.6.1150.0 - Python Software Foundation) Hidden
Python 3.6.1 Standard Library (32-bit) (HKLM-x32\...\{3BCCB89B-CD98-4F78-8436-78847FABFD68}) (Version: 3.6.1150.0 - Python Software Foundation) Hidden
Python 3.6.1 Tcl/Tk Support (32-bit) (HKLM-x32\...\{F6ED0771-FE83-4A1C-BE65-A06CB65B46D5}) (Version: 3.6.1150.0 - Python Software Foundation) Hidden
Python 3.6.1 Test Suite (32-bit) (HKLM-x32\...\{F44EF183-905E-48BB-998E-53FC99B36FE3}) (Version: 3.6.1150.0 - Python Software Foundation) Hidden
Python 3.6.1 Utility Scripts (32-bit) (HKLM-x32\...\{2AA7DAB3-6778-42A7-9F33-22615234540E}) (Version: 3.6.1150.0 - Python Software Foundation) Hidden
Python Launcher (HKLM-x32\...\{323AC113-C6CE-4F99-842F-4936332D055A}) (Version: 3.6.5923.0 - Python Software Foundation)
qBittorrent 3.3.15 (HKLM-x32\...\qBittorrent) (Version: 3.3.15 - The qBittorrent project)
Quake Enhanced (HKLM-x32\...\Quake Enhanced1.0.8.0) (Version: 1.0.8.0 - id Software)
Quake II Evolved (HKLM-x32\...\Quake2EvolvedUninstallKey_is1) (Version: 1.0 - Team Blur)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 10.6.1001.2015 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7687 - Realtek Semiconductor Corp.)
REAPER (x64) (HKLM\...\REAPER) (Version:  - )
ReaPlugs/x64 (HKLM\...\ReaPlugs) (Version:  - )
Roslyn Language Services - x86 (HKLM-x32\...\{6C1985E7-E1C5-3A95-86EF-2C62465F15C3}) (Version: 14.0.23107 - Microsoft Corporation) Hidden
Roslyn Language Services - x86 (HKLM-x32\...\{87BFB956-DC1D-38FC-A849-A9997A183F63}) (Version: 14.0.25425 - Microsoft Corporation) Hidden
Sophos Virus Removal Tool (HKLM-x32\...\{B829E117-D072-41EA-9606-9826A38D34C1}) (Version: 2.6.1 - Sophos Limited)
StarCraft (HKLM-x32\...\StarCraft) (Version:  - Blizzard Entertainment)
StarCraft II (HKLM-x32\...\StarCraft II) (Version:  - Blizzard Entertainment)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
Tattoo Manager 0.1 (HKLM-x32\...\Tattoo_Manager_0.1) (Version:  - )
Team Explorer for Microsoft Visual Studio 2015 Update 3.1 (HKLM-x32\...\{23F3B544-D6BD-322B-A48A-C66790A8AE0D}) (Version: 14.102.25521 - Microsoft) Hidden
TeamSpeak 3 Client (HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\...\TeamSpeak 3 Client) (Version: 3.0.19 - TeamSpeak Systems GmbH)
Test Tools for Microsoft Visual Studio 2015 (HKLM-x32\...\{9EABBFE1-7EED-47D9-8FB8-21D7E4808057}) (Version: 14.0.23107 - Microsoft Corporation) Hidden
TypeScript Power Tool (HKLM-x32\...\{465ACA24-B8D6-4FEC-A42D-9EFCB92CD560}) (Version: 1.8.34.0 - Microsoft Corporation) Hidden
TypeScript Tools for Microsoft Visual Studio 2015 (HKLM-x32\...\{BA5762C7-D35F-4725-A4BD-525854127018}) (Version: 1.8.36.0 - Microsoft Corporation) Hidden
Unity (HKLM-x32\...\Unity) (Version: 5.4.1f1 - Unity Technologies ApS)
Unlocker 1.9.2 (HKLM\...\Unlocker) (Version: 1.9.2 - Cedrick Collomb)
Update for  (KB2504637) (HKLM-x32\...\{CFEF48A8-BFB8-3EAC-8BA5-DE4F8AA267CE}.KB2504637) (Version: 1 - Microsoft Corporation)
Visual Studio 2015 Update 3 (KB3022398) (HKLM-x32\...\{7a68448b-9cf2-4049-bd73-5875f1aa7ba2}) (Version: 14.0.25420 - Microsoft Corporation)
VS Update core components (HKLM-x32\...\{2FAE53FC-8859-3EB9-BAAA-3A9BE26931BC}) (Version: 14.0.25425 - Microsoft Corporation) Hidden
vs_update3notification (HKLM-x32\...\{D949D8A9-0CEF-3997-BA76-75EA19E62137}) (Version: 14.0.25425 - Microsoft Corporation) Hidden
VSDC Free Video Editor version 5.7.7.702 (HKLM-x32\...\VSDC Free Video Editor_is1) (Version: 5.7.7.702 - Flash-Integro LLC)
Vulkan Run Time Libraries 1.0.42.1 (HKLM\...\VulkanRT1.0.42.1) (Version: 1.0.42.1 - LunarG, Inc.)
Warcraft II BNE (HKLM-x32\...\Warcraft II BNE) (Version:  - )
WCF Data Services 5.6.4 Runtime (HKLM-x32\...\{DB85E7BD-B2DD-43D4-B3C0-23D7B527B597}) (Version: 5.6.62175.4 - Microsoft Corporation) Hidden
WCF Data Services Tools for Microsoft Visual Studio 2015 (HKLM-x32\...\{0A3B508E-5638-4471-BCC9-954E1868CB86}) (Version: 5.6.62175.4 - Microsoft Corporation) Hidden
Windows 10 Update and Privacy Settings (HKLM\...\{293F2009-0145-450B-B4AA-063D43FB368C}) (Version: 1.0.13.0 - Microsoft Corporation)
WinRAR 5.40 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)
WModem Driver Installer (HKLM-x32\...\HTC_WModemDriver) (Version: 3.0.16.0 - HTC)
Wondershare Helper Compact 2.5.2 (HKLM-x32\...\{5363CE84-5F09-48A1-8B6C-6BB590FFEDF2}_is1) (Version: 2.5.2 - Wondershare)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-2489865123-2485827485-1206147462-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\List\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-2489865123-2485827485-1206147462-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\List\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-2489865123-2485827485-1206147462-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\List\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\amd64\FileSyncShell64.dll => No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => C:\Program Files (x86)\Notepad++\NppShell_06.dll [2017-03-07] ()
ContextMenuHandlers1-x32: [MyPhoneExplorer] -> {A372C6DF-7A85-41B1-B3B0-D1E24073DCBF} => C:\Program Files (x86)\MyPhoneExplorer\DLL\ShellMgr.dll [2010-03-30] (F.J. Wechselberger)
ContextMenuHandlers1-x32: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers1-x32-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-08-21] (Malwarebytes)
ContextMenuHandlers3: [UnlockerShellExtension] -> {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} => D:\Programs\Unlocker\UnlockerCOM.dll [2010-07-15] ()
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\WINDOWS\system32\nvshext.dll [2017-05-01] (NVIDIA Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-08-21] (Malwarebytes)
ContextMenuHandlers6: [StartMenuExt] -> {E595F05F-903F-4318-8B0A-7F633B520D2B} => C:\WINDOWS\System32\StartMenuHelper64.dll [2016-07-30] (IvoSoft)
ContextMenuHandlers6: [UnlockerShellExtension] -> {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} => D:\Programs\Unlocker\UnlockerCOM.dll [2010-07-15] ()
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2016-08-15] (Alexander Roshal)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {4F6D05D7-339D-4CEE-AA55-F7364F52DBCF} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-07-19] (Adobe Systems Incorporated)
Task: {902696A5-1D2C-4938-84FB-E00094865562} - System32\Tasks\Microsoft\VisualStudio\VSIX Auto Update 14 => C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\VSIXAutoUpdate.exe [2016-06-20] (Microsoft Corporation)
Task: {9251BAB4-BEE8-4B46-8403-9E2077C3BAAA} - System32\Tasks\S-1-5-21-2489865123-2485827485-1206147462-1001\DataSenseLiveTileTask => C:\WINDOWS\System32\DataUsageLiveTileTask.exe [2017-03-18] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2017-09-05 04:35 - 2017-09-05 04:35 - 000025704 _____ () C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
2017-09-05 04:35 - 2017-09-05 04:35 - 000017000 _____ () C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.Service.Logger.dll
2017-09-05 04:35 - 2017-09-05 04:35 - 000036456 _____ () C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WcfService.dll
2015-05-19 12:11 - 2015-05-19 12:11 - 000007680 _____ () C:\Program Files (x86)\Intel\Intel(R) Security Assist\isaHelperService.exe
2013-10-17 16:27 - 2013-10-17 16:27 - 000166912 _____ () C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
2017-03-18 16:58 - 2017-03-18 16:58 - 000138000 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll
2017-03-18 16:59 - 2017-03-18 22:31 - 001731072 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2012-09-13 00:38 - 2012-09-13 00:38 - 000264040 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe
2012-09-13 00:38 - 2012-09-13 00:38 - 000341352 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtXml4.dll
2012-09-13 00:38 - 2012-09-13 00:38 - 002144104 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtCore4.dll
2012-09-13 00:38 - 2012-09-13 00:38 - 007955304 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtGui4.dll
2012-09-13 00:38 - 2012-09-13 00:38 - 000028008 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\imageformats\QGif4.dll
2012-09-13 00:38 - 2012-09-13 00:38 - 000127336 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\imageformats\QJpeg4.dll
2012-09-13 00:39 - 2012-09-13 00:39 - 000336232 _____ () C:\Program Files (x86)\Common Files\logishrd\LWSPlugins\LWS\Applets\CameraHelper\DevManagerCore.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\.DEFAULT\...\localhost -> localhost
IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com

There are 7936 more sites.

IE trusted site: HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\...\localhost -> localhost
IE trusted site: HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\...\webcompanion.com -> hxxp://webcompanion.com

There are 7937 more sites.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2017-05-18 08:13 - 2017-09-09 11:11 - 000454644 ____N C:\WINDOWS\system32\Drivers\etc\hosts

There are 15603 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\List\Desktop\Pile\BACKGROUNDZ\Wallpaper\1355335047718.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Off)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\Run: => "WindowsDefender"
HKLM\...\StartupApproved\Run: => "Wondershare Helper Compact.exe"
HKLM\...\StartupApproved\Run32: => "Wondershare Helper Compact.exe"
HKLM\...\StartupApproved\Run32: => "iTubeStudioUpdateHelper.exe"
HKLM\...\StartupApproved\Run32: => "Aimersoft Helper Compact.exe"
HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\...\StartupApproved\Run: => "Steam"
HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\...\StartupApproved\Run: => "forgetful"
HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\...\StartupApproved\Run: => "tunic"
HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\...\StartupApproved\Run: => "Web Companion"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [TCP Query User{301E9E23-5B1E-4980-B673-92C14269A1A0}D:\programs\qbittorrent\qbittorrent.exe] => (Allow) D:\programs\qbittorrent\qbittorrent.exe
FirewallRules: [UDP Query User{B99C4587-61F5-40DB-AD05-22F249E1FCC7}D:\programs\qbittorrent\qbittorrent.exe] => (Allow) D:\programs\qbittorrent\qbittorrent.exe
FirewallRules: [TCP Query User{B7A1F801-CCAA-462E-B255-ED134C5A9783}D:\programs\qbittorrent\qbittorrent.exe] => (Allow) D:\programs\qbittorrent\qbittorrent.exe
FirewallRules: [UDP Query User{13E83787-B49C-4895-9E5E-2C5A8571E776}D:\programs\qbittorrent\qbittorrent.exe] => (Allow) D:\programs\qbittorrent\qbittorrent.exe

==================== Restore Points =========================

ATTENTION: System Restore is disabled

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (09/12/2017 09:03:26 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: The Open Procedure for service "BITS" in DLL "C:\Windows\System32\bitsperf.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.

Error: (09/12/2017 06:38:24 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmtmuoc.exe, version: 1.0.1.5, time stamp: 0x59991256
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x01eed9f0
Faulting process id: 0x1ed8
Faulting application start time: 0x01d32c17a9cca930
Faulting application path: C:\Users\List\AppData\Local\winwovj\vmtmuoc.exe
Faulting module path: C:\Users\List\AppData\Local\winwovj\libcef.dll
Report Id: a8b626e6-b6e3-4158-8468-22efb76a74a6
Faulting package full name:
Faulting package-relative application ID:

Error: (09/12/2017 06:37:11 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmtmuoc.exe, version: 1.0.1.5, time stamp: 0x59991256
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x01eed9f0
Faulting process id: 0x1ef4
Faulting application start time: 0x01d32c179843dc50
Faulting application path: C:\Users\List\AppData\Local\winwovj\vmtmuoc.exe
Faulting module path: C:\Users\List\AppData\Local\winwovj\libcef.dll
Report Id: daac0114-f19d-4197-9650-83cd3c49ca86
Faulting package full name:
Faulting package-relative application ID:

Error: (09/12/2017 06:25:50 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmtmuoc.exe, version: 1.0.1.5, time stamp: 0x59991256
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x01eed9f0
Faulting process id: 0x20c4
Faulting application start time: 0x01d32c15f960abff
Faulting application path: C:\Users\List\AppData\Local\winwovj\vmtmuoc.exe
Faulting module path: C:\Users\List\AppData\Local\winwovj\libcef.dll
Report Id: 616ddc9c-b5aa-4c64-b393-c1e817a0949d
Faulting package full name:
Faulting package-relative application ID:

Error: (09/12/2017 05:07:55 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmtmuoc.exe, version: 1.0.1.5, time stamp: 0x59991256
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x01eed9f0
Faulting process id: 0xad4
Faulting application start time: 0x01d32c0b1f8c98e6
Faulting application path: C:\Users\List\AppData\Local\winwovj\vmtmuoc.exe
Faulting module path: C:\Users\List\AppData\Local\winwovj\libcef.dll
Report Id: 2cd60636-68a4-4231-a8dc-29799f644fbc
Faulting package full name:
Faulting package-relative application ID:

Error: (09/12/2017 05:06:41 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmtmuoc.exe, version: 1.0.1.5, time stamp: 0x59991256
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x01eed9f0
Faulting process id: 0x2540
Faulting application start time: 0x01d32c0af494c578
Faulting application path: C:\Users\List\AppData\Local\winwovj\vmtmuoc.exe
Faulting module path: C:\Users\List\AppData\Local\winwovj\libcef.dll
Report Id: f52e5e84-6d73-49d5-b5d4-17bfa2cfa3da
Faulting package full name:
Faulting package-relative application ID:

Error: (09/12/2017 05:06:23 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmtmuoc.exe, version: 1.0.1.5, time stamp: 0x59991256
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x01eed9f0
Faulting process id: 0x2240
Faulting application start time: 0x01d32c0adedb7334
Faulting application path: C:\Users\List\AppData\Local\winwovj\vmtmuoc.exe
Faulting module path: C:\Users\List\AppData\Local\winwovj\libcef.dll
Report Id: 3a9859e8-a9e2-4e96-8ebc-50154661030e
Faulting package full name:
Faulting package-relative application ID:

Error: (09/12/2017 05:04:11 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmtmuoc.exe, version: 1.0.1.5, time stamp: 0x59991256
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x01eed9f0
Faulting process id: 0x203c
Faulting application start time: 0x01d32c0a9acf7077
Faulting application path: C:\Users\List\AppData\Local\winwovj\vmtmuoc.exe
Faulting module path: C:\Users\List\AppData\Local\winwovj\libcef.dll
Report Id: 5a372ae3-4e13-4efb-b53c-0bc37b0c9be1
Faulting package full name:
Faulting package-relative application ID:

Error: (09/12/2017 04:31:03 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmtmuoc.exe, version: 1.0.1.5, time stamp: 0x59991256
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x01eed9f0
Faulting process id: 0x25d4
Faulting application start time: 0x01d32c05f7e226f0
Faulting application path: C:\Users\List\AppData\Local\winwovj\vmtmuoc.exe
Faulting module path: C:\Users\List\AppData\Local\winwovj\libcef.dll
Report Id: d45dbb26-f216-42f7-b3d2-7c576aa264b9
Faulting package full name:
Faulting package-relative application ID:

Error: (09/12/2017 01:47:46 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmtmuoc.exe, version: 1.0.1.5, time stamp: 0x59991256
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x00180814
Faulting process id: 0x2470
Faulting application start time: 0x01d32bef2e81619a
Faulting application path: C:\Users\List\AppData\Local\winwovj\vmtmuoc.exe
Faulting module path: C:\Users\List\AppData\Local\winwovj\libcef.dll
Report Id: a252ccab-a7f5-400f-887a-088bad16fee2
Faulting package full name:
Faulting package-relative application ID:


System errors:
=============
Error: (09/13/2017 08:35:44 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070002: 9NBLGGH5FV99-Microsoft.MSPaint.

Error: (09/13/2017 08:35:28 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The WinDefend service failed to start due to the following error:
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Error: (09/13/2017 08:35:24 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The CldFlt service failed to start due to the following error:
The request is not supported.

Error: (09/13/2017 08:34:56 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1115" attempting to start the service TrustedInstaller with arguments "Unavailable" in order to run the server:
{752073A1-23F2-4396-85F0-8FDB879ED0ED}

Error: (09/13/2017 08:34:56 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1115" attempting to start the service TrustedInstaller with arguments "Unavailable" in order to run the server:
{752073A1-23F2-4396-85F0-8FDB879ED0ED}

Error: (09/13/2017 08:34:56 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1115" attempting to start the service TrustedInstaller with arguments "Unavailable" in order to run the server:
{752073A1-23F2-4396-85F0-8FDB879ED0ED}

Error: (09/13/2017 08:34:56 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1115" attempting to start the service TrustedInstaller with arguments "Unavailable" in order to run the server:
{752073A1-23F2-4396-85F0-8FDB879ED0ED}

Error: (09/13/2017 08:34:56 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1115" attempting to start the service TrustedInstaller with arguments "Unavailable" in order to run the server:
{752073A1-23F2-4396-85F0-8FDB879ED0ED}

Error: (09/13/2017 08:34:56 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1115" attempting to start the service TrustedInstaller with arguments "Unavailable" in order to run the server:
{752073A1-23F2-4396-85F0-8FDB879ED0ED}

Error: (09/13/2017 08:34:56 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1115" attempting to start the service TrustedInstaller with arguments "Unavailable" in order to run the server:
{752073A1-23F2-4396-85F0-8FDB879ED0ED}


CodeIntegrity:
===================================
  Date: 2017-09-13 20:35:28.021
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume6\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-09-13 18:34:20.168
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume6\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-09-13 18:24:02.405
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume6\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-09-13 18:19:57.974
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume6\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-09-13 07:11:27.890
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume6\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-09-12 18:57:52.159
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume6\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-09-12 18:17:09.951
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume6\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-09-12 18:11:53.969
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume6\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-09-12 17:59:15.003
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume6\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-09-12 17:51:48.084
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume6\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz
Percentage of memory in use: 6%
Total physical RAM: 32691.25 MB
Available physical RAM: 30552.83 MB
Total Virtual: 37555.25 MB
Available Virtual: 35471.53 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:111.24 GB) (Free:19.57 GB) NTFS
Drive d: (BULK) (Fixed) (Total:1862.89 GB) (Free:1130.34 GB) NTFS
Drive e: (DVD_ROM) (CDROM) (Total:4.16 GB) (Free:0 GB) UDF
Drive j: (PARAGON) (Removable) (Total:7.38 GB) (Free:7.38 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: C3ADC3AD)

Partition: GPT.

========================================================
Disk: 1 (Size: 111.8 GB) (Disk ID: 6FE6C4F8)

Partition: GPT.

========================================================
Disk: 2 (MBR Code: Windows 7 or Vista) (Size: 7.5 GB) (Disk ID: 438CA2E6)
Partition 1: (Active) - (Size=7.5 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================


Hello Stanczyk,

Apologies for the late reply, I never received a notification of your latest reply.... Continue please:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....

The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Let me see those logs in your next reply. Also tell me if there are any remaining issues or concerns....

Thank you,

Kevin....


fixlist.txt


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!


Logs from post #31:


Fix result of Farbar Recovery Scan Tool (x64) Version: 19-09-2017
Ran by List (20-09-2017 10:31:44) Run:10
Running from C:\Users\List\Desktop\FINALFIX\_1
Loaded Profiles: List (Available Profiles: List)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CloseProcesses:
CreateRestorePoint:
HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\...\MountPoints2: {231b7c74-313a-11e7-8bc9-d017c2d264b1} - "H:\VerizonSWUpgradeAssistantLauncher.exe"
HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\...\MountPoints2: {6ba43824-6f5c-11e6-a373-806e6f6e6963} - "E:\setup.exe"
S3 MSPCLOCK; \SystemRoot\system32\DRIVERS\MSPCLOCK.sys [X]
2017-09-13 20:35 - 2017-09-13 20:35 - 000253888 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\527B3A51.sys
2017-09-13 20:35 - 2017-09-13 20:35 - 000113488 ____N C:\WINDOWS\system32\Drivers\terehknr.sys
2017-09-13 18:23 - 2017-09-13 18:23 - 000014040 ____N C:\WINDOWS\system32\Drivers\terbehko.sys
2017-09-13 18:19 - 2017-09-13 18:19 - 000253888 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\709B529C.sys
2017-09-12 16:00 - 2017-09-12 16:00 - 000194776 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\08981A07.sys
2017-09-12 15:02 - 2017-09-12 15:02 - 000000000 ____D C:\Users\List\AppData\Local\unikrpc - Copy
2017-09-05 04:02 - 2017-09-09 08:46 - 000000000 ____D C:\Users\List\AppData\Local\unikrpc
C:\WINDOWS\system32\drivers\terehknr.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION
CMD: ipconfig /flushdns
EmptyTemp:
end

*****************

Processes closed successfully.
Error: (0) Failed to create a restore point.
HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{231b7c74-313a-11e7-8bc9-d017c2d264b1} => key removed successfully
HKLM\Software\Classes\CLSID\{231b7c74-313a-11e7-8bc9-d017c2d264b1} => key not found.
HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6ba43824-6f5c-11e6-a373-806e6f6e6963} => key removed successfully
HKLM\Software\Classes\CLSID\{6ba43824-6f5c-11e6-a373-806e6f6e6963} => key not found.
HKLM\System\CurrentControlSet\Services\MSPCLOCK => key removed successfully
MSPCLOCK => service removed successfully
C:\WINDOWS\system32\Drivers\527B3A51.sys => moved successfully
"C:\WINDOWS\system32\Drivers\terehknr.sys" => not found.
C:\WINDOWS\system32\Drivers\terbehko.sys => moved successfully
C:\WINDOWS\system32\Drivers\709B529C.sys => moved successfully
C:\WINDOWS\system32\Drivers\08981A07.sys => moved successfully

"C:\Users\List\AppData\Local\unikrpc - Copy" folder move:

Could not move "C:\Users\List\AppData\Local\unikrpc - Copy" => Scheduled to move on reboot.


"C:\Users\List\AppData\Local\unikrpc" folder move:

Could not move "C:\Users\List\AppData\Local\unikrpc" => Scheduled to move on reboot.

"C:\WINDOWS\system32\drivers\terehknr.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION" => not found.

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 7364608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 22681604 B
Java, Flash, Steam htmlcache => 55940239 B
Windows/system/drivers => 197382 B
Edge => 51200 B
Chrome => 0 B
Firefox => 394388921 B
Opera => 48231449 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 12302 B
NetworkService => 0 B
List => 279812683 B

RecycleBin => 0 B
EmptyTemp: => 771.2 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 20-09-2017 10:37:23)

"C:\Users\List\AppData\Local\unikrpc - Copy" => Could not move
"C:\Users\List\AppData\Local\unikrpc" => Could not move

==== End of Fixlog 10:37:28 ====

2017-09-13 23:33:25.760    Sophos Virus Removal Tool version 2.6.1
2017-09-13 23:33:25.760    Copyright (c) 2009-2017 Sophos Limited. All rights reserved.

2017-09-13 23:33:25.760    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2017-09-13 23:33:25.760    Windows version 6.2 SP 0.0  build 9200 SM=0x300 PT=0x1 WOW64
2017-09-13 23:33:25.761    Checking for updates...
2017-09-13 23:33:25.806    Update progress: proxy server not available
2017-09-13 23:33:31.607    Option all = no
2017-09-13 23:33:31.607    Option recurse = yes
2017-09-13 23:33:31.608    Option archive = no
2017-09-13 23:33:31.608    Option service = yes
2017-09-13 23:33:31.608    Option confirm = yes
2017-09-13 23:33:31.608    Option sxl = yes
2017-09-13 23:33:31.608    Option max-data-age = 35
2017-09-13 23:33:31.608    Option vdl-logging = yes
2017-09-13 23:33:31.612    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2017-09-13 23:33:31.612    Machine ID:    bcf910b213fe40b0b98bd605fc4e1bff
2017-09-13 23:33:31.613    Component SVRTcli.exe version 2.6.1
2017-09-13 23:33:31.613    Component control.dll version 2.6.1
2017-09-13 23:33:31.613    Component SVRTservice.exe version 2.6.1
2017-09-13 23:33:31.613    Component engine\osdp.dll version 1.44.1.2286
2017-09-13 23:33:31.613    Component engine\veex.dll version 3.68.6.2286
2017-09-13 23:33:31.613    Component engine\savi.dll version 9.0.7.2286
2017-09-13 23:33:31.613    Component rkdisk.dll version 1.5.31.1
2017-09-13 23:33:31.613    Version info:    Product version    2.6.1
2017-09-13 23:33:31.614    Version info:    Detection engine    3.68.6
2017-09-13 23:33:31.614    Version info:    Detection data    5.42
2017-09-13 23:33:31.614    Version info:    Build date    7/25/2017
2017-09-13 23:33:31.614    Version info:    Data files added    389
2017-09-13 23:33:31.614    Version info:    Last successful update    (not yet updated)
2017-09-13 23:33:36.256    Downloading updates...
2017-09-13 23:33:36.257    Update progress: [I96736] sdds.svrt_10: adding primary package C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED baseVersion=1
2017-09-13 23:33:36.257    Update progress: [I95020] sdds.svrt_10: looking for packages included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-09-13 23:33:36.257    Update progress: [I22529] sdds.svrt_10: looking for supplements included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-09-13 23:33:36.257    Update progress: [I49502] sdds.savi0910.xml: found supplement SAVIW32 LATEST path= baseVersion= [included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=]
2017-09-13 23:33:36.257    Update progress: [I95020] sdds.savi0910.xml: looking for packages included from product SAVIW32 LATEST path=
2017-09-13 23:33:36.257    Update progress: [I22529] sdds.savi0910.xml: looking for supplements included from product SAVIW32 LATEST path=
2017-09-13 23:33:36.257    Update progress: [I49502] sdds.data0910.xml: found supplement IDE543 LATEST path= baseVersion= [included from product SAVIW32 LATEST path=]
2017-09-13 23:33:36.258    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE543 LATEST path=
2017-09-13 23:33:36.258    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE543 LATEST path=
2017-09-13 23:33:36.258    Update progress: [I49502] sdds.data0910.xml: found supplement IDE544 LATEST path= baseVersion= [included from product IDE543 LATEST path=]
2017-09-13 23:33:36.258    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE544 LATEST path=
2017-09-13 23:33:36.258    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE544 LATEST path=
2017-09-13 23:33:36.258    Update progress: [I49502] sdds.data0910.xml: found supplement IDE545 LATEST path= baseVersion= [included from product IDE544 LATEST path=]
2017-09-13 23:33:36.258    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE545 LATEST path=
2017-09-13 23:33:36.258    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE545 LATEST path=
2017-09-13 23:33:36.258    Update progress: [I49502] sdds.data0910.xml: found supplement IDE546 LATEST path= baseVersion= [included from product IDE545 LATEST path=]
2017-09-13 23:33:36.258    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE546 LATEST path=
2017-09-13 23:33:36.258    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE546 LATEST path=
2017-09-13 23:33:36.258    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-09-13 23:33:36.353    Update progress: [I19463] Syncing product SAVIW32 LATEST path=
2017-09-13 23:33:36.353    Update progress: [I19463] Product download size 170129587 bytes
2017-09-13 23:33:37.499    Update progress: [I19463] Syncing product IDE543 LATEST path=
2017-09-13 23:33:37.499    Update progress: [I19463] Product download size 2650459 bytes
2017-09-13 23:33:37.704    Update progress: [I19463] Syncing product IDE544 LATEST path=
2017-09-13 23:33:37.704    Update progress: [I19463] Product download size 2139985 bytes
2017-09-13 23:33:37.875    Update progress: [I19463] Syncing product IDE545 LATEST path=
2017-09-13 23:33:37.875    Update progress: [I19463] Product download size 2135034 bytes
2017-09-13 23:33:37.989    Update progress: [I19463] Syncing product IDE546 LATEST path=
2017-09-13 23:33:38.005    Installing updates...
2017-09-13 23:33:38.611    Error level 1
2017-09-13 23:33:40.984    Update successful
2017-09-13 23:33:46.990    Option all = no
2017-09-13 23:33:46.990    Option recurse = yes
2017-09-13 23:33:46.990    Option archive = no
2017-09-13 23:33:46.990    Option service = yes
2017-09-13 23:33:46.990    Option confirm = yes
2017-09-13 23:33:46.990    Option sxl = yes
2017-09-13 23:33:46.991    Option max-data-age = 35
2017-09-13 23:33:46.991    Option vdl-logging = yes
2017-09-13 23:33:46.994    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2017-09-13 23:33:46.994    Machine ID:    bcf910b213fe40b0b98bd605fc4e1bff
2017-09-13 23:33:46.995    Component SVRTcli.exe version 2.6.1
2017-09-13 23:33:46.996    Component control.dll version 2.6.1
2017-09-13 23:33:46.996    Component SVRTservice.exe version 2.6.1
2017-09-13 23:33:46.996    Component engine\osdp.dll version 1.44.1.2286
2017-09-13 23:33:46.996    Component engine\veex.dll version 3.68.6.2286
2017-09-13 23:33:46.996    Component engine\savi.dll version 9.0.7.2286
2017-09-13 23:33:46.996    Component rkdisk.dll version 1.5.31.1
2017-09-13 23:33:46.996    Version info:    Product version    2.6.1
2017-09-13 23:33:46.997    Version info:    Detection engine    3.68.6
2017-09-13 23:33:46.997    Version info:    Detection data    5.42
2017-09-13 23:33:46.997    Version info:    Build date    7/25/2017
2017-09-13 23:33:46.997    Version info:    Data files added    389
2017-09-13 23:33:46.997    Version info:    Last successful update    9/13/2017 7:33:40 PM

2017-09-13 23:40:21.858    >>> Virus 'Mal/Generic-S' found in file C:\found.000\dir0000.chk\Users\List\AppData\Local\winwovj\vmtmuoc.exe
2017-09-13 23:40:21.858    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-09-13 23:40:21.858    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-2489865123-2485827485-1206147462-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-09-13 23:40:22.022    Could not open C:\found.000\dir0001.chk\System32\imekqde\msaabbo.sys
2017-09-13 23:40:22.886    Could not open C:\hiberfil.sys
2017-09-13 23:40:27.162    Could not open C:\pagefile.sys
2017-09-13 23:47:53.129    Could not open C:\swapfile.sys
2017-09-13 23:52:07.109    Could not open C:\Windows\System32\config\BBI
2017-09-13 23:52:07.142    Could not open C:\Windows\System32\config\DRIVERS
2017-09-13 23:52:07.144    Could not open C:\Windows\System32\config\HARDWARE
2017-09-13 23:52:07.146    Could not open C:\Windows\System32\config\RegBack\DEFAULT
2017-09-13 23:52:07.146    Could not open C:\Windows\System32\config\RegBack\SAM
2017-09-13 23:52:07.147    Could not open C:\Windows\System32\config\RegBack\SECURITY
2017-09-13 23:52:07.147    Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2017-09-13 23:52:07.148    Could not open C:\Windows\System32\config\RegBack\SYSTEM
2017-09-13 23:52:30.454    Could not open C:\Windows\System32\drivers\teroruxb.sys
2017-09-14 00:17:36.233    Could not open LOGICAL:0006:00000000
2017-09-14 00:17:36.233    Could not open G:\
2017-09-14 00:17:36.233    Could not open LOGICAL:0007:00000000
2017-09-14 00:17:36.234    Could not open H:\
2017-09-14 00:17:36.234    Could not open LOGICAL:0008:00000000
2017-09-14 00:17:36.234    Could not open I:\
2017-09-14 00:17:36.470    Could not open LOGICAL:000A:00000000
2017-09-14 00:17:36.470    Could not open K:\
2017-09-14 00:17:36.669    The following items will be cleaned up:
2017-09-14 00:17:36.669    Mal/Generic-S
2017-09-14 00:25:46.071    Threat 'Mal/Generic-S' needs a reboot to complete cleanup.
2017-09-14 00:25:46.071    File "C:\found.000\dir0000.chk\Users\List\AppData\Local\winwovj\vmtmuoc.exe" belongs to malware 'Mal/Generic-S'.
2017-09-14 00:25:46.071    File "C:\found.000\dir0000.chk\Users\List\AppData\Local\winwovj\vmtmuoc.exe" has been cleaned up.
2017-09-14 00:25:46.071    Removal successful
2017-09-14 00:25:46.529    Error level 0

2017-09-14 00:27:20.014    Scan completed.
2017-09-14 00:27:20.014    

------------------------------------------------------------

2017-09-20 14:39:42.619    Sophos Virus Removal Tool version 2.6.1
2017-09-20 14:39:42.619    Copyright (c) 2009-2017 Sophos Limited. All rights reserved.

2017-09-20 14:39:42.619    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2017-09-20 14:39:42.619    Windows version 6.2 SP 0.0  build 9200 SM=0x300 PT=0x1 WOW64
2017-09-20 14:39:42.619    Checking for updates...
2017-09-20 14:39:42.635    Update progress: proxy server not available
2017-09-20 14:39:45.260    Downloading updates...
2017-09-20 14:39:45.260    Update progress: [I96736] sdds.svrt_10: adding primary package C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED baseVersion=1
2017-09-20 14:39:45.260    Update progress: [I95020] sdds.svrt_10: looking for packages included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-09-20 14:39:45.260    Update progress: [I22529] sdds.svrt_10: looking for supplements included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-09-20 14:39:45.260    Update progress: [I49502] sdds.savi0910.xml: found supplement SAVIW32 LATEST path= baseVersion= [included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=]
2017-09-20 14:39:45.260    Update progress: [I95020] sdds.savi0910.xml: looking for packages included from product SAVIW32 LATEST path=
2017-09-20 14:39:45.260    Update progress: [I22529] sdds.savi0910.xml: looking for supplements included from product SAVIW32 LATEST path=
2017-09-20 14:39:45.260    Update progress: [I49502] sdds.data0910.xml: found supplement IDE543 LATEST path= baseVersion= [included from product SAVIW32 LATEST path=]
2017-09-20 14:39:45.260    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE543 LATEST path=
2017-09-20 14:39:45.260    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE543 LATEST path=
2017-09-20 14:39:45.260    Update progress: [I49502] sdds.data0910.xml: found supplement IDE544 LATEST path= baseVersion= [included from product IDE543 LATEST path=]
2017-09-20 14:39:45.260    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE544 LATEST path=
2017-09-20 14:39:45.260    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE544 LATEST path=
2017-09-20 14:39:45.260    Update progress: [I49502] sdds.data0910.xml: found supplement IDE545 LATEST path= baseVersion= [included from product IDE544 LATEST path=]
2017-09-20 14:39:45.260    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE545 LATEST path=
2017-09-20 14:39:45.260    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE545 LATEST path=
2017-09-20 14:39:45.260    Update progress: [I49502] sdds.data0910.xml: found supplement IDE546 LATEST path= baseVersion= [included from product IDE545 LATEST path=]
2017-09-20 14:39:45.260    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE546 LATEST path=
2017-09-20 14:39:45.260    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE546 LATEST path=
2017-09-20 14:39:45.260    Update progress: [I49502] sdds.data0910.xml: found supplement IDE547 LATEST path= baseVersion= [included from product IDE546 LATEST path=]
2017-09-20 14:39:45.260    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE547 LATEST path=
2017-09-20 14:39:45.260    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE547 LATEST path=
2017-09-20 14:39:45.260    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-09-20 14:39:45.291    Update progress: [I19463] Syncing product SAVIW32 LATEST path=
2017-09-20 14:39:45.323    Update progress: [I19463] Syncing product IDE543 LATEST path=
2017-09-20 14:39:45.354    Update progress: [I19463] Syncing product IDE544 LATEST path=
2017-09-20 14:39:45.401    Update progress: [I19463] Syncing product IDE545 LATEST path=
2017-09-20 14:39:45.401    Update progress: [I19463] Product download size 449968 bytes
2017-09-20 14:39:45.870    Update progress: [I19463] Syncing product IDE546 LATEST path=
2017-09-20 14:39:45.870    Update progress: [I19463] Product download size 46279 bytes
2017-09-20 14:39:46.057    Update progress: [I19463] Syncing product IDE547 LATEST path=
2017-09-20 14:39:46.073    Installing updates...
2017-09-20 14:39:49.979    Option all = no
2017-09-20 14:39:50.604    Option recurse = yes
2017-09-20 14:39:50.604    Option archive = no
2017-09-20 14:39:50.604    Option service = yes
2017-09-20 14:39:50.604    Option confirm = yes
2017-09-20 14:39:50.604    Option sxl = yes
2017-09-20 14:39:50.604    Option max-data-age = 35
2017-09-20 14:39:50.604    Option vdl-logging = yes
2017-09-20 14:39:50.604    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2017-09-20 14:39:50.604    Machine ID:    bcf910b213fe40b0b98bd605fc4e1bff
2017-09-20 14:39:50.604    Component SVRTcli.exe version 2.6.1
2017-09-20 14:39:50.604    Component control.dll version 2.6.1
2017-09-20 14:39:50.604    Component SVRTservice.exe version 2.6.1
2017-09-20 14:39:50.604    Component engine\osdp.dll version 1.44.1.2286
2017-09-20 14:39:50.604    Component engine\veex.dll version 3.68.6.2286
2017-09-20 14:39:50.604    Component engine\savi.dll version 9.0.7.2286
2017-09-20 14:39:50.604    Component rkdisk.dll version 1.5.31.1
2017-09-20 14:39:50.604    Version info:    Product version    2.6.1
2017-09-20 14:39:50.604    Version info:    Detection engine    3.68.6
2017-09-20 14:39:50.604    Version info:    Detection data    5.42
2017-09-20 14:39:50.604    Version info:    Build date    7/25/2017
2017-09-20 14:39:50.604    Version info:    Data files added    389
2017-09-20 14:39:50.604    Version info:    Last successful update    9/13/2017 7:33:40 PM
2017-09-20 14:39:50.604    Error level 1
2017-09-20 14:39:50.823    Update successful
2017-09-20 14:39:57.699    Option all = no
2017-09-20 14:39:57.699    Option recurse = yes
2017-09-20 14:39:57.699    Option archive = no
2017-09-20 14:39:57.699    Option service = yes
2017-09-20 14:39:57.699    Option confirm = yes
2017-09-20 14:39:57.699    Option sxl = yes
2017-09-20 14:39:57.699    Option max-data-age = 35
2017-09-20 14:39:57.699    Option vdl-logging = yes
2017-09-20 14:39:57.699    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2017-09-20 14:39:57.699    Machine ID:    bcf910b213fe40b0b98bd605fc4e1bff
2017-09-20 14:39:57.699    Component SVRTcli.exe version 2.6.1
2017-09-20 14:39:57.699    Component control.dll version 2.6.1
2017-09-20 14:39:57.699    Component SVRTservice.exe version 2.6.1
2017-09-20 14:39:57.699    Component engine\osdp.dll version 1.44.1.2286
2017-09-20 14:39:57.699    Component engine\veex.dll version 3.68.6.2286
2017-09-20 14:39:57.699    Component engine\savi.dll version 9.0.7.2286
2017-09-20 14:39:57.699    Component rkdisk.dll version 1.5.31.1
2017-09-20 14:39:57.699    Version info:    Product version    2.6.1
2017-09-20 14:39:57.699    Version info:    Detection engine    3.68.6
2017-09-20 14:39:57.699    Version info:    Detection data    5.42
2017-09-20 14:39:57.699    Version info:    Build date    7/25/2017
2017-09-20 14:39:57.699    Version info:    Data files added    420
2017-09-20 14:39:57.699    Version info:    Last successful update    9/20/2017 10:39:50 AM

2017-09-20 14:45:41.318    >>> Virus 'Mal/Generic-S' found in file C:\found.000\dir0000.chk\Users\List\AppData\Local\winwovj\vmtmuoc.exe
2017-09-20 14:45:41.453    Could not open C:\found.000\dir0001.chk\System32\imekqde\msaabbo.sys
2017-09-20 14:45:42.356    Could not open C:\hiberfil.sys
2017-09-20 14:45:45.771    Could not open C:\pagefile.sys
2017-09-20 14:52:54.695    Could not open C:\swapfile.sys
2017-09-20 14:57:11.368    Could not open C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
2017-09-20 14:57:11.368    Could not open C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
2017-09-20 14:57:13.308    Could not open C:\Windows\System32\config\BBI
2017-09-20 14:57:13.354    Could not open C:\Windows\System32\config\HARDWARE
2017-09-20 14:57:13.354    Could not open C:\Windows\System32\config\RegBack\DEFAULT
2017-09-20 14:57:13.354    Could not open C:\Windows\System32\config\RegBack\SAM
2017-09-20 14:57:13.354    Could not open C:\Windows\System32\config\RegBack\SECURITY
2017-09-20 14:57:13.354    Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2017-09-20 14:57:13.354    Could not open C:\Windows\System32\config\RegBack\SYSTEM
2017-09-20 14:57:41.114    Could not open C:\Windows\System32\drivers\terruxbe.sys
2017-09-20 15:24:46.620    Could not open LOGICAL:0005:00000000
2017-09-20 15:24:46.620    Could not open F:\
2017-09-20 15:24:46.620    Could not open LOGICAL:0006:00000000
2017-09-20 15:24:46.620    Could not open G:\
2017-09-20 15:24:46.620    Could not open LOGICAL:0007:00000000
2017-09-20 15:24:46.620    Could not open H:\
2017-09-20 15:24:46.620    Could not open LOGICAL:0008:00000000
2017-09-20 15:24:46.620    Could not open I:\
2017-09-20 15:24:46.620    Could not open LOGICAL:0009:00000000
2017-09-20 15:24:46.620    Could not open J:\
2017-09-20 15:24:46.620    Could not open LOGICAL:000A:00000000
2017-09-20 15:24:46.620    Could not open K:\
2017-09-20 15:24:46.620    Could not open LOGICAL:000B:00000000
2017-09-20 15:24:46.620    Could not open L:\
2017-09-20 15:24:46.698    The following items will be cleaned up:
2017-09-20 15:24:46.698    Mal/Generic-S

Thanks for those logs, I want you to run another FRST fix via the recovery environment. Boot to the RE as you did before from the Windows 10 Recovery DVD.

Download the attached file fixlist.txt (end of reply) and save it to your USB flash drive alongside FRST, then plug it into your PC...

Boot to the Choose an Option Window:

From that window select "Troubleshoot"

From the next window select "Advanced Options"

From that Window select "Command Prompt"

Ensure the flash drive is plugged into a USB port... You should now be in the Recovery Environment with the Command Prompt Window open......

Continue with the following:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type E:\frst64 or E:\frst depending on your version. Press Enter
  • Note: Replace letter E with the drive letter of your flash drive. <<<----very important
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Fix button just once and wait.
  • FRST will run and make a log (fixlog.txt) on the flash drive. You will need to boot back to normal Windows to post the log, or if applicable do that action from a spare PC...
  • To boot back to Windows, type exit at the prompt and hit Enter
  • Please copy and paste or attach fixlog.txt to your reply.

Next,

Reboot to normal Windows and run another threat scan with Malwarebytes....

Thank you,

Kevin...

fixlist.txt


I should mention that the folders FRST tried to move are still there.

Malwarebytes found no threats.

Fix result of Farbar Recovery Scan Tool (x64) Version: 19-09-2017
Ran by SYSTEM (20-09-2017 13:22:34) Run:11
Running from E:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
Start
C:\Users\List\AppData\Local\unikrpc - Copy
C:\Users\List\AppData\Local\unikrpc
end

*****************

C:\Users\List\AppData\Local\unikrpc - Copy => moved successfully
C:\Users\List\AppData\Local\unikrpc => moved successfully

==== End of Fixlog 13:22:40 ====

mmm very odd, see if this fix will work from normal Windows....

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

fixlist.txt


FRST rebooted the computer but couldn't delete those entries.

All of the issues associated with the infection (those folders, processes blocked, Windows toolbar issues) are still present. The fixes seem to be doing something, but after a couple of reboots the malware 'regenerates.'

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-09-2017
Ran by List (20-09-2017 14:26:42) Run:12
Running from C:\Users\List\Desktop\FINALFIX\_1
Loaded Profiles: List (Available Profiles: List)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
closeprocesses:
Unlock: C:\Users\List\AppData\Local\unikrpc
C:\Users\List\AppData\Local\unikrpc
Unlock: C:\Users\List\AppData\Local\unikrpc - Copy
C:\Users\List\AppData\Local\unikrpc - Copy
end

*****************

Processes closed successfully.
"C:\Users\List\AppData\Local\unikrpc" => was unlocked

"C:\Users\List\AppData\Local\unikrpc" folder move:

Could not move "C:\Users\List\AppData\Local\unikrpc" => Scheduled to move on reboot.

"C:\Users\List\AppData\Local\unikrpc - Copy" => was unlocked

"C:\Users\List\AppData\Local\unikrpc - Copy" folder move:

Could not move "C:\Users\List\AppData\Local\unikrpc - Copy" => Scheduled to move on reboot.


Thousands of folders and files inside. The folders are named 'data601' to 'data700.' It looks mostly like my browser data and random junk.

I can browse it with the command prompt and that's it - Windows denies me access and I can't modify anything inside it.

The folder (unikrpc) showed up after I deleted an older infection folder, before I opened this topic. It was also inaccessible (I used a bootable file manager.)

For some reason, 'unikrpc' has lost 3,000 files and 500MB, compared to the 'unikrpc - Copy' I accidentally made.


Try this fix from normal Windows....

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.

fixlist.txt


Fix result of Farbar Recovery Scan Tool (x64) Version: 20-09-2017
Ran by List (20-09-2017 15:07:49) Run:13
Running from C:\Users\List\Desktop\FINALFIX\_1
Loaded Profiles: List (Available Profiles: List)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
closeprocesses:
Unlock: C:\Windows\System32\drivers\terruxbe.sys
C:\Windows\System32\drivers\terruxbe.sys
Unlock: C:\Users\List\AppData\Local\unikrpc
C:\Users\List\AppData\Local\unikrpc
Unlock: C:\Users\List\AppData\Local\unikrpc - Copy
C:\Users\List\AppData\Local\unikrpc - Copy
end

*****************

Processes closed successfully.
"C:\Windows\System32\drivers\terruxbe.sys" => not found.
"C:\Windows\System32\drivers\terruxbe.sys" => not found.
"C:\Users\List\AppData\Local\unikrpc" => was unlocked

"C:\Users\List\AppData\Local\unikrpc" folder move:

Could not move "C:\Users\List\AppData\Local\unikrpc" => Scheduled to move on reboot.

"C:\Users\List\AppData\Local\unikrpc - Copy" => was unlocked

"C:\Users\List\AppData\Local\unikrpc - Copy" folder move:

Could not move "C:\Users\List\AppData\Local\unikrpc - Copy" => Scheduled to move on reboot.


Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 20-09-2017 15:11:38)

"C:\Users\List\AppData\Local\unikrpc" => Could not move
"C:\Users\List\AppData\Local\unikrpc - Copy" => Could not move

==== End of Fixlog 15:11:42 ====


This is frustrating for sure, try the following:

Download BlitzBlank from here: http://www.bleepingcomputer.com/download/blitzblank/dl/108/ and save it to your desktop.

Right click on Blitzblank.exe and select "Run as Administrator"

Click OK at the warning (and take note of it, this is a VERY powerful tool!).

Click the Script tab and copy/paste the following text there:

DeleteFolder:
C:\Users\List\AppData\Local\unikrpc
DeleteFolder:
C:\Users\List\AppData\Local\unikrpc - Copy

Click Execute Now. An alert will ask "You are about to delete files, are you sure to proceed" Select OK to proceed

A system reboot warning will open, it will say "Please close all running applications to avoid data loss" Select OK to proceed

Your computer will need to reboot in order to do the fixes

When done, post me the report created by Blitzblank. You can find it at the root of the drive, normally C:\

Thanks,

Kevin...



BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
MoveDirectoryOnReboot: sourceDirectory = "\??\c:\users\list\appdata\local\unikrpc", destinationDirectory = "(null)", replaceWithDummy = 0
MoveDirectoryOnReboot: sourceDirectory = "\??\c:\users\list\appdata\local\unikrpc\data601", destinationDirectory = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\users\list\appdata\local\unikrpc\data601\Cookies", destinationFile = "(null)", replaceWithDummy = 0
RemoveFile: ZwDeleteFile failed: status = c0000022
MoveDirectoryOnReboot: ProcessElement failed: status = c0000022
MoveDirectoryOnReboot: ProcessElement failed: status = c0000022
MoveDirectoryOnReboot: sourceDirectory = "\??\c:\users\list\appdata\local\unikrpc - copy", destinationDirectory = "(null)", replaceWithDummy = 0
MoveDirectoryOnReboot: sourceDirectory = "\??\c:\users\list\appdata\local\unikrpc - copy\data601", destinationDirectory = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\users\list\appdata\local\unikrpc - copy\data601\Cookies", destinationFile = "(null)", replaceWithDummy = 0
RemoveFile: ZwDeleteFile failed: status = c0000022
MoveDirectoryOnReboot: ProcessElement failed: status = c0000022
MoveDirectoryOnReboot: ProcessElement failed: status = c0000022

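The Fixlog posts above repeat one pattern (an item is unlocked, "Scheduled to move on reboot", then "Could not move" after the reboot), and the BlitzBlank report above ends every attempt with "status = c0000022". When triaging a thread like this it helps to reduce those logs to a short verdict per item. The following is an added example, not code from FRST, BlitzBlank or anyone in the thread: it parses sample lines constructed in the shape of the posted logs, tracks the last recorded outcome per item, and decodes the NTSTATUS values BlitzBlank reports using names from the Windows SDK's ntstatus.h. Any NTSTATUS value not in the small table is shown as its raw hex.

```python
"""Triage helper for two remediation-tool log formats seen in this thread:
an FRST Fixlog.txt and a BlitzBlank report.  Added example, not code from
either tool.  The sample log lines below are constructed, not read from disk."""
import re
from collections import defaultdict

# Constructed sample in the shape of an FRST Fixlog (same item outcomes as the thread).
FRST_FIXLOG = r"""
Processes closed successfully.
MSPCLOCK => service removed successfully
C:\WINDOWS\system32\Drivers\527B3A51.sys => moved successfully
"C:\WINDOWS\system32\Drivers\terehknr.sys" => not found.
"C:\Users\List\AppData\Local\unikrpc" => was unlocked
Could not move "C:\Users\List\AppData\Local\unikrpc" => Scheduled to move on reboot.
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 20-09-2017 15:11:38)
"C:\Users\List\AppData\Local\unikrpc" => Could not move
==== End of Fixlog 15:11:42 ====
"""

# Constructed sample in the shape of a BlitzBlank report.
BLITZBLANK_LOG = r"""
MoveDirectoryOnReboot: sourceDirectory = "\??\c:\users\list\appdata\local\unikrpc", destinationDirectory = "(null)", replaceWithDummy = 0
RemoveFile: ZwDeleteFile failed: status = c0000022
MoveDirectoryOnReboot: ProcessElement failed: status = c0000022
"""

# Outcome name -> regex for one Fixlog result line.  Paths may or may not be quoted.
FRST_PATTERNS = [
    ("unlocked",  re.compile(r'^"?(?P<item>[^"]+?)"? => was unlocked$')),
    ("moved",     re.compile(r'^"?(?P<item>[^"]+?)"? => moved successfully$')),
    ("removed",   re.compile(r'^"?(?P<item>[^"]+?)"? => (?:key|service) removed successfully$')),
    ("not_found", re.compile(r'^"?(?P<item>[^"]+?)"? => not found\.$')),
    ("scheduled", re.compile(r'^Could not move "(?P<item>[^"]+)" => Scheduled to move on reboot\.$')),
    ("failed",    re.compile(r'^"(?P<item>[^"]+)" => Could not move$')),
]

# NTSTATUS values as defined in ntstatus.h; only codes plausible for a delete/move are listed.
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000043: "STATUS_SHARING_VIOLATION",
    0xC0000121: "STATUS_CANNOT_DELETE",
}
STATUS_RE = re.compile(r'^(?P<op>\w+): (?P<call>\S+) failed: status = (?P<code>[0-9a-fA-F]{8})$')


def parse_frst_fixlog(text):
    """Map each item in a Fixlog to the ordered list of outcomes recorded for it."""
    outcomes = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        for name, pattern in FRST_PATTERNS:
            match = pattern.match(line)
            if match:
                outcomes[match.group("item")].append(name)
                break  # one outcome per line
    return dict(outcomes)


def unresolved_items(outcomes):
    """Items whose last recorded outcome is still a failure.

    'scheduled' with no later result means the reboot-time move never reported;
    'failed' means the reboot-time move itself was refused.  Either way the
    item survived the fix and needs a different approach."""
    return sorted(item for item, seq in outcomes.items() if seq[-1] in ("scheduled", "failed"))


def parse_blitzblank_failures(text):
    """Return (operation, NTSTATUS name) for every failed BlitzBlank operation."""
    failures = []
    for line in text.splitlines():
        match = STATUS_RE.match(line.strip())
        if match:
            code = int(match.group("code"), 16)
            failures.append((match.group("op"), NTSTATUS.get(code, f"0x{code:08X}")))
    return failures


if __name__ == "__main__":
    results = parse_frst_fixlog(FRST_FIXLOG)
    for item, seq in results.items():
        print(f"{item}: {' -> '.join(seq)}")
    print("still present after fix:", unresolved_items(results))
    for op, status in parse_blitzblank_failures(BLITZBLANK_LOG):
        print(f"BlitzBlank {op}: {status}")
```

On the constructed sample the folder path is the only item left in the unresolved list, and both BlitzBlank failures decode to STATUS_ACCESS_DENIED. That distinction matters for triage: a reboot-time native application still being refused access points to the folder's security descriptor (ownership and ACLs) rather than to a process merely holding it open, which is consistent with the user's report that Windows denies access even from a bootable file manager.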

Quote

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-09-2017 02
Ran by List (administrator) on DESKTOP-HO5U8KA (13-09-2017 20:36:22)
Running from C:\Users\List\Desktop\FINALFIX\_1
Loaded Profiles: List (Available Profiles: List)
Platform: Windows 10 Home Version 1703 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal

"List" is the user with Administrator status, it is the only available profile. Did you not set up that profile...?
