
Malware Infection? Hijack.Hosts Found+Weird Behaviour


scut1


I am running a PC with Windows XP SP3 (32-bit) with Avast Free 17.8 as primary real-time AV, complemented by MBAE v45 and MBAM Free 3.3.1 as an on-demand malware scanner.

Since yesterday my system has started behaving weirdly.

It started when Secunia PSI asked to check my internet connection, was not able to connect to the update server and was unable to scan files. After a couple of reboots, it came online again and now it's working fine.

Thinking it was an issue linked to the firewall permission, I tried to open the internet option tab in control panel and - here is the problem. Internet Options would not open, not even using the inetcpl.cpl command. A quick browse pointed to a malware infection.

I ran MBAM which found Hijack.Hosts, which I quarantined. A second scan showed zero infections. I also ran Avast which found VBS:Malware generic, which I also quarantined. A second scan showed no issues. Reading through various forums, both viruses may be false positives.

I also tried a system restore, but after a first attempt at restoring to 2 days ago, it will not restore further ("restore incomplete"). System Restore shows that this morning my PC installed Windows XP wdf01009. Another search pointed again to malware.

I tried to follow the MS-suggested protocol for malware infections, starting with MS Malicious Software Removal Tool, AdwCleaner and Rogue Killer. However, when trying to launch the programs I get the message that the "..........exe file is not a valid Win32 application". Again, a quick search with this query points to malware.

The situation has not improved. Current status as follows:

- MBAM shows no issues

- Avast shows no issues

- Emsisoft Emergency Kit shows no issues

- FRST shows no issues

- Junkware Removal Tool shows no issues

Apart from the snags mentioned above, the system is not slower than usual or using more resources than usual.

Any recommendations on how to move forward?

Thanks

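The Hijack.Hosts detection mentioned in the post above refers to the Windows hosts file (C:\Windows\System32\drivers\etc\hosts), which malware edits to block update and vendor sites or to redirect logins to an attacker's address. The audit below is an added example, not code from the thread or from Malwarebytes: it parses a hosts file, ignores the stock loopback entries, and separates the classic hijack (a vendor or update domain sinkholed to 127.0.0.1/0.0.0.0, or a site pointed at a public address) from entries that merely sinkhole other domains, which is exactly what an ad-blocking hosts list looks like and a frequent source of false positives. The watch-list of vendor domains and the SAMPLE_HOSTS input are constructed for this example.

```python
"""Audit a Windows hosts file for the tampering that scanners report as
Hijack.Hosts.  Added example; the vendor watch-list and SAMPLE_HOSTS are
constructed for illustration, not taken from the thread."""
import ipaddress

# Names a stock hosts file legitimately maps to loopback.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                 "ip6-localhost", "ip6-loopback"}

# Domains malware commonly sinkholes to stop updates and cleanup tools
# (illustrative list, an assumption of this example; extend it as needed).
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "avast.com",
                      "malwarebytes.com", "secunia.com", "emsisoft.com")

# RFC 1918 / link-local ranges, listed explicitly because Python's
# is_private also covers the TEST-NET documentation ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]

# Constructed sample: stock entries, an ad-block style sinkhole, a vendor
# site blocked, a login page redirected to a public address, and junk.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0   ads.example.net  tracker.example.org
127.0.0.1 www.malwarebytes.com   # keeps the user off the vendor site
198.51.100.7 www.example-bank.com
not-an-ip somehost
"""


def parse_hosts(text):
    """Return [(lineno, ip, [names])] for every effective (non-comment) line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop inline comments
        parts = line.split()                     # tabs or spaces
        if len(parts) >= 2:
            names = [n.lower().rstrip(".") for n in parts[1:]]
            entries.append((lineno, parts[0], names))
    return entries


def is_protected(name):
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify(ip, name):
    """Map one (ip, hostname) pair to a finding category, or None if benign."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    local = addr.is_loopback or addr.is_unspecified   # 127.x, ::1, 0.0.0.0
    if local and name in DEFAULT_NAMES:
        return None
    if local:
        # Sinkholing a vendor/update domain is the classic hijack; sinkholing
        # anything else is indistinguishable from an ad-blocking hosts list,
        # which is why scanners raise false positives on it.
        return "block-security-site" if is_protected(name) else "sinkhole"
    if any(addr in net for net in PRIVATE_NETS):
        return "redirect-local"
    return "redirect-public"   # e.g. a bank or login page sent to an attacker


SEVERITY = {"block-security-site": "high", "redirect-public": "high",
            "redirect-local": "medium", "malformed": "low", "sinkhole": "info"}


def audit_hosts(text):
    """Return findings as (lineno, ip, name, category, severity), worst first."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            cat = classify(ip, name)
            if cat:
                findings.append((lineno, ip, name, cat, SEVERITY[cat]))
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return sorted(findings, key=lambda f: (order[f[4]], f[0]))


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print("line %-3d %-6s %-20s %-16s %s" % (f[0], f[4], f[3], f[1], f[2]))
```

To run it against the real file, pass `open(r"C:\Windows\System32\drivers\etc\hosts").read()` to `audit_hosts` from an elevated prompt. Content alone does not say when the file changed, so check its modification time and attributes against the onset of the symptoms as well; a file full of `sinkhole` findings and nothing rated high is what an ad-blocking list looks like, not a hijack.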

  • Root Admin

Hello @scut1

If there is an issue going on I would hope that FRST would find something. Just because there is not an entry saying DANGER / INFECTION etc. does not mean the log is clean. Almost all FRST logs show computer issues.

I'm sorry, but if you want help then I'll need to get some logs.

 

Please run the following steps and post back the logs as an attachment when ready.


STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed, open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron

 

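The message quoted in the opening post, "...exe file is not a valid Win32 application", is ERROR_BAD_EXE_FORMAT, and on XP it has a benign cause that is worth ruling out before blaming malware (it also explains Ron's "if Malwarebytes won't run, skip to the next step"): the XP loader compares the MajorSubsystemVersion/MinorSubsystemVersion fields of the PE optional header against its own version, 5.1, and refuses with exactly that message any image that declares a newer minimum, which is how tools built for Vista or later fail on XP. A 64-bit image on 32-bit XP is refused the same way. The parser below is an added example, not code from the thread or from any tool named in it: it reads those header fields from the file without executing it and reports why XP would refuse it. `build_stub_pe` constructs header-only test images; the constants and function names are this example's own.

```python
"""Explain "<name>.exe is not a valid Win32 application" on Windows XP
from the PE header alone, without running the file.  Added example, not
from the thread; build_stub_pe only constructs test input."""
import struct

XP_SP3 = (5, 1)
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B


def read_pe_requirements(data):
    """Return (machine, magic, (major, minor)) subsystem version from raw PE bytes.
    Raises ValueError for anything that is not a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _stamp, _symptr, _nsyms, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 52:
        raise ValueError("optional header too short")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    # MajorSubsystemVersion/MinorSubsystemVersion sit at offset 48 of the
    # optional header for both PE32 (0x10b) and PE32+ (0x20b).
    major, minor = struct.unpack_from("<HH", data, opt + 48)
    return machine, magic, (major, minor)


def why_xp_refuses(data, os_version=XP_SP3, os_is_64bit=False):
    """Return None if the loader would accept the image, else a short reason."""
    try:
        machine, _magic, subsys = read_pe_requirements(data)
    except (ValueError, struct.error) as exc:
        return "not a PE image (%s)" % exc
    if machine == IMAGE_FILE_MACHINE_AMD64 and not os_is_64bit:
        return "64-bit image on a 32-bit OS"
    if subsys > os_version:
        return "requires subsystem version %d.%d, OS is %d.%d" % (subsys + os_version)
    return None


def build_stub_pe(subsystem_version, machine=IMAGE_FILE_MACHINE_I386):
    """Construct a header-only PE32 image for testing (not a runnable program)."""
    major, minor = subsystem_version
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)                      # PE32 optional header, no data dirs
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<HH", opt, 40, 4, 0)   # MajorOperatingSystemVersion etc.
    struct.pack_into("<HH", opt, 48, major, minor)
    struct.pack_into("<H", opt, 68, 2)       # Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict = why_xp_refuses(fh.read())
        print("%s: %s" % (path, verdict or "loadable on XP SP3 (header check only)"))
```

Run it as `python checkpe.py AdwCleaner.exe RogueKiller.exe` on any machine; the verdict comes from the header, so a file that passes can still fail for other reasons (a truncated download, a missing runtime DLL), but one that reports a 6.x subsystem version was never going to start on XP, and that is a packaging fact, not a symptom of infection.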

Hi Ron

Thanks for your reply.

Please find attached the logs requested:

- mbam - you will find 2 files: pre- and post-malware detection

- adwcleaner

- frst (2 files)

A note on the FRST log. The file says that I have both Avast and BD up to date. However, I uninstalled BD more than 2 months ago (with both Windows Uninstall and BD's own uninstall tool). I double checked this using REVO, and it does not show BD as an installed program.

As mentioned, my main issue is the fact that I am unable to open Internet Options and System Restore seems in some ways compromised as it does not restore to dates prior to last week.

I am not sure if this is due to malware, as the AV scans appear to me inconclusive (but I do not consider myself an expert). I leave it to you to determine.

Thanks for your help.

mbam_scan_pre.txt

mbam_scan_post.txt

FRST.txt

Addition.txt

AdwCleaner[S1].txt



  • Root Admin

The logs show the computer is having some issues.

Application errors:
==================
Error: (12/14/2017 12:56:43 PM) (Source: MbaeSvc) (EventID: 0) (User: )
Description: Event-ID 0

Error: (12/05/2017 07:38:54 PM) (Source: MsiInstaller) (EventID: 10005) (User: SCPC002)
Description: Product: ProtonVPN -- ProtonVPN cannot be installed on the following Windows versions: Windows XP SP3 x86, Windows Server 2003 SP2 x86.

Error: (11/30/2017 07:29:23 PM) (Source: Google Update) (EventID: 20) (User: SCPC002)
Description: Event-ID 20

Error: (11/22/2017 09:02:34 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application acrord32.exe, version 11.0.23.22, faulting module acrord32.dll, version 11.0.23.22, fault address 0x00020640.
Processing media-specific event for [acrord32.exe!ws!]

Error: (11/16/2017 08:02:32 AM) (Source: Userenv) (EventID: 1041) (User: NT AUTHORITY)
Description: Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (11/16/2017 08:02:32 AM) (Source: Userenv) (EventID: 1041) (User: NT AUTHORITY)
Description: Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (11/16/2017 08:02:32 AM) (Source: Userenv) (EventID: 1041) (User: NT AUTHORITY)
Description: Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (11/16/2017 08:02:32 AM) (Source: Userenv) (EventID: 1041) (User: NT AUTHORITY)
Description: Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (11/16/2017 07:50:24 AM) (Source: Userenv) (EventID: 1041) (User: NT AUTHORITY)
Description: Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (11/16/2017 07:50:24 AM) (Source: Userenv) (EventID: 1041) (User: NT AUTHORITY)
Description: Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.


System errors:
=============
Error: (12/17/2017 03:18:20 PM) (Source: 0) (EventID: 8003) (User: )
Description: Event-ID 8003

Error: (12/17/2017 09:24:41 AM) (Source: 0) (EventID: 8003) (User: )
Description: Event-ID 8003

Error: (12/16/2017 05:01:44 PM) (Source: BROWSER) (EventID: 8032) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{E26FC572-A2D6-41A3-8259-DB69F4590EC1}.
The backup browser is stopping.

Error: (12/16/2017 04:52:32 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Zoolz Backup Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (12/16/2017 04:52:32 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The WindscribeService service terminated unexpectedly.  It has done this 1 time(s).

Error: (12/16/2017 04:52:31 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Secunia PSI Agent service terminated unexpectedly.  It has done this 1 time(s).

Error: (12/16/2017 04:52:31 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MSCamSvc service terminated unexpectedly.  It has done this 1 time(s).

Error: (12/16/2017 04:52:31 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Machine Debug Manager service terminated unexpectedly.  It has done this 1 time(s).

Error: (12/16/2017 04:52:30 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Bonjour Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (12/16/2017 04:52:30 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The ABBYY PDF Transformer 3.0 Licensing Service service terminated unexpectedly.  It has done this 1 time(s).

 

Let me have you run the following please. Make sure to temporarily disable your antivirus while this tool runs.

 

 

Please visit this web page and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

 

Thanks

Ron

 


Hi Ron

Thanks for your help.

I ran combofix as instructed. The log is attached.

Please note that I will go on leave from tomorrow and will be unable to log in to this PC for the next 2 weeks.

Please post your reply to this log and please make your recommendation for the next step, but please be informed that I won't be able to operate on the PC until w/c 8th January.

Thanks again for your help.

=============================

ComboFix 17-12-11.01 - sc 20/12/2017   8:40.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.2037.1091 [GMT 1:00]
Running from: c:\documents and settings\sc\Desktop\ComboFix.exe
AV: Avast Antivirus *Disabled/Updated* {7591db91-41f0-48a3-b128-1a293fd8233d}
AV: Bitdefender Antivirus Free Edition *Enabled/Updated* {9488E0FA-F058-4673-850E-E755F112BABC}
FW:  *Enabled* {9488E0FA-F058-4673-850E-E755F112BABC}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\_ctypes.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\_elementtree.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\_hashlib.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\_multiprocessing.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\_psutil_windows.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\_socket.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\_ssl.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\_yappi.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\common.time34.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\hashobjs_ext.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\PIL._imaging.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\pyexpat.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\pysqlite2._sqlite.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\python27.dll
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\pythoncom27.dll
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\pywintypes27.dll
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\select.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\thumbnails_ext.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\unicodedata.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\usb_ext.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32api.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32com.shell.shell.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32crypt.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32event.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32file.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32gui.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32inet.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32pdh.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32pipe.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32process.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32profile.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32security.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\win32ts.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\windows._lib_cacheinvalidation.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\windows.device_monitor.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\windows.volumes.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\windows.winwrap.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\winxpgui.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wx._controls_.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wx._core_.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wx._gdi_.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wx._html2.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wx._misc_.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wx._windows_.pyd
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wxbase30u_net_vc90.dll
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wxbase30u_vc90.dll
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wxmsw30u_adv_vc90.dll
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wxmsw30u_core_vc90.dll
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wxmsw30u_html_vc90.dll
c:\docume~1\sc\LOCALS~1\Temp\_MEI17682\wxmsw30u_webview_vc90.dll
c:\documents and settings\All Users\Application Data\1440322332.bdinstall.bin
c:\documents and settings\All Users\Application Data\1442839455.bdinstall.bin
c:\documents and settings\All Users\Application Data\1442839457.4676.bin
c:\documents and settings\All Users\Application Data\1442839457.5048.bin
c:\documents and settings\All Users\Application Data\1442839457.5720.bin
c:\documents and settings\All Users\Application Data\1442839457.6044.bin
c:\documents and settings\All Users\Application Data\1442839626.bdinstall.bin
c:\documents and settings\All Users\Application Data\1442839955.bdinstall.bin
c:\documents and settings\All Users\Application Data\1442840128.bdinstall.bin
c:\documents and settings\All Users\Application Data\1442840514.bdinstall.bin
c:\documents and settings\All Users\Application Data\1481724763.bdinstall.bin
c:\documents and settings\All Users\Application Data\1481724766.bdinstall.bin
c:\documents and settings\All Users\Application Data\1504685804.bdinstall.bin
c:\documents and settings\All Users\Application Data\1504685814.bdinstall.bin
c:\documents and settings\All Users\Application Data\1504686152.2312.bin
c:\documents and settings\All Users\Application Data\1504686152.2524.bin
c:\documents and settings\All Users\Application Data\1504686152.2740.bin
c:\documents and settings\All Users\Application Data\1504686152.928.bin
c:\documents and settings\All Users\Application Data\1504696396.bdinstall.bin
c:\documents and settings\All Users\Application Data\1504696409.4480.bin
c:\documents and settings\All Users\Application Data\1504696409.5476.bin
c:\documents and settings\All Users\Application Data\1504696409.5768.bin
c:\documents and settings\All Users\Application Data\1504696409.6116.bin
c:\documents and settings\All Users\Application Data\1505656557.bdinstall.bin
c:\documents and settings\All Users\Application Data\1505656560.1052.bin
c:\documents and settings\All Users\Application Data\1505656560.2408.bin
c:\documents and settings\All Users\Application Data\1505656560.3596.bin
c:\documents and settings\All Users\Application Data\1505656560.4268.bin
c:\documents and settings\sc\Application Data\inst.exe
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\_ctypes.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\_elementtree.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\_hashlib.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\_multiprocessing.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\_psutil_windows.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\_socket.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\_ssl.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\_yappi.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\common.time34.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\hashobjs_ext.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\PIL._imaging.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\pyexpat.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\pysqlite2._sqlite.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\python27.dll
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\pythoncom27.dll
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\pywintypes27.dll
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\select.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\thumbnails_ext.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\unicodedata.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\usb_ext.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32api.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32com.shell.shell.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32crypt.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32event.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32file.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32gui.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32inet.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32pdh.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32pipe.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32process.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32profile.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32security.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\win32ts.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\windows._lib_cacheinvalidation.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\windows.device_monitor.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\windows.volumes.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\windows.winwrap.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\winxpgui.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wx._controls_.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wx._core_.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wx._gdi_.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wx._html2.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wx._misc_.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wx._windows_.pyd
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wxbase30u_net_vc90.dll
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wxbase30u_vc90.dll
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wxmsw30u_adv_vc90.dll
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wxmsw30u_core_vc90.dll
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wxmsw30u_html_vc90.dll
c:\documents and settings\sc\Local Settings\Temp\_MEI17682\wxmsw30u_webview_vc90.dll
c:\windows\$msi31uninstall_kb893803v2$
c:\windows\$msi31uninstall_kb893803v2$\msi.dll
c:\windows\$msi31uninstall_kb893803v2$\msiexec.exe
c:\windows\$msi31uninstall_kb893803v2$\msihnd.dll
c:\windows\$msi31uninstall_kb893803v2$\msimsg.dll
c:\windows\$msi31uninstall_kb893803v2$\msisip.dll
c:\windows\$msi31uninstall_kb893803v2$\reg00013
c:\windows\$msi31uninstall_kb893803v2$\reg00014
c:\windows\$msi31uninstall_kb893803v2$\reg00015
c:\windows\$msi31uninstall_kb893803v2$\reg00016
c:\windows\$msi31uninstall_kb893803v2$\reg00017
c:\windows\$msi31uninstall_kb893803v2$\reg00018
c:\windows\$msi31uninstall_kb893803v2$\reg00019
c:\windows\$msi31uninstall_kb893803v2$\reg00020
c:\windows\$msi31uninstall_kb893803v2$\reg00021
c:\windows\$msi31uninstall_kb893803v2$\reg00022
c:\windows\$msi31uninstall_kb893803v2$\reg00023
c:\windows\$msi31uninstall_kb893803v2$\reg00024
c:\windows\$msi31uninstall_kb893803v2$\reg00025
c:\windows\$msi31uninstall_kb893803v2$\reg00026
c:\windows\$msi31uninstall_kb893803v2$\reg00027
c:\windows\$msi31uninstall_kb893803v2$\reg00028
c:\windows\$msi31uninstall_kb893803v2$\reg00029
c:\windows\$msi31uninstall_kb893803v2$\reg00030
c:\windows\$msi31uninstall_kb893803v2$\reg00031
c:\windows\$msi31uninstall_kb893803v2$\reg00032
c:\windows\$msi31uninstall_kb893803v2$\reg00033
c:\windows\$msi31uninstall_kb893803v2$\reg00034
c:\windows\$msi31uninstall_kb893803v2$\reg00035
c:\windows\$msi31uninstall_kb893803v2$\reg00036
c:\windows\$msi31uninstall_kb893803v2$\reg00037
c:\windows\$msi31uninstall_kb893803v2$\reg00038
c:\windows\$msi31uninstall_kb893803v2$\reg00039
c:\windows\$msi31uninstall_kb893803v2$\reg00040
c:\windows\$msi31uninstall_kb893803v2$\reg00041
c:\windows\$msi31uninstall_kb893803v2$\reg00042
c:\windows\$msi31uninstall_kb893803v2$\reg00043
c:\windows\$msi31uninstall_kb893803v2$\reg00044
c:\windows\$msi31uninstall_kb893803v2$\reg00045
c:\windows\$msi31uninstall_kb893803v2$\reg00046
c:\windows\$msi31uninstall_kb893803v2$\reg00047
c:\windows\$msi31uninstall_kb893803v2$\reg00048
c:\windows\$msi31uninstall_kb893803v2$\reg00051
c:\windows\$msi31uninstall_kb893803v2$\reg00052
c:\windows\$msi31uninstall_kb893803v2$\reg00053
c:\windows\$msi31uninstall_kb893803v2$\reg00054
c:\windows\$msi31uninstall_kb893803v2$\reg00055
c:\windows\$msi31uninstall_kb893803v2$\reg00056
c:\windows\$msi31uninstall_kb893803v2$\reg00057
c:\windows\$msi31uninstall_kb893803v2$\reg00058
c:\windows\$msi31uninstall_kb893803v2$\reg00059
c:\windows\$msi31uninstall_kb893803v2$\reg00060
c:\windows\$msi31uninstall_kb893803v2$\reg00061
c:\windows\$msi31uninstall_kb893803v2$\reg00062
c:\windows\$msi31uninstall_kb893803v2$\reg00063
c:\windows\$msi31uninstall_kb893803v2$\reg00064
c:\windows\$msi31uninstall_kb893803v2$\reg00065
c:\windows\$msi31uninstall_kb893803v2$\reg00066
c:\windows\$msi31uninstall_kb893803v2$\reg00067
c:\windows\$msi31uninstall_kb893803v2$\reg00068
c:\windows\$msi31uninstall_kb893803v2$\reg00069
c:\windows\$msi31uninstall_kb893803v2$\reg00070
c:\windows\$msi31uninstall_kb893803v2$\reg00071
c:\windows\$msi31uninstall_kb893803v2$\reg00072
c:\windows\$msi31uninstall_kb893803v2$\reg00073
c:\windows\$msi31uninstall_kb893803v2$\reg00074
c:\windows\$msi31uninstall_kb893803v2$\reg00075
c:\windows\$msi31uninstall_kb893803v2$\reg00076
c:\windows\$msi31uninstall_kb893803v2$\reg00077
c:\windows\$msi31uninstall_kb893803v2$\reg00078
c:\windows\$msi31uninstall_kb893803v2$\reg00079
c:\windows\$msi31uninstall_kb893803v2$\reg00080
c:\windows\$msi31uninstall_kb893803v2$\reg00081
c:\windows\$msi31uninstall_kb893803v2$\reg00082
c:\windows\$msi31uninstall_kb893803v2$\reg00083
c:\windows\$msi31uninstall_kb893803v2$\reg00084
c:\windows\$msi31uninstall_kb893803v2$\reg00085
c:\windows\$msi31uninstall_kb893803v2$\reg00086
c:\windows\$msi31uninstall_kb893803v2$\reg00087
c:\windows\$msi31uninstall_kb893803v2$\reg00088
c:\windows\$msi31uninstall_kb893803v2$\reg00089
c:\windows\$msi31uninstall_kb893803v2$\reg00090
c:\windows\$msi31uninstall_kb893803v2$\reg00091
c:\windows\$msi31uninstall_kb893803v2$\reg00092
c:\windows\$msi31uninstall_kb893803v2$\reg00093
c:\windows\$msi31uninstall_kb893803v2$\reg00094
c:\windows\$msi31uninstall_kb893803v2$\reg00095
c:\windows\$msi31uninstall_kb893803v2$\reg00096
c:\windows\$msi31uninstall_kb893803v2$\reg00097
c:\windows\$msi31uninstall_kb893803v2$\reg00098
c:\windows\$msi31uninstall_kb893803v2$\reg00099
c:\windows\$msi31uninstall_kb893803v2$\reg00100
c:\windows\$msi31uninstall_kb893803v2$\reg00101
c:\windows\$msi31uninstall_kb893803v2$\reg00102
c:\windows\$msi31uninstall_kb893803v2$\reg00103
c:\windows\$msi31uninstall_kb893803v2$\reg00104
c:\windows\$msi31uninstall_kb893803v2$\reg00105
c:\windows\$msi31uninstall_kb893803v2$\reg00106
c:\windows\$msi31uninstall_kb893803v2$\reg00107
c:\windows\$msi31uninstall_kb893803v2$\reg00108
c:\windows\$msi31uninstall_kb893803v2$\reg00109
c:\windows\$msi31uninstall_kb893803v2$\reg00110
c:\windows\$msi31uninstall_kb893803v2$\reg00111
c:\windows\$msi31uninstall_kb893803v2$\reg00112
c:\windows\$msi31uninstall_kb893803v2$\reg00113
c:\windows\$msi31uninstall_kb893803v2$\reg00114
c:\windows\$msi31uninstall_kb893803v2$\reg00115
c:\windows\$msi31uninstall_kb893803v2$\reg00116
c:\windows\$msi31uninstall_kb893803v2$\spuninst\spuninst.exe
c:\windows\$msi31uninstall_kb893803v2$\spuninst\spuninst.inf
c:\windows\$msi31uninstall_kb893803v2$\spuninst\spuninst.txt
c:\windows\$msi31uninstall_kb893803v2$\spuninst\updspapi.dll
.
.
(((((((((((((((((((((((((   Files Created from 2017-11-20 to 2017-12-20  )))))))))))))))))))))))))))))))
.
.
2017-12-19 07:13 . 2017-12-19 07:13    --------    d-----w-    c:\program files\VS Revo Group
2017-12-17 12:55 . 2017-12-17 12:55    24688    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2017-12-17 12:54 . 2017-12-17 13:48    --------    d-----w-    c:\documents and settings\All Users\Application Data\RogueKiller
2017-12-16 15:42 . 2017-12-16 15:42    --------    d-----w-    c:\documents and settings\Administrator
2017-12-16 14:18 . 2017-12-16 14:18    --------    d-----w-    c:\windows\Performance
2017-12-16 14:18 . 2017-12-16 14:18    --------    d-----w-    c:\documents and settings\sc\Local Settings\Application Data\Microsoft Corporation
2017-12-16 09:46 . 2017-11-10 06:54    305328    ----a-w-    c:\windows\system32\aswBoot.exe
2017-12-16 09:42 . 2017-12-16 09:42    --------    d-----w-    c:\windows\system32\wbem\Repository
2017-12-14 08:16 . 2017-12-19 19:27    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes Anti-Exploit
2017-12-14 08:16 . 2017-12-16 16:06    --------    d-----w-    c:\program files\Malwarebytes Anti-Exploit
2017-12-14 08:10 . 2017-12-19 13:40    221112    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2017-12-14 08:10 . 2017-12-14 08:10    --------    d-----w-    c:\program files\Malwarebytes
2017-12-14 08:10 . 2017-12-14 08:10    --------    d-----w-    c:\documents and settings\All Users\Application Data\MB2Migration
2017-12-14 07:59 . 2017-12-14 08:10    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2017-12-12 06:57 . 2017-12-06 19:42    873392    ----a-w-    c:\program files\Mozilla Firefox\uninstall\helper.exe
2017-12-12 06:57 . 2017-12-06 19:42    66000    ----a-w-    c:\program files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll
2017-12-11 08:13 . 2017-12-17 15:55    --------    d-----w-    C:\FRST
2017-12-05 18:38 . 2017-12-05 18:38    --------    d-----w-    c:\documents and settings\sc\Application Data\ProtonVPN AG
2017-11-28 14:05 . 2017-12-04 06:55    0    ----a-w-    c:\windows\system32\TempWmicBatchFile.bat
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2017-12-13 09:36 . 2016-01-06 20:21    803328    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2017-12-13 09:36 . 2016-01-06 20:21    144896    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2017-11-29 08:11 . 2017-10-13 08:22    59896    ----a-w-    c:\windows\system32\drivers\mbae.sys
2017-11-16 07:26 . 2017-09-06 07:41    388760    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2017-11-10 06:55 . 2017-09-06 07:41    205392    ----a-w-    c:\windows\system32\drivers\aswStmXP.sys
2017-11-10 06:54 . 2017-11-10 06:55    157176    ----a-w-    c:\windows\system32\drivers\aswArPot.sys
2017-11-10 06:54 . 2017-09-06 07:41    298360    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2017-11-10 06:54 . 2017-09-06 07:41    70864    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2017-11-10 06:54 . 2017-09-06 07:41    42848    ----a-w-    c:\windows\system32\drivers\aswHwid.sys
2017-11-10 06:54 . 2017-09-06 07:41    124952    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2017-11-10 06:54 . 2017-09-06 07:41    70112    ----a-w-    c:\windows\system32\drivers\aswRdr.sys
2017-11-10 06:54 . 2017-09-06 07:41    783136    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2017-11-10 06:54 . 2017-09-06 07:41    50376    ----a-w-    c:\windows\system32\drivers\aswbunivx.sys
2017-11-10 06:54 . 2017-09-06 07:41    276728    ----a-w-    c:\windows\system32\drivers\aswblogx.sys
2017-11-10 06:54 . 2017-09-06 07:41    255616    ----a-w-    c:\windows\system32\drivers\aswbidsdriverx.sys
2017-11-10 06:54 . 2017-09-06 07:41    157408    ----a-w-    c:\windows\system32\drivers\aswbidshx.sys
2017-10-21 20:09 . 2017-09-24 19:54    34864    ----a-w-    c:\windows\system32\drivers\tapwindscribe0901.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\  GoogleDriveBlacklisted]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2017-09-15 07:49    576408    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\  GoogleDriveSynced]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2017-09-15 07:49    576408    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\  GoogleDriveSyncing]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2017-09-15 07:49    576408    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00asw]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2017-11-10 06:54    1396816    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0Genie9 Zoolz-BackedupIcon]
@="{9DB6687B-FDB2-4284-AF2A-4562D4EB371D}"
[HKEY_CLASSES_ROOT\CLSID\{9DB6687B-FDB2-4284-AF2A-4562D4EB371D}]
2017-07-30 12:05    148992    ----a-w-    c:\program files\Genie9\Zoolz2\Overlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0Genie9 Zoolz-BackedUpModifiedIcon]
@="{9DB6687D-FDB2-4284-AF2A-4562D4EB371D}"
[HKEY_CLASSES_ROOT\CLSID\{9DB6687D-FDB2-4284-AF2A-4562D4EB371D}]
2017-07-30 12:05    148992    ----a-w-    c:\program files\Genie9\Zoolz2\Overlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0Genie9 Zoolz-ColdStorageIcon]
@="{9DB6687F-FDB2-4284-AF2A-4562D4EB371D}"
[HKEY_CLASSES_ROOT\CLSID\{9DB6687F-FDB2-4284-AF2A-4562D4EB371D}]
2017-07-30 12:05    148992    ----a-w-    c:\program files\Genie9\Zoolz2\Overlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0Genie9 Zoolz-FolderInCloudIcon]
@="{9DB6687E-FDB2-4284-AF2A-4562D4EB371D}"
[HKEY_CLASSES_ROOT\CLSID\{9DB6687E-FDB2-4284-AF2A-4562D4EB371D}]
2017-07-30 12:05    148992    ----a-w-    c:\program files\Genie9\Zoolz2\Overlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0Genie9 Zoolz-NotBackedUpIcon]
@="{9DB6687C-FDB2-4284-AF2A-4562D4EB371D}"
[HKEY_CLASSES_ROOT\CLSID\{9DB6687C-FDB2-4284-AF2A-4562D4EB371D}]
2017-07-30 12:05    148992    ----a-w-    c:\program files\Genie9\Zoolz2\Overlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Officejet 5740 series (NET)"="c:\program files\HP\HP Officejet 5740 series\Bin\ScanToPCActivationApp.exe" [2014-08-22 2424840]
"Zoolz Tray"="c:\program files\Genie9\Zoolz2\ZoolzLauncher.exe" [2017-07-31 395920]
"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2017-09-15 40258552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-06-25 17887232]
"V0420Mon.exe"="c:\windows\V0420Mon.exe" [2007-04-29 32768]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-12-13 135536]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2013-05-30 96056]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvLaunch.exe" [2017-11-10 253344]
"NetWorx"="c:\program files\NetWorx\networx.exe" [2016-09-22 5219144]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2017-07-27 1160408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Malwarebytes Anti-Exploit.lnk - c:\program files\Malwarebytes Anti-Exploit\mbae.exe [2017-12-14 2480584]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2016-2-2 605400]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2017-07-27 05:29    1160408    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2015-03-20 15:12    60712    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 02:42    15360    ----a-w-    c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08    1259376    ----a-w-    c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2014-11-06 08:24    138096    ----atw-    c:\documents and settings\sc\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-01-21 03:20    166912    ----a-w-    c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-01-21 03:20    134656    ----a-w-    c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2015-09-12 02:25    157456    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-01-21 03:18    134656    ----a-w-    c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2017-05-05 14:43    27716568    ----a-r-    c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Freemake Improver"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Documents and Settings\\sc\\Application Data\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\NetWorx\\networx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windscribe\\wsappcontrol.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Slimjet\\slimjet.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5357:TCP"= 5357:TCP:WS-Eventing TCP Port 5357
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)
.
R0 aswbidsh;aswbidsh;c:\windows\system32\drivers\aswbidshx.sys [06/09/2017 08:41 157408]
R0 aswblog;aswblog;c:\windows\system32\drivers\aswblogx.sys [06/09/2017 08:41 276728]
R0 aswbuniv;aswbuniv;c:\windows\system32\drivers\aswbunivx.sys [06/09/2017 08:41 50376]
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [06/09/2017 08:41 70864]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [06/09/2017 08:41 298360]
R1 aswArPot;aswArPot;c:\windows\system32\drivers\aswArPot.sys [10/11/2017 07:55 157176]
R1 aswbidsdriver;aswbidsdriver;c:\windows\system32\drivers\aswbidsdriverx.sys [06/09/2017 08:41 255616]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [06/09/2017 08:41 783136]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [06/09/2017 08:41 388760]
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files\Malwarebytes Anti-Exploit\mbae.sys [14/12/2017 09:16 59896]
R1 networx;networx;c:\windows\system32\drivers\networx.sys [18/09/2016 09:20 67640]
R2 ABBYY.Licensing.PDFTransformer.Classic.3.0;ABBYY PDF Transformer 3.0 Licensing Service;c:\program files\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe [14/05/2009 17:07 759048]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [06/09/2017 08:41 124952]
R2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files\Malwarebytes Anti-Exploit\mbae-svc.exe [14/12/2017 09:16 139776]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [02/02/2016 13:45 1570520]
R2 WindscribeService;WindscribeService;c:\program files\Windscribe\WindscribeService.exe [24/09/2017 20:54 356968]
R2 Zoolz 2 Service;Zoolz Backup Service;c:\program files\Genie9\Zoolz2\ZoolzService.exe [30/07/2017 13:06 475792]
R3 aswbIDSAgent;aswbIDSAgent;c:\program files\AVAST Software\Avast\aswidsagent.exe [10/11/2017 07:54 5904136]
R3 aswStmXP;aswStmXP;c:\windows\system32\drivers\aswStmXP.sys [06/09/2017 08:41 205392]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [04/09/2010 19:39 44032]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [16/05/2013 18:43 30576]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf_x86.sys [02/02/2016 13:45 16024]
R3 tapwindscribe0901;Windscribe VPN;c:\windows\system32\drivers\tapwindscribe0901.sys [24/09/2017 20:54 34864]
S1 BAPIDRV;BAPIDRV;c:\windows\system32\DRIVERS\BAPIDRV.sys --> c:\windows\system32\DRIVERS\BAPIDRV.sys [?]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [02/02/2016 13:45 837848]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [05/04/2017 15:09 317400]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [04/09/2010 19:33 1684736]
S3 aswHwid;aswHwid;c:\windows\system32\drivers\aswHwid.sys [06/09/2017 08:41 42848]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys --> c:\windows\system32\DRIVERS\ew_hwusbdev.sys [?]
S3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbenumfilter.sys --> c:\windows\system32\DRIVERS\ew_usbenumfilter.sys [?]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys --> c:\windows\system32\DRIVERS\ewusbnet.sys [?]
S3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys --> c:\windows\system32\DRIVERS\ew_jucdcacm.sys [?]
S3 huawei_cdcecm;huawei_cdcecm;c:\windows\system32\DRIVERS\ew_jucdcecm.sys --> c:\windows\system32\DRIVERS\ew_jucdcecm.sys [?]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys --> c:\windows\system32\DRIVERS\ew_jubusenum.sys [?]
S3 huawei_ext_ctrl;huawei_ext_ctrl;c:\windows\system32\DRIVERS\ew_juextctrl.sys --> c:\windows\system32\DRIVERS\ew_juextctrl.sys [?]
S3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys --> c:\windows\system32\drivers\massfilter.sys [?]
S3 MBAMService;Malwarebytes Service;c:\program files\Malwarebytes\Anti-Malware\MBAMService.exe [14/12/2017 09:10 4563920]
S3 V0420VID;Live! Cam Vista IM (VF0420);c:\windows\system32\drivers\V0420Vid.sys [05/09/2010 10:27 99648]
S4 Freemake Improver;Freemake Improver;c:\documents and settings\All Users\Application Data\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe [06/05/2015 16:57 108032]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2016-04-12 06:22    1106072    ----a-w-    c:\program files\Google\Chrome\Application\49.0.2623.112\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2017-12-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2016-01-06 09:36]
.
2017-10-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2017-02-14 15:54]
.
2017-12-20 c:\windows\Tasks\Avast Emergency Update.job
- c:\program files\AVAST Software\Avast\AvEmUpdate.exe [2017-11-10 06:54]
.
2017-12-19 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1202660629-1035525444-682003330-1003Core.job
- c:\documents and settings\sc\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2014-11-06 08:24]
.
2017-12-19 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1202660629-1035525444-682003330-1003UA.job
- c:\documents and settings\sc\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2014-11-06 08:24]
.
2017-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-09-30 12:56]
.
2017-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-09-30 12:56]
.
2017-11-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-14 01:59]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1 0.0.0.0
TCP: Interfaces\{01FC6E01-A598-468A-9B58-779F5EF062DB}: NameServer = 205.171.2.65,195.175.39.40,195.175.39.39
TCP: Interfaces\{2D6F0057-ECC6-4EA2-AB33-ED564A8C94AD}: NameServer = 205.171.2.65,195.175.39.40,195.175.39.39
TCP: Interfaces\{7056DC40-C8E6-4F4A-A0DA-9763B7DF46EA}: NameServer = 205.171.2.65,195.175.39.40,195.175.39.39
TCP: Interfaces\{713E59D1-7A69-4EAE-BDAC-FA8E23A6689C}: NameServer = 205.171.2.65,195.175.39.40,195.175.39.39
TCP: Interfaces\{8745FD36-125F-43EA-B107-7586B438C8BB}: NameServer = 205.171.2.65,195.175.39.40,195.175.39.39
TCP: Interfaces\{91C57662-15D9-4F3B-B4E3-4A8C15835586}: NameServer = 205.171.2.65,195.175.39.40,195.175.39.39
TCP: Interfaces\{CE2F0623-0FD6-42DB-BF03-450473E889D2}: NameServer = 205.171.2.65,195.175.39.40,195.175.39.39
TCP: Interfaces\{D498E0B0-F3EA-4643-81C8-A12726D1D964}: NameServer = 205.171.2.65,195.175.39.40,195.175.39.39
TCP: Interfaces\{D664E313-6BE6-497A-8F18-B1BFEE898D18}: NameServer = 205.171.2.65,195.175.39.40,195.175.39.39
TCP: Interfaces\{E26FC572-A2D6-41A3-8259-DB69F4590EC1}: NameServer = 8.8.8.8,8.8.4.4,195.175.39.39
DPF: {2E8655A5-AF65-4BAC-8207-A17C6AF2987C} - hxxp://www.ttnet.com.tr/ZeroTouch/TTNETMD.cab
FF - ProfilePath - c:\documents and settings\sc\Application Data\Mozilla\Firefox\Profiles\4p26ie4p.default-1504680299156\
.
.
------- File Associations -------
.
inifile="%SystemRoot%\system32\NOTEPAD.EXE" %1
txtfile="%SystemRoot%\system32\NOTEPAD.EXE" %1
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-EaseUS TB Tray Agent - c:\program files\EaseUS\TrayPopup\TrayTipAgent.exe
MSConfigStartUp-ProductUpdater - c:\program files\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
MSConfigStartUp-TRKY-DnsAyar - c:\program files\TRKY-DnsAyar\TRKY-DnsAyar.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2017-12-20 08:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_28_0_0_126_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_28_0_0_126_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3976)
c:\windows\system32\WININET.dll
c:\program files\Google\Drive\googledrivesync32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
c:\program files\Genie9\Zoolz2\Overlay.dll
c:\program files\Genie9\Zoolz2\Communicator.dll
c:\program files\Genie9\Zoolz2\GSLogging.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Google\Update\1.3.33.7\GoogleCrashHandler.exe
c:\windows\RTHDCPL.EXE
c:\program files\AVAST Software\Avast\AvastUI.exe
c:\program files\HP\HP Officejet 5740 series\Bin\HPNetworkCommunicatorCom.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Genie9\Zoolz2\Zoolz.exe
.
**************************************************************************
.
Completion time: 2017-12-20  09:03:00 - machine was rebooted
ComboFix-quarantined-files.txt  2017-12-20 08:02
ComboFix2.txt  2013-01-19 16:46
ComboFix3.txt  2013-01-19 16:40
.
Pre-Run: 102,718,873,600 bytes free
Post-Run: 105,616,908,288 bytes free
.
- - End Of File - - 9FFE3A84C865EF30C26A11DC63139AE5
8F558EB6672622401DA993E1E865C861
  • Root Admin

That log looks great. It was able to find and remove a lot of junk.

I'd recommend you run a new Malwarebytes Threat Scan and another AdwCleaner scan and make sure both of them are coming up clean. Remove anything found and post back the logs.

Then let me know what other issues you're still seeing.

Thanks

Ron

Hi Ron

MBAM and AdwCleaner scans are clean now. The PC looks ok now - thanks for your help.

Logs below.

========================

MBAM

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/20/17
Scan Time: 9:42 AM
Log File: aea0954b-e561-11e7-a8d0-00ffa57e66d1.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3525
License: Free

-System Information-
OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: SCPC002\sc

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 216329
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 32 min, 56 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)


AdwCleaner

# AdwCleaner v6.046 - Logfile created 20/12/2017 at 10:17:53
# Updated on 24/04/2017 by Malwarebytes
# Database : 2017-04-24.1 [Local]
# Operating System : Microsoft Windows XP Service Pack 3 (X86)
# Username : sc - SCPC002
# Running from : C:\Documents and Settings\sc\My Documents\Downloads\Malware_Tools\adwcleaner_6.046.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

No malicious folders found.


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

No malicious registry entries found.


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [2812 Bytes] - [19/12/2017 08:06:17]
C:\AdwCleaner\AdwCleaner[R0].txt - [2127 Bytes] - [22/09/2013 19:47:17]
C:\AdwCleaner\AdwCleaner[R1].txt - [938 Bytes] - [22/09/2013 20:03:32]
C:\AdwCleaner\AdwCleaner[S0].txt - [2246 Bytes] - [22/09/2013 19:52:24]
C:\AdwCleaner\AdwCleaner[S1].txt - [2810 Bytes] - [19/12/2017 08:03:02]
C:\AdwCleaner\AdwCleaner[S2].txt - [1411 Bytes] - [20/12/2017 10:17:53]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1484 Bytes] ##########

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks
