TechSpot

Possible virus

By kingtaoist
Jul 16, 2016
  1. Hi, I think I have a virus on my computer, but I can't confirm it yet.

    I created a Google account yesterday to play a game, but somehow I got disconnected, so I went to my Google account to check for recent activity, and sure enough I found that another computer had logged in to my newly created account, which is very suspicious.

    Today, I have been searching for a way to remove that virus, but nothing is detected by my AV program. I have also been searching for other ways to remove it. Any advice?
     
  2. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. kingtaoist

    kingtaoist TS Rookie Topic Starter Posts: 19

    I downloaded Norton Security yesterday and it didn't find any virus. I also have Malwarebytes and got Spybot yesterday for malware removal.
     
  4. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Re-read my previous reply.
     
  5. kingtaoist

    kingtaoist TS Rookie Topic Starter Posts: 19

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17-07-2016
    Ran by Administrator (administrator) on Dagami (17-07-2016 09:26:57)
    Running from C:\Users\Administrator\Downloads
    Loaded Profiles: Administrator (Available Profiles: Administrator)
    Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
    Internet Explorer Version 11 (Default browser: FF)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
    () C:\Program Files (x86)\Realtek\RtkWin7(8)DashClientInstaller\RtkDashService64.exe
    (Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
    (Realtek Semiconductor Corporation) C:\Program Files (x86)\Realtek\RtkWin7(8)DashClientInstaller\RtkDashClient.exe
    (Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
    (Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
    (Microsoft Corporation) C:\Windows\System32\rundll32.exe
    (Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
    (Symantec Corporation) C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ns.exe
    (Symantec Corporation) C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ns.exe
    (Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
    (Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    (Symantec Corporation) C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\conathst.exe
    (Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_22_0_0_209.exe
    (Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_22_0_0_209.exe
    (Microsoft Corporation) C:\Windows\System32\dllhost.exe


    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-20] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-01-22] (Microsoft Corporation)
    HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
    Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
    Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
    HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
    HKLM\...\Policies\Explorer: [HideSCAHealth] 1
    HKU\S-1-5-21-378024836-819946511-3807712176-500\...\Run: [AdobeBridge] => [X]
    HKU\S-1-5-21-378024836-819946511-3807712176-500\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
    HKU\S-1-5-21-378024836-819946511-3807712176-500\...\MountPoints2: {abde5863-cc6b-11e4-8d0d-d02788eb1764} - E:\LaunchU3.exe -a
    ShellIconOverlayIdentifiers: [ OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton Security\Engine64\22.6.0.142\buShell.dll [2016-02-18] (Symantec Corporation)
    ShellIconOverlayIdentifiers: [ OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton Security\Engine64\22.6.0.142\buShell.dll [2016-02-18] (Symantec Corporation)
    ShellIconOverlayIdentifiers: [ OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security\Engine64\22.6.0.142\buShell.dll [2016-02-18] (Symantec Corporation)
    BootExecute: autocheck autochk * sdnclean64.exe
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    Tcpip\Parameters: [DhcpNameServer] 192.168.254.254
    Tcpip\..\Interfaces\{F0B4C6DB-3742-4A64-AEB5-C4AC1EC1C61D}: [DhcpNameServer] 192.168.254.254

    Internet Explorer:
    ==================
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
    HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-22] (Microsoft Corporation)
    BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-01-17] (Microsoft Corporation)
    BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-22] (Microsoft Corporation)
    BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-01-17] (Microsoft Corporation)
    Handler-x32: mso-offdap11 - {32505114-5902-49b2-880A-1F7738E5A384} - C:\Windows\SysWow64\OWC11.DLL [2003-08-01] (Microsoft Corporation)

    FireFox:
    ========
    FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j809lgaq.default
    FF Homepage: hxxps://www.google.com.ph/?gfe_rd=cr&ei=3jnZVMqMN-aK8QeuzIHoCA
    FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-07-13] ()
    FF Plugin: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll [2015-02-15] (Microsoft Corporation)
    FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-10] (Microsoft Corporation)
    FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2015-08-06] (Adobe Systems)
    FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-13] ()
    FF Plugin-x32: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll [2015-02-15] (Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-10] (Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-01-10] (Microsoft Corporation)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
    FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-23] (VideoLAN)
    FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-06-30] (Adobe Systems Inc.)
    FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2015-08-06] (Adobe Systems)
    FF Plugin HKU\S-1-5-21-378024836-819946511-3807712176-500: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Administrator\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2015-06-08] (Unity Technologies ApS)
    FF Extension: Easy Screenshot - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j809lgaq.default\extensions\easyscreenshot@mozillaonline.com [2015-12-01]
    FF Extension: Google Translator for Firefox - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j809lgaq.default\extensions\translator@zoli.bod.xpi [2016-04-29]
    FF Extension: PDF Viewer - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j809lgaq.default\Extensions\uriloader@pdf.js.xpi [2016-04-28]
    FF Extension: Adblock Plus - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j809lgaq.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-04-29]
    FF Extension: NeoBux AdAlert - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j809lgaq.default\Extensions\{eb80b076-a444-444c-a590-5aee5d977d80}.xpi [2016-04-17]
    FF HKLM\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NS_22.5.4.24\coFFAddon
    FF Extension: Norton Identity Safe - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NS_22.5.4.24\coFFAddon [2016-07-17]
    FF HKLM-x32\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NS_22.5.4.24\coFFAddon
    FF HKU\S-1-5-21-378024836-819946511-3807712176-500\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi => not found

    Chrome:
    =======
    CHR HomePage: Default -> hxxp://www.google.com/
    CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://www.omniboxes.com/?type=hp&ts=1425269246&from=obw&uid=ST500LT012-9WS142_S0V77MW0XXXXS0V77MW0"
    CHR DefaultSearchURL: Default -> hxxp://dts.search.ask.com/web?q={searchTerms}
    CHR DefaultSearchKeyword: Default -> Ask Search
    CHR DefaultSuggestURL: Default -> hxxp://ssmsp.ask.com/query?sstype=prefix&li=ff&q={searchTerms}
    CHR Profile: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default
    CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-03-14]
    CHR Extension: (YouTube) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
    CHR Extension: (Norton Security Toolbar) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe [2016-07-16]
    CHR Extension: (Google Search) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-28]
    CHR Extension: (Google Docs Offline) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
    CHR Extension: (Internet Speed Tracker) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdbaanobipilanpejljmogpnohjefplc [2015-08-02]
    CHR Extension: (Norton Identity Safe) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2016-07-16]
    CHR Extension: (Video HD Controls) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmhfcaikejhkkbbjnfamihppkjeoeknc [2015-04-12]
    CHR Extension: (Ask Search) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mppnoffgpafgpgbaigljliadgbnhljfl [2016-07-16]
    CHR Extension: (iLivid) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nafaimnnclfjfedmmabolbppcngeolgf [2016-07-16]
    CHR Extension: (Gmail) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-30]
    CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\Exts\Chrome.crx [2016-07-16]
    CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>
    CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>
    CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\Exts\Chrome.crx [2016-07-16]
    CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx

    Opera:
    =======
    OPR Extension: (CinemaP-1.9cV01.03) - C:\Users\Administrator\AppData\Roaming\Opera Software\Opera Stable\Extensions\kljbbcnooaklhpifalnihdiofoahmmjj [2015-03-02]

    ==================== Services (Whitelisted) ========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2021592 2016-04-05] (Adobe Systems, Incorporated)
    S3 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [437880 2015-08-19] (BlueStack Systems, Inc.)
    S3 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [413304 2015-08-19] (BlueStack Systems, Inc.)
    S3 BstHdUpdaterSvc; C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [839288 2015-08-19] (BlueStack Systems, Inc.)
    R2 DashClientService; C:\Program Files (x86)\Realtek\RtkWin7(8)DashClientInstaller\RtkDashService64.exe [251904 2013-01-17] () [File not signed]
    R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
    R2 NS; C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\NS.exe [289080 2016-02-26] (Symantec Corporation)
    S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [118520 2013-03-01] (Riverbed Technology, Inc.)
    R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
    R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
    R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
    S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-20] (Adobe Systems Incorporated) [File not signed]
    R2 Themes; C:\Windows\system32\themeservice.dll [44544 2012-10-22] (Microsoft Corporation) [File not signed]

    ===================== Drivers (Whitelisted) ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S3 2310_00; C:\Windows\system32\drivers\2310_00.sys [170528 2009-06-12] (HighPoint Technologies, Inc.)
    S3 272x_1x; C:\Windows\system32\drivers\272x_1x.sys [612672 2012-04-25] (HighPoint Technologies, Inc.)
    S3 274x_3x; C:\Windows\system32\drivers\274x_3x.sys [240960 2012-04-25] (HighPoint Technologies, Inc.)
    S3 amdide64; C:\Windows\system32\drivers\amdide64.sys [11904 2011-12-18] (Advanced Micro Devices Inc.)
    S3 arcm_a64; C:\Windows\system32\drivers\arcm_a64.sys [52768 2009-11-09] (ARECA Technology Corporation)
    S3 asahci64; C:\Windows\system32\drivers\asahci64.sys [49048 2012-07-18] (Asmedia Technology)
    S3 b06diag; C:\Windows\system32\drivers\bxdiaga.sys [88104 2012-03-08] (Broadcom Corporation)
    S3 BFN7x64; C:\Windows\system32\drivers\Xeno7x64.sys [157288 2012-02-22] (Bigfoot Networks, Inc.)
    S3 BFNVis64; C:\Windows\system32\drivers\XenoVa64.sys [157288 2012-02-22] (Bigfoot Networks, Inc.)
    R1 BHDrvx64; C:\Program Files (x86)\Norton Security\NortonData\22.5.4.24\Definitions\BASHDefs\20160711.001\BHDrvx64.sys [1832176 2016-07-11] (Symantec Corporation)
    R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [146040 2015-08-19] (BlueStack Systems)
    S3 bxfcoe; C:\Windows\system32\drivers\bxfcoe.sys [178216 2012-02-23] (Broadcom Corporation)
    S3 bxois; C:\Windows\system32\drivers\bxois.sys [539176 2012-02-23] (Broadcom Corporation)
    S3 cbaf; C:\Windows\System32\Drivers\cbaf.sys [15872 2008-01-10] (Intel Corp.)
    R1 ccSet_NS; C:\Windows\system32\drivers\NSx64\1606000.08E\ccSetx64.sys [173808 2015-09-24] (Symantec Corporation)
    S3 cercsr6; C:\Windows\system32\drivers\cercsr6.sys [45616 2008-02-28] (Adaptec, Inc.)
    S3 DC133; C:\Windows\system32\drivers\DC133.sys [39320 2011-05-02] (Dawicontrol GmbH)
    S3 DC150; C:\Windows\system32\drivers\DC150.sys [39832 2011-05-02] (Dawicontrol GmbH)
    S3 DC154; C:\Windows\system32\drivers\DC154.sys [48136 2011-05-02] (Dawicontrol GmbH)
    S3 DC300e; C:\Windows\system32\drivers\DC300e.sys [40344 2011-05-02] (Dawicontrol GmbH)
    S3 DC324e; C:\Windows\system32\drivers\DC324e.sys [49752 2011-05-02] (Dawicontrol GmbH)
    R0 DC3410; C:\Windows\System32\drivers\DC3410.sys [48328 2011-05-02] (Dawicontrol GmbH)
    S3 DC4300; C:\Windows\system32\drivers\DC4300.sys [48360 2011-05-02] (Dawicontrol GmbH)
    S3 DC600e; C:\Windows\system32\drivers\DC600e.sys [40744 2011-05-02] (Dawicontrol GmbH)
    S3 dfuuwb; C:\Windows\System32\Drivers\DfuUWB.sys [503296 2008-09-12] (Intel Corp.)
    S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3341904 2012-03-26] (Broadcom Corporation)
    R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [497392 2016-04-27] (Symantec Corporation)
    R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [156912 2016-04-27] (Symantec Corporation)
    S3 EtronSTOR; C:\Windows\System32\Drivers\EtronSTOR.sys [32512 2012-08-07] (Etron Technology Inc)
    S3 FLxHCIh; C:\Windows\system32\drivers\FLxHCIh.sys [77040 2012-11-02] (Fresco Logic)
    S3 hptiop; C:\Windows\system32\drivers\hptiop.sys [17440 2009-05-26] (HighPoint Technologies, Inc.)
    S3 hptmv; C:\Windows\system32\drivers\hptmv.sys [93472 2006-09-18] (HighPoint Technologies, Inc.)
    S3 hptmv6; C:\Windows\system32\drivers\hptmv6.sys [152096 2007-11-01] (HighPoint Technologies, Inc.)
    S3 HWA; C:\Windows\System32\Drivers\HWA.sys [61440 2008-09-29] (Intel Corp.)
    S3 IAMTVE; C:\Windows\system32\drivers\IAMTVE.sys [43416 2007-04-12] (Intel Corporation)
    S3 IAMTXPE; C:\Windows\system32\drivers\IAMTXPE.sys [51096 2007-04-12] (Intel Corporation)
    R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [26072 2012-06-30] (Intel Corporation)
    S3 iaStorS; C:\Windows\system32\drivers\iaStorS.sys [651224 2012-06-30] (Intel Corporation)
    R1 IDSVia64; C:\Program Files (x86)\Norton Security\NortonData\22.5.4.24\Definitions\IPSDefs\20160715.001\IDSvia64.sys [876760 2016-07-16] (Symantec Corporation)
    S3 IFCoEMP; C:\Windows\system32\drivers\ifM60x64.sys [387344 2012-04-21] (Intel(R) Corporation)
    S3 IFCoEVB; C:\Windows\system32\drivers\ifP60X64.sys [77584 2012-04-21] (Intel(R) Corporation)
    S3 ISCT; C:\Windows\system32\drivers\ISCTD64.sys [44992 2012-01-23] ()
    S3 iteatapi; C:\Windows\system32\drivers\iteatapi.sys [38680 2008-05-14] (ITE Tech. Inc.)
    S3 iteraid; C:\Windows\system32\drivers\iteraid.sys [32768 2007-05-02] (ITE Tech. Inc.)
    R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
    R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-07-17] (Malwarebytes)
    S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
    S3 megasas2; C:\Windows\system32\drivers\megasas2.sys [51496 2012-02-29] (LSI Corporation)
    S3 megasr1; C:\Windows\system32\drivers\MegaSR1.sys [461320 2009-04-16] (LSI Corporation, Inc.)
    S3 mv61xx; C:\Windows\system32\drivers\mv61xx.sys [183144 2012-05-23] (Marvell Semiconductor, Inc.)
    S3 mvs94xx; C:\Windows\system32\drivers\mvs94xx.sys [367920 2010-12-01] (Marvell Semiconductor, Inc.)
    R3 NAVENG; C:\Program Files (x86)\Norton Security\NortonData\22.5.4.24\Definitions\VirusDefs\20160716.002\ENG64.SYS [138456 2016-05-06] (Symantec Corporation)
    R3 NAVEX15; C:\Program Files (x86)\Norton Security\NortonData\22.5.4.24\Definitions\VirusDefs\20160716.002\EX64.SYS [2148056 2016-05-06] (Symantec Corporation)
    R2 NPF; C:\Windows\System32\drivers\npf.sys [36600 2013-03-01] (Riverbed Technology, Inc.)
    S3 nvrd64; C:\Windows\system32\drivers\nvrd64.sys [175720 2010-04-09] (NVIDIA Corporation)
    S3 ocz10xx; C:\Windows\system32\drivers\ocz10xx.sys [139056 2012-04-06] (OCZ Technology Group, Inc.)
    S3 ocz12xx; C:\Windows\system32\drivers\ocz12xx.sys [138544 2011-09-15] (OCZ Technology Group, Inc.)
    S3 percsas2; C:\Windows\system32\drivers\percsas2.sys [40456 2010-05-07] (LSI Corporation)
    S3 Pnp680; C:\Windows\system32\drivers\pnp680.sys [80424 2007-11-13] (Silicon Image, Inc)
    S3 rr172x; C:\Windows\system32\drivers\rr172x.sys [124448 2007-11-01] (HighPoint Technologies, Inc.)
    S3 rr174x; C:\Windows\system32\drivers\rr174x.sys [159264 2007-11-01] (HighPoint Technologies, Inc.)
    S3 rr2210; C:\Windows\system32\drivers\rr2210.sys [153632 2007-11-01] (HighPoint Technologies, Inc.)
    S3 rr232x; C:\Windows\system32\drivers\rr232x.sys [152096 2008-05-06] (HighPoint Technologies, Inc.)
    S3 rr2340; C:\Windows\system32\drivers\rr2340.sys [162400 2010-01-01] (HighPoint Technologies, Inc.)
    S3 rr2522; C:\Windows\system32\drivers\rr2522.sys [168032 2010-01-01] (HighPoint Technologies, Inc.)
    S3 rr276x; C:\Windows\system32\drivers\rr276x.sys [241472 2012-04-25] (HighPoint Technologies, Inc.)
    S3 rr278x; C:\Windows\system32\drivers\rr278x.sys [240960 2012-04-25] (HighPoint Technologies, Inc.)
    S3 rr62x; C:\Windows\system32\drivers\rr62x.sys [156256 2010-06-17] (HighPoint Technologies, Inc.)
    R3 rtkio; C:\Program Files (x86)\Realtek\RtkWin7(8)DashClientInstaller\rtkio64.sys [16016 2013-01-05] (Windows (R) Codename Longhorn DDK provider)
    S3 rusb3hub; C:\Windows\system32\drivers\rusb3hub.sys [114568 2012-08-28] (Renesas Electronics Corporation)
    S3 rusb3xhc; C:\Windows\system32\drivers\rusb3xhc.sys [230280 2012-08-28] (Renesas Electronics Corporation)
    S3 SI3112r; C:\Windows\system32\drivers\SI3112r.sys [164656 2007-02-01] (Silicon Image, Inc)
    S3 SI3114; C:\Windows\system32\drivers\SI3114.sys [99120 2006-11-10] (Silicon Image, Inc.)
    S3 SI3114r; C:\Windows\system32\drivers\SI3114R.sys [163632 2007-04-11] (Silicon Image, Inc)
    S3 SI3124; C:\Windows\system32\drivers\SI3124.sys [113456 2006-11-02] (Silicon Image, Inc.)
    S3 Si3124r5; C:\Windows\system32\drivers\Si3124r5.sys [340008 2010-04-13] (Silicon Image, Inc)
    S3 SI3132; C:\Windows\system32\drivers\SI3132.sys [90664 2007-10-03] (Silicon Image, Inc)
    S3 Si3531; C:\Windows\system32\drivers\Si3531.sys [333864 2009-02-09] (Silicon Image, Inc)
    R0 SiFilter; C:\Windows\System32\drivers\SiWinAcc.sys [22056 2007-10-03] (Silicon Image, Inc)
    R0 SiRemFil; C:\Windows\System32\drivers\SiRemFil.sys [17448 2007-10-03] (Silicon Image, Inc)
    S3 SISAGP; C:\Windows\system32\drivers\SISAGPX.sys [67104 2009-08-02] (Silicon Integrated Systems Corporation)
    R3 SRTSP; C:\Windows\System32\Drivers\NSx64\1606000.08E\SRTSP64.SYS [928504 2016-02-24] (Symantec Corporation)
    R1 SRTSPX; C:\Windows\system32\drivers\NSx64\1606000.08E\SRTSPX64.SYS [50936 2015-09-24] (Symantec Corporation)
    R0 SymEFASI; C:\Windows\System32\drivers\NSx64\1606000.08E\SYMEFASI64.SYS [1621232 2016-02-24] (Symantec Corporation)
    R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [111344 2016-07-16] (Symantec Corporation)
    R1 SymIRON; C:\Windows\system32\drivers\NSx64\1606000.08E\Ironx64.SYS [295664 2016-02-24] (Symantec Corporation)
    R1 SymNetS; C:\Windows\System32\Drivers\NSx64\1606000.08E\SYMNETS.SYS [577768 2016-02-24] (Symantec Corporation)
    S3 uagp35; C:\Windows\system32\drivers\sisagpx.sys [67104 2009-08-02] (Silicon Integrated Systems Corporation)
    S3 uwbusb; C:\Windows\System32\Drivers\usbuwbmini.sys [13312 2008-09-15] (Intel Corp.)
    R1 VBoxUSBMon; C:\Windows\System32\DRIVERS\VBoxUSBMon.sys [127432 2015-09-16] (BigNox Corporation)
    S3 viaagp1; C:\Windows\system32\drivers\viaagp1.sys [59392 2005-09-23] (VIA Technologies, Inc.)
    S3 viamrx64; C:\Windows\system32\drivers\viamrx64.sys [161904 2010-12-03] (VIA Technologies Inc.,Ltd)
    S3 videX64; C:\Windows\system32\drivers\videX64.sys [15000 2010-02-11] (VIA Technologies, Inc.)
    S3 VUSB3HUB; C:\Windows\system32\drivers\ViaHub3.sys [210944 2012-05-30] (VIA Technologies, Inc.)
    R0 xfiltx64; C:\Windows\System32\drivers\xfiltx64.sys [26776 2010-02-11] (VIA Technologies, Inc.)
    S3 xhcdrv; C:\Windows\system32\drivers\xhcdrv.sys [261120 2012-05-30] (VIA Technologies, Inc.)
    R1 XQHDrv; C:\Windows\System32\DRIVERS\XQHDrv.sys [253384 2015-09-16] (BigNox Corporation)
    R1 XQHDrv; C:\Windows\SysWOW64\DRIVERS\XQHDrv.sys [253384 2015-09-16] (BigNox Corporation)
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-07-17 09:26 - 2016-07-17 09:28 - 00025749 _____ C:\Users\Administrator\Downloads\FRST.txt
    2016-07-17 09:26 - 2016-07-17 09:26 - 00000000 ____D C:\FRST
    2016-07-17 09:25 - 2016-07-17 09:25 - 02391040 _____ (Farbar) C:\Users\Administrator\Downloads\FRST64.exe
    2016-07-17 07:03 - 2016-07-17 07:03 - 00000000 ____D C:\Windows\System32\Tasks\Norton Security
    2016-07-17 06:57 - 2016-07-17 06:57 - 00003218 _____ C:\Windows\System32\Tasks\Norton WSC Integration
    2016-07-17 00:01 - 2016-07-17 00:14 - 00000000 ____D C:\Users\Administrator\vmlogs
    2016-07-17 00:01 - 2016-07-17 00:01 - 00000000 ____D C:\Users\Administrator\Nox_share
    2016-07-16 23:56 - 2016-07-16 23:57 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Nox
    2016-07-16 23:56 - 2016-07-16 23:56 - 00000958 _____ C:\Users\Administrator\Desktop\Multi-Drive.lnk
    2016-07-16 23:56 - 2016-07-16 23:56 - 00000877 _____ C:\Users\Administrator\Desktop\Nox.lnk
    2016-07-16 23:55 - 2016-07-17 00:14 - 00000000 ____D C:\Users\Administrator\.BigNox
    2016-07-16 23:54 - 2016-07-16 23:54 - 00000000 ____D C:\Program Files\DIFX
    2016-07-16 23:54 - 2015-09-16 14:07 - 00127432 _____ (BigNox Corporation) C:\Windows\system32\Drivers\VBoxUSBMon.sys
    2016-07-16 23:53 - 2015-09-16 11:29 - 00253384 _____ (BigNox Corporation) C:\Windows\system32\Drivers\XQHDrv.sys
    2016-07-16 23:48 - 2016-07-17 00:31 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Nox
    2016-07-16 23:47 - 2016-07-17 00:30 - 00000000 ____D C:\Users\Administrator\AppData\Local\Nox
    2016-07-16 23:15 - 2016-07-16 23:37 - 301720848 _____ (Duodian Technology Co. Ltd.) C:\Users\Administrator\Downloads\nox_setup_v3.7.0.0_full_En.exe
    2016-07-16 20:26 - 2015-07-28 17:52 - 00821920 _____ (Safer-Networking Ltd. ) C:\Users\Public\Desktop\Post Win10 Spybot-install.exe
    2016-07-16 20:20 - 2016-07-16 20:20 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
    2016-07-16 20:18 - 2016-07-16 22:11 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
    2016-07-16 20:18 - 2016-07-16 20:26 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
    2016-07-16 20:18 - 2016-07-16 20:18 - 00001387 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
    2016-07-16 20:18 - 2016-07-16 20:18 - 00001375 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
    2016-07-16 20:18 - 2016-07-16 20:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
    2016-07-16 20:18 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe
    2016-07-16 20:07 - 2016-07-16 20:14 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\Administrator\Downloads\spybot-2.4.exe
    2016-07-16 18:22 - 2016-07-16 18:35 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Wireshark
    2016-07-16 18:16 - 2016-07-16 18:16 - 00001786 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark.lnk
    2016-07-16 18:16 - 2016-07-16 18:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap
    2016-07-16 18:16 - 2016-07-16 18:16 - 00000000 ____D C:\Program Files (x86)\WinPcap
    2016-07-16 18:15 - 2016-07-16 18:15 - 00001613 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark Legacy.lnk
    2016-07-16 18:15 - 2016-07-16 18:15 - 00000000 ____D C:\ProgramData\Package Cache
    2016-07-16 18:14 - 2016-07-16 18:16 - 00000000 ____D C:\Program Files\Wireshark
    2016-07-16 18:03 - 2016-07-16 18:09 - 47578216 _____ (Wireshark development team) C:\Users\Administrator\Downloads\Wireshark-win64-2.0.4.exe
    2016-07-16 13:03 - 2016-07-16 13:03 - 00003248 _____ C:\Windows\System32\Tasks\{35EBE364-6A87-4A98-AB50-255A4DEE0B49}
    2016-07-16 12:00 - 2016-07-17 06:59 - 00000000 ____D C:\Windows\System32\Tasks\Remediation
    2016-07-16 12:00 - 2016-07-16 20:26 - 00000000 ____D C:\Program Files\Common Files\AV
    2016-07-16 11:48 - 2016-07-16 11:48 - 00007136 _____ C:\Users\Administrator\Desktop\virus.txt
    2016-07-16 11:46 - 2016-07-16 12:48 - 00000000 ____D C:\Users\Administrator\AppData\Local\NPE
    2016-07-16 08:54 - 2016-07-16 08:54 - 00111344 _____ (Symantec Corporation) C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
    2016-07-16 08:54 - 2016-07-16 08:54 - 00008214 _____ C:\Windows\system32\Drivers\SYMEVENT64x86.CAT
    2016-07-16 08:54 - 2016-07-16 08:54 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
    2016-07-16 08:53 - 2016-07-17 06:57 - 00002303 _____ C:\Users\Public\Desktop\Norton Security.LNK
    2016-07-16 08:51 - 2016-07-17 06:57 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Security
    2016-07-16 08:51 - 2016-07-17 06:57 - 00000000 ____D C:\Windows\system32\Drivers\NSx64
    2016-07-16 08:51 - 2016-07-16 08:51 - 00000000 ____D C:\Program Files (x86)\Norton Security
    2016-07-16 08:47 - 2016-07-16 08:47 - 00000000 ____D C:\ProgramData\NortonInstaller
    2016-07-16 08:47 - 2016-07-16 08:47 - 00000000 ____D C:\Program Files (x86)\NortonInstaller
    2016-07-16 08:31 - 2016-07-16 12:06 - 00000000 ____D C:\ProgramData\Norton
    2016-07-16 08:31 - 2016-07-16 08:56 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton
    2016-07-16 08:31 - 2016-07-16 08:31 - 01089576 _____ (Symantec Corporation) C:\Users\Administrator\Downloads\NSDownloader.exe
    2016-07-16 08:31 - 2016-07-16 08:31 - 00001277 _____ C:\Users\Administrator\Desktop\Norton Installation Files.lnk
    2016-07-16 08:31 - 2016-07-16 08:31 - 00000000 ____D C:\Users\Public\Downloads\Norton
    2016-07-15 23:05 - 2016-07-15 23:05 - 01026735 _____ C:\Users\Administrator\Downloads\1245655.com.ar.apps.tool.developeroptionstool.apk
    2016-07-15 20:40 - 2016-07-15 20:40 - 00001816 _____ C:\Users\Public\Desktop\Apps.lnk
    2016-07-15 20:40 - 2016-07-15 20:40 - 00001807 _____ C:\Users\Public\Desktop\Start BlueStacks.lnk
    2016-07-15 20:39 - 2016-07-16 09:20 - 00000000 ____D C:\Program Files (x86)\BlueStacks
    2016-07-15 20:39 - 2016-07-15 20:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BlueStacks
    2016-07-15 20:39 - 2016-07-15 20:39 - 00000000 ____D C:\ProgramData\BlueStacks
    2016-07-15 20:36 - 2016-07-15 20:38 - 14634624 _____ (BlueStack Systems Inc.) C:\Users\Administrator\Downloads\bluestacks-app-player-0-10-0-4321-multi-win.exe
    2016-07-15 16:08 - 2016-07-15 16:08 - 01097833 _____ C:\Users\Administrator\Downloads\Fake_GPS_Location_Spoofer_v4_0.apk
    2016-07-15 15:37 - 2016-07-15 15:38 - 04190317 _____ C:\Users\Administrator\Downloads\apkfiles.com_17629_Fake GPS Location Spoofer v4.0 (Paid Cracked).apk
    2016-07-15 13:53 - 2016-07-15 14:18 - 277575152 _____ (BlueStack Systems Inc.) C:\Users\Administrator\Downloads\bluestacks-app-player-2-3-35-6237.exe
    2016-07-15 13:41 - 2016-07-15 13:41 - 01065671 _____ C:\Users\Administrator\Downloads\com.incorporateapps.fakegps.v4.6-GlobalAPK.Co.apk
    2016-07-15 13:30 - 2016-07-15 13:31 - 13407150 _____ C:\Users\Administrator\Downloads\NewKingrootV4.95_C149_B283_en_release_2016_07_05_105203.apk
    2016-07-15 13:27 - 2016-07-15 13:33 - 60878833 _____ C:\Users\Administrator\Downloads\pokemon-go-0-29-2.apk
    2016-07-15 13:24 - 2016-07-15 13:25 - 06111601 _____ C:\Users\Administrator\Downloads\lucky-patcher-6-2-4.apk
    2016-07-15 12:52 - 2016-07-15 13:17 - 276892264 _____ (BlueStack Systems Inc.) C:\Users\Administrator\Downloads\bluestacks-app-player-2-3-32-6227.exe

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-07-17 09:00 - 2015-02-13 02:45 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
    2016-07-17 08:49 - 2015-02-21 10:54 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2016-07-17 08:49 - 2015-02-21 10:54 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2016-07-17 08:36 - 2009-07-14 12:45 - 00067408 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2016-07-17 08:36 - 2009-07-14 12:45 - 00067408 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2016-07-17 06:57 - 2015-07-12 23:13 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
    2016-07-17 06:56 - 2009-07-14 13:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2016-07-17 06:55 - 2009-07-14 12:45 - 04940776 _____ C:\Windows\system32\FNTCACHE.DAT
    2016-07-17 00:01 - 2015-02-10 16:37 - 00000000 ____D C:\Users\Administrator
    2016-07-16 22:18 - 2015-02-10 16:38 - 00103352 _____ C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
    2016-07-16 20:41 - 2015-02-22 08:02 - 00000000 ____D C:\Users\Administrator\AppData\Local\CrashDumps
    2016-07-16 13:03 - 2015-02-11 07:20 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
    2016-07-16 13:01 - 2015-08-30 22:44 - 00063278 _____ C:\Windows\PeachWLog.XML
    2016-07-16 12:57 - 2015-08-30 23:09 - 00000000 ____D C:\Windows\Crystal
    2016-07-16 12:53 - 2015-08-30 23:00 - 00000023 _____ C:\Windows\ODBCINST.INI
    2016-07-16 12:50 - 2015-08-30 22:44 - 00000524 _____ C:\Windows\SysWOW64\Microsoft.VC90.CRT.manifest
    2016-07-16 12:49 - 2015-08-30 22:44 - 00000548 _____ C:\Windows\SysWOW64\Microsoft.VC90.MFC.manifest
    2016-07-16 12:30 - 2015-08-02 22:21 - 00314518 _____ C:\Windows\system32\Drivers\etc\hosts.bak
    2016-07-16 11:59 - 2015-02-10 23:16 - 00000000 ____D C:\Program Files (x86)\Steam
    2016-07-16 11:40 - 2015-01-26 00:12 - 00000365 _____ C:\Users\Administrator\AppData\Roaming\JZMYE
    2016-07-16 09:19 - 2015-07-12 18:56 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
    2016-07-16 08:50 - 2015-03-07 19:47 - 00001945 _____ C:\Windows\epplauncher.mif
    2016-07-16 08:46 - 2016-02-17 22:09 - 00000137 _____ C:\Users\Administrator\Desktop\notepad.txt
    2016-07-15 20:40 - 2009-07-14 11:20 - 00000000 __RHD C:\Users\Public\Libraries
    2016-07-15 20:38 - 2015-08-29 16:16 - 00000000 ____D C:\Users\Administrator\AppData\Local\Bluestacks
    2016-07-15 20:38 - 2015-08-15 21:56 - 00000000 ____D C:\ProgramData\BlueStacksSetup
    2016-07-15 15:46 - 2009-07-14 13:13 - 00789182 _____ C:\Windows\system32\PerfStringBackup.INI
    2016-07-15 15:46 - 2009-07-14 11:20 - 00000000 ____D C:\Windows\inf
    2016-07-14 07:30 - 2015-03-18 22:39 - 00004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
    2016-07-14 07:29 - 2015-11-29 10:24 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
    2016-07-13 17:01 - 2015-02-13 02:46 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
    2016-07-13 17:01 - 2015-02-13 02:45 - 00796352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2016-07-13 17:01 - 2015-02-13 02:45 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2016-07-13 17:00 - 2015-02-13 02:45 - 00000000 ____D C:\Windows\system32\Macromed
    2016-07-13 17:00 - 2015-02-12 05:16 - 00000000 ____D C:\Windows\SysWOW64\Macromed
    2016-07-07 08:39 - 2010-11-21 11:27 - 00485032 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
    2016-07-04 23:28 - 2015-02-12 23:09 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\vlc
    2016-06-18 06:54 - 2015-02-21 10:57 - 00002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
    2016-06-18 06:54 - 2015-02-21 10:57 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk

    ==================== Files in the root of some directories =======

    2015-07-06 06:27 - 2015-07-06 06:27 - 1415680 _____ (wj32) C:\Program Files\1PDX9XL5.exe
    2015-07-12 20:26 - 2015-07-12 20:26 - 1415680 _____ (wj32) C:\Program Files\6KAUI2MK.exe
    2015-07-12 21:50 - 2015-07-12 21:50 - 1415680 _____ (wj32) C:\Program Files\6KAYI2M6.exe
    2015-07-12 21:50 - 2015-07-12 21:50 - 1415680 _____ (wj32) C:\Program Files\8SG0O8WK.exe
    2015-07-10 07:01 - 2015-07-10 07:01 - 1415680 _____ (wj32) C:\Program Files\9TDXL5PD.exe
    2015-07-12 18:57 - 2015-07-12 18:57 - 1415680 _____ (wj32) C:\Program Files\AUI2M6UU.exe
    2015-06-27 06:25 - 2015-06-27 06:25 - 1415680 _____ (wj32) C:\Program Files\BVJ3N7VF.exe
    2015-07-12 20:20 - 2015-07-12 20:20 - 1415680 _____ (wj32) C:\Program Files\DXH1P9TH.exe
    2015-07-12 18:50 - 2015-07-12 18:50 - 1415680 _____ (wj32) C:\Program Files\E6KMA2U6.exe
    2015-07-12 18:57 - 2015-07-12 18:57 - 1415680 _____ (wj32) C:\Program Files\FR7FR3JF.exe
    2015-07-05 13:44 - 2015-07-05 13:44 - 1415680 _____ (wj32) C:\Program Files\H1L5TDXL.exe
    2015-07-11 03:11 - 2015-07-11 03:11 - 1415680 _____ (wj32) C:\Program Files\K2AIMYYY.exe
    2015-07-01 06:33 - 2015-07-01 06:33 - 1415680 _____ (wj32) C:\Program Files\KAUI2M6U.exe
    2015-07-10 14:17 - 2015-07-10 14:17 - 1415680 _____ (wj32) C:\Program Files\KAYI6KE2.exe
    2015-07-06 06:27 - 2015-07-06 06:27 - 1415680 _____ (wj32) C:\Program Files\LTHDHH5P.exe
    2015-07-12 21:50 - 2015-07-12 21:50 - 1415680 _____ (wj32) C:\Program Files\M6KEYI26.exe
    2015-07-02 06:29 - 2015-07-02 06:29 - 1415680 _____ (wj32) C:\Program Files\MAUEYM6A.exe
    2015-07-12 19:05 - 2015-07-12 19:05 - 1415680 _____ (wj32) C:\Program Files\MAUEYM6K.exe
    2015-07-11 03:11 - 2015-07-11 03:11 - 1415680 _____ (wj32) C:\Program Files\N7RBNB3J.exe
    2015-07-05 13:42 - 2015-07-05 13:42 - 1415680 _____ (wj32) C:\Program Files\O8WG4O8S.exe
    2015-07-03 05:55 - 2015-07-03 05:55 - 1415680 _____ (wj32) C:\Program Files\UE2KAYI2.exe
    2015-07-12 04:42 - 2015-07-12 04:42 - 1415680 _____ (wj32) C:\Program Files\VFZJ7RBF.exe
    2015-07-12 20:19 - 2015-07-12 20:19 - 1415680 _____ (wj32) C:\Program Files\XL5PDXHL.exe
    2015-06-26 06:12 - 2015-06-26 06:12 - 1415680 _____ (wj32) C:\Program Files\YE6YUIE2.exe
    2015-06-28 05:48 - 2015-06-28 05:48 - 1415680 _____ (wj32) C:\Program Files\YI6KAUIU.exe
    2015-07-10 14:17 - 2015-07-10 14:17 - 1415680 _____ (wj32) C:\Program Files\YM6UI2KK.exe
    2015-07-12 18:50 - 2015-07-12 18:50 - 1415680 _____ (wj32) C:\Program Files\ZN7VFZJN.exe
    2015-01-26 00:12 - 2015-01-26 00:12 - 0002086 _____ () C:\Users\Administrator\AppData\Roaming\HUVI
    2015-01-26 00:12 - 2016-07-16 11:40 - 0000365 _____ () C:\Users\Administrator\AppData\Roaming\JZMYE

    Some files in TEMP:
    ====================
    C:\Users\Administrator\AppData\Local\Temp\RTINSTCHK64.EXE
    C:\Users\Administrator\AppData\Local\Temp\RTIoLib64.dll


    ==================== Bamital & volsnap =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\system32\winlogon.exe => File is digitally signed
    C:\Windows\system32\wininit.exe => File is digitally signed
    C:\Windows\SysWOW64\wininit.exe => File is digitally signed
    C:\Windows\explorer.exe
    [2013-01-10 12:47] - [2010-11-21 11:24] - 2389504 ____A (Microsoft Corporation) 0FEF117801269BA26F1D63B2F1CDC6AA

    C:\Windows\SysWOW64\explorer.exe => File is digitally signed
    C:\Windows\system32\svchost.exe => File is digitally signed
    C:\Windows\SysWOW64\svchost.exe => File is digitally signed
    C:\Windows\system32\services.exe => File is digitally signed
    C:\Windows\system32\User32.dll => File is digitally signed
    C:\Windows\SysWOW64\User32.dll => File is digitally signed
    C:\Windows\system32\userinit.exe => File is digitally signed
    C:\Windows\SysWOW64\userinit.exe => File is digitally signed
    C:\Windows\system32\rpcss.dll => File is digitally signed
    C:\Windows\system32\dnsapi.dll => File is digitally signed
    C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
    C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2016-07-17 07:53

    ==================== End of FRST.txt ============================
     
  6. kingtaoist

    kingtaoist TS Rookie Topic Starter Posts: 19

    Additional scan result of Farbar Recovery Scan Tool (x64) Version: 17-07-2016
    Ran by Administrator (2016-07-17 09:28:37)
    Running from C:\Users\Administrator\Downloads
    Windows 7 Ultimate Service Pack 1 (X64) (2015-02-10 08:36:19)
    Boot Mode: Normal
    ==========================================================


    ==================== Accounts: =============================

    Administrator (S-1-5-21-378024836-819946511-3807712176-500 - Administrator - Enabled) => C:\Users\Administrator
    Guest (S-1-5-21-378024836-819946511-3807712176-501 - Limited - Disabled)
    HomeGroupUser$ (S-1-5-21-378024836-819946511-3807712176-1002 - Limited - Enabled)

    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AV: Norton Security (Enabled - Up to date) {53C7D717-52E2-B95E-FA61-6F32ECC805DB}
    AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
    AS: Norton Security (Enabled - Up to date) {E8A636F3-74D8-B6D0-C0D1-5440974F4F66}
    FW: Norton Security (Enabled) {6BFC5632-188D-B806-D13E-C607121B42A0}

    ==================== Installed Programs ======================

    (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    µTorrent (HKU\S-1-5-21-378024836-819946511-3807712176-500\...\uTorrent) (Version: 3.4.6.42094 - BitTorrent Inc.)
    Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.017.20050 - Adobe Systems Incorporated)
    Adobe After Effects CS6 (HKLM-x32\...\{4817D846-700B-474E-A31B-80892B3E92E3}) (Version: 11 - Adobe Systems Incorporated)
    Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.1.0.4880 - Adobe Systems Incorporated)
    Adobe Flash Player 22 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 22.0.0.209 - Adobe Systems Incorporated)
    Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated)
    Adobe Premiere Pro CS6 (HKLM-x32\...\{7176B973-6011-43C1-AEBC-2D73FE7C6982}) (Version: 6.0 - Adobe Systems Incorporated)
    Adobe Premiere Pro CS6 Functional Content (HKLM-x32\...\{614020C8-2E16-4E16-A5F0-04DE2AB96097}) (Version: 6.0.0 - Adobe Systems Incorporated)
    Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
    AuditPro Enterprise (HKLM-x32\...\AuditPro Enterprise4.0.0) (Version: 4.0.0 - NII Consulting Pvt Ltd.)
    bl (x32 Version: 1.0.0 - Your Company Name) Hidden
    BlueStacks App Player (HKLM-x32\...\BlueStacks App Player) (Version: 0.10.0.4321 - BlueStack Systems, Inc.)
    BlueStacks Notification Center (HKLM-x32\...\{473E82D7-79E2-43DF-8FA0-025407C93191}) (Version: 0.10.0.4321 - BlueStack Systems, Inc.)
    Crystal Reports 2008 Runtime SP1 (HKLM-x32\...\{C484CC8D-03CF-4022-89C4-DB4F02E8A15B}) (Version: 12.1.0.882 - Business Objects)
    Dota 2 (HKLM-x32\...\Steam App 570) (Version: - Valve)
    ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version: - )
    File Audit Version 1 (HKLM-x32\...\File Audit_is1) (Version: - Adaptive Technology (M))
    Google Chrome (HKLM-x32\...\Google Chrome) (Version: 51.0.2704.103 - Google Inc.)
    Google Update Helper (x32 Version: 1.3.30.3 - Google Inc.) Hidden
    IDM Patch 6.25 build 03 (HKLM-x32\...\IDM Patch 6.25 build 03) (Version: build 03 - SandySeedings Team)
    Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.3347 - Intel Corporation)
    Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
    ManageMore Auditor's Edition (HKLM-x32\...\{8840E960-F3C1-11DC-4823-0BBCFDB50029}) (Version: 8.0 - Intellisoft, Inc.)
    Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
    Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.4734.1000 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
    Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
    Mozilla Firefox 47.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 47.0 (x86 en-US)) (Version: 47.0 - Mozilla)
    Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 47.0.0.5999 - Mozilla)
    NCLauncher (NCSOFT) (HKLM-x32\...\NCLauncher_NCJapan) (Version: - NCSOFT)
    Norton Security (HKLM-x32\...\NS) (Version: 22.6.0.142 - Symantec Corporation)
    Peachtree Signature Ready Forms (x32 Version: 6.14.24 - Sage Software SB, Inc.) Hidden
    ph (x32 Version: 1.0.0 - Your Company Name) Hidden
    Realtek Ethernet Controller All-In-One Windows Driver (HKLM-x32\...\{F7E7F0CB-AA41-4D5A-B6F2-8E6738EB063F}) (Version: 7.61.612.2012 - Realtek)
    Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.1.7601.28099 - Realtek Semiconductor Corp.)
    RtkWin7(8)DashClientInstaller (HKLM-x32\...\{36C6FC3D-B3BC-4F21-B164-5A903B752267}) (Version: 2.0.3 - Realtek)
    Safari (HKLM-x32\...\{C779648B-410E-4BBA-B75B-5815BCEFE71D}) (Version: 5.34.57.2 - Apple Inc.)
    Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
    Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
    TeraCopy 2.3 (HKLM\...\TeraCopy_is1) (Version: - Code Sector)
    Unity Web Player (HKU\S-1-5-21-378024836-819946511-3807712176-500\...\UnityWebPlayer) (Version: 5.0.3f2 - Unity Technologies ApS)
    Visual Studio Tools for the Office system 3.0 Runtime (HKLM-x32\...\Visual Studio Tools for the Office system 3.0 Runtime) (Version: - Microsoft Corporation)
    Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258) (HKLM-x32\...\{8FB53850-246A-3507-8ADE-0060093FFEA6}.KB949258) (Version: 1 - Microsoft Corporation)
    VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
    WinPcap 4.1.3 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2980 - Riverbed Technology, Inc.)
    WinRAR 5.21 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.21.0 - win.rar GmbH)
    Wireshark 2.0.4 (64-bit) (HKLM-x32\...\Wireshark) (Version: 2.0.4 - The Wireshark developer community, hxxps://www.wireshark.org)

    ==================== Custom CLSID (Whitelisted): ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== Scheduled Tasks (Whitelisted) =============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    Task: {08319DA1-CF60-4FE0-A7F7-EEFAAA08CEF6} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton Security\Upgrade.exe [2016-02-26] (Symantec Corporation)
    Task: {116329DE-8CDE-46F4-B582-BFBDB0D0911C} - System32\Tasks\{35EBE364-6A87-4A98-AB50-255A4DEE0B49} => pcalua.exe -a "C:\Windows\AuditPro Enterprise\uninstall.exe" -c "/U:C:\Program Files (x86)\AuditPro Enterprise\Uninstall\uninstall.xml"
    Task: {5C337825-F967-4D44-8259-B14B398035A1} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2016-03-21] (Safer-Networking Ltd.)
    Task: {951C9E08-D7AC-4987-AA46-9A263F3BE4B3} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-02-21] (Google Inc.)
    Task: {A242EEB6-DDFC-40B5-8FFA-34803242E702} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\WSCStub.exe [2016-02-26] (Symantec Corporation)
    Task: {A3AD48E6-7838-419A-B847-E6CC6FC36F9C} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)
    Task: {B51A1BEE-268E-461A-8A94-064B94E8B298} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-06-25] (Adobe Systems Incorporated)
    Task: {D303DBA1-0327-4095-8A19-C05CE69C8CC2} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-02-21] (Google Inc.)
    Task: {D9AA59C5-ED7F-4C18-BCD8-EB9ACCA0BD9A} - System32\Tasks\Norton Security\Norton Error Processor => C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\SymErr.exe [2016-02-11] (Symantec Corporation)
    Task: {DB94F18E-8D2F-48A1-B941-584B0D15F06A} - System32\Tasks\Norton Security\Norton Error Analyzer => C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\SymErr.exe [2016-02-11] (Symantec Corporation)
    Task: {E0FAE342-1E9D-4AFA-9BED-E475FE2A3CE1} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2016-03-21] (Safer-Networking Ltd.)
    Task: {EF9B0DFE-1D7D-4919-B37D-09A92091505C} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-07-13] (Adobe Systems Incorporated)

    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

    Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

    ==================== Shortcuts =============================

    (The entries could be listed to be restored or removed.)

    ==================== Loaded Modules (Whitelisted) ==============

    2013-01-17 21:00 - 2013-01-17 21:00 - 00251904 _____ () C:\Program Files (x86)\Realtek\RtkWin7(8)DashClientInstaller\RtkDashService64.exe
    2010-01-10 12:17 - 2010-01-10 12:17 - 04254560 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
    2010-01-21 17:40 - 2010-01-21 17:40 - 08794464 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
    2010-01-10 12:18 - 2010-01-10 12:18 - 04254560 _____ () C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
    2010-01-21 17:34 - 2010-01-21 17:34 - 08793952 _____ () C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll
    2016-07-16 20:18 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
    2016-07-16 20:18 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
    2016-07-16 20:18 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
    2016-07-16 20:18 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
    2016-07-16 20:18 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll
    2016-07-13 17:01 - 2016-07-13 17:01 - 19483328 _____ () C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll

    ==================== Alternate Data Streams (Whitelisted) =========

    (If an entry is included in the fixlist, only the ADS will be removed.)

    AlternateDataStreams: C:\Program Files\Common Files\System:jUe8hl2Qt5MpvNxY5l340G [2228]
    AlternateDataStreams: C:\Users\Administrator\Cookies:US9ee7JcLK328BhRmOjL [2110]
    AlternateDataStreams: C:\ProgramData\Microsoft:004UGENrNjI5O8CoPJnEgxivc [2164]
    AlternateDataStreams: C:\ProgramData\Microsoft:VsrgNWzY454FBkIkmCPIiTNgE [1932]
    AlternateDataStreams: C:\ProgramData\TEMP:4B244549 [278]

    ==================== Safe Mode (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


    ==================== Association (Whitelisted) ===============

    (If an entry is included in the fixlist, the registry item will be restored to default or removed.)


    ==================== Internet Explorer trusted/restricted ===============

    (If an entry is included in the fixlist, it will be removed from the registry.)


    ==================== Hosts content: ===============================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2009-07-14 10:34 - 2016-07-16 12:30 - 00000054 ____A C:\Windows\system32\Drivers\etc\hosts

    127.0.0.1 localhost
    ::1 localhost

    ==================== Other Areas ============================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-378024836-819946511-3807712176-500\Control Panel\Desktop\\Wallpaper -> C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
    DNS Servers: 192.168.254.254
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
    Windows Firewall is enabled.

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    (Currently there is no automatic fix for this section.)

    MSCONFIG\startupreg: BlueStacks Agent => C:\Program Files (x86)\Bluestacks\HD-Agent.exe
    MSCONFIG\startupreg: IDMan => C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot

    ==================== FirewallRules (Whitelisted) ===============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    FirewallRules: [{1FF8FCDF-A0BF-488B-9313-3C64218CA763}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    FirewallRules: [{50D82775-DE8F-4A58-AC29-E8664295240B}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    FirewallRules: [{B8D4CDC6-CC61-42A8-9F4D-033E1C40AF1A}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
    FirewallRules: [{86302615-91F4-457E-AAAC-5F3DAA87C0C6}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
    FirewallRules: [{F4696E47-ECB4-449F-92BD-A3FA167BDA1B}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
    FirewallRules: [{EE48FAB1-5D5B-487F-B4FE-9D82E27FB8E1}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
    FirewallRules: [{74B899F9-E14D-40E0-80F5-E31F250E2494}] => (Allow) C:\Users\Administrator\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{26171E3B-55DB-4B60-9BAB-6E2C6EBC7EB0}] => (Allow) C:\Users\Administrator\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{8A874FAE-AE61-41F0-8B0B-507D6D308FDF}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\dota.exe
    FirewallRules: [{42BEA990-A89E-4B1D-9DE9-0A5A7F1910FA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\dota.exe
    FirewallRules: [TCP Query User{D3C795DD-21C7-4B55-989C-9CF4F0DD9242}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
    FirewallRules: [UDP Query User{C4A3E106-3A65-4A75-9CD5-2A6C71BCB397}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
    FirewallRules: [{9884350C-4171-4F5A-8FCA-B077FBD6E250}] => (Allow) C:\Users\Administrator\AppData\Local\Temp\QQGameDownloader\bns_1429866144_16471\MiniQQDL.exe
    FirewallRules: [{C248E500-8DFC-4592-B126-EA6BEDE588BD}] => (Allow) C:\Users\Administrator\AppData\Local\Temp\QQGameDownloader\bns_1429866144_16471\MiniQQDL.exe
    FirewallRules: [TCP Query User{B3762EE7-9B0E-47DB-9B06-9DFF24547066}C:\users\administrator\appdata\local\temp\qqgamedownloader\bns_1429866144_16471\teniodl.exe] => (Allow) C:\users\administrator\appdata\local\temp\qqgamedownloader\bns_1429866144_16471\teniodl.exe
    FirewallRules: [UDP Query User{07A8FD06-7A5F-490C-9D60-0AEAFEE03BDA}C:\users\administrator\appdata\local\temp\qqgamedownloader\bns_1429866144_16471\teniodl.exe] => (Allow) C:\users\administrator\appdata\local\temp\qqgamedownloader\bns_1429866144_16471\teniodl.exe
    FirewallRules: [{8E2C79DE-A9A0-4708-B3ED-217CD02F6384}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win32\dota2.exe
    FirewallRules: [{FCE23EDC-4A7D-4806-99BA-6EBE7DFF3CE9}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win32\dota2.exe
    FirewallRules: [{D6521918-07E8-4B41-86CF-E365979CD2D0}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2cfg.exe
    FirewallRules: [{25A480B2-5D11-4344-8C50-0E0594F7E306}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2cfg.exe
    FirewallRules: [{BACBFDB4-FF71-47D6-9D69-83AA3169C103}] => (Allow) LPort=1583
    FirewallRules: [{89BE1639-F493-4C1C-A324-988200D4E3F8}] => (Allow) LPort=3351
    FirewallRules: [{2E4595D2-C164-4880-A671-2B63DCD5C04A}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exe
    FirewallRules: [{7C0A4654-8EE7-472E-B473-85ED4FC32521}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exe
    FirewallRules: [TCP Query User{4704F9DC-A9DC-4C12-800E-440602C94FC2}C:\program files (x86)\youwave android\vb\vboxsdl.exe] => (Allow) C:\program files (x86)\youwave android\vb\vboxsdl.exe
    FirewallRules: [UDP Query User{1F1BB775-B0C6-43F4-B357-0242875EE2AB}C:\program files (x86)\youwave android\vb\vboxsdl.exe] => (Allow) C:\program files (x86)\youwave android\vb\vboxsdl.exe
    FirewallRules: [{49D965CD-E9A7-43C3-9FF6-ADB357666D89}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    FirewallRules: [{270A9CC0-F13A-4655-8E87-B5026CAAABA1}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    FirewallRules: [TCP Query User{C8256E21-2105-4879-B49D-95B2741452AD}C:\program files (x86)\manageengine\adaudit plus\jre\bin\java.exe] => (Allow) C:\program files (x86)\manageengine\adaudit plus\jre\bin\java.exe
    FirewallRules: [UDP Query User{3B23AE62-790D-4FF4-86E2-DA0AD97D8E10}C:\program files (x86)\manageengine\adaudit plus\jre\bin\java.exe] => (Allow) C:\program files (x86)\manageengine\adaudit plus\jre\bin\java.exe
    FirewallRules: [{B316C7F8-982C-404A-BD93-B951018C347B}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    FirewallRules: [{36EFF10A-82EB-4E55-8672-43224CF2BB2C}] => (Allow) C:\Users\Administrator\AppData\Roaming\Nox\bin\Nox.exe
    FirewallRules: [{E36A9365-8ACD-41E1-8081-11B1FBE1519D}] => (Allow) C:\Program Files\Bignox\BigNoxVM\RTNoxVMHandle.exe
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

    ==================== Restore Points =========================

    ATTENTION: System Restore is disabled
    21-06-2016 14:36:08 Scheduled Checkpoint
    29-06-2016 07:25:52 Scheduled Checkpoint
    06-07-2016 12:44:28 Scheduled Checkpoint
    14-07-2016 13:01:20 Scheduled Checkpoint

    ==================== Faulty Device Manager Devices =============


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (07/17/2016 06:56:52 AM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (07/16/2016 08:41:34 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: plugin-container.exe, version: 47.0.0.5999, time stamp: 0x5753660e
    Faulting module name: mozglue.dll, version: 47.0.0.5999, time stamp: 0x57535438
    Exception code: 0x80000003
    Fault offset: 0x0000f3ad
    Faulting process id: 0xc14
    Faulting application start time: 0xplugin-container.exe0
    Faulting application path: plugin-container.exe1
    Faulting module path: plugin-container.exe2
    Report Id: plugin-container.exe3

    Error: (07/16/2016 08:36:46 PM) (Source: Application Hang) (EventID: 1002) (User: )
    Description: The program Wireshark-gtk.exe version 2.0.4.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

    Process ID: b08

    Start Time: 01d1df4edff736b3

    Termination Time: 537

    Application Path: C:\Program Files\Wireshark\Wireshark-gtk.exe

    Report Id: e85336c9-4b51-11e6-9644-d02788eb1764

    Error: (07/16/2016 12:47:36 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (07/16/2016 11:58:18 AM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (07/16/2016 11:54:27 AM) (Source: BstHdAndroidSvc) (EventID: 0) (User: )
    Description: Failed to shut down service. The error that occurred was: System.InvalidOperationException: UpdatePendingStatus can only be called during the handling of Start, Stop, Pause and Continue commands.
    at System.ServiceProcess.ServiceBase.RequestAdditionalTime(Int32 milliseconds)
    at BlueStacks.hyperDroid.Service.Service.OnStop()
    at BlueStacks.hyperDroid.Service.Service.OnShutdown()
    at System.ServiceProcess.ServiceBase.DeferredShutdown().

    Error: (07/16/2016 08:13:39 AM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (07/16/2016 03:40:18 AM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (07/15/2016 11:54:11 PM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
    Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to compile C:\Program Files (x86)\BlueStacks\HD-CreateSymlink.exe because this image is a 64bit assembly; try using 64bit ngen instead.

    Error: (07/15/2016 02:23:21 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


    System errors:
    =============
    Error: (07/17/2016 12:37:12 AM) (Source: NetBT) (EventID: 4300) (User: )
    Description: The driver could not be created.

    Error: (07/17/2016 12:37:12 AM) (Source: NetBT) (EventID: 4300) (User: )
    Description: The driver could not be created.

    Error: (07/17/2016 12:35:56 AM) (Source: DCOM) (EventID: 10010) (User: )
    Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

    Error: (07/16/2016 08:19:48 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
    %%1053 = The service did not respond to the start or control request in a timely fashion.


    Error: (07/16/2016 08:19:48 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
    Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

    Error: (07/16/2016 04:58:15 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The Windows Modules Installer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

    Error: (07/16/2016 04:57:56 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The BlueStacks Updater Service service terminated unexpectedly. It has done this 1 time(s).

    Error: (07/16/2016 04:57:49 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The BlueStacks Log Rotator Service service terminated unexpectedly. It has done this 1 time(s).

    Error: (07/16/2016 11:59:07 AM) (Source: WMPNetworkSvc) (EventID: 14332) (User: )
    Description: Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.

    Error: (07/16/2016 08:12:00 AM) (Source: EventLog) (EventID: 6008) (User: )
    Description: The previous system shutdown at 3:54:42 AM on ‎7/‎16/‎2016 was unexpected.


    ==================== Memory info ===========================

    Processor: Intel(R) Core(TM) i3-2377M CPU @ 1.50GHz
    Percentage of memory in use: 81%
    Total physical RAM: 1914.03 MB
    Available physical RAM: 349.29 MB
    Total Virtual: 6914.03 MB
    Available Virtual: 4746.11 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:465.42 GB) (Free:322.23 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 55363B78)
    Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=465.4 GB) - (Type=07 NTFS)

    ==================== End of Addition.txt ============================
     
  7. Broni

    Broni Malware Annihilator Posts: 52,892   +344

FRST reports:
    ATTENTION: System Restore is disabled
    Did you disable system restore for whatever reason?

Download RogueKiller from one of the following links and save it to your Desktop:

    Link 1
    Link 2
    • Close all the running programs
    • Windows Vista/7/8 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
• If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
Please download Malwarebytes Anti-Malware (MBAM) to your desktop.
    NOTE. If you already have MBAM 2.0 installed scroll down.
    • Double-click mbam-setup-2.0.0.1000.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
    • Click Finish.
    • On the Dashboard, click the 'Update Now >>' link
    • After the update completes, click the 'Scan Now >>' button.
    • Or, on the Dashboard, click the Scan Now >> button.
    • If an update is available, click the Update Now button.
    • A Threat Scan will begin.
    • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
    • In most cases, a restart will be required.
    • Wait for the prompt to restart the computer to appear, then click on Yes.
    If you already have MBAM 2.0 installed:
    • On the Dashboard, click the 'Update Now >>' link
    • After the update completes, click the 'Scan Now >>' button.
    • Or, on the Dashboard, click the Scan Now >> button.
    • If an update is available, click the Update Now button.
    • A Threat Scan will begin.
    • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
    • In most cases, a restart will be required.
    • Wait for the prompt to restart the computer to appear, then click on Yes.
    How to get logs:
    (Export log to save as txt)
    • After the restart once you are back at your desktop, open MBAM once more.
    • Click on the History tab > Application Logs.
    • Double click on the Scan Log which shows the Date and time of the scan just performed.
    • Click 'Export'.
    • Click 'Text file (*.txt)'
    • In the Save File dialog box which appears, click on Desktop.
    • In the File name: box type a name for your scan log.
    • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
    • Click Ok
    • Attach that saved log to your next reply.
    (Copy to clipboard for pasting into forum replies or tickets)
    • After the restart once you are back at your desktop, open MBAM once more.
    • Click on the History tab > Application Logs.
    • Double click on the Scan Log which shows the Date and time of the scan just performed.
    • Click 'Copy to Clipboard'
    • Paste the contents of the clipboard into your reply.
Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Scan button.
    • When the scan has finished click on Clean button.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.
Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.
     
  8. kingtaoist

    kingtaoist TS Rookie Topic Starter Posts: 19

There is no pre-scan in the RogueKiller program. It says scan customization is not available for free users.
     
  9. Broni

    Broni Malware Annihilator Posts: 52,892   +344

Just click on the "Start scan" button. Nothing to customize.
     
  10. kingtaoist

    kingtaoist TS Rookie Topic Starter Posts: 19

I scanned my computer using RogueKiller 3 times and my computer hangs up when it starts scanning 1 particular file, and I had to force shut down my computer because it won't work anymore. So I manually went to the file location and found that file. I tried to delete it, but there is no delete or cut option when I right-clicked the file, and so I had to create a new folder and move the file to that folder. Then I deleted the folder in order to delete the file inside it. Do you think that was a virus? It is very suspicious.

Anyway, I completed the scan and I'll post the report below.


    RogueKiller V12.3.8.0 (x64) [Jul 11 2016] (Free) by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/download/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Administrator [Administrator]
    Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
    Mode : Delete -- Date : 07/17/2016 12:49:26

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 16 ¤¤¤
    [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\90-61-0c-12-71-fe -> Deleted
    [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DBCBF178-2552-456C-80E7-8167725DF855} -> Deleted
    [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\90-61-0c-12-71-fe -> Deleted
    [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DBCBF178-2552-456C-80E7-8167725DF855} -> Deleted
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\90-61-0c-12-71-fe -> Deleted
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DBCBF178-2552-456C-80E7-8167725DF855} -> Deleted
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\90-61-0c-12-71-fe -> Deleted
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DBCBF178-2552-456C-80E7-8167725DF855} -> Deleted
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\90-61-0c-12-71-fe -> Deleted
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DBCBF178-2552-456C-80E7-8167725DF855} -> Deleted
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\90-61-0c-12-71-fe -> Deleted
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DBCBF178-2552-456C-80E7-8167725DF855} -> Deleted
    [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Replaced (2)
    [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Replaced (2)
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRun : 0 -> Replaced (1)
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRun : 0 -> Replaced (1)

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: ST500LT012-9WS142 ATA Device +++++
    --- User ---
    [MBR] 7832d062e9cb1e9102fe7e6526e274e4
    [BSP] 51b686c0be8f3f976443faba8bb26bf9 : Windows Vista/7/8|VT.Unknown MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 476588 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    User = LL2 ... OK
     
  11. kingtaoist

    kingtaoist TS Rookie Topic Starter Posts: 19

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 7/17/2016
    Scan Time: 1:09 PM
    Logfile: ttttttttttt.txt
    Administrator: Yes

    Version: 2.2.1.1043
    Malware Database: v2016.07.17.03
    Rootkit Database: v2016.05.27.01
    License: Free
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Self-protection: Disabled

    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: Administrator

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 295992
    Time Elapsed: 16 min, 40 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 6
    PUP.Optional.Ilivid, C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nafaimnnclfjfedmmabolbppcngeolgf, Quarantined, [c453ad7803971c1a7c9576408d75dd23],
    PUP.Optional.Ilivid, C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nafaimnnclfjfedmmabolbppcngeolgf\1.1_0, Quarantined, [c453ad7803971c1a7c9576408d75dd23],
    PUP.Optional.Ilivid, C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nafaimnnclfjfedmmabolbppcngeolgf\1.1_0\_metadata, Quarantined, [c453ad7803971c1a7c9576408d75dd23],
    PUP.Optional.Ilivid, C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mppnoffgpafgpgbaigljliadgbnhljfl, Quarantined, [f324a67f4555ee480176833f33cf11ef],
    PUP.Optional.Ilivid, C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mppnoffgpafgpgbaigljliadgbnhljfl\1.1_0, Quarantined, [f324a67f4555ee480176833f33cf11ef],
    PUP.Optional.Ilivid, C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mppnoffgpafgpgbaigljliadgbnhljfl\1.1_0\_metadata, Quarantined, [f324a67f4555ee480176833f33cf11ef],

    Files: 4
    PUP.Optional.Ilivid, C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nafaimnnclfjfedmmabolbppcngeolgf\1.1_0\_metadata\computed_hashes.json, Quarantined, [c453ad7803971c1a7c9576408d75dd23],
    PUP.Optional.Ilivid, C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nafaimnnclfjfedmmabolbppcngeolgf\1.1_0\_metadata\verified_contents.json, Quarantined, [c453ad7803971c1a7c9576408d75dd23],
    PUP.Optional.Ilivid, C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mppnoffgpafgpgbaigljliadgbnhljfl\1.1_0\_metadata\computed_hashes.json, Quarantined, [f324a67f4555ee480176833f33cf11ef],
    PUP.Optional.Ilivid, C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mppnoffgpafgpgbaigljliadgbnhljfl\1.1_0\_metadata\verified_contents.json, Quarantined, [f324a67f4555ee480176833f33cf11ef],

    Physical Sectors: 0
    (No malicious items detected)


    (end)
     
  12. kingtaoist

    kingtaoist TS Rookie Topic Starter Posts: 19

    # AdwCleaner v5.201 - Logfile created 17/07/2016 at 14:36:46
    # Updated 30/06/2016 by ToolsLib
    # Database : 2016-07-16.1 [Server]
    # Operating system : Windows 7 Ultimate Service Pack 1 (X64)
    # Username : Administrator - Dagami
    # Running from : C:\Users\Administrator\Downloads\adwcleaner_5.201.exe
    # Option : Clean
    # Support : https://toolslib.net/forum

    ***** [ Services ] *****


    ***** [ Folders ] *****

    [-] Folder Deleted : C:\ProgramData\{cef99ecb-bd18-2f6d-cef9-99ecbbd17b2e}
    [#] Folder Deleted : C:\ProgramData\Application Data\{cef99ecb-bd18-2f6d-cef9-99ecbbd17b2e}
    [-] Folder Deleted : C:\Users\Administrator\AppData\Roaming\tencent
    [-] Folder Deleted : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mppnoffgpafgpgbaigljliadgbnhljfl
    [-] Folder Deleted : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nafaimnnclfjfedmmabolbppcngeolgf
    [-] Folder Deleted : C:\Users\Administrator\AppData\Roaming\Opera Software\Opera Stable\Extensions\kljbbcnooaklhpifalnihdiofoahmmjj

    ***** [ Files ] *****

    [-] File Deleted : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage
    [-] File Deleted : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage-journal

    ***** [ DLLs ] *****


    ***** [ WMI ] *****


    ***** [ Shortcuts ] *****


    ***** [ Scheduled tasks ] *****


    ***** [ Registry ] *****

    [-] Key Deleted : HKLM\SOFTWARE\Classes\s
    [-] Key Deleted : HKLM\SOFTWARE\Classes\metnsd
    [-] Key Deleted : HKCU\Software\WEBAPP

    ***** [ Web browsers ] *****

    [-] [C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
    [-] [C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
    [-] [C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxp://www.omniboxes.com/?type=hp&ts=1425269246&from=obw&uid=ST500LT012-9WS142_S0V77MW0XXXXS0V77MW0
    [-] [C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : mppnoffgpafgpgbaigljliadgbnhljfl
    [-] [C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : nafaimnnclfjfedmmabolbppcngeolgf

    *************************

    :: "Tracing" keys deleted
    :: Winsock settings cleared

    *************************

    C:\AdwCleaner\AdwCleaner[C1].txt - [2568 bytes] - [17/07/2016 14:36:46]
    C:\AdwCleaner\AdwCleaner[R0].txt - [2222 bytes] - [20/02/2015 02:28:47]
    C:\AdwCleaner\AdwCleaner[R1].txt - [17011 bytes] - [02/03/2015 13:00:58]
    C:\AdwCleaner\AdwCleaner[S0].txt - [2321 bytes] - [20/02/2015 02:31:14]
    C:\AdwCleaner\AdwCleaner[S1].txt - [11278 bytes] - [02/03/2015 13:03:39]

    ########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2935 bytes] ##########
     
  13. kingtaoist

    kingtaoist TS Rookie Topic Starter Posts: 19

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Malwarebytes
    Version: 8.0.7 (07.03.2016)
    Operating System: Windows 7 Ultimate x64
    Ran by Administrator (Administrator) on Sun 07/17/2016 at 14:45:43.76
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    File System: 53

    Successfully deleted: C:\Program Files\1PDX9XL5.exe (File)
    Successfully deleted: C:\Program Files\6KAUI2MK.exe (File)
    Successfully deleted: C:\Program Files\6KAYI2M6.exe (File)
    Successfully deleted: C:\Program Files\8SG0O8WK.exe (File)
    Successfully deleted: C:\Program Files\9TDXL5PD.exe (File)
    Successfully deleted: C:\Program Files\AUI2M6UU.exe (File)
    Successfully deleted: C:\Program Files\BVJ3N7VF.exe (File)
    Successfully deleted: C:\Program Files\DXH1P9TH.exe (File)
    Successfully deleted: C:\Program Files\E6KMA2U6.exe (File)
    Successfully deleted: C:\Program Files\FR7FR3JF.exe (File)
    Successfully deleted: C:\Program Files\H1L5TDXL.exe (File)
    Successfully deleted: C:\Program Files\K2AIMYYY.exe (File)
    Successfully deleted: C:\Program Files\KAUI2M6U.exe (File)
    Successfully deleted: C:\Program Files\KAYI6KE2.exe (File)
    Successfully deleted: C:\Program Files\LTHDHH5P.exe (File)
    Successfully deleted: C:\Program Files\M6KEYI26.exe (File)
    Successfully deleted: C:\Program Files\MAUEYM6A.exe (File)
    Successfully deleted: C:\Program Files\MAUEYM6K.exe (File)
    Successfully deleted: C:\Program Files\N7RBNB3J.exe (File)
    Successfully deleted: C:\Program Files\O8WG4O8S.exe (File)
    Successfully deleted: C:\Program Files\UE2KAYI2.exe (File)
    Successfully deleted: C:\Program Files\VFZJ7RBF.exe (File)
    Successfully deleted: C:\Program Files\XL5PDXHL.exe (File)
    Successfully deleted: C:\Program Files\YE6YUIE2.exe (File)
    Successfully deleted: C:\Program Files\YI6KAUIU.exe (File)
    Successfully deleted: C:\Program Files\YM6UI2KK.exe (File)
    Successfully deleted: C:\Program Files\ZN7VFZJN.exe (File)
    Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\47VKAMC3 (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5AWOG0W8 (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\94PYNZ33 (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\94PYNZ33 (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AH2HQ0BP (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BJ2AFW4I (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MSWHQ6P9 (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UVBXMEI7 (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X07YI91R (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\47VKAMC3 (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5AWOG0W8 (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\94PYNZ33 (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\94PYNZ33 (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AH2HQ0BP (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BJ2AFW4I (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MSWHQ6P9 (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UVBXMEI7 (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X07YI91R (Temporary Internet Files Folder)



    Registry: 0





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Sun 07/17/2016 at 14:48:51.99
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
  14. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Very Important! Temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there, use the restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart your computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete the Combofix file and download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart the computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Windows Vista, 7 or 8, right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done, Notepad will open with the rKill.txt log.
    NOTE. The rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill, post BOTH logs, rKill.txt and Combofix.txt.
     
  15. kingtaoist

    kingtaoist TS Rookie Topic Starter Posts: 19

    ComboFix 16-07-16.01 - Administrator 07/18/2016 8:38.1.4 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.63.1033.18.1914.925 [GMT 8:00]
    Running from: c:\users\Administrator\Downloads\ComboFix.exe
    AV: Norton Security *Disabled/Updated* {53C7D717-52E2-B95E-FA61-6F32ECC805DB}
    FW: Norton Security *Enabled* {6BFC5632-188D-B806-D13E-C607121B42A0}
    SP: Norton Security *Disabled/Updated* {E8A636F3-74D8-B6D0-C0D1-5440974F4F66}
    SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\SysWow64\DEBUG.log
    c:\windows\wininit.ini
    .
    Infected copy of c:\windows\SysWow64\userinit.exe was found and disinfected
    Restored copy from - c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2016-06-18 to 2016-07-18 )))))))))))))))))))))))))))))))
    .
    .
    2016-07-18 00:48 . 2016-07-18 00:48 -------- d-----w- c:\users\Default\AppData\Local\temp
    2016-07-17 01:55 . 2016-07-17 01:55 -------- d-----w- c:\program files\RogueKiller
    2016-07-17 01:26 . 2016-07-17 01:30 -------- d-----w- C:\FRST
    2016-07-16 16:01 . 2016-07-16 16:01 -------- d-----w- c:\users\Administrator\Nox_share
    2016-07-16 16:01 . 2016-07-16 16:14 -------- d-----w- c:\users\Administrator\vmlogs
    2016-07-16 15:55 . 2016-07-16 16:14 -------- d-----w- c:\users\Administrator\.BigNox
    2016-07-16 15:54 . 2015-09-16 06:07 127432 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
    2016-07-16 15:54 . 2016-07-16 15:54 -------- d-----w- c:\program files\DIFX
    2016-07-16 15:53 . 2015-09-16 03:29 253384 ----a-w- c:\windows\system32\drivers\XQHDrv.sys
    2016-07-16 15:53 . 2016-07-16 16:29 -------- dc----w- c:\windows\system32\DRVSTORE
    2016-07-16 15:48 . 2016-07-16 16:31 -------- d-----w- c:\users\Administrator\AppData\Roaming\Nox
    2016-07-16 15:47 . 2016-07-16 16:30 -------- d-----w- c:\users\Administrator\AppData\Local\Nox
    2016-07-16 12:18 . 2016-07-18 00:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2016-07-16 12:18 . 2016-07-18 00:51 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
    2016-07-16 10:22 . 2016-07-16 10:35 -------- d-----w- c:\users\Administrator\AppData\Roaming\Wireshark
    2016-07-16 10:16 . 2016-07-16 10:16 -------- d-----w- c:\program files (x86)\WinPcap
    2016-07-16 10:15 . 2016-07-16 10:15 -------- d-----w- c:\programdata\Package Cache
    2016-07-16 10:14 . 2016-07-16 10:16 -------- d-----w- c:\program files\Wireshark
    2016-07-16 04:00 . 2016-07-16 12:26 -------- d-----w- c:\program files\Common Files\AV
    2016-07-16 03:46 . 2016-07-16 04:48 -------- d-----w- c:\users\Administrator\AppData\Local\NPE
    2016-07-16 00:59 . 2016-07-16 00:59 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
    2016-07-16 00:54 . 2016-07-16 00:54 111344 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
    2016-07-16 00:54 . 2016-07-16 00:54 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2016-07-16 00:51 . 2016-07-16 22:57 -------- d-----w- c:\windows\system32\drivers\NSx64
    2016-07-16 00:51 . 2016-07-16 00:51 -------- d-----w- c:\program files (x86)\Norton Security
    2016-07-16 00:47 . 2016-07-16 00:47 -------- d-----w- c:\program files (x86)\NortonInstaller
    2016-07-16 00:31 . 2016-07-16 04:06 -------- d-----w- c:\programdata\Norton
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2016-07-18 00:52 . 2015-07-12 15:13 192216 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2016-07-17 04:24 . 2015-02-19 18:39 28272 ----a-w- c:\windows\system32\drivers\TrueSight.sys
    2016-07-13 09:01 . 2015-02-12 18:45 796352 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2016-07-13 09:01 . 2015-02-12 18:45 142528 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2016-07-07 00:39 . 2010-11-21 03:27 485032 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [7] 2013-01-10 . 332FEAB1435662FC6C672E25BEB37BE3 . 2871808 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe
    [7] 2013-01-10 . 3B69712041F3D63605529BD66DC00C48 . 2871808 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe
    [-] 2010-11-21 . 0FEF117801269BA26F1D63B2F1CDC6AA . 2389504 . . [6.1.7600.16385] .. c:\windows\explorer.exe
    [7] 2010-11-21 . AC4C51EB24AA95B77F705AB159189E24 . 2872320 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
    "SpybotPostWindows10UpgradeReInstall"="c:\program files\Common Files\AV\Spybot - Search and Destroy\Test.exe" [2015-07-28 1011200]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-01-22 91520]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "TaskbarNoNotification"= 1 (0x1)
    "HideSCAHealth"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
    R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
    R3 2310_00;2310_00;c:\windows\system32\drivers\2310_00.sys;c:\windows\SYSNATIVE\drivers\2310_00.sys [x]
    R3 272x_1x;272x_1x;c:\windows\system32\drivers\272x_1x.sys;c:\windows\SYSNATIVE\drivers\272x_1x.sys [x]
    R3 274x_3x;274x_3x;c:\windows\system32\drivers\274x_3x.sys;c:\windows\SYSNATIVE\drivers\274x_3x.sys [x]
    R3 ahcix64s;ahcix64s;c:\windows\system32\drivers\ahcix64s.sys;c:\windows\SYSNATIVE\drivers\ahcix64s.sys [x]
    R3 amd_sata;amd_sata;c:\windows\system32\drivers\amd_sata.sys;c:\windows\SYSNATIVE\drivers\amd_sata.sys [x]
    R3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\drivers\amdhub30.sys;c:\windows\SYSNATIVE\drivers\amdhub30.sys [x]
    R3 amdide64;amdide64;c:\windows\system32\drivers\amdide64.sys;c:\windows\SYSNATIVE\drivers\amdide64.sys [x]
    R3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\drivers\amdxhc.sys;c:\windows\SYSNATIVE\drivers\amdxhc.sys [x]
    R3 arcm_a64;arcm_a64;c:\windows\system32\drivers\arcm_a64.sys;c:\windows\SYSNATIVE\drivers\arcm_a64.sys [x]
    R3 asahci64;asahci64;c:\windows\system32\drivers\asahci64.sys;c:\windows\SYSNATIVE\drivers\asahci64.sys [x]
    R3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\drivers\asmthub3.sys;c:\windows\SYSNATIVE\drivers\asmthub3.sys [x]
    R3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\drivers\asmtxhci.sys;c:\windows\SYSNATIVE\drivers\asmtxhci.sys [x]
    R3 b06diag;Broadcom NetXtreme II Diag Driver;c:\windows\system32\drivers\bxdiaga.sys;c:\windows\SYSNATIVE\drivers\bxdiaga.sys [x]
    R3 BFN7x64;Bigfoot Networks Killer Gaming Service;c:\windows\system32\drivers\Xeno7x64.sys;c:\windows\SYSNATIVE\drivers\Xeno7x64.sys [x]
    R3 BFNVis64;Bigfoot Networks Killer Gaming Service;c:\windows\system32\drivers\XenoVa64.sys;c:\windows\SYSNATIVE\drivers\XenoVa64.sys [x]
    R3 bxfcoe;bxfcoe;c:\windows\system32\drivers\bxfcoe.sys;c:\windows\SYSNATIVE\drivers\bxfcoe.sys [x]
    R3 bxois;bxois;c:\windows\system32\drivers\bxois.sys;c:\windows\SYSNATIVE\drivers\bxois.sys [x]
    R3 cbaf;UWB Cable Based Association Framework Driver;c:\windows\System32\Drivers\cbaf.sys;c:\windows\SYSNATIVE\Drivers\cbaf.sys [x]
    R3 DC133;DC133;c:\windows\system32\drivers\DC133.sys;c:\windows\SYSNATIVE\drivers\DC133.sys [x]
    R3 DC150;DC150;c:\windows\system32\drivers\DC150.sys;c:\windows\SYSNATIVE\drivers\DC150.sys [x]
    R3 DC154;DC154;c:\windows\system32\drivers\DC154.sys;c:\windows\SYSNATIVE\drivers\DC154.sys [x]
    R3 DC300e;DC300e;c:\windows\system32\drivers\DC300e.sys;c:\windows\SYSNATIVE\drivers\DC300e.sys [x]
    R3 DC324e;DC324e;c:\windows\system32\drivers\DC324e.sys;c:\windows\SYSNATIVE\drivers\DC324e.sys [x]
    R3 DC4300;DC4300;c:\windows\system32\drivers\DC4300.sys;c:\windows\SYSNATIVE\drivers\DC4300.sys [x]
    R3 DC600e;DC600e;c:\windows\system32\drivers\DC600e.sys;c:\windows\SYSNATIVE\drivers\DC600e.sys [x]
    R3 dfuuwb;Intel Wireless UWB Link 1480M Device Firmware Utility;c:\windows\System32\Drivers\DfuUWB.sys;c:\windows\SYSNATIVE\Drivers\DfuUWB.sys [x]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
    R3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\System32\Drivers\EtronHub3.sys;c:\windows\SYSNATIVE\Drivers\EtronHub3.sys [x]
    R3 EtronSTOR;Etron Enhance USB BOT/UASP Mass Storage Driver;c:\windows\System32\Drivers\EtronSTOR.sys;c:\windows\SYSNATIVE\Drivers\EtronSTOR.sys [x]
    R3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\System32\Drivers\EtronXHCI.sys;c:\windows\SYSNATIVE\Drivers\EtronXHCI.sys [x]
    R3 FLxHCIc;Fresco Logic xHCI (USB3) Device Driver;c:\windows\system32\drivers\FLxHCIc.sys;c:\windows\SYSNATIVE\drivers\FLxHCIc.sys [x]
    R3 FLxHCIh;Fresco Logic xHCI (USB3) Hub Device Driver;c:\windows\system32\drivers\FLxHCIh.sys;c:\windows\SYSNATIVE\drivers\FLxHCIh.sys [x]
    R3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\drivers\HECIx64.sys;c:\windows\SYSNATIVE\drivers\HECIx64.sys [x]
    R3 hptiop;hptiop;c:\windows\system32\drivers\hptiop.sys;c:\windows\SYSNATIVE\drivers\hptiop.sys [x]
    R3 hptmv;hptmv;c:\windows\system32\drivers\hptmv.sys;c:\windows\SYSNATIVE\drivers\hptmv.sys [x]
    R3 hptmv6;hptmv6;c:\windows\system32\drivers\hptmv6.sys;c:\windows\SYSNATIVE\drivers\hptmv6.sys [x]
    R3 HWA;Intel(R) Wireless USB Host Adapter;c:\windows\System32\Drivers\HWA.sys;c:\windows\SYSNATIVE\Drivers\HWA.sys [x]
    R3 IAMTVE;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\IAMTVE.sys;c:\windows\SYSNATIVE\drivers\IAMTVE.sys [x]
    R3 IAMTXPE;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXPE.sys;c:\windows\SYSNATIVE\drivers\IAMTXPE.sys [x]
    R3 iaStorA;iaStorA;c:\windows\system32\drivers\iaStorA.sys;c:\windows\SYSNATIVE\drivers\iaStorA.sys [x]
    R3 iaStorS;iaStorS;c:\windows\system32\drivers\iaStorS.sys;c:\windows\SYSNATIVE\drivers\iaStorS.sys [x]
    R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
    R3 IFCoEMP;IFCoEMP;c:\windows\system32\drivers\ifM60x64.sys;c:\windows\SYSNATIVE\drivers\ifM60x64.sys [x]
    R3 IFCoEVB;IFCoEVB;c:\windows\system32\drivers\ifP60X64.sys;c:\windows\SYSNATIVE\drivers\ifP60X64.sys [x]
    R3 ioatdma1;ioatdma1;c:\windows\System32\Drivers\qd162x64.sys;c:\windows\SYSNATIVE\Drivers\qd162x64.sys [x]
    R3 ioatdma2;Intel(R) QuickData Technology device ver.2;c:\windows\System32\Drivers\qd262x64.sys;c:\windows\SYSNATIVE\Drivers\qd262x64.sys [x]
    R3 ISCT;Intel(R) Smart Connect Technology Device Driver;c:\windows\system32\drivers\ISCTD64.sys;c:\windows\SYSNATIVE\drivers\ISCTD64.sys [x]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
    R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
    R3 megasas2;megasas2;c:\windows\system32\drivers\megasas2.sys;c:\windows\SYSNATIVE\drivers\megasas2.sys [x]
    R3 megasr1;megasr1;c:\windows\system32\drivers\MegaSR1.sys;c:\windows\SYSNATIVE\drivers\MegaSR1.sys [x]
    R3 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys;c:\windows\SYSNATIVE\drivers\mv61xx.sys [x]
    R3 mv91cons;mv91cons;c:\windows\system32\drivers\mv91cons.sys;c:\windows\SYSNATIVE\drivers\mv91cons.sys [x]
    R3 mvs94xx;mvs94xx;c:\windows\system32\drivers\mvs94xx.sys;c:\windows\SYSNATIVE\drivers\mvs94xx.sys [x]
    R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys;c:\windows\SYSNATIVE\drivers\nusb3hub.sys [x]
    R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys;c:\windows\SYSNATIVE\drivers\nusb3xhc.sys [x]
    R3 ocz10xx;ocz10xx;c:\windows\system32\drivers\ocz10xx.sys;c:\windows\SYSNATIVE\drivers\ocz10xx.sys [x]
    R3 ocz12xx;ocz12xx;c:\windows\system32\drivers\ocz12xx.sys;c:\windows\SYSNATIVE\drivers\ocz12xx.sys [x]
    R3 percsas2;percsas2;c:\windows\system32\drivers\percsas2.sys;c:\windows\SYSNATIVE\drivers\percsas2.sys [x]
    R3 Pnp680;Pnp680;c:\windows\system32\drivers\pnp680.sys;c:\windows\SYSNATIVE\drivers\pnp680.sys [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
    R3 rr172x;rr172x;c:\windows\system32\drivers\rr172x.sys;c:\windows\SYSNATIVE\drivers\rr172x.sys [x]
    R3 rr174x;rr174x;c:\windows\system32\drivers\rr174x.sys;c:\windows\SYSNATIVE\drivers\rr174x.sys [x]
    R3 rr2210;rr2210;c:\windows\system32\drivers\rr2210.sys;c:\windows\SYSNATIVE\drivers\rr2210.sys [x]
    R3 rr232x;rr232x;c:\windows\system32\drivers\rr232x.sys;c:\windows\SYSNATIVE\drivers\rr232x.sys [x]
    R3 rr2340;rr2340;c:\windows\system32\drivers\rr2340.sys;c:\windows\SYSNATIVE\drivers\rr2340.sys [x]
    R3 rr2522;rr2522;c:\windows\system32\drivers\rr2522.sys;c:\windows\SYSNATIVE\drivers\rr2522.sys [x]
    R3 rr276x;rr276x;c:\windows\system32\drivers\rr276x.sys;c:\windows\SYSNATIVE\drivers\rr276x.sys [x]
    R3 rr278x;rr278x;c:\windows\system32\drivers\rr278x.sys;c:\windows\SYSNATIVE\drivers\rr278x.sys [x]
    R3 rr62x;rr62x;c:\windows\system32\drivers\rr62x.sys;c:\windows\SYSNATIVE\drivers\rr62x.sys [x]
    R3 rusb3hub;Renesas Electronics USB 3.0 Hub Driver (Version 3.0);c:\windows\system32\drivers\rusb3hub.sys;c:\windows\SYSNATIVE\drivers\rusb3hub.sys [x]
    R3 rusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver (Version 3.0);c:\windows\system32\drivers\rusb3xhc.sys;c:\windows\SYSNATIVE\drivers\rusb3xhc.sys [x]
    R3 SI3112r;SI3112r;c:\windows\system32\drivers\SI3112r.sys;c:\windows\SYSNATIVE\drivers\SI3112r.sys [x]
    R3 SI3114;SI3114;c:\windows\system32\drivers\SI3114.sys;c:\windows\SYSNATIVE\drivers\SI3114.sys [x]
    R3 SI3124;SI3124;c:\windows\system32\drivers\SI3124.sys;c:\windows\SYSNATIVE\drivers\SI3124.sys [x]
    R3 Si3124r5;Si3124r5;c:\windows\system32\drivers\Si3124r5.sys;c:\windows\SYSNATIVE\drivers\Si3124r5.sys [x]
    R3 Si3531;Si3531;c:\windows\system32\drivers\Si3531.sys;c:\windows\SYSNATIVE\drivers\Si3531.sys [x]
    R3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys;c:\windows\SYSNATIVE\drivers\silabenm.sys [x]
    R3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys;c:\windows\SYSNATIVE\drivers\silabser.sys [x]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
    R3 tihub3;TI USB3 Hub Service;c:\windows\system32\drivers\tihub3.sys;c:\windows\SYSNATIVE\drivers\tihub3.sys [x]
    R3 tixhci;TI XHCI Service;c:\windows\system32\drivers\tixhci.sys;c:\windows\SYSNATIVE\drivers\tixhci.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
    R3 uwbusb;UWB Bus Control USB-Miniport Driver;c:\windows\System32\Drivers\usbuwbmini.sys;c:\windows\SYSNATIVE\Drivers\usbuwbmini.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
    R3 viamrx64;viamrx64;c:\windows\system32\drivers\viamrx64.sys;c:\windows\SYSNATIVE\drivers\viamrx64.sys [x]
    R3 videX64;videX64;c:\windows\system32\drivers\videX64.sys;c:\windows\SYSNATIVE\drivers\videX64.sys [x]
    R3 vmci;vmci;c:\windows\system32\drivers\vmci.sys;c:\windows\SYSNATIVE\drivers\vmci.sys [x]
    R3 VUSB3HUB;VIA USB 3 Root Hub Service;c:\windows\system32\drivers\ViaHub3.sys;c:\windows\SYSNATIVE\drivers\ViaHub3.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
    R3 xhcdrv;VIA USB eXtensible Host Controller Service;c:\windows\system32\drivers\xhcdrv.sys;c:\windows\SYSNATIVE\drivers\xhcdrv.sys [x]
    S0 amd_xata;amd_xata;c:\windows\system32\drivers\amd_xata.sys;c:\windows\SYSNATIVE\drivers\amd_xata.sys [x]
    S0 DC3410;DC3410;c:\windows\system32\drivers\DC3410.sys;c:\windows\SYSNATIVE\drivers\DC3410.sys [x]
    S0 iaStorF;iaStorF;c:\windows\system32\drivers\iaStorF.sys;c:\windows\SYSNATIVE\drivers\iaStorF.sys [x]
    S0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;c:\windows\system32\drivers\iusb3hcs.sys;c:\windows\SYSNATIVE\drivers\iusb3hcs.sys [x]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
    S0 SymEFASI;Symantec Extended File Attributes (SI);c:\windows\system32\drivers\NSx64\1606000.08E\SYMEFASI64.SYS;c:\windows\SYSNATIVE\drivers\NSx64\1606000.08E\SYMEFASI64.SYS [x]
    S0 xfiltx64;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfiltx64.sys;c:\windows\SYSNATIVE\drivers\xfiltx64.sys [x]
    S1 BHDrvx64;BHDrvx64;c:\program files (x86)\Norton Security\NortonData\22.5.4.24\Definitions\BASHDefs\20160711.001\BHDrvx64.sys;c:\program files (x86)\Norton Security\NortonData\22.5.4.24\Definitions\BASHDefs\20160711.001\BHDrvx64.sys [x]
    S1 ccSet_NS;NS Settings Manager;c:\windows\system32\drivers\NSx64\1606000.08E\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\NSx64\1606000.08E\ccSetx64.sys [x]
    S1 IDSVia64;IDSVia64;c:\program files (x86)\Norton Security\NortonData\22.5.4.24\Definitions\IPSDefs\20160715.001\IDSvia64.sys;c:\program files (x86)\Norton Security\NortonData\22.5.4.24\Definitions\IPSDefs\20160715.001\IDSvia64.sys [x]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NSx64\1606000.08E\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\NSx64\1606000.08E\Ironx64.SYS [x]
    S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NSx64\1606000.08E\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\NSx64\1606000.08E\SYMNETS.SYS [x]
    S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxUSBMon.sys [x]
    S1 XQHDrv;BigNox Service;c:\windows\system32\DRIVERS\XQHDrv.sys;c:\windows\SYSNATIVE\DRIVERS\XQHDrv.sys [x]
    S2 AGSService;Adobe Genuine Software Integrity Service;c:\program files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe;c:\program files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [x]
    S2 DashClientService;DashClientService;c:\program files (x86)\Realtek\RtkWin7(8)DashClientInstaller\RtkDashService64.exe;c:\program files (x86)\Realtek\RtkWin7(8)DashClientInstaller\RtkDashService64.exe [x]
    S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [x]
    S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys;c:\windows\SYSNATIVE\drivers\npf.sys [x]
    S2 NS;Norton Security;c:\program files (x86)\Norton Security\Engine\22.6.0.142\NS.exe;c:\program files (x86)\Norton Security\Engine\22.6.0.142\NS.exe [x]
    S2 RtDashPt;Realtek DASH Protocol Driver;c:\windows\system32\DRIVERS\RtDashPt.sys;c:\windows\SYSNATIVE\DRIVERS\RtDashPt.sys [x]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
    S3 iusb3hub;Intel(R) USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
    S3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
    S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys;c:\windows\SYSNATIVE\DRIVERS\RtsPStor.sys [x]
    S3 rtkio;rtkio;c:\program files (x86)\Realtek\RtkWin7(8)DashClientInstaller\rtkio64.sys;c:\program files (x86)\Realtek\RtkWin7(8)DashClientInstaller\rtkio64.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys;c:\windows\SYSNATIVE\drivers\usbfilter.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - RTKIO
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2016-06-17 22:51 1245848 ----a-w- c:\program files (x86)\Google\Chrome\Application\51.0.2704.103\Installer\chrmstp.exe
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{A6EADE66-0000-0000-484E-7E8A45000000}]
    2016-06-30 11:55 322232 ----a-w- c:\program files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2016-07-18 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-02-12 09:01]
    .
    2016-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2015-02-21 02:53]
    .
    2016-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2015-02-21 02:53]
    .
    .
    --------- X64 Entries -----------
    .
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 192.168.254.254
    FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j809lgaq.default\
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com.ph/?gfe_rd=cr&ei=3jnZVMqMN-aK8QeuzIHoCA
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKCU-Run-AdobeBridge - (no file)
    Wow6432Node-HKCU-Run-BlueStacks Agent - c:\program files (x86)\BlueStacks\HD-Agent.exe
    HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
    AddRemove-File Audit_is1 - c:\program files (x86)\File Audit\unins000.exe
    AddRemove-IDM Patch 6.25 build 03 - c:\program files (x86)\Internet Download Manager\Uninstall.exe
    AddRemove-{8840E960-F3C1-11DC-4823-0BBCFDB50029} - c:\intellisoft\MMAE\Uninst_ae.exe
    AddRemove-uTorrent - c:\users\Administrator\AppData\Roaming\uTorrent\uTorrent.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NS]
    "ImagePath"="\"c:\program files (x86)\Norton Security\Engine\22.6.0.142\NS.exe\" /s \"NS\" /m \"c:\program files (x86)\Norton Security\Engine\22.6.0.142\diMaster.dll\" /prefetch:1"
    "ImagePath"="\SystemRoot\System32\Drivers\NSx64\1606000.08E\SYMNETS.SYS"
    "TrustedImagePaths"="c:\program files (x86)\Norton Security\Engine\22.6.0.142;c:\program files (x86)\Norton Security\Engine64\22.6.0.142"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (Administrator)
    "Timestamp"=hex:dd,a6,fb,8c,3e,45,d0,01
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,60,c4,fd,e4,92,ca,9f,43,aa,c5,b0,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,60,c4,fd,e4,92,ca,9f,43,aa,c5,b0,\
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.3G2"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.3GP"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.3G2"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.3GP"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AAC\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ADTS"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADT\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ADTS"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADTS\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ADTS"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AIFF"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AIFF"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AIFF"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ASF"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ASX"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AU"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="VLC.avi"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.CDA"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2T\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.M2TS"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2TS\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.M2TS"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.m3u"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.M4A"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MP4"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MIDI"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MIDI"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MOV"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MP3"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MP3"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MP4"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MP4"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MTS\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.M2TS"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="AcroExch.Document.DC"
    "Hash"="cGPTYUlwAyE="
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pptx\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="Applications\\Prezi.exe"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MIDI"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AU"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.TTS"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTS\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.TTS"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WAV"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WAX"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ASF"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMA"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMD"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMS"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMV"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ASX"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMZ"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WPL"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WVX"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500_Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    @Denied: (Full) (Everyone)
    @Allowed: (Read) (RestrictedCode)
    "scansk"=hex(0):a0,4b,1b,cc,59,aa,eb,a7,fb,76,d1,c8,4d,9e,11,e2,49,5e,b0,0d,aa,
    0b,68,75,68,0b,cf,b4,82,43,c9,e3,34,6c,b5,8e,64,81,94,3a,00,00,00,00,00,00,\
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
    @Denied: (Full) (Everyone)
    "scansk"=hex(0):5d,a8,d2,bc,ff,c0,b4,d8,c7,ac,6a,46,2c,a8,eb,9a,61,7f,e1,1e,75,
    d5,79,8b,b2,2f,2f,8f,47,a9,78,aa,eb,8c,51,1f,73,58,70,bf,00,00,00,00,00,00,\
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500_Classes\Wow6432Node\CLSID\{83ed2cc3-6dfd-40d6-b9fe-21cf68cc8557}]
    @Denied: (Full) (Everyone)
    @Allowed: (Read) (RestrictedCode)
    "Model"=dword:0000009a
    "Therad"=dword:0000000f
    .
    [HKEY_USERS\S-1-5-21-378024836-819946511-3807712176-500_Classes\Wow6432Node\CLSID\{e05c6977-3a1d-463a-bb44-3663a6fb00ba}]
    @Denied: (Full) (Everyone)
    @Allowed: (Read) (RestrictedCode)
    "Model"=dword:00000046
    "Therad"=dword:0000001e
    "MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
    38,95,44,5e,82,77,36,a1,de,e3,5e,54,29,86,0c,2f,8c,7e,87,15,19,98,a7,c2,04,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
    "Version"=hex:e3,ec,c7,c6,5c,42,77,47,25,83,58,5d,3b,1f,0a,db,41,7e,f0,2b,12,
    ca,c7,63,0a,cc,90,03,45,fa,b2,19,6c,cf,30,24,fb,13,f5,4d,b6,04,d2,12,95,f2,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
    "Version"=hex:e3,ec,c7,c6,5c,42,77,47,25,83,58,5d,3b,1f,0a,db,41,7e,f0,2b,12,
    ca,c7,63,0a,cc,90,03,45,fa,b2,19,6c,cf,30,24,fb,13,f5,4d,b6,04,d2,12,95,f2,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    .
    **************************************************************************
    .
    Completion time: 2016-07-18 08:59:19 - machine was rebooted
    ComboFix-quarantined-files.txt 2016-07-18 00:59
    .
    Pre-Run: 347,299,221,504 bytes free
    Post-Run: 348,669,181,952 bytes free
    .
    - - End Of File - - F3C8E1CD74F7B9E70BAC88495F28ADCB
    A36C5E4F47E84449FF07ED3517B43A31
     
  16. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Re-run Farbar Recovery Scan Tool (FRST/FRST64) you ran at the very beginning of this topic.

    • Double-click to run it.
    • Make sure you checkmark the Addition.txt box.
    • Press the Scan button.
    • The scan will create two logs, FRST.txt and Addition.txt, in the same directory the tool is run from. Please copy and paste them into your reply.
     
  17. kingtaoist

    kingtaoist TS Rookie Topic Starter Posts: 19

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17-07-2016
    Ran by Administrator (administrator) on Dagami (19-07-2016 08:53:25)
    Running from C:\Users\Administrator\Downloads
    Loaded Profiles: Administrator (Available Profiles: Administrator)
    Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
    Internet Explorer Version 11 (Default browser: FF)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
    (BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
    (BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe
    () C:\Program Files (x86)\Realtek\RtkWin7(8)DashClientInstaller\RtkDashService64.exe
    (Realtek Semiconductor Corporation) C:\Program Files (x86)\Realtek\RtkWin7(8)DashClientInstaller\RtkDashClient.exe
    (Symantec Corporation) C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ns.exe
    (Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
    (Symantec Corporation) C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ns.exe
    (Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
    (BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-Agent.exe
    (Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
    (Microsoft Corporation) C:\Windows\System32\taskmgr.exe
    (BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-Service.exe
    (BlueStack Systems) C:\Program Files (x86)\BlueStacks\HD-Network.exe
    (BlueStack Systems) C:\Program Files (x86)\BlueStacks\HD-BlockDevice.exe
    (BlueStack Systems) C:\Program Files (x86)\BlueStacks\HD-SharedFolder.exe


    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-20] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-01-22] (Microsoft Corporation)
    HKLM-x32\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe [904824 2015-08-19] (BlueStack Systems, Inc.)
    Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
    HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
    HKLM\...\Policies\Explorer: [HideSCAHealth] 1
    HKU\S-1-5-21-378024836-819946511-3807712176-500\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
    ShellIconOverlayIdentifiers: [ OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton Security\Engine64\22.6.0.142\buShell.dll [2016-02-18] (Symantec Corporation)
    ShellIconOverlayIdentifiers: [ OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton Security\Engine64\22.6.0.142\buShell.dll [2016-02-18] (Symantec Corporation)
    ShellIconOverlayIdentifiers: [ OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security\Engine64\22.6.0.142\buShell.dll [2016-02-18] (Symantec Corporation)
    BootExecute: autocheck autochk * sdnclean64.exe
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    Tcpip\Parameters: [DhcpNameServer] 192.168.254.254
    Tcpip\..\Interfaces\{F0B4C6DB-3742-4A64-AEB5-C4AC1EC1C61D}: [DhcpNameServer] 192.168.254.254

    Internet Explorer:
    ==================
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-378024836-819946511-3807712176-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
    HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
    HKU\S-1-5-21-378024836-819946511-3807712176-500\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-22] (Microsoft Corporation)
    BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-01-17] (Microsoft Corporation)
    BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-22] (Microsoft Corporation)
    BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-01-17] (Microsoft Corporation)
    Handler-x32: mso-offdap11 - {32505114-5902-49b2-880A-1F7738E5A384} - C:\Windows\SysWow64\OWC11.DLL [2003-08-01] (Microsoft Corporation)

    FireFox:
    ========
    FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j809lgaq.default
    FF Homepage: hxxps://www.google.com.ph/?gfe_rd=cr&ei=3jnZVMqMN-aK8QeuzIHoCA
    FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-07-13] ()
    FF Plugin: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll [2015-02-15] (Microsoft Corporation)
    FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-10] (Microsoft Corporation)
    FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2015-08-06] (Adobe Systems)
    FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-13] ()
    FF Plugin-x32: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll [2015-02-15] (Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-10] (Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-01-10] (Microsoft Corporation)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
    FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-23] (VideoLAN)
    FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-06-30] (Adobe Systems Inc.)
    FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2015-08-06] (Adobe Systems)
    FF Plugin HKU\S-1-5-21-378024836-819946511-3807712176-500: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Administrator\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2015-06-08] (Unity Technologies ApS)
    FF Extension: Easy Screenshot - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j809lgaq.default\extensions\easyscreenshot@mozillaonline.com [2015-12-01]
    FF Extension: Google Translator for Firefox - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j809lgaq.default\extensions\translator@zoli.bod.xpi [2016-04-29]
    FF Extension: PDF Viewer - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j809lgaq.default\Extensions\uriloader@pdf.js.xpi [2016-04-28]
    FF Extension: Adblock Plus - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j809lgaq.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-04-29]
    FF Extension: NeoBux AdAlert - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j809lgaq.default\Extensions\{eb80b076-a444-444c-a590-5aee5d977d80}.xpi [2016-04-17]
    FF HKLM\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NS_22.5.4.24\coFFAddon
    FF Extension: Norton Identity Safe - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NS_22.5.4.24\coFFAddon [2016-07-17]
    FF HKLM-x32\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NS_22.5.4.24\coFFAddon
    FF HKU\S-1-5-21-378024836-819946511-3807712176-500\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi => not found

    Chrome:
    =======
    CHR HomePage: Default -> hxxp://www.google.com/
    CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://www.omniboxes.com/?type=hp&ts=1425269246&from=obw&uid=ST500LT012-9WS142_S0V77MW0XXXXS0V77MW0"
    CHR Profile: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default
    CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-03-14]
    CHR Extension: (YouTube) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
    CHR Extension: (Norton Security Toolbar) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe [2016-07-16]
    CHR Extension: (Google Search) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-28]
    CHR Extension: (Google Docs Offline) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
    CHR Extension: (Internet Speed Tracker) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdbaanobipilanpejljmogpnohjefplc [2015-08-02]
    CHR Extension: (Norton Identity Safe) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2016-07-16]
    CHR Extension: (Video HD Controls) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmhfcaikejhkkbbjnfamihppkjeoeknc [2015-04-12]
    CHR Extension: (Gmail) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-30]
    CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\Exts\Chrome.crx [2016-07-16]
    CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>
    CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>
    CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\Exts\Chrome.crx [2016-07-16]
    CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx

    ==================== Services (Whitelisted) ========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2021592 2016-04-05] (Adobe Systems, Incorporated)
    R3 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [437880 2015-08-19] (BlueStack Systems, Inc.)
    R2 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [413304 2015-08-19] (BlueStack Systems, Inc.)
    R2 BstHdUpdaterSvc; C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [839288 2015-08-19] (BlueStack Systems, Inc.)
    R2 DashClientService; C:\Program Files (x86)\Realtek\RtkWin7(8)DashClientInstaller\RtkDashService64.exe [251904 2013-01-17] () [File not signed]
    S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
    R2 NS; C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\NS.exe [289080 2016-02-26] (Symantec Corporation)
    S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [118520 2013-03-01] (Riverbed Technology, Inc.)
    S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-20] (Adobe Systems Incorporated) [File not signed]
    R2 Themes; C:\Windows\system32\themeservice.dll [44544 2012-10-22] (Microsoft Corporation) [File not signed]
    R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

    ===================== Drivers (Whitelisted) ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S3 2310_00; C:\Windows\system32\drivers\2310_00.sys [170528 2009-06-12] (HighPoint Technologies, Inc.)
    S3 272x_1x; C:\Windows\system32\drivers\272x_1x.sys [612672 2012-04-25] (HighPoint Technologies, Inc.)
    S3 274x_3x; C:\Windows\system32\drivers\274x_3x.sys [240960 2012-04-25] (HighPoint Technologies, Inc.)
    S3 amdide64; C:\Windows\system32\drivers\amdide64.sys [11904 2011-12-18] (Advanced Micro Devices Inc.)
    S3 arcm_a64; C:\Windows\system32\drivers\arcm_a64.sys [52768 2009-11-09] (ARECA Technology Corporation)
    S3 asahci64; C:\Windows\system32\drivers\asahci64.sys [49048 2012-07-18] (Asmedia Technology)
    S3 b06diag; C:\Windows\system32\drivers\bxdiaga.sys [88104 2012-03-08] (Broadcom Corporation)
    S3 BFN7x64; C:\Windows\system32\drivers\Xeno7x64.sys [157288 2012-02-22] (Bigfoot Networks, Inc.)
    S3 BFNVis64; C:\Windows\system32\drivers\XenoVa64.sys [157288 2012-02-22] (Bigfoot Networks, Inc.)
    R1 BHDrvx64; C:\Program Files (x86)\Norton Security\NortonData\22.5.4.24\Definitions\BASHDefs\20160711.001\BHDrvx64.sys [1832176 2016-07-11] (Symantec Corporation)
    R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [146040 2015-08-19] (BlueStack Systems)
    S3 bxfcoe; C:\Windows\system32\drivers\bxfcoe.sys [178216 2012-02-23] (Broadcom Corporation)
    S3 bxois; C:\Windows\system32\drivers\bxois.sys [539176 2012-02-23] (Broadcom Corporation)
    S3 cbaf; C:\Windows\System32\Drivers\cbaf.sys [15872 2008-01-10] (Intel Corp.)
    R1 ccSet_NS; C:\Windows\system32\drivers\NSx64\1606000.08E\ccSetx64.sys [173808 2015-09-24] (Symantec Corporation)
    S3 cercsr6; C:\Windows\system32\drivers\cercsr6.sys [45616 2008-02-28] (Adaptec, Inc.)
    S3 DC133; C:\Windows\system32\drivers\DC133.sys [39320 2011-05-02] (Dawicontrol GmbH)
    S3 DC150; C:\Windows\system32\drivers\DC150.sys [39832 2011-05-02] (Dawicontrol GmbH)
    S3 DC154; C:\Windows\system32\drivers\DC154.sys [48136 2011-05-02] (Dawicontrol GmbH)
    S3 DC300e; C:\Windows\system32\drivers\DC300e.sys [40344 2011-05-02] (Dawicontrol GmbH)
    S3 DC324e; C:\Windows\system32\drivers\DC324e.sys [49752 2011-05-02] (Dawicontrol GmbH)
    R0 DC3410; C:\Windows\System32\drivers\DC3410.sys [48328 2011-05-02] (Dawicontrol GmbH)
    S3 DC4300; C:\Windows\system32\drivers\DC4300.sys [48360 2011-05-02] (Dawicontrol GmbH)
    S3 DC600e; C:\Windows\system32\drivers\DC600e.sys [40744 2011-05-02] (Dawicontrol GmbH)
    S3 dfuuwb; C:\Windows\System32\Drivers\DfuUWB.sys [503296 2008-09-12] (Intel Corp.)
    S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3341904 2012-03-26] (Broadcom Corporation)
    R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [497392 2016-04-27] (Symantec Corporation)
    R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [156912 2016-04-27] (Symantec Corporation)
    S3 EtronSTOR; C:\Windows\System32\Drivers\EtronSTOR.sys [32512 2012-08-07] (Etron Technology Inc)
    S3 FLxHCIh; C:\Windows\system32\drivers\FLxHCIh.sys [77040 2012-11-02] (Fresco Logic)
    S3 hptiop; C:\Windows\system32\drivers\hptiop.sys [17440 2009-05-26] (HighPoint Technologies, Inc.)
    S3 hptmv; C:\Windows\system32\drivers\hptmv.sys [93472 2006-09-18] (HighPoint Technologies, Inc.)
    S3 hptmv6; C:\Windows\system32\drivers\hptmv6.sys [152096 2007-11-01] (HighPoint Technologies, Inc.)
    S3 HWA; C:\Windows\System32\Drivers\HWA.sys [61440 2008-09-29] (Intel Corp.)
    S3 IAMTVE; C:\Windows\system32\drivers\IAMTVE.sys [43416 2007-04-12] (Intel Corporation)
    S3 IAMTXPE; C:\Windows\system32\drivers\IAMTXPE.sys [51096 2007-04-12] (Intel Corporation)
    R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [26072 2012-06-30] (Intel Corporation)
    S3 iaStorS; C:\Windows\system32\drivers\iaStorS.sys [651224 2012-06-30] (Intel Corporation)
    R1 IDSVia64; C:\Program Files (x86)\Norton Security\NortonData\22.5.4.24\Definitions\IPSDefs\20160715.001\IDSvia64.sys [876760 2016-07-16] (Symantec Corporation)
    S3 IFCoEMP; C:\Windows\system32\drivers\ifM60x64.sys [387344 2012-04-21] (Intel(R) Corporation)
    S3 IFCoEVB; C:\Windows\system32\drivers\ifP60X64.sys [77584 2012-04-21] (Intel(R) Corporation)
    S3 ISCT; C:\Windows\system32\drivers\ISCTD64.sys [44992 2012-01-23] ()
    S3 iteatapi; C:\Windows\system32\drivers\iteatapi.sys [38680 2008-05-14] (ITE Tech. Inc.)
    S3 iteraid; C:\Windows\system32\drivers\iteraid.sys [32768 2007-05-02] (ITE Tech. Inc.)
    S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
    S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
    S3 megasas2; C:\Windows\system32\drivers\megasas2.sys [51496 2012-02-29] (LSI Corporation)
    S3 megasr1; C:\Windows\system32\drivers\MegaSR1.sys [461320 2009-04-16] (LSI Corporation, Inc.)
    S3 mv61xx; C:\Windows\system32\drivers\mv61xx.sys [183144 2012-05-23] (Marvell Semiconductor, Inc.)
    S3 mvs94xx; C:\Windows\system32\drivers\mvs94xx.sys [367920 2010-12-01] (Marvell Semiconductor, Inc.)
    S3 NAVENG; C:\Program Files (x86)\Norton Security\NortonData\22.5.4.24\Definitions\VirusDefs\20160717.001\ENG64.SYS [138456 2016-05-06] (Symantec Corporation)
    S3 NAVEX15; C:\Program Files (x86)\Norton Security\NortonData\22.5.4.24\Definitions\VirusDefs\20160717.001\EX64.SYS [2148056 2016-05-06] (Symantec Corporation)
    R2 NPF; C:\Windows\System32\drivers\npf.sys [36600 2013-03-01] (Riverbed Technology, Inc.)
    S3 nvrd64; C:\Windows\system32\drivers\nvrd64.sys [175720 2010-04-09] (NVIDIA Corporation)
    S3 ocz10xx; C:\Windows\system32\drivers\ocz10xx.sys [139056 2012-04-06] (OCZ Technology Group, Inc.)
    S3 ocz12xx; C:\Windows\system32\drivers\ocz12xx.sys [138544 2011-09-15] (OCZ Technology Group, Inc.)
    S3 percsas2; C:\Windows\system32\drivers\percsas2.sys [40456 2010-05-07] (LSI Corporation)
    S3 Pnp680; C:\Windows\system32\drivers\pnp680.sys [80424 2007-11-13] (Silicon Image, Inc)
    S3 rr172x; C:\Windows\system32\drivers\rr172x.sys [124448 2007-11-01] (HighPoint Technologies, Inc.)
    S3 rr174x; C:\Windows\system32\drivers\rr174x.sys [159264 2007-11-01] (HighPoint Technologies, Inc.)
    S3 rr2210; C:\Windows\system32\drivers\rr2210.sys [153632 2007-11-01] (HighPoint Technologies, Inc.)
    S3 rr232x; C:\Windows\system32\drivers\rr232x.sys [152096 2008-05-06] (HighPoint Technologies, Inc.)
    S3 rr2340; C:\Windows\system32\drivers\rr2340.sys [162400 2010-01-01] (HighPoint Technologies, Inc.)
    S3 rr2522; C:\Windows\system32\drivers\rr2522.sys [168032 2010-01-01] (HighPoint Technologies, Inc.)
    S3 rr276x; C:\Windows\system32\drivers\rr276x.sys [241472 2012-04-25] (HighPoint Technologies, Inc.)
    S3 rr278x; C:\Windows\system32\drivers\rr278x.sys [240960 2012-04-25] (HighPoint Technologies, Inc.)
    S3 rr62x; C:\Windows\system32\drivers\rr62x.sys [156256 2010-06-17] (HighPoint Technologies, Inc.)
    R3 rtkio; C:\Program Files (x86)\Realtek\RtkWin7(8)DashClientInstaller\rtkio64.sys [16016 2013-01-05] (Windows (R) Codename Longhorn DDK provider)
    S3 rusb3hub; C:\Windows\system32\drivers\rusb3hub.sys [114568 2012-08-28] (Renesas Electronics Corporation)
    S3 rusb3xhc; C:\Windows\system32\drivers\rusb3xhc.sys [230280 2012-08-28] (Renesas Electronics Corporation)
    S3 SI3112r; C:\Windows\system32\drivers\SI3112r.sys [164656 2007-02-01] (Silicon Image, Inc)
    S3 SI3114; C:\Windows\system32\drivers\SI3114.sys [99120 2006-11-10] (Silicon Image, Inc.)
    S3 SI3114r; C:\Windows\system32\drivers\SI3114R.sys [163632 2007-04-11] (Silicon Image, Inc)
    S3 SI3124; C:\Windows\system32\drivers\SI3124.sys [113456 2006-11-02] (Silicon Image, Inc.)
    S3 Si3124r5; C:\Windows\system32\drivers\Si3124r5.sys [340008 2010-04-13] (Silicon Image, Inc)
    S3 SI3132; C:\Windows\system32\drivers\SI3132.sys [90664 2007-10-03] (Silicon Image, Inc)
    S3 Si3531; C:\Windows\system32\drivers\Si3531.sys [333864 2009-02-09] (Silicon Image, Inc)
    R0 SiFilter; C:\Windows\System32\drivers\SiWinAcc.sys [22056 2007-10-03] (Silicon Image, Inc)
    R0 SiRemFil; C:\Windows\System32\drivers\SiRemFil.sys [17448 2007-10-03] (Silicon Image, Inc)
    S3 SISAGP; C:\Windows\system32\drivers\SISAGPX.sys [67104 2009-08-02] (Silicon Integrated Systems Corporation)
    S3 SRTSP; C:\Windows\System32\Drivers\NSx64\1606000.08E\SRTSP64.SYS [928504 2016-02-24] (Symantec Corporation)
    R1 SRTSPX; C:\Windows\system32\drivers\NSx64\1606000.08E\SRTSPX64.SYS [50936 2015-09-24] (Symantec Corporation)
    R0 SymEFASI; C:\Windows\System32\drivers\NSx64\1606000.08E\SYMEFASI64.SYS [1621232 2016-02-24] (Symantec Corporation)
    R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [111344 2016-07-16] (Symantec Corporation)
    R1 SymIRON; C:\Windows\system32\drivers\NSx64\1606000.08E\Ironx64.SYS [295664 2016-02-24] (Symantec Corporation)
    R1 SymNetS; C:\Windows\System32\Drivers\NSx64\1606000.08E\SYMNETS.SYS [577768 2016-02-24] (Symantec Corporation)
    U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2016-07-17] ()
    S3 uagp35; C:\Windows\system32\drivers\sisagpx.sys [67104 2009-08-02] (Silicon Integrated Systems Corporation)
    S3 uwbusb; C:\Windows\System32\Drivers\usbuwbmini.sys [13312 2008-09-15] (Intel Corp.)
    R1 VBoxUSBMon; C:\Windows\System32\DRIVERS\VBoxUSBMon.sys [127432 2015-09-16] (BigNox Corporation)
    S3 viaagp1; C:\Windows\system32\drivers\viaagp1.sys [59392 2005-09-23] (VIA Technologies, Inc.)
    S3 viamrx64; C:\Windows\system32\drivers\viamrx64.sys [161904 2010-12-03] (VIA Technologies Inc.,Ltd)
    S3 videX64; C:\Windows\system32\drivers\videX64.sys [15000 2010-02-11] (VIA Technologies, Inc.)
    S3 VUSB3HUB; C:\Windows\system32\drivers\ViaHub3.sys [210944 2012-05-30] (VIA Technologies, Inc.)
    R0 xfiltx64; C:\Windows\System32\drivers\xfiltx64.sys [26776 2010-02-11] (VIA Technologies, Inc.)
    S3 xhcdrv; C:\Windows\system32\drivers\xhcdrv.sys [261120 2012-05-30] (VIA Technologies, Inc.)
    R1 XQHDrv; C:\Windows\System32\DRIVERS\XQHDrv.sys [253384 2015-09-16] (BigNox Corporation)
    R1 XQHDrv; C:\Windows\SysWOW64\DRIVERS\XQHDrv.sys [253384 2015-09-16] (BigNox Corporation)
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-07-18 09:34 - 2016-07-18 09:35 - 01026735 _____ C:\Users\Administrator\Downloads\1245655.com.ar.apps.tool.developeroptionstool.apk
    2016-07-18 09:20 - 2016-07-18 09:22 - 06111601 _____ C:\Users\Administrator\Downloads\lucky-patcher-6-2-4.apk
    2016-07-18 09:07 - 2016-07-18 09:07 - 00001816 _____ C:\Users\Public\Desktop\Apps.lnk
    2016-07-18 09:07 - 2016-07-18 09:07 - 00001807 _____ C:\Users\Public\Desktop\Start BlueStacks.lnk
    2016-07-18 09:06 - 2016-07-18 09:07 - 00000000 ____D C:\ProgramData\BlueStacks
    2016-07-18 09:06 - 2016-07-18 09:06 - 00000000 ____D C:\Program Files (x86)\BlueStacks
    2016-07-18 08:35 - 2011-06-26 14:45 - 00256000 _____ C:\Windows\PEV.exe
    2016-07-18 08:35 - 2010-11-08 01:20 - 00208896 _____ C:\Windows\MBR.exe
    2016-07-18 08:35 - 2009-04-20 12:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
    2016-07-18 08:35 - 2000-08-31 08:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
    2016-07-18 08:35 - 2000-08-31 08:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
    2016-07-18 08:35 - 2000-08-31 08:00 - 00098816 _____ C:\Windows\sed.exe
    2016-07-18 08:35 - 2000-08-31 08:00 - 00080412 _____ C:\Windows\grep.exe
    2016-07-18 08:35 - 2000-08-31 08:00 - 00068096 _____ C:\Windows\zip.exe
    2016-07-18 08:31 - 2016-07-18 08:59 - 00000000 ____D C:\Qoobox
    2016-07-18 08:24 - 2016-07-18 08:24 - 05659291 ____R (Swearware) C:\Users\Administrator\Downloads\ComboFix.exe
    2016-07-17 19:03 - 2016-07-17 19:11 - 00000000 ____D C:\Users\Administrator\Downloads\window 7
    2016-07-17 14:48 - 2016-07-17 14:48 - 00006582 _____ C:\Users\Administrator\Desktop\JRT.txt
    2016-07-17 14:42 - 2016-07-17 14:42 - 01610560 _____ (Malwarebytes) C:\Users\Administrator\Downloads\JRT.exe
    2016-07-17 13:43 - 2016-07-17 13:43 - 00003054 _____ C:\Users\Administrator\Desktop\wtf.txt
    2016-07-17 13:10 - 2016-07-17 13:10 - 03712064 _____ C:\Users\Administrator\Downloads\adwcleaner_5.201.exe
    2016-07-17 09:55 - 2016-07-17 09:55 - 00000858 _____ C:\Users\Public\Desktop\RogueKiller.lnk
    2016-07-17 09:55 - 2016-07-17 09:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
    2016-07-17 09:55 - 2016-07-17 09:55 - 00000000 ____D C:\Program Files\RogueKiller
    2016-07-17 09:52 - 2016-07-17 09:54 - 31211544 _____ (Adlice Software ) C:\Users\Administrator\Downloads\setup.exe
    2016-07-17 09:28 - 2016-07-17 09:30 - 00027211 _____ C:\Users\Administrator\Downloads\Addition.txt
    2016-07-17 09:26 - 2016-07-19 08:55 - 00024474 _____ C:\Users\Administrator\Downloads\FRST.txt
    2016-07-17 09:26 - 2016-07-19 08:53 - 00000000 ____D C:\FRST
    2016-07-17 09:25 - 2016-07-17 09:25 - 02391040 _____ (Farbar) C:\Users\Administrator\Downloads\FRST64.exe
    2016-07-17 07:03 - 2016-07-17 07:03 - 00000000 ____D C:\Windows\System32\Tasks\Norton Security
    2016-07-17 06:57 - 2016-07-17 06:57 - 00003218 _____ C:\Windows\System32\Tasks\Norton WSC Integration
    2016-07-17 00:01 - 2016-07-17 00:14 - 00000000 ____D C:\Users\Administrator\vmlogs
    2016-07-17 00:01 - 2016-07-17 00:01 - 00000000 ____D C:\Users\Administrator\Nox_share
    2016-07-16 23:56 - 2016-07-16 23:57 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Nox
    2016-07-16 23:56 - 2016-07-16 23:56 - 00000958 _____ C:\Users\Administrator\Desktop\Multi-Drive.lnk
    2016-07-16 23:56 - 2016-07-16 23:56 - 00000877 _____ C:\Users\Administrator\Desktop\Nox.lnk
    2016-07-16 23:55 - 2016-07-17 00:14 - 00000000 ____D C:\Users\Administrator\.BigNox
    2016-07-16 23:54 - 2016-07-16 23:54 - 00000000 ____D C:\Program Files\DIFX
    2016-07-16 23:54 - 2015-09-16 14:07 - 00127432 _____ (BigNox Corporation) C:\Windows\system32\Drivers\VBoxUSBMon.sys
    2016-07-16 23:53 - 2015-09-16 11:29 - 00253384 _____ (BigNox Corporation) C:\Windows\system32\Drivers\XQHDrv.sys
    2016-07-16 23:48 - 2016-07-17 00:31 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Nox
    2016-07-16 23:47 - 2016-07-17 00:30 - 00000000 ____D C:\Users\Administrator\AppData\Local\Nox
    2016-07-16 23:15 - 2016-07-16 23:37 - 301720848 _____ (Duodian Technology Co. Ltd.) C:\Users\Administrator\Downloads\nox_setup_v3.7.0.0_full_En.exe
    2016-07-16 20:26 - 2015-07-28 17:52 - 00821920 _____ (Safer-Networking Ltd. ) C:\Users\Public\Desktop\Post Win10 Spybot-install.exe
    2016-07-16 20:20 - 2016-07-16 20:20 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
    2016-07-16 20:18 - 2016-07-18 08:51 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
    2016-07-16 20:18 - 2016-07-18 08:34 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
    2016-07-16 20:07 - 2016-07-16 20:14 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\Administrator\Downloads\spybot-2.4.exe
    2016-07-16 18:22 - 2016-07-16 18:35 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Wireshark
    2016-07-16 18:16 - 2016-07-16 18:16 - 00001786 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark.lnk
    2016-07-16 18:16 - 2016-07-16 18:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap
    2016-07-16 18:16 - 2016-07-16 18:16 - 00000000 ____D C:\Program Files (x86)\WinPcap
    2016-07-16 18:15 - 2016-07-16 18:15 - 00001613 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark Legacy.lnk
    2016-07-16 18:15 - 2016-07-16 18:15 - 00000000 ____D C:\ProgramData\Package Cache
    2016-07-16 18:14 - 2016-07-16 18:16 - 00000000 ____D C:\Program Files\Wireshark
    2016-07-16 18:03 - 2016-07-16 18:09 - 47578216 _____ (Wireshark development team) C:\Users\Administrator\Downloads\Wireshark-win64-2.0.4.exe
    2016-07-16 13:03 - 2016-07-16 13:03 - 00003248 _____ C:\Windows\System32\Tasks\{35EBE364-6A87-4A98-AB50-255A4DEE0B49}
    2016-07-16 12:00 - 2016-07-18 08:25 - 00000000 ____D C:\Windows\System32\Tasks\Remediation
    2016-07-16 12:00 - 2016-07-16 20:26 - 00000000 ____D C:\Program Files\Common Files\AV
    2016-07-16 11:48 - 2016-07-16 11:48 - 00007136 _____ C:\Users\Administrator\Desktop\virus.txt
    2016-07-16 11:46 - 2016-07-16 12:48 - 00000000 ____D C:\Users\Administrator\AppData\Local\NPE
    2016-07-16 08:54 - 2016-07-16 08:54 - 00111344 _____ (Symantec Corporation) C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
    2016-07-16 08:54 - 2016-07-16 08:54 - 00008214 _____ C:\Windows\system32\Drivers\SYMEVENT64x86.CAT
    2016-07-16 08:54 - 2016-07-16 08:54 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
    2016-07-16 08:53 - 2016-07-17 06:57 - 00002303 _____ C:\Users\Public\Desktop\Norton Security.LNK
    2016-07-16 08:51 - 2016-07-17 06:57 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Security
    2016-07-16 08:51 - 2016-07-17 06:57 - 00000000 ____D C:\Windows\system32\Drivers\NSx64
    2016-07-16 08:51 - 2016-07-16 08:51 - 00000000 ____D C:\Program Files (x86)\Norton Security
    2016-07-16 08:47 - 2016-07-16 08:47 - 00000000 ____D C:\ProgramData\NortonInstaller
    2016-07-16 08:47 - 2016-07-16 08:47 - 00000000 ____D C:\Program Files (x86)\NortonInstaller
    2016-07-16 08:31 - 2016-07-16 12:06 - 00000000 ____D C:\ProgramData\Norton
    2016-07-16 08:31 - 2016-07-16 08:56 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton
    2016-07-16 08:31 - 2016-07-16 08:31 - 01089576 _____ (Symantec Corporation) C:\Users\Administrator\Downloads\NSDownloader.exe
    2016-07-16 08:31 - 2016-07-16 08:31 - 00001277 _____ C:\Users\Administrator\Desktop\Norton Installation Files.lnk
    2016-07-16 08:31 - 2016-07-16 08:31 - 00000000 ____D C:\Users\Public\Downloads\Norton
    2016-07-15 20:39 - 2016-07-18 09:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BlueStacks
    2016-07-15 20:36 - 2016-07-15 20:38 - 14634624 _____ (BlueStack Systems Inc.) C:\Users\Administrator\Downloads\bluestacks-app-player-0-10-0-4321-multi-win.exe
    2016-07-15 16:08 - 2016-07-15 16:08 - 01097833 _____ C:\Users\Administrator\Downloads\Fake_GPS_Location_Spoofer_v4_0.apk
    2016-07-15 15:37 - 2016-07-15 15:38 - 04190317 _____ C:\Users\Administrator\Downloads\apkfiles.com_17629_Fake GPS Location Spoofer v4.0 (Paid Cracked).apk
    2016-07-15 13:53 - 2016-07-15 14:18 - 277575152 _____ (BlueStack Systems Inc.) C:\Users\Administrator\Downloads\bluestacks-app-player-2-3-35-6237.exe
    2016-07-15 13:41 - 2016-07-15 13:41 - 01065671 _____ C:\Users\Administrator\Downloads\com.incorporateapps.fakegps.v4.6-GlobalAPK.Co.apk
    2016-07-15 13:30 - 2016-07-15 13:31 - 13407150 _____ C:\Users\Administrator\Downloads\NewKingrootV4.95_C149_B283_en_release_2016_07_05_105203.apk
    2016-07-15 13:27 - 2016-07-15 13:33 - 60878833 _____ C:\Users\Administrator\Downloads\pokemon-go-0-29-2.apk
    2016-07-15 12:52 - 2016-07-15 13:17 - 276892264 _____ (BlueStack Systems Inc.) C:\Users\Administrator\Downloads\bluestacks-app-player-2-3-32-6227.exe

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-07-19 08:49 - 2015-02-21 10:54 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2016-07-19 08:49 - 2015-02-21 10:54 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2016-07-19 08:02 - 2015-02-13 02:45 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
    2016-07-19 07:01 - 2009-07-14 12:45 - 00067408 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2016-07-19 07:01 - 2009-07-14 12:45 - 00067408 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2016-07-19 06:53 - 2015-07-12 23:13 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
    2016-07-19 06:52 - 2009-07-14 13:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2016-07-18 09:07 - 2009-07-14 11:20 - 00000000 __RHD C:\Users\Public\Libraries
    2016-07-18 09:06 - 2015-08-15 21:56 - 00000000 ____D C:\ProgramData\BlueStacksSetup
    2016-07-18 08:55 - 2015-07-12 20:25 - 00000000 ____D C:\Windows\erdnt
    2016-07-18 08:51 - 2009-07-14 10:34 - 00000215 _____ C:\Windows\system.ini
    2016-07-17 23:43 - 2015-02-12 05:33 - 00000000 ____D C:\Users\Administrator\Documents\Adobe
    2016-07-17 14:53 - 2015-02-12 03:02 - 00000000 ____D C:\Users\Administrator\Downloads\Compressed
    2016-07-17 14:36 - 2015-02-20 02:27 - 00000000 ____D C:\AdwCleaner
    2016-07-17 12:24 - 2015-02-20 02:39 - 00028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
    2016-07-17 12:00 - 2015-06-25 15:05 - 00000000 ____D C:\Users\Administrator\Downloads\MOVIES
    2016-07-17 11:57 - 2015-02-12 02:43 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\uTorrent
    2016-07-17 06:55 - 2009-07-14 12:45 - 04940776 _____ C:\Windows\system32\FNTCACHE.DAT
    2016-07-17 00:01 - 2015-02-10 16:37 - 00000000 ____D C:\Users\Administrator
    2016-07-16 22:18 - 2015-02-10 16:38 - 00103352 _____ C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
    2016-07-16 20:41 - 2015-02-22 08:02 - 00000000 ____D C:\Users\Administrator\AppData\Local\CrashDumps
    2016-07-16 13:03 - 2015-02-11 07:20 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
    2016-07-16 13:01 - 2015-08-30 22:44 - 00063278 _____ C:\Windows\PeachWLog.XML
    2016-07-16 12:57 - 2015-08-30 23:09 - 00000000 ____D C:\Windows\Crystal
    2016-07-16 12:53 - 2015-08-30 23:00 - 00000023 _____ C:\Windows\ODBCINST.INI
    2016-07-16 12:50 - 2015-08-30 22:44 - 00000524 _____ C:\Windows\SysWOW64\Microsoft.VC90.CRT.manifest
    2016-07-16 12:49 - 2015-08-30 22:44 - 00000548 _____ C:\Windows\SysWOW64\Microsoft.VC90.MFC.manifest
    2016-07-16 12:30 - 2015-08-02 22:21 - 00314518 _____ C:\Windows\system32\Drivers\etc\hosts.bak
    2016-07-16 11:59 - 2015-02-10 23:16 - 00000000 ____D C:\Program Files (x86)\Steam
    2016-07-16 11:40 - 2015-01-26 00:12 - 00000365 _____ C:\Users\Administrator\AppData\Roaming\JZMYE
    2016-07-16 09:19 - 2015-07-12 18:56 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
    2016-07-16 08:50 - 2015-03-07 19:47 - 00001945 _____ C:\Windows\epplauncher.mif
    2016-07-16 08:46 - 2016-02-17 22:09 - 00000137 _____ C:\Users\Administrator\Desktop\notepad.txt
    2016-07-15 20:38 - 2015-08-29 16:16 - 00000000 ____D C:\Users\Administrator\AppData\Local\Bluestacks
    2016-07-15 15:46 - 2009-07-14 13:13 - 00789182 _____ C:\Windows\system32\PerfStringBackup.INI
    2016-07-15 15:46 - 2009-07-14 11:20 - 00000000 ____D C:\Windows\inf
    2016-07-14 07:30 - 2015-03-18 22:39 - 00004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
    2016-07-14 07:29 - 2015-11-29 10:24 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
    2016-07-13 17:01 - 2015-02-13 02:46 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
    2016-07-13 17:01 - 2015-02-13 02:45 - 00796352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2016-07-13 17:01 - 2015-02-13 02:45 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2016-07-13 17:00 - 2015-02-13 02:45 - 00000000 ____D C:\Windows\system32\Macromed
    2016-07-13 17:00 - 2015-02-12 05:16 - 00000000 ____D C:\Windows\SysWOW64\Macromed
    2016-07-07 08:39 - 2010-11-21 11:27 - 00485032 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
    2016-07-04 23:28 - 2015-02-12 23:09 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\vlc

    ==================== Files in the root of some directories =======

    2015-01-26 00:12 - 2015-01-26 00:12 - 0002086 _____ () C:\Users\Administrator\AppData\Roaming\HUVI
    2015-01-26 00:12 - 2016-07-16 11:40 - 0000365 _____ () C:\Users\Administrator\AppData\Roaming\JZMYE

    ==================== Bamital & volsnap =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\system32\winlogon.exe => File is digitally signed
    C:\Windows\system32\wininit.exe => File is digitally signed
    C:\Windows\SysWOW64\wininit.exe => File is digitally signed
    C:\Windows\explorer.exe
    [2013-01-10 12:47] - [2010-11-21 11:24] - 2389504 ____A (Microsoft Corporation) 0FEF117801269BA26F1D63B2F1CDC6AA

    C:\Windows\SysWOW64\explorer.exe => File is digitally signed
    C:\Windows\system32\svchost.exe => File is digitally signed
    C:\Windows\SysWOW64\svchost.exe => File is digitally signed
    C:\Windows\system32\services.exe => File is digitally signed
    C:\Windows\system32\User32.dll => File is digitally signed
    C:\Windows\SysWOW64\User32.dll => File is digitally signed
    C:\Windows\system32\userinit.exe => File is digitally signed
    C:\Windows\SysWOW64\userinit.exe => File is digitally signed
    C:\Windows\system32\rpcss.dll => File is digitally signed
    C:\Windows\system32\dnsapi.dll => File is digitally signed
    C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
    C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2016-07-17 07:53

    ==================== End of FRST.txt ============================
  18. kingtaoist

    kingtaoist TS Rookie Topic Starter Posts: 19

    Additional scan result of Farbar Recovery Scan Tool (x64) Version: 17-07-2016
    Ran by Administrator (2016-07-19 08:55:57)
    Running from C:\Users\Administrator\Downloads
    Windows 7 Ultimate Service Pack 1 (X64) (2015-02-10 08:36:19)
    Boot Mode: Normal
    ==========================================================


    ==================== Accounts: =============================

    Administrator (S-1-5-21-378024836-819946511-3807712176-500 - Administrator - Enabled) => C:\Users\Administrator
    Guest (S-1-5-21-378024836-819946511-3807712176-501 - Limited - Disabled)
    HomeGroupUser$ (S-1-5-21-378024836-819946511-3807712176-1002 - Limited - Enabled)

    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AV: Norton Security (Disabled - Up to date) {53C7D717-52E2-B95E-FA61-6F32ECC805DB}
    AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    AS: Norton Security (Disabled - Up to date) {E8A636F3-74D8-B6D0-C0D1-5440974F4F66}
    FW: Norton Security (Disabled) {6BFC5632-188D-B806-D13E-C607121B42A0}

    ==================== Installed Programs ======================

    (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.017.20050 - Adobe Systems Incorporated)
    Adobe After Effects CS6 (HKLM-x32\...\{4817D846-700B-474E-A31B-80892B3E92E3}) (Version: 11 - Adobe Systems Incorporated)
    Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.1.0.4880 - Adobe Systems Incorporated)
    Adobe Flash Player 22 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 22.0.0.209 - Adobe Systems Incorporated)
    Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated)
    Adobe Premiere Pro CS6 (HKLM-x32\...\{7176B973-6011-43C1-AEBC-2D73FE7C6982}) (Version: 6.0 - Adobe Systems Incorporated)
    Adobe Premiere Pro CS6 Functional Content (HKLM-x32\...\{614020C8-2E16-4E16-A5F0-04DE2AB96097}) (Version: 6.0.0 - Adobe Systems Incorporated)
    Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
    AuditPro Enterprise (HKLM-x32\...\AuditPro Enterprise4.0.0) (Version: 4.0.0 - NII Consulting Pvt Ltd.)
    bl (x32 Version: 1.0.0 - Your Company Name) Hidden
    BlueStacks App Player (HKLM-x32\...\BlueStacks App Player) (Version: 0.10.0.4321 - BlueStack Systems, Inc.)
    BlueStacks Notification Center (HKLM-x32\...\{473E82D7-79E2-43DF-8FA0-025407C93191}) (Version: 0.10.0.4321 - BlueStack Systems, Inc.)
    Crystal Reports 2008 Runtime SP1 (HKLM-x32\...\{C484CC8D-03CF-4022-89C4-DB4F02E8A15B}) (Version: 12.1.0.882 - Business Objects)
    Dota 2 (HKLM-x32\...\Steam App 570) (Version: - Valve)
    ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version: - )
    File Audit Version 1 (HKLM-x32\...\File Audit_is1) (Version: - Adaptive Technology (M))
    Google Chrome (HKLM-x32\...\Google Chrome) (Version: 51.0.2704.103 - Google Inc.)
    Google Update Helper (x32 Version: 1.3.30.3 - Google Inc.) Hidden
    IDM Patch 6.25 build 03 (HKLM-x32\...\IDM Patch 6.25 build 03) (Version: build 03 - SandySeedings Team)
    Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.3347 - Intel Corporation)
    Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
    ManageMore Auditor's Edition (HKLM-x32\...\{8840E960-F3C1-11DC-4823-0BBCFDB50029}) (Version: 8.0 - Intellisoft, Inc.)
    Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
    Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.4734.1000 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
    Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
    Mozilla Firefox 47.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 47.0 (x86 en-US)) (Version: 47.0 - Mozilla)
    Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 47.0.0.5999 - Mozilla)
    NCLauncher (NCSOFT) (HKLM-x32\...\NCLauncher_NCJapan) (Version: - NCSOFT)
    Norton Security (HKLM-x32\...\NS) (Version: 22.6.0.142 - Symantec Corporation)
    Peachtree Signature Ready Forms (x32 Version: 6.14.24 - Sage Software SB, Inc.) Hidden
    ph (x32 Version: 1.0.0 - Your Company Name) Hidden
    Realtek Ethernet Controller All-In-One Windows Driver (HKLM-x32\...\{F7E7F0CB-AA41-4D5A-B6F2-8E6738EB063F}) (Version: 7.61.612.2012 - Realtek)
    Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.1.7601.28099 - Realtek Semiconductor Corp.)
    RogueKiller version 12 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12 - Adlice Software)
    RtkWin7(8)DashClientInstaller (HKLM-x32\...\{36C6FC3D-B3BC-4F21-B164-5A903B752267}) (Version: 2.0.3 - Realtek)
    Safari (HKLM-x32\...\{C779648B-410E-4BBA-B75B-5815BCEFE71D}) (Version: 5.34.57.2 - Apple Inc.)
    Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
    TeraCopy 2.3 (HKLM\...\TeraCopy_is1) (Version: - Code Sector)
    Unity Web Player (HKU\S-1-5-21-378024836-819946511-3807712176-500\...\UnityWebPlayer) (Version: 5.0.3f2 - Unity Technologies ApS)
    Visual Studio Tools for the Office system 3.0 Runtime (HKLM-x32\...\Visual Studio Tools for the Office system 3.0 Runtime) (Version: - Microsoft Corporation)
    Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258) (HKLM-x32\...\{8FB53850-246A-3507-8ADE-0060093FFEA6}.KB949258) (Version: 1 - Microsoft Corporation)
    VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
    WinPcap 4.1.3 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2980 - Riverbed Technology, Inc.)
    WinRAR 5.21 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.21.0 - win.rar GmbH)
    Wireshark 2.0.4 (64-bit) (HKLM-x32\...\Wireshark) (Version: 2.0.4 - The Wireshark developer community, hxxps://www.wireshark.org)

    ==================== Custom CLSID (Whitelisted): ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== Scheduled Tasks (Whitelisted) =============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    Task: {116329DE-8CDE-46F4-B582-BFBDB0D0911C} - System32\Tasks\{35EBE364-6A87-4A98-AB50-255A4DEE0B49} => pcalua.exe -a "C:\Windows\AuditPro Enterprise\uninstall.exe" -c "/U:C:\Program Files (x86)\AuditPro Enterprise\Uninstall\uninstall.xml"
    Task: {951C9E08-D7AC-4987-AA46-9A263F3BE4B3} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-02-21] (Google Inc.)
    Task: {A242EEB6-DDFC-40B5-8FFA-34803242E702} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\WSCStub.exe [2016-02-26] (Symantec Corporation)
    Task: {B51A1BEE-268E-461A-8A94-064B94E8B298} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-06-25] (Adobe Systems Incorporated)
    Task: {C028F8A8-9CD4-4EB6-B618-16D605DFC7AC} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton Security\Upgrade.exe [2016-02-26] (Symantec Corporation)
    Task: {D303DBA1-0327-4095-8A19-C05CE69C8CC2} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-02-21] (Google Inc.)
    Task: {D9AA59C5-ED7F-4C18-BCD8-EB9ACCA0BD9A} - System32\Tasks\Norton Security\Norton Error Processor => C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\SymErr.exe [2016-02-11] (Symantec Corporation)
    Task: {DB94F18E-8D2F-48A1-B941-584B0D15F06A} - System32\Tasks\Norton Security\Norton Error Analyzer => C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\SymErr.exe [2016-02-11] (Symantec Corporation)
    Task: {EF9B0DFE-1D7D-4919-B37D-09A92091505C} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-07-13] (Adobe Systems Incorporated)

    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

    Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

    ==================== Shortcuts =============================

    (The entries could be listed to be restored or removed.)

    ==================== Loaded Modules (Whitelisted) ==============

    2010-01-10 12:17 - 2010-01-10 12:17 - 04254560 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
    2010-01-21 17:40 - 2010-01-21 17:40 - 08794464 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
    2013-01-17 21:00 - 2013-01-17 21:00 - 00251904 _____ () C:\Program Files (x86)\Realtek\RtkWin7(8)DashClientInstaller\RtkDashService64.exe

    ==================== Alternate Data Streams (Whitelisted) =========

    (If an entry is included in the fixlist, only the ADS will be removed.)

    AlternateDataStreams: C:\Program Files\Common Files\System:jUe8hl2Qt5MpvNxY5l340G [2228]
    AlternateDataStreams: C:\Users\Administrator\Cookies:US9ee7JcLK328BhRmOjL [2110]
    AlternateDataStreams: C:\ProgramData\Microsoft:004UGENrNjI5O8CoPJnEgxivc [2164]
    AlternateDataStreams: C:\ProgramData\Microsoft:VsrgNWzY454FBkIkmCPIiTNgE [1932]
    AlternateDataStreams: C:\ProgramData\TEMP:4B244549 [278]

    ==================== Safe Mode (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


    ==================== Association (Whitelisted) ===============

    (If an entry is included in the fixlist, the registry item will be restored to default or removed.)


    ==================== Internet Explorer trusted/restricted ===============

    (If an entry is included in the fixlist, it will be removed from the registry.)


    ==================== Hosts content: ===============================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2009-07-14 10:34 - 2016-07-18 08:51 - 00000027 ____N C:\Windows\system32\Drivers\etc\hosts

    127.0.0.1 localhost

    ==================== Other Areas ============================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-378024836-819946511-3807712176-500\Control Panel\Desktop\\Wallpaper -> C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
    DNS Servers: 192.168.254.254
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
    Windows Firewall is enabled.

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    (Currently there is no automatic fix for this section.)

    MSCONFIG\startupreg: BlueStacks Agent => C:\Program Files (x86)\Bluestacks\HD-Agent.exe
    MSCONFIG\startupreg: IDMan => C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot

    ==================== FirewallRules (Whitelisted) ===============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    FirewallRules: [{1FF8FCDF-A0BF-488B-9313-3C64218CA763}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    FirewallRules: [{50D82775-DE8F-4A58-AC29-E8664295240B}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    FirewallRules: [{B8D4CDC6-CC61-42A8-9F4D-033E1C40AF1A}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
    FirewallRules: [{86302615-91F4-457E-AAAC-5F3DAA87C0C6}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
    FirewallRules: [{F4696E47-ECB4-449F-92BD-A3FA167BDA1B}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
    FirewallRules: [{EE48FAB1-5D5B-487F-B4FE-9D82E27FB8E1}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
    FirewallRules: [{74B899F9-E14D-40E0-80F5-E31F250E2494}] => (Allow) C:\Users\Administrator\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{26171E3B-55DB-4B60-9BAB-6E2C6EBC7EB0}] => (Allow) C:\Users\Administrator\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{8A874FAE-AE61-41F0-8B0B-507D6D308FDF}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\dota.exe
    FirewallRules: [{42BEA990-A89E-4B1D-9DE9-0A5A7F1910FA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\dota.exe
    FirewallRules: [TCP Query User{D3C795DD-21C7-4B55-989C-9CF4F0DD9242}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
    FirewallRules: [UDP Query User{C4A3E106-3A65-4A75-9CD5-2A6C71BCB397}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
    FirewallRules: [{9884350C-4171-4F5A-8FCA-B077FBD6E250}] => (Allow) C:\Users\Administrator\AppData\Local\Temp\QQGameDownloader\bns_1429866144_16471\MiniQQDL.exe
    FirewallRules: [{C248E500-8DFC-4592-B126-EA6BEDE588BD}] => (Allow) C:\Users\Administrator\AppData\Local\Temp\QQGameDownloader\bns_1429866144_16471\MiniQQDL.exe
    FirewallRules: [TCP Query User{B3762EE7-9B0E-47DB-9B06-9DFF24547066}C:\users\administrator\appdata\local\temp\qqgamedownloader\bns_1429866144_16471\teniodl.exe] => (Allow) C:\users\administrator\appdata\local\temp\qqgamedownloader\bns_1429866144_16471\teniodl.exe
    FirewallRules: [UDP Query User{07A8FD06-7A5F-490C-9D60-0AEAFEE03BDA}C:\users\administrator\appdata\local\temp\qqgamedownloader\bns_1429866144_16471\teniodl.exe] => (Allow) C:\users\administrator\appdata\local\temp\qqgamedownloader\bns_1429866144_16471\teniodl.exe
    FirewallRules: [{8E2C79DE-A9A0-4708-B3ED-217CD02F6384}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win32\dota2.exe
    FirewallRules: [{FCE23EDC-4A7D-4806-99BA-6EBE7DFF3CE9}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win32\dota2.exe
    FirewallRules: [{D6521918-07E8-4B41-86CF-E365979CD2D0}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2cfg.exe
    FirewallRules: [{25A480B2-5D11-4344-8C50-0E0594F7E306}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2cfg.exe
    FirewallRules: [{BACBFDB4-FF71-47D6-9D69-83AA3169C103}] => (Allow) LPort=1583
    FirewallRules: [{89BE1639-F493-4C1C-A324-988200D4E3F8}] => (Allow) LPort=3351
    FirewallRules: [{2E4595D2-C164-4880-A671-2B63DCD5C04A}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exe
    FirewallRules: [{7C0A4654-8EE7-472E-B473-85ED4FC32521}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\dota2.exe
    FirewallRules: [TCP Query User{4704F9DC-A9DC-4C12-800E-440602C94FC2}C:\program files (x86)\youwave android\vb\vboxsdl.exe] => (Allow) C:\program files (x86)\youwave android\vb\vboxsdl.exe
    FirewallRules: [UDP Query User{1F1BB775-B0C6-43F4-B357-0242875EE2AB}C:\program files (x86)\youwave android\vb\vboxsdl.exe] => (Allow) C:\program files (x86)\youwave android\vb\vboxsdl.exe
    FirewallRules: [{49D965CD-E9A7-43C3-9FF6-ADB357666D89}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    FirewallRules: [{270A9CC0-F13A-4655-8E87-B5026CAAABA1}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    FirewallRules: [TCP Query User{C8256E21-2105-4879-B49D-95B2741452AD}C:\program files (x86)\manageengine\adaudit plus\jre\bin\java.exe] => (Allow) C:\program files (x86)\manageengine\adaudit plus\jre\bin\java.exe
    FirewallRules: [UDP Query User{3B23AE62-790D-4FF4-86E2-DA0AD97D8E10}C:\program files (x86)\manageengine\adaudit plus\jre\bin\java.exe] => (Allow) C:\program files (x86)\manageengine\adaudit plus\jre\bin\java.exe
    FirewallRules: [{B316C7F8-982C-404A-BD93-B951018C347B}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    FirewallRules: [{36EFF10A-82EB-4E55-8672-43224CF2BB2C}] => (Allow) C:\Users\Administrator\AppData\Roaming\Nox\bin\Nox.exe
    FirewallRules: [{E36A9365-8ACD-41E1-8081-11B1FBE1519D}] => (Allow) C:\Program Files\Bignox\BigNoxVM\RTNoxVMHandle.exe

    ==================== Restore Points =========================

    21-06-2016 14:36:08 Scheduled Checkpoint
    29-06-2016 07:25:52 Scheduled Checkpoint
    06-07-2016 12:44:28 Scheduled Checkpoint
    14-07-2016 13:01:20 Scheduled Checkpoint
    18-07-2016 08:35:33 ComboFix created restore point

    ==================== Faulty Device Manager Devices =============


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (07/19/2016 06:54:00 AM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (07/18/2016 11:49:43 AM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )
    Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to compile C:\Program Files (x86)\BlueStacks\HD-CreateSymlink.exe because this image is a 64bit assembly; try using 64bit ngen instead.

    Error: (07/18/2016 08:52:53 AM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (07/18/2016 06:30:15 AM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (07/17/2016 02:47:37 PM) (Source: SideBySide) (EventID: 80) (User: )
    Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest3.
    A component version required by the application conflicts with another component version already active.
    Conflicting components are:.
    Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
    Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

    Error: (07/17/2016 02:39:50 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (07/17/2016 12:18:04 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (07/17/2016 11:54:08 AM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (07/17/2016 11:17:53 AM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (07/17/2016 10:56:12 AM) (Source: Microsoft-Windows-RestartManager) (EventID: 10006) (User: Dagami)
    Description: Application or service 'Anti-malware remediation tool' could not be shut down.


    System errors:
    =============
    Error: (07/18/2016 08:48:58 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
    Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

    Error: (07/18/2016 08:48:03 AM) (Source: Application Popup) (EventID: 1060) (User: )
    Description: \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

    Error: (07/18/2016 08:44:10 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
    Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

    Error: (07/18/2016 12:54:36 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The BlueStacks Plus Android Service service terminated unexpectedly. It has done this 1 time(s).

    Error: (07/18/2016 12:00:28 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
    Description: A timeout was reached (30000 milliseconds) while waiting for the Windows Error Reporting Service service to connect.

    Error: (07/17/2016 11:27:58 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The BlueStacks Updater Service service terminated unexpectedly. It has done this 1 time(s).

    Error: (07/17/2016 02:37:16 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
    Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:
    %%1056 = An instance of the service is already running.


    Error: (07/17/2016 02:36:46 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

    Error: (07/17/2016 02:36:46 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The IconMan_R service terminated unexpectedly. It has done this 1 time(s).

    Error: (07/17/2016 02:36:46 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.


    CodeIntegrity:
    ===================================
    Date: 2016-07-18 08:48:03.852
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-07-18 08:48:03.774
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


    ==================== Memory info ===========================

    Processor: Intel(R) Core(TM) i3-2377M CPU @ 1.50GHz
    Percentage of memory in use: 81%
    Total physical RAM: 1914.03 MB
    Available physical RAM: 345.64 MB
    Total Virtual: 6914.03 MB
    Available Virtual: 4707.7 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:465.42 GB) (Free:321.23 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 55363B78)
    Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=465.4 GB) - (Type=07 NTFS)

    ==================== End of Addition.txt ============================
     
  19. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Download attached fixlist.txt file and save it to the Desktop.
    NOTE. It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Run FRST(FRST64) and press the Fix button just once and wait.
    The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
     

    Attached Files:

  20. kingtaoist

    kingtaoist TS Rookie Topic Starter Posts: 19

    Fix result of Farbar Recovery Scan Tool (x64) Version: 17-07-2016
    Ran by Administrator (2016-07-19 10:14:43) Run:1
    Running from C:\Users\Administrator\Downloads
    Loaded Profiles: Administrator (Available Profiles: Administrator)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-378024836-819946511-3807712176-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    FF HKU\S-1-5-21-378024836-819946511-3807712176-500\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi => not found
    CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://www.omniboxes.com/?type=hp&ts=1425269246&from=obw&uid=ST500LT012-9WS142_S0V77MW0XXXXS0V77MW0"
    CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>
    CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]
    2015-01-26 00:12 - 2015-01-26 00:12 - 0002086 _____ () C:\Users\Administrator\AppData\Roaming\HUVI
    2015-01-26 00:12 - 2016-07-16 11:40 - 0000365 _____ () C:\Users\Administrator\AppData\Roaming\JZMYE
    AlternateDataStreams: C:\Program Files\Common Files\System:jUe8hl2Qt5MpvNxY5l340G [2228]
    AlternateDataStreams: C:\Users\Administrator\Cookies:US9ee7JcLK328BhRmOjL [2110]
    AlternateDataStreams: C:\ProgramData\Microsoft:004UGENrNjI5O8CoPJnEgxivc [2164]
    AlternateDataStreams: C:\ProgramData\Microsoft:VsrgNWzY454FBkIkmCPIiTNgE [1932]
    AlternateDataStreams: C:\ProgramData\TEMP:4B244549 [278]

    *****************

    "HKLM\SOFTWARE\Policies\Google" => key removed successfully
    "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
    "HKU\S-1-5-21-378024836-819946511-3807712176-500\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
    HKU\S-1-5-21-378024836-819946511-3807712176-500\Software\Mozilla\SeaMonkey\Extensions\\mozilla_cc2@internetdownloadmanager.com => value removed successfully
    Chrome StartupUrls => removed successfully
    "HKLM\SOFTWARE\Google\Chrome\Extensions\jeaohhlajejodfjadcponpnjgkiikocn" => key removed successfully
    "HKLM\SOFTWARE\Google\Chrome\Extensions\ngpampappnmepgilojfohadhhmbhlaek" => key removed successfully
    catchme => service removed successfully
    VGPU => service removed successfully
    C:\Users\Administrator\AppData\Roaming\HUVI => moved successfully
    C:\Users\Administrator\AppData\Roaming\JZMYE => moved successfully
    C:\Program Files\Common Files\System => ":jUe8hl2Qt5MpvNxY5l340G" ADS removed successfully.
    "C:\Users\Administrator\Cookies" => ":US9ee7JcLK328BhRmOjL" ADS not found.
    C:\ProgramData\Microsoft => ":004UGENrNjI5O8CoPJnEgxivc" ADS removed successfully.
    C:\ProgramData\Microsoft => ":VsrgNWzY454FBkIkmCPIiTNgE" ADS removed successfully.
    C:\ProgramData\TEMP => ":4B244549" ADS removed successfully.

    ==== End of Fixlog 10:14:45 ====
     
  21. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Last scans...

    Download Security Check from here or here and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
    NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
    NOTE 3. If you receive the UNSUPPORTED OPERATING SYSTEM! ABORTED! message, restart the computer and Security Check should run.


    Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
    • Other Services

    Press "Scan".
    It will create a log (FSS.txt) in the same directory the tool is run.
    Please copy and paste the log to your reply.


    Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    Download Sophos Free Virus Removal Tool and save it to your desktop.
    • Double click the icon and select Run
    • Click Next
    • Select I accept the terms in this license agreement, then click Next twice
    • Click Install
    • Click Finish to launch the program
    • Once the virus database has been updated click Start Scanning
    • If any threats are found click Details, then View log file... (bottom left hand corner)
    • Copy and paste the results in your reply
    • Close the Notepad document, close the Threat Details screen, then click Start cleanup
    • Click Exit to close the program
     
  22. kingtaoist

    kingtaoist TS Rookie Topic Starter Posts: 19

    Results of screen317's Security Check version 1.014 --- 12/23/15
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 11
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Norton Security
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    Adobe Flash Player 22.0.0.209
    Mozilla Firefox (47.0)
    Google Chrome (51.0.2704.103)
    Google Chrome (51.0.2704.84)
    Google Chrome (SetupMetrics.pma..)
    ````````Process Check: objlist.exe by Laurent````````
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 3%
    ````````````````````End of Log``````````````````````
     
  23. kingtaoist

    kingtaoist TS Rookie Topic Starter Posts: 19

    Farbar Service Scanner Version: 27-01-2016
    Ran by Administrator (administrator) on 19-07-2016 at 11:22:19
    Running from "C:\Users\Administrator\Downloads"
    Microsoft Windows 7 Ultimate Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Policy:
    ========================


    Action Center:
    ============


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============

    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => File is digitally signed
    C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
    C:\Windows\System32\dhcpcore.dll => File is digitally signed
    C:\Windows\System32\drivers\afd.sys => File is digitally signed
    C:\Windows\System32\drivers\tdx.sys => File is digitally signed
    C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
    C:\Windows\System32\dnsrslvr.dll => File is digitally signed
    C:\Windows\System32\dnsapi.dll => File is digitally signed
    C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
    C:\Windows\System32\mpssvc.dll => File is digitally signed
    C:\Windows\System32\bfe.dll => File is digitally signed
    C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
    C:\Windows\System32\SDRSVC.dll => File is digitally signed
    C:\Windows\System32\vssvc.exe => File is digitally signed
    C:\Windows\System32\wscsvc.dll => File is digitally signed
    C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
    C:\Windows\System32\wuaueng.dll => File is digitally signed
    C:\Windows\System32\qmgr.dll => File is digitally signed
    C:\Windows\System32\es.dll => File is digitally signed
    C:\Windows\System32\cryptsvc.dll => File is digitally signed
    C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
    C:\Windows\System32\ipnathlp.dll => File is digitally signed
    C:\Windows\System32\iphlpsvc.dll => File is digitally signed
    C:\Windows\System32\svchost.exe => File is digitally signed
    C:\Windows\System32\rpcss.dll => File is digitally signed


    **** End of log ****
     
  24. kingtaoist

    kingtaoist TS Rookie Topic Starter Posts: 19

    No threats found on Sophos.
     
  25. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Your computer is clean

    1. This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
    This is a very crucial step so make sure you don't skip it.
    Download DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

    Double-click Delfix.exe to start the tool.
    Make sure the following items are checked:
    • Activate UAC (optional; some users prefer to keep it off)
    • Remove disinfection tools
    • Create registry backup
    • Purge System Restore
    • Reset system settings
    Now click "Run" and wait patiently.
    Once finished a logfile will be created. You don't have to attach it to your next reply.

    2. Make sure Windows Updates are current.

    3. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    4. Check if your browser plugins are up to date.
    Firefox - https://www.mozilla.org/en-US/plugincheck/
    other browsers: https://browsercheck.qualys.com/ (click on "Scan without installing plugin" and then on "Scan now")

    5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC), AdwCleaner and Junkware Removal Tool (JRT) weekly (you need to redownload these tools since they were removed by DelFix).

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    11. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
    About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs) which change your browser settings: http://www.bleepingcomputer.com/for...curity-questions-best-practices/#entry3187642

    12. Please let me know how your computer is doing.
     
