Malware removal for PC - infected from porn sites??

Post by purgemypcplease » February 8th, 2017, 5:23 am

Hi guys,

Embarrassing title... I know... :/

But thank you in advance for helping me with this. It's really appreciated.

I suspect I may have gotten some kind of infection after browsing various porn sites, and was hoping to purge my PC of any infections.

I've run the standard Malwarebytes, Spybot Search & Destroy, CCleaner registry cleaner, and the basic stuff, but suspect I still have some kind of infection.

Here are my logs:

1. FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 05-02-2017
Ran by flynn (administrator) on FLYNN-PC (08-02-2017 20:10:00)
Running from E:\firefox downloads
Loaded Profiles: flynn (Available Profiles: flynn)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Bitdefender) C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
() C:\Windows\SysWOW64\ASGT.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe
(Plex, Inc.) C:\Program Files (x86)\Plex\Plex Media Server\Plex Update Service.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(ASUS) C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(Bitdefender) C:\Program Files\Bitdefender\Antivirus Free Edition\gziface.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Flux Software LLC) C:\Users\flynn\AppData\Local\FluxSoftware\Flux\flux.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
(Portrait Displays, Inc) C:\Program Files (x86)\BenQ\Display Pilot\dthtml.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Portrait Displays Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Shared\HookManager.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(ASUS) C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdiSDKHelper.exe
() C:\Program Files (x86)\Portrait Displays\Pivot Pro Plugin\wpCtrl.exe
() C:\Program Files (x86)\Portrait Displays\Pivot Pro Plugin\Floater.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\ET\EtHost.exe
() C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\DP\DPHelper.exe
() C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\DP\DPHelper64.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7202520 2013-08-19] (Realtek Semiconductor)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2398776 2016-06-15] (NVIDIA Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2016-11-01] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [34672 2008-06-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [PivotSoftware] => C:\Program Files (x86)\Portrait Displays\Pivot Pro Plugin\Pivot_startup.exe [112424 2013-06-18] ()
HKLM-x32\...\Run: [DT BEN] => C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe [122384 2013-11-12] (Portrait Displays, Inc.)
HKLM-x32\...\Run: [VolPanel] => C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe [241789 2009-07-07] (Creative Technology Ltd)
HKLM-x32\...\Run: [UpdReg] => C:\Windows\UpdReg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [UpdatePSTShortCut] => C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe [210216 2009-09-29] (CyberLink Corp.)
HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8891608 2016-07-14] (Piriform Ltd)
HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\Run: [f.lux] => C:\Users\flynn\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-24] (Flux Software LLC)
HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\MountPoints2: {ea1d704e-4878-11e6-ae67-806e6f6e6963} - G:\.\Bin\ASSETUP.exe
BootExecute: autocheck autochk * sdnclean64.exe
GroupPolicy\User: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 10.1.1.1
Tcpip\..\Interfaces\{6D32B02C-29D3-4172-81C9-44948DD3CC5B}: [NameServer] 10.5.0.1
Tcpip\..\Interfaces\{6D32B02C-29D3-4172-81C9-44948DD3CC5B}: [DhcpNameServer] 10.5.0.1
Tcpip\..\Interfaces\{DA720BB9-99B9-459B-9C11-6BF324A31CD1}: [DhcpNameServer] 10.1.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-1648639942-364084454-2766153320-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.facebook.com/seekingsalvation
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11] (Adobe Systems Incorporated)
DPF: HKLM-x32 {D4B68B83-8710-488B-A692-D74B50BA558E} hxxp://files.creative.com/Web/softwareu ... PIDPDE.cab
DPF: HKLM-x32 {E705A591-DA3C-4228-B0D5-A356DBA42FBF} hxxp://files.creative.com/Web/softwareu ... TSUEng.cab
DPF: HKLM-x32 {F6ACF75C-C32C-447B-9BEF-46B766368D29} hxxp://files.creative.com/Web/softwareu ... /CTPID.cab

FireFox:
========
FF DefaultProfile: z4roa0cw.default
FF ProfilePath: C:\Users\flynn\AppData\Roaming\Mozilla\Firefox\Profiles\z4roa0cw.default [2017-02-08]
FF Homepage: Mozilla\Firefox\Profiles\z4roa0cw.default -> hxxps://duckduckgo.com/
FF Extension: (Disconnect) - C:\Users\flynn\AppData\Roaming\Mozilla\Firefox\Profiles\z4roa0cw.default\Extensions\2.0@disconnect.me.xpi [2016-07-12]
FF Extension: (HTTPS Everywhere) - C:\Users\flynn\AppData\Roaming\Mozilla\Firefox\Profiles\z4roa0cw.default\Extensions\https-everywhere@eff.org.xpi [2017-02-02]
FF Extension: (RequestPolicy) - C:\Users\flynn\AppData\Roaming\Mozilla\Firefox\Profiles\z4roa0cw.default\Extensions\requestpolicy@requestpolicy.com.xpi [2016-07-14]
FF Extension: (UAControl) - C:\Users\flynn\AppData\Roaming\Mozilla\Firefox\Profiles\z4roa0cw.default\Extensions\uacontrol@qz.tsugumi.org.xpi [2016-07-14]
FF Extension: (uBlock Origin) - C:\Users\flynn\AppData\Roaming\Mozilla\Firefox\Profiles\z4roa0cw.default\Extensions\uBlock0@raymondhill.net.xpi [2017-02-08]
FF Extension: (User-Agent JS Fixer) - C:\Users\flynn\AppData\Roaming\Mozilla\Firefox\Profiles\z4roa0cw.default\Extensions\{086e582e-455b-4289-bfab-e90da7c0558b}.xpi [2016-07-14]
FF Extension: (NoScript) - C:\Users\flynn\AppData\Roaming\Mozilla\Firefox\Profiles\z4roa0cw.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2017-01-19]
FF ProfilePath: C:\Users\flynn\AppData\Roaming\Mozilla\Firefox\Profiles\24hemwe1.testing [2017-02-08]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-08-01] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-08-01] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2016-09-17] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2016-09-17] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-02-07] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-02-07] (Google Inc.)

Chrome:
=======
CHR Profile: C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default [2017-02-08]
CHR Extension: (Google Slides) - C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-02-07]
CHR Extension: (Google Docs) - C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-02-07]
CHR Extension: (Google Drive) - C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-02-07]
CHR Extension: (YouTube) - C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-02-07]
CHR Extension: (Google Sheets) - C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-02-07]
CHR Extension: (Google Docs Offline) - C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-02-07]
CHR Extension: (Chrome Web Store Payments) - C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-02-07]
CHR Extension: (Gmail) - C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-02-07]
CHR Extension: (Chrome Media Router) - C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-07]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
R2 ASGT; C:\Windows\SysWOW64\ASGT.exe [55296 2012-01-17] () [File not signed]
S3 Creative ALchemy AL6 Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [79360 2016-07-12] (Creative Labs) [File not signed]
S3 Creative Audio Engine Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2016-07-12] (Creative Labs) [File not signed]
R2 CTAudSvcService; C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe [294912 2010-09-30] (Creative Technology Ltd) [File not signed]
R2 DTSRVC; C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe [138768 2013-11-12] (Portrait Displays, Inc.)
R2 gzserv; C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe [79552 2016-03-02] (Bitdefender)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1881144 2016-06-15] (NVIDIA Corporation)
R3 NvStreamNetworkSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [3634232 2016-06-15] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [2522680 2016-06-15] (NVIDIA Corporation)
R2 PlexUpdateService; C:\Program Files (x86)\Plex\Plex Media Server\Plex Update Service.exe [1919472 2016-12-15] (Plex, Inc.)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [4088608 2016-09-21] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [235984 2016-11-24] (Safer-Networking Ltd.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 asahci64; C:\Windows\System32\DRIVERS\asahci64.sys [49760 2012-01-06] (Asmedia Technology)
R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [718840 2013-04-17] (BitDefender)
U5 avchv; C:\Windows\System32\Drivers\avchv.sys [261056 2012-11-02] (BitDefender)
R3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [593144 2013-04-17] (BitDefender)
R1 bdfwfpf; C:\Program Files\Bitdefender\Antivirus Free Edition\bdfwfpf.sys [121928 2013-07-02] (Bitdefender SRL)
R1 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [148696 2013-04-22] (BitDefender LLC)
R3 IOMap; C:\Windows\system32\drivers\IOMap64.sys [24824 2013-02-19] (ASUSTeK Computer Inc.)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [28216 2016-06-15] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [56384 2016-04-14] (NVIDIA Corporation)
R0 trufos; C:\Windows\System32\DRIVERS\trufos.sys [382536 2013-05-28] (BitDefender S.R.L.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-08 20:09 - 2017-02-08 20:10 - 00000000 ____D C:\FRST
2017-02-08 19:43 - 2017-02-08 19:39 - 00453264 ____R C:\Windows\system32\Drivers\etc\hosts.20170208-194327.backup
2017-02-07 19:53 - 2017-02-08 19:44 - 00000000 ____D C:\Users\flynn\AppData\LocalLow\Mozilla
2017-02-07 18:56 - 2017-02-07 18:56 - 00003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2017-02-07 18:56 - 2017-02-07 18:56 - 00003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2017-02-07 18:56 - 2017-02-07 18:56 - 00002267 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-01-27 07:42 - 2013-02-19 19:02 - 00024824 _____ (ASUSTeK Computer Inc.) C:\Windows\system32\Drivers\IOMap64.sys
2017-01-17 20:54 - 2017-01-17 20:54 - 06975096 _____ (Tim Kosse) C:\Users\flynn\Downloads\FileZilla_3.24.0_win64-setup.exe
2017-01-15 10:44 - 2017-01-21 17:12 - 00000192 _____ C:\Users\flynn\Desktop\download list.txt
2017-01-11 16:44 - 2017-01-06 05:55 - 00154856 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2017-01-11 16:44 - 2017-01-06 05:55 - 00095464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2017-01-11 16:44 - 2017-01-06 05:52 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2017-01-11 16:44 - 2017-01-06 05:52 - 01212928 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2017-01-11 16:44 - 2017-01-06 05:52 - 00730624 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2017-01-11 16:44 - 2017-01-06 05:52 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2017-01-11 16:44 - 2017-01-06 05:52 - 00463872 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2017-01-11 16:44 - 2017-01-06 05:52 - 00345600 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2017-01-11 16:44 - 2017-01-06 05:52 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2017-01-11 16:44 - 2017-01-06 05:52 - 00312320 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2017-01-11 16:44 - 2017-01-06 05:52 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2017-01-11 16:44 - 2017-01-06 05:52 - 00190464 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2017-01-11 16:44 - 2017-01-06 05:52 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2017-01-11 16:44 - 2017-01-06 05:52 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2017-01-11 16:44 - 2017-01-06 05:52 - 00123904 _____ (Microsoft Corporation) C:\Windows\system32\bcrypt.dll
2017-01-11 16:44 - 2017-01-06 05:52 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2017-01-11 16:44 - 2017-01-06 05:52 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2017-01-11 16:44 - 2017-01-06 05:52 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2017-01-11 16:44 - 2017-01-06 05:52 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2017-01-11 16:44 - 2017-01-06 05:52 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2017-01-11 16:44 - 2017-01-06 05:52 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2017-01-11 16:44 - 2017-01-06 04:43 - 00666112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2017-01-11 16:44 - 2017-01-06 04:43 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2017-01-11 16:44 - 2017-01-06 04:43 - 00342528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2017-01-11 16:44 - 2017-01-06 04:43 - 00261120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2017-01-11 16:44 - 2017-01-06 04:43 - 00254464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2017-01-11 16:44 - 2017-01-06 04:43 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2017-01-11 16:44 - 2017-01-06 04:43 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2017-01-11 16:44 - 2017-01-06 04:43 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2017-01-11 16:44 - 2017-01-06 04:43 - 00141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2017-01-11 16:44 - 2017-01-06 04:43 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2017-01-11 16:44 - 2017-01-06 04:43 - 00082944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\bcrypt.dll
2017-01-11 16:44 - 2017-01-06 04:43 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2017-01-11 16:44 - 2017-01-06 04:43 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2017-01-11 16:44 - 2017-01-06 04:43 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2017-01-11 16:44 - 2017-01-06 04:43 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2017-01-11 16:44 - 2017-01-06 04:42 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2017-01-11 16:44 - 2017-01-06 04:32 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2017-01-11 16:44 - 2017-01-06 04:25 - 00159744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2017-01-11 16:44 - 2017-01-06 04:24 - 00291328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2017-01-11 16:44 - 2017-01-06 04:24 - 00129536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2017-01-11 16:44 - 2017-01-06 04:24 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2017-01-11 16:44 - 2017-01-06 04:23 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2017-01-11 16:44 - 2017-01-06 04:19 - 00036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-08 19:52 - 2016-07-12 15:48 - 00000000 ____D C:\Users\flynn\AppData\Local\VirtualStore
2017-02-08 19:43 - 2016-07-12 17:15 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2017-02-08 19:37 - 2016-07-12 21:17 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-02-08 19:32 - 2009-07-14 15:45 - 00022096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-02-08 19:32 - 2009-07-14 15:45 - 00022096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-02-08 19:31 - 2009-07-14 16:13 - 00782470 _____ C:\Windows\system32\PerfStringBackup.INI
2017-02-08 19:31 - 2009-07-14 14:20 - 00000000 ____D C:\Windows\inf
2017-02-08 19:24 - 2016-07-12 16:25 - 00000000 ____D C:\ProgramData\NVIDIA
2017-02-08 19:24 - 2009-07-14 16:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-02-08 19:21 - 2016-07-12 16:54 - 00063876 _____ C:\Windows\system32\BMXStateBkp-{00000005-00000000-00000000-00001102-0000000B-00621102}.rfx
2017-02-08 19:21 - 2016-07-12 16:54 - 00063876 _____ C:\Windows\system32\BMXState-{00000005-00000000-00000000-00001102-0000000B-00621102}.rfx
2017-02-08 19:21 - 2016-07-12 16:54 - 00000900 _____ C:\Windows\system32\DVCState-{00000005-00000000-00000000-00001102-0000000B-00621102}.rfx
2017-02-08 18:43 - 2016-07-12 17:03 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-02-07 21:50 - 2016-07-12 20:42 - 00000000 ____D C:\Users\flynn\AppData\Local\Battle.net
2017-02-07 21:49 - 2016-07-12 17:38 - 00000000 ____D C:\Users\flynn\AppData\Roaming\MusicBee
2017-02-07 20:12 - 2016-07-12 17:47 - 00000000 ____D C:\Users\flynn\AppData\Roaming\foobar2000
2017-02-07 20:06 - 2016-07-12 23:08 - 00000000 ____D C:\Users\flynn\AppData\Roaming\MPC-HC
2017-02-07 19:11 - 2016-07-19 22:52 - 00000000 ____D C:\Users\flynn\AppData\Local\CrashDumps
2017-02-07 19:03 - 2016-07-12 21:11 - 00000000 ____D C:\Users\flynn\AppData\Local\Google
2017-02-07 18:56 - 2016-07-12 21:11 - 00000000 ____D C:\Program Files (x86)\Google
2017-02-06 21:04 - 2016-12-10 00:25 - 00000000 ____D C:\Users\flynn\AppData\Roaming\FileZilla
2017-01-26 15:29 - 2016-11-07 03:07 - 00000000 ____D C:\Users\flynn\AppData\Roaming\vlc
2017-01-15 16:07 - 2009-07-14 14:20 - 00000000 ____D C:\Windows\rescache
2017-01-15 06:08 - 2016-07-15 10:45 - 00000000 ____D C:\Windows\system32\MRT
2017-01-15 06:06 - 2016-07-15 10:44 - 135657872 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe

==================== Files in the root of some directories =======

2016-12-10 15:21 - 2016-12-17 07:38 - 0000600 _____ () C:\Users\flynn\AppData\Local\PUTTY.RND
2016-07-12 20:55 - 2016-07-12 20:55 - 0200713 _____ () C:\ProgramData\1468317080.bdinstall.bin
2016-11-03 11:05 - 2016-11-03 11:05 - 0000057 _____ () C:\ProgramData\Ament.ini
2016-07-12 16:08 - 2016-07-12 16:08 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2016-07-12 16:52 - 2010-01-14 18:00 - 0000235 _____ () C:\ProgramData\UDATHXD.ini

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-02-03 21:50

==================== End of FRST.txt ============================

2. Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 05-02-2017
Ran by flynn (08-02-2017 20:10:22)
Running from E:\firefox downloads
Windows 7 Professional Service Pack 1 (X64) (2016-07-12 04:48:09)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1648639942-364084454-2766153320-500 - Administrator - Disabled)
flynn (S-1-5-21-1648639942-364084454-2766153320-1000 - Administrator - Enabled) => C:\Users\flynn
Guest (S-1-5-21-1648639942-364084454-2766153320-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Bitdefender Antivirus Free Edition (Enabled - Up to date) {3FB17364-4FCC-0FA7-6BBF-973897395371}
AS: Bitdefender Antivirus Free Edition (Enabled - Up to date) {84D09280-69F6-0029-510F-AC4AECBE19CC}
AS: Spybot - Search and Destroy (Enabled - Up to date) {A16C3F68-9280-E053-1818-342707FECF4D}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Disabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acrobat.com (HKLM-x32\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1.377 - Adobe Systems Incorporated)
Acrobat.com (x32 Version: 0.0.0 - Adobe Systems Incorporated) Hidden
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.0.4990 - Adobe Systems Inc.)
Adobe Flash Player 22 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 22.0.0.210 - Adobe Systems Incorporated)
Adobe Flash Player 22 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 22.0.0.209 - Adobe Systems Incorporated)
Adobe Reader 9 (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-A90000000001}) (Version: 9.0.0 - Adobe Systems Incorporated)
AirVPN (HKLM-x32\...\AirVPN) (Version: - AirVPN - hxxps://airvpn.org)
AMD Catalyst Install Manager (HKLM\...\{5DDB9EF7-1BC0-C9C1-9829-6B9CF68AC357}) (Version: 8.0.903.0 - Advanced Micro Devices, Inc.)
Ansel (Version: 372.70 - NVIDIA Corporation) Hidden
Apple Application Support (32-bit) (HKLM-x32\...\{F2871C89-C8A5-42EE-8D45-0F02506385A6}) (Version: 5.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{9BC93467-75D1-4AA4-BD58-D9C51D88DFAB}) (Version: 5.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{55BB2110-FB43-49B3-93F4-945A0CFB0A6C}) (Version: 10.0.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{56EC47AA-5813-4FF6-8E75-544026FBEA83}) (Version: 2.2.0.150 - Apple Inc.)
Asmedia ASM104x USB 3.0 Host Controller Driver (HKLM-x32\...\{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}) (Version: 1.16.12.0 - Asmedia Technology)
Asmedia ASM106x SATA Host Controller Driver (HKLM-x32\...\{61942EF5-2CD8-47D4-869C-2E9A8BB085F1}) (Version: 1.3.4.000 - Asmedia Technology)
ASUS GPU Tweak (HKLM-x32\...\InstallShield_{532F6E8A-AF97-41C3-915F-39F718EC07D1}) (Version: 2.4.2.4 - ASUSTek COMPUTER INC.)
ASUS GPU Tweak (x32 Version: 2.4.2.4 - ASUSTek COMPUTER INC.) Hidden
ASUS Product Register Program (HKLM-x32\...\{9D29D67C-315D-46A1-A3A9-3CAF24871578}) (Version: 1.0.022 - ASUSTek Computer Inc.)
Bitdefender Antivirus Free Edition (HKLM\...\BitDefender Gonzales) (Version: 1.0.21.1109 - Bitdefender)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.20 - Piriform)
CPUID HWMonitor 1.29 (HKLM\...\CPUID HWMonitor_is1) (Version: - )
Creative Audio Control Panel (HKLM-x32\...\AudioCS) (Version: 3.00 - Creative Technology Limited)
Creative Software AutoUpdate (HKLM-x32\...\Creative Software AutoUpdate) (Version: 1.40 - Creative Technology Limited)
Creative Sound Blaster Properties x64 Edition (HKLM-x32\...\Creative Sound Blaster Properties x64 Edition) (Version: 1.02 - Creative Technology Limited)
Creative System Information (HKLM-x32\...\SysInfo) (Version: - )
Display Pilot (HKLM-x32\...\{6DD25D67-4339-47A1-950E-EEFC321CBB24}) (Version: 2.11.002 - Portrait Displays, Inc.)
Dolby Digital Live Pack (HKLM-x32\...\Dolby Digital Live Pack) (Version: 3.00 - Creative Technology Limited)
DTS Connect Pack (HKLM-x32\...\DTS Connect Pack) (Version: 1.00 - Creative Technology Limited)
Dying Light (HKLM\...\Steam App 239140) (Version: - Techland)
f.lux (HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\Flux) (Version: - )
FileZilla Client 3.17.0.1 (HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\FileZilla Client) (Version: 3.17.0.1 - Tim Kosse)
foobar2000 v1.3.10 (HKLM-x32\...\foobar2000) (Version: 1.3.10 - Peter Pawlowski)
Free Virtual Keyboard 3.0.1.0 (HKLM-x32\...\{CA4F9519-1A83-4907-8651-F17073A0E1CE}_is1) (Version: 3.0 - Comfort Software Group)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 56.0.2924.87 - Google Inc.)
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
GoPro Studio 2.0.0 (HKLM-x32\...\GoPro Studio) (Version: 2.0.0 - WoodmanLabs Inc. d.b.a. GoPro)
HP Deskjet 2050 J510 series Basic Device Software (HKLM\...\{D7716C7E-75F1-4C51-A2D5-C6A1E8311D53}) (Version: 20.0.771.0 - Hewlett-Packard Co.)
HP Deskjet 2050 J510 series Help (HKLM-x32\...\{7A3DF2E2-CF13-44FB-A93E-F71D5381DB3F}) (Version: 140.0.55.55 - Hewlett Packard)
HP DeskJet 3630 series Basic Device Software (HKLM\...\{82088106-8F3E-4C76-A919-607CB9BA02AE}) (Version: 35.0.61.54677 - Hewlett-Packard Co.)
iTunes (HKLM\...\{554C62C7-E6BB-40F1-892B-F0AE02D3C135}) (Version: 12.5.3.17 - Apple Inc.)
LG Power Tools (HKLM-x32\...\InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}) (Version: 6.0.3316 - CyberLink Corp.)
LG Power Tools (x32 Version: 6.0.3316 - CyberLink Corp.) Hidden
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Office Standard Edition 2003 (HKLM-x32\...\{91120409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.5614.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
mIRC (HKLM-x32\...\mIRC) (Version: 7.46 - mIRC Co. Ltd.)
Mozilla Firefox 51.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 51.0.1 (x86 en-US)) (Version: 51.0.1 - Mozilla)
MPC-HC 1.7.10 (64-bit) (HKLM\...\{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1) (Version: 1.7.10 - MPC-HC Team)
MusicBee 3.0 (HKLM-x32\...\MusicBee) (Version: 3.0 - Steven Mayall)
NVIDIA 3D Vision Driver 372.90 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 372.90 - NVIDIA Corporation)
NVIDIA Graphics Driver 372.90 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 372.90 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.34.15 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.34.15 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.16.0318 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.16.0318 - NVIDIA Corporation)
OpenAL (HKLM-x32\...\OpenAL) (Version: - )
Overwatch Test (HKLM-x32\...\Overwatch Test) (Version: - Blizzard Entertainment)
Pivot Pro Plugin (x32 Version: 9.61.004 - Portrait Displays, Inc.) Hidden
Plex Media Server (HKLM-x32\...\{d685b3b4-91da-4364-9e7d-f365a614d42b}) (Version: 1.3.3.3148 - Plex, Inc.)
Plex Media Server (x32 Version: 1.3.3148 - Plex, Inc.) Hidden
qBittorrent 3.3.5 (HKLM-x32\...\qBittorrent) (Version: 3.3.5 - The qBittorrent project)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.67.1226.2012 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7023 - Realtek Semiconductor Corp.)
Recuva (HKLM\...\Recuva) (Version: 1.53 - Piriform)
Revo Uninstaller Pro 3.1.7 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 3.1.7 - VS Revo Group, Ltd.)
SDK (x32 Version: 2.40.007 - Portrait Displays, Inc.) Hidden
SHIELD Streaming (Version: 7.1.0280 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (Version: 2.11.4.1 - NVIDIA Corporation) Hidden
Skype™ 7.30 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.30.105 - Skype Technologies S.A.)
Sound Blaster X-Fi (HKLM-x32\...\{20288888-A7AF-4B24-8AEB-398D20CD563C}) (Version: 1.0 - Creative Technology Limited)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Stopping Plex (x32 Version: 1.3.3148 - Plex, Inc.) Hidden
TAP-Windows 9.9.2 (HKLM\...\TAP-Windows) (Version: 9.9.2 - )
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
Vulkan Run Time Libraries 1.0.11.1 (HKLM\...\VulkanRT1.0.11.1) (Version: 1.0.11.1 - LunarG, Inc.)
Vulkan Run Time Libraries 1.0.26.0 (HKLM\...\VulkanRT1.0.26.0) (Version: 1.0.26.0 - LunarG, Inc.)
Warhammer: End Times - Vermintide (HKLM\...\Steam App 235540) (Version: - Fatshark)
Windows Driver Package - GoPro (WinUSB) Universal Serial Bus devices (03/07/2012 ) (HKLM\...\0B624A43DD66DBF5CF3EDFA9741A364E688062A4) (Version: 03/07/2012 - GoPro)
WinRAR 5.31 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.31.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {07FDA491-E404-4EE9-9A5D-60521408EBCB} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-02-07] (Google Inc.)
Task: {3DC6E7DD-7B67-4DA0-8B16-143CD46296B0} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)
Task: {44C92ACE-AF03-4B2B-8068-0C48540F1407} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2016-03-21] (Safer-Networking Ltd.)
Task: {4A3C8766-0B60-48B8-8FCF-F7253C52E414} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-02-07] (Google Inc.)
Task: {B4EAB0F5-6C7C-422D-B499-46D3A50CC518} - System32\Tasks\ASUS\ASUS Product Register Service => C:\Program Files (x86)\ASUS\APRP\aprp.exe [2013-06-21] (ASUSTek Computer Inc.)
Task: {E16C0328-F620-4247-80C4-DB94BC7B77E2} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2016-03-21] (Safer-Networking Ltd.)
Task: {EBE901F0-47AB-466A-9A7B-A5BD31E1F558} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-07-14] (Piriform Ltd)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-07-12 20:53 - 2013-03-19 12:07 - 00712288 _____ () C:\Program Files\Bitdefender\Antivirus Free Edition\sqlite3.dll
2016-07-12 20:53 - 2013-09-03 14:29 - 00111832 _____ () C:\Program Files\Bitdefender\Antivirus Free Edition\BDMetrics.dll
2016-07-12 16:25 - 2016-09-17 09:57 - 00134712 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2016-07-12 16:37 - 2013-11-12 12:44 - 00098320 _____ () C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\DP\msgHook64.dll
2016-10-05 18:17 - 2016-10-05 18:17 - 00092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2016-10-05 18:17 - 2016-10-05 18:17 - 01353528 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2012-01-17 12:24 - 2012-01-17 12:24 - 00055296 _____ () C:\Windows\SysWOW64\ASGT.exe
2016-07-16 15:02 - 2016-06-15 12:14 - 00369208 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\MessageBus.dll
2016-07-16 15:02 - 2016-06-15 12:14 - 01148984 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\libprotobuf.dll
2016-07-16 15:02 - 2016-06-15 12:14 - 03613240 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\Poco.dll
2016-07-16 15:02 - 2016-06-15 12:14 - 00289848 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamBase.dll
2016-07-16 15:02 - 2016-06-15 12:14 - 02667576 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\Plugins\NSS\NvMdnsPlugin.dll
2016-07-16 15:02 - 2016-06-15 12:14 - 01990200 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\Plugins\NSS\NvPortForwardPlugin.dll
2016-07-16 15:02 - 2016-06-15 12:14 - 01842232 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\Plugins\NSS\RtspPlugin.dll
2016-07-16 15:02 - 2016-06-15 12:14 - 00208952 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\RtspServer.dll
2016-07-12 16:37 - 2013-11-12 12:44 - 00274960 _____ () C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dthook.dll
2016-05-09 18:22 - 2016-05-09 18:22 - 00052912 _____ () C:\Program Files\FileZilla FTP Client\fzshellext_64.dll
2016-07-16 15:02 - 2016-06-15 12:14 - 00035896 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\boost_system-vc120-mt-1_58.dll
2016-07-16 15:02 - 2016-06-15 12:14 - 00921656 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\boost_regex-vc120-mt-1_58.dll
2016-07-12 16:37 - 2013-06-18 13:26 - 00677160 _____ () C:\Program Files (x86)\Portrait Displays\Pivot Pro Plugin\wpctrl.exe
2016-07-12 16:37 - 2013-06-18 13:26 - 00714024 _____ () C:\Program Files (x86)\Portrait Displays\Pivot Pro Plugin\floater.exe
2016-07-12 16:37 - 2013-11-12 12:44 - 00163344 _____ () C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\DP\DPHelper.exe
2016-07-12 16:37 - 2013-11-12 12:44 - 00197136 _____ () C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\DP\DPHelper64.exe
2016-12-15 13:53 - 2016-12-15 13:53 - 00083440 _____ () C:\Program Files (x86)\Plex\Plex Media Server\zlib.dll
2016-12-15 13:53 - 2016-12-15 13:53 - 00203248 _____ () C:\Program Files (x86)\Plex\Plex Media Server\libidn.dll
2016-07-12 17:15 - 2014-05-13 13:04 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2016-07-12 17:15 - 2014-05-13 13:04 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
2016-07-12 17:15 - 2014-05-13 13:04 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2016-07-12 17:15 - 2012-08-23 11:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
2016-07-12 17:15 - 2012-04-03 18:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2013-06-20 12:01 - 2013-06-20 12:01 - 00258048 _____ () C:\Program Files (x86)\ASUS\GPU Tweak\Vender.dll
2013-05-14 16:11 - 2013-05-14 16:11 - 00049152 _____ () C:\Program Files (x86)\ASUS\GPU Tweak\Exeio.dll
2016-07-12 16:37 - 2013-11-12 12:44 - 00093712 _____ () C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\DP\msgHook.dll
2016-07-16 15:02 - 2016-06-15 12:14 - 00020536 _____ () C:\Program Files (x86)\NVIDIA Corporation\Update Core\detoured.dll
2016-07-12 16:52 - 2009-02-06 19:52 - 00073728 _____ () C:\Windows\SysWOW64\CmdRtr.DLL
2016-07-12 16:52 - 2009-10-02 17:07 - 00176128 _____ () C:\Windows\SysWOW64\APOMngr.DLL
2016-07-12 16:37 - 2013-11-12 12:44 - 00187920 _____ () C:\Program Files (x86)\Common Files\Portrait Displays\Shared\PresetsCOM.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\Temp:054203E4 [144]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com
IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com
IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com

There are 7914 more sites.

IE restricted site: HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\007guard.com -> install.007guard.com
IE restricted site: HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\008k.com -> www.008k.com
IE restricted site: HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\00hq.com -> www.00hq.com
IE restricted site: HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\010402.com -> 010402.com
IE restricted site: HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\0scan.com -> www.0scan.com
IE restricted site: HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\10sek.com -> www.10sek.com
IE restricted site: HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\123simsen.com -> www.123simsen.com

There are 7914 more sites.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 13:34 - 2017-02-08 19:43 - 00453264 ____R C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com
127.0.0.1 www.1-2005-search.com
127.0.0.1 1-2005-search.com
127.0.0.1 123fporn.info
127.0.0.1 www.123fporn.info
127.0.0.1 www.123haustiereundmehr.com
127.0.0.1 123haustiereundmehr.com
127.0.0.1 123moviedownload.com
127.0.0.1 www.123moviedownload.com

There are 15553 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1648639942-364084454-2766153320-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\flynn\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 10.1.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP-NoScope] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [TCP Query User{D0780FB7-4D8F-472E-8F18-934E6D39EB9E}C:\program files (x86)\qbittorrent\qbittorrent.exe] => C:\program files (x86)\qbittorrent\qbittorrent.exe
FirewallRules: [UDP Query User{C64971FB-3590-4D0D-A647-3CCEA47A81CE}C:\program files (x86)\qbittorrent\qbittorrent.exe] => C:\program files (x86)\qbittorrent\qbittorrent.exe
FirewallRules: [{86B0A250-B10D-476E-BEAC-F1B2DC2E25F2}] => C:\Program Files\HP\HP DeskJet 3630 series\Bin\DeviceSetup.exe
FirewallRules: [{8EA40CE5-DB2C-470C-AD7A-32190C692EE4}] => LPort=5357
FirewallRules: [{A08899DE-71D3-4B69-802F-11B53DBE4FD2}] => C:\Program Files\HP\HP DeskJet 3630 series\Bin\HPNetworkCommunicatorCom.exe
FirewallRules: [TCP Query User{2E9D29CF-F9CE-4424-A86F-77E9271A2089}F:\games\diablo iii\diablo iii.exe] => F:\games\diablo iii\diablo iii.exe
FirewallRules: [UDP Query User{D17E0339-F6AB-4853-9572-AD4206F6A9A1}F:\games\diablo iii\diablo iii.exe] => F:\games\diablo iii\diablo iii.exe
FirewallRules: [{DE02A53F-8268-4958-8C4C-3F0A318DF9D4}] => F:\Programs\Steam\Steam.exe
FirewallRules: [{0DC13906-BA64-458F-8B6D-3119473A5EE7}] => F:\Programs\Steam\Steam.exe
FirewallRules: [TCP Query User{0E4213DD-5D3F-49D7-BEFF-896DC7E60DE4}C:\program files (x86)\qbittorrent\qbittorrent.exe] => C:\program files (x86)\qbittorrent\qbittorrent.exe
FirewallRules: [UDP Query User{CB17202E-FE78-4EF0-A500-EE9347FFCFF3}C:\program files (x86)\qbittorrent\qbittorrent.exe] => C:\program files (x86)\qbittorrent\qbittorrent.exe
FirewallRules: [TCP Query User{747CDBF5-DFDE-4E39-AEE4-C09809970E81}F:\games\overwatch\overwatch.exe] => F:\games\overwatch\overwatch.exe
FirewallRules: [UDP Query User{0661838E-73FC-426E-9457-E07DCB1718B5}F:\games\overwatch\overwatch.exe] => F:\games\overwatch\overwatch.exe
FirewallRules: [TCP Query User{055FE38D-CFA3-4063-B841-28DDBF956A20}F:\games\overwatch public test\overwatch test\overwatch.exe] => F:\games\overwatch public test\overwatch test\overwatch.exe
FirewallRules: [UDP Query User{4E913EFC-0D94-4AC1-8279-2FB529D2D75E}F:\games\overwatch public test\overwatch test\overwatch.exe] => F:\games\overwatch public test\overwatch test\overwatch.exe
FirewallRules: [TCP Query User{E1BCF0B2-41BF-4203-B75C-E29519656E77}C:\program files (x86)\skype\phone\skype.exe] => C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [UDP Query User{AEF2DF82-7B8F-4194-B020-1ECEB2BD653C}C:\program files (x86)\skype\phone\skype.exe] => C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [TCP Query User{7B48C108-290C-42F3-990B-3B0B294D0C79}F:\programs\steam\steamapps\common\dying light\dyinglightgame.exe] => F:\programs\steam\steamapps\common\dying light\dyinglightgame.exe
FirewallRules: [UDP Query User{F28DF4F4-1D40-4528-AA56-CC4C5894C773}F:\programs\steam\steamapps\common\dying light\dyinglightgame.exe] => F:\programs\steam\steamapps\common\dying light\dyinglightgame.exe
FirewallRules: [TCP Query User{B79849D8-BC1A-4B09-8056-1B9FF4190D8C}C:\program files (x86)\mirc\mirc.exe] => C:\program files (x86)\mirc\mirc.exe
FirewallRules: [UDP Query User{4922C41B-4780-458C-8C39-F688B2DFDF9F}C:\program files (x86)\mirc\mirc.exe] => C:\program files (x86)\mirc\mirc.exe
FirewallRules: [{0C5DFC86-3826-438A-84D7-657155785BD6}] => F:\Programs\Steam\steamapps\common\Warhammer End Times Vermintide\launcher\launcher.exe
FirewallRules: [{31F30E58-F177-4B39-B0E9-410180ABE9C6}] => F:\Programs\Steam\steamapps\common\Warhammer End Times Vermintide\launcher\launcher.exe
FirewallRules: [{E40A4367-8CB4-4FD0-8C43-F5E89DD4B9BD}] => F:\Programs\Steam\steamapps\common\Warhammer End Times Vermintide\binaries\vermintide.exe
FirewallRules: [{661511E0-629A-46B0-891E-95150347148E}] => F:\Programs\Steam\steamapps\common\Warhammer End Times Vermintide\binaries\vermintide.exe
FirewallRules: [{DE9E5F17-BE97-46A5-BC57-D38C71E212ED}] => F:\Programs\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe
FirewallRules: [{1D5DD280-1EED-438D-85D8-5A5901157B49}] => F:\Programs\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe
FirewallRules: [{999A44E9-B844-4590-A5AD-B52BC9EE945F}] => C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{185592A7-DE3C-4D9D-9E42-43F3434A4726}] => C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{E0E0595E-3648-42A0-9FD6-A0D792CC84C3}] => C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{62416682-07F2-4006-8D04-28BCF66B7D1F}] => C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{2A5E2EF3-A15B-4431-9C12-44D452C9B3B7}] => C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{1370A0B5-C670-4BD9-822F-650D0C8A6019}] => C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{523915A2-9AC0-4A57-8CE5-BA099E06DB7F}] => C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe
FirewallRules: [{8B261DC5-1C69-4FD4-8551-C6347C7D4709}] => C:\Program Files (x86)\Plex\Plex Media Server\PlexScriptHost.exe
FirewallRules: [{DF9A0089-473A-4C39-8CAE-D17B03B2960D}] => C:\Program Files (x86)\Plex\Plex Media Server\Plex DLNA Server.exe
FirewallRules: [TCP Query User{E012BCA4-8E7F-4473-97B1-1DD29676945A}F:\games\diablo iii public test\x64\diablo iii64.exe] => F:\games\diablo iii public test\x64\diablo iii64.exe
FirewallRules: [UDP Query User{30BA62A1-D935-4697-9C0F-277B1C1D591F}F:\games\diablo iii public test\x64\diablo iii64.exe] => F:\games\diablo iii public test\x64\diablo iii64.exe
FirewallRules: [{828FAC62-AF28-4B89-BC81-DBFEADB1253F}] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{F1ABE3F5-3850-4C00-AE2E-78F3A5F20BBD}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{45B1DFBF-FEE3-4884-A1F8-242A3AE7FC4A}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

==================== Restore Points =========================

26-12-2016 12:06:18 Windows Backup
27-12-2016 10:31:26 Plex Media Server
27-12-2016 10:32:28 Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215
01-01-2017 19:00:57 Windows Backup
08-01-2017 19:00:58 Windows Backup
15-01-2017 06:05:08 Windows Update
15-01-2017 19:01:16 Windows Backup
22-01-2017 19:01:14 Windows Backup
29-01-2017 19:01:23 Windows Backup
05-02-2017 21:21:07 Windows Backup

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (02/08/2017 07:24:24 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/08/2017 06:44:10 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/07/2017 06:38:19 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/06/2017 06:41:45 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/05/2017 09:10:56 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/05/2017 02:10:39 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/05/2017 08:14:36 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/04/2017 10:16:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: EtHost.exe, version: 1.1.10.0, time stamp: 0x51e86968
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc000041d
Fault offset: 0x75454f69
Faulting process id: 0x1798
Faulting application start time: 0x01d27e5fdb383299
Faulting application path: C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\ET\EtHost.exe
Faulting module path: unknown
Report Id: 71cd23d3-eacb-11e6-bf42-e03f4977e54d

Error: (02/04/2017 12:34:45 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Battle.net.exe, version: 1.6.0.8293, time stamp: 0x588110c1
Faulting module name: Qt5Core.dll, version: 5.6.2.0, time stamp: 0x584772f7
Exception code: 0xc0000005
Fault offset: 0x00155e5d
Faulting process id: 0x18b4
Faulting application start time: 0x01d27e86014f7fb2
Faulting application path: F:\Games\Battle.net\Battle.net.8293\Battle.net.exe
Faulting module path: F:\Games\Battle.net\Battle.net.8293\Qt5Core.dll
Report Id: 1b841ef1-ea7a-11e6-bf42-e03f4977e54d

Error: (02/04/2017 07:54:41 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.


System errors:
=============
Error: (02/06/2017 07:06:44 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk6\DR6.

Error: (02/06/2017 07:06:43 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk6\DR6.

Error: (02/06/2017 07:06:42 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk6\DR6.

Error: (02/06/2017 06:42:16 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (02/06/2017 06:42:16 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

Error: (02/06/2017 06:41:44 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (02/06/2017 06:41:44 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

Error: (02/01/2017 08:10:02 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (02/01/2017 07:14:40 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk6\DR6.

Error: (02/01/2017 07:14:39 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk8\DR8.


==================== Memory info ===========================

Processor: AMD FX(tm)-8320 Eight-Core Processor
Percentage of memory in use: 20%
Total physical RAM: 16281.73 MB
Available physical RAM: 13001.56 MB
Total Virtual: 32561.65 MB
Available Virtual: 28816.39 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.66 GB) (Free:394.13 GB) NTFS
Drive d: (New Volume) (Fixed) (Total:1862.89 GB) (Free:652.47 GB) NTFS
Drive e: (New Volume) (Fixed) (Total:2794.39 GB) (Free:142.55 GB) NTFS
Drive f: (New Volume) (Fixed) (Total:2794.39 GB) (Free:259.03 GB) NTFS
Drive h: (Elements) (Fixed) (Total:2794.49 GB) (Free:142.32 GB) NTFS
Drive i: (Elements) (Fixed) (Total:1863.01 GB) (Free:309.15 GB) NTFS
Drive j: (Seagate Expansion Drive) (Fixed) (Total:1863.01 GB) (Free:571.6 GB) NTFS
Drive k: (SAMSUNG) (Fixed) (Total:1862.79 GB) (Free:117.78 GB) FAT32
Drive l: (Elements) (Fixed) (Total:2794.49 GB) (Free:2056.12 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 2794.5 GB) (Disk ID: 00000000)

Partition: GPT.

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 00000000)

Partition: GPT.

========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 2794.5 GB) (Disk ID: 00000000)

Partition: GPT.

========================================================
Disk: 3 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: D05E9F5C)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS)
Attempted reading MBR returned 0 bytes.
Could not read MBR for disk 4.

========================================================
Disk: 5 (MBR Code: Windows XP) (Size: 1863 GB) (Disk ID: 00080049)
Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)

========================================================
Disk: 6 (MBR Code: Windows XP) (Size: 1863 GB) (Disk ID: FC8C6AC1)
Partition 1: (Active) - (Size=1863 GB) - (Type=07 NTFS)
Attempted reading MBR returned 0 bytes.
Could not read MBR for disk 7.

========================================================
Disk: 8 (Size: 2794.5 GB) (Disk ID: 16F2A91F)

Partition: GPT.

==================== End of Addition.txt ============================
purgemypcplease
Active Member
 
Posts: 10
Joined: February 8th, 2017, 5:14 am

Re: Malware removal for PC - infected from porn sites??

Unread postby mAL_rEm018 » February 11th, 2017, 8:25 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the Malware Removal forum and wait for help.

Failure to post replies within 3 days will result in this thread being closed.


Hello purgemypcplease,

Welcome to Malware Removal! My name is mAL_rEm018, but feel free to call me mAL. I will be helping you with your malware related problems :)

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


Because of this, I advise you to backup any personal files and folders before you start.

To make sure everything goes smoothly, I would like you to observe the following rules:
  • You must have Administrator rights, permissions for this computer.
  • Please reply to this thread. Do not start another topic.
  • Perform all actions in the order given.
  • If you don't know, stop and ask!
  • DO NOT run any other fix or removal tools unless instructed to do so!
  • Don't attempt to install any new software (other than those I ask you to) until your computer is clean.
  • DO NOT post for help at any other forum. Applying fixes from multiple help sites can cause problems.
  • I advise you to print the instructions if possible, since your internet connection might not be available during some of the fixes.
  • Absence of symptoms does not mean that everything is clear, therefore stick with this topic until I give you the "all clear".

I am currently reviewing your logs and will return as soon as possible, with additional instructions. In the meantime I would like you to read and get acquainted with the following topic: HOW TO GET HELP IN THIS FORUM - everyone must read this, where the conditions for receiving help here are explained.
mAL_rEm018
Admin/Teacher
 
Posts: 2689
Joined: November 11th, 2013, 6:26 pm
Location: Saint-Petersburg, Russia

Re: Malware removal for PC - infected from porn sites??

Unread postby purgemypcplease » February 12th, 2017, 8:10 am

Hi Mark, thanks for your help!
purgemypcplease
Active Member
 
Posts: 10
Joined: February 8th, 2017, 5:14 am

Re: Malware removal for PC - infected from porn sites??

Unread postby purgemypcplease » February 12th, 2017, 8:12 am

Mal ** . Autocorrect misspelt it.
purgemypcplease
Active Member
 
Posts: 10
Joined: February 8th, 2017, 5:14 am

Re: Malware removal for PC - infected from porn sites??

Unread postby mAL_rEm018 » February 12th, 2017, 8:56 am

Hello purgemypcplease,

Could you please provide a description of how your computer is behaving? You didn't include one in your initial post.

Back up your registry using TCRB
  • Please download TCRB to your Desktop.
  • Open Tweaking.com Registry Backup.
  • Click on the Backup Registry tab and ensure that all options are checked.
  • Press on Backup Now.
  • Wait until the backup is complete and exit the program.

Next..

Adwcleaner
  • Please download AdwCleaner to your Desktop.
  • Close all your programs and right-click AdwCleaner.exe and select Run as administrator.
  • Click on Scan.
  • After the scan is over, select Logfile.
  • A notepad window will open. Please copy/paste the contents in your next reply.
    Note: do not select Cleaning at this point

purgemypcplease wrote: I've run the standard malware anti-bytes, spybot search and destroy, cc-cleaner registry cleaner, and the basic stuff.

I will need to see the Malwarebytes report. Please follow the steps below to retrieve it:
  • Please open Malwarebytes Anti-Malware.
  • Click History and then select Application Logs.
  • Double-click on the scan log by looking at the timestamp (it should be in the following order: Day/Month/Year Time)
  • Click Export and select Text file (*.txt).
  • In the File name: box, please write MBAM Log and save it to your desktop.
  • Once the process is over, a message will appear stating that the file has been successfully exported. Click OK.
  • Please post the contents of MBAM Log.txt in your next reply.


-----------------------------------------
In your next reply, I would like to see..
  • Did you have trouble with any of the steps?
  • Description of your computer's behavior.
  • Adwcleaner report.
  • MBAM Log.txt
mAL_rEm018
Admin/Teacher
 
Posts: 2689
Joined: November 11th, 2013, 6:26 pm
Location: Saint-Petersburg, Russia

Re: Malware removal for PC - infected from porn sites??

Unread postby purgemypcplease » February 12th, 2017, 5:07 pm

Sure -- I will complete this when I get home from work later. Thanks again.
purgemypcplease
Active Member
 
Posts: 10
Joined: February 8th, 2017, 5:14 am

Re: Malware removal for PC - infected from porn sites??

Unread postby purgemypcplease » February 14th, 2017, 4:03 am

Hi mAL,

Okay thank you for your help.

Here are the details as requested.

There was no trouble with any of the steps. The Malwarebytes log was easily retrieved; however, Malwarebytes never seems to detect any infections. Spybot Search & Destroy generally seems to find more things to fix upon scanning.

I suspect my PC may have some kind of background infection of adware or spyware, maybe IP logged, as certain websites (generally porn-based websites) seem to not operate properly when browsing, such as very slow response times or pictures not loading, very slow speeds, whereas other normal websites seem to work without any issues. And in general I'm concerned, with all the ads that sites like Pornhub create, that I may have gotten some kind of virus or infection on my PC.



1. TCRB backup has been created.
2. AdwCleaner log file contents here: (says two threats found)

# AdwCleaner v6.043 - Logfile created 14/02/2017 at 18:56:34
# Updated on 27/01/2017 by Malwarebytes
# Database : 2017-02-13.1 [Server]
# Operating System : Windows 7 Professional Service Pack 1 (X64)
# Username : flynn - FLYNN-PC
# Running from : E:\firefox downloads\AdwCleaner.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

No malicious folders found.


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

No malicious registry entries found.


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
Chrome pref Found: [C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found: [C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [1159 Bytes] - [14/02/2017 18:56:34]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1232 Bytes] ##########





3. Malwarebytes log file from 8th of Feb 2017 (most recent scan, can do a new scan if requested)


Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 08-Feb-17
Scan Time: 7:37 PM
Logfile: MBAM log.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2017.02.08.02
Rootkit Database: v2016.11.20.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: flynn

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 296240
Time Elapsed: 3 min, 11 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
purgemypcplease
Active Member
 
Posts: 10
Joined: February 8th, 2017, 5:14 am

Re: Malware removal for PC - infected from porn sites??

Unread postby mAL_rEm018 » February 15th, 2017, 12:39 am

Hello purgemypcplease,

Well I'm not seeing anything that would indicate an active infection is present on your computer. That being said, you ran FRST 6 days ago and things might have changed since then, so in this post I will give you the instructions to run a fresh scan.


Removing a program in Windows 7
  • Click the Start Menu and select Control Panel.
  • Click Programs, then Programs and Features.
  • Select the following programs:
    qBittorrent 3.3.5
  • Select Uninstall.
  • When prompted select Yes.
  • Answer any questions attentively.
  • When the process is finished, please restart your computer.
Note: you can only remove one program at a time.

purgemypcplease wrote: AdwCleaner log file contents here: (says two threats found)

The two threats found are Potentially Unwanted Programs (AOL and ASK). If you wish to remove them, please do the following:

Adwcleaner
  • Close all your programs and right-click AdwCleaner.exe and select Run as administrator.
  • Click on Scan.
  • After the scan is over, select Clean.
  • Note: All programs will be closed and your computer will be rebooted, therefore I advise you to save any unsaved work.
  • A notepad window will open. Please copy/paste the contents in your next reply.

Next..

  • Double-click Frst.exe to launch it.
  • FRST will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Copy/Paste or Type the following line into the Search: box.
    babylon;Bandoo;CleverSearch;conduit;datamngr;Fun4IM;iLivid;Istartsurf;kelkoopartners;Luckysearches;QuickSurf;Searchnu;Searchqu;SharkManCoupon;sushileads;SweetIM;SweetPacks;TidyNetwork;trolltech;whitesmoke;Wordinator;WordSurfer

    • Press the Search Registry button.
    • When finished searching a log will open on your Desktop ... SearchReg.txt
    • Please post it in your next reply.

I need to see a fresh FRST log..

  • Right-click on FRST64.exe and select Run as administrator.
  • Ensure that Addition.txt is checked.
  • Select Scan.
  • When the scan is over two windows will open, FRST.txt and Addition.txt.
  • Please post the contents of both logs in your next reply.


-----------------------------------------
In your next reply, I would like to see..
  • Did you have trouble with any of the steps?
  • Adwcleaner report (if you chose to remove the PUPs)
  • SearchReg.txt
  • FRST.txt
  • Addition.txt
mAL_rEm018
Admin/Teacher
 
Posts: 2689
Joined: November 11th, 2013, 6:26 pm
Location: Saint-Petersburg, Russia
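The registry search requested above writes a SearchReg.txt listing every key or value whose text contains one of the search terms. A substring search of that kind over-reports: a term can land inside an unrelated identifier, ZoneMap domain entries only record site-to-zone mappings, and Internet Explorer's Extension Compatibility list names add-ons IE knows about rather than add-ons that are loaded. The Python script below is an added example, not FRST's own code and not anything posted by the helper or the poster; it parses a constructed SearchReg.txt in the format FRST produces and sorts the hits into buckets so that only the unexplained ones land in the review queue. The registry paths and GUIDs in the sample are copied from the log posted later in this thread; the "conduit" Run entry and its path are hypothetical, added to exercise the review bucket.

```python
import re
from collections import defaultdict

# Constructed sample in the FRST "Search Registry" output format (SearchReg.txt).
# Most keys are copied from the log posted in this thread; the "conduit" Run
# value and its path are hypothetical and exist only to exercise the review bucket.
SAMPLE_SEARCHREG = r'''Farbar Recovery Scan Tool (x64) Version: 05-02-2017
Boot Mode: Normal

================== Search Registry: "babylon;Searchqu;SweetIM;conduit" ===========


===================== Search result for "babylon" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
"DllName"="BabylonToolbar.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
"DllName"="BabylonToolbar.dll"


===================== Search result for "Searchqu" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
""="ISearchQueryHelper"


===================== Search result for "SweetIM" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetim.com]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetim.com]


===================== Search result for "conduit" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ConduitEngine"="rundll32.exe C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll,Start"

====== End of Search ======
'''

SECTION_RE = re.compile(r'^=+ Search result for "(?P<term>[^"]+)" =+$')
KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')
END_RE = re.compile(r'^=+ End of Search =+$')


def parse_searchreg(text):
    """Return {search term: [{'key': registry key, 'values': {name: data}}]}."""
    hits = defaultdict(list)
    term, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            term, current = m.group('term'), None
            continue
        if END_RE.match(line):
            break
        if term is None:          # header lines before the first result section
            continue
        m = KEY_RE.match(line)
        if m:
            current = {'key': m.group('key'), 'values': {}}
            hits[term].append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current['values'][m.group('name')] = m.group('data')
    return dict(hits)


def term_only_embedded(term, texts):
    """True when every occurrence of `term` sits inside a longer alphanumeric
    token on both sides, e.g. "Searchqu" inside "ISearchQueryHelper"."""
    t = term.lower()
    found = False
    for text in texts:
        low = text.lower()
        start = 0
        while (i := low.find(t, start)) >= 0:
            found = True
            before = low[i - 1] if i > 0 else ''
            after = low[i + len(t)] if i + len(t) < len(low) else ''
            if not (before.isalnum() and after.isalnum()):
                return False      # at least one hit is at a token boundary
            start = i + 1
    return found


def classify_hit(term, hit):
    """Bucket one hit: known-inert locations first, then substring noise, else review."""
    key = hit['key'].lower()
    texts = [hit['key']] + list(hit['values']) + list(hit['values'].values())
    if '\\internet settings\\zonemap\\' in key:
        return 'zonemap-residue'          # site-to-zone mapping, loads nothing
    if '\\internet explorer\\extension compatibility\\' in key:
        return 'ie-compat-list'           # IE's add-on compatibility list, not a load point
    if term_only_embedded(term, texts):
        return 'substring-noise'          # term matched inside an unrelated identifier
    return 'review'                       # Run keys, BHOs, services: a human looks here first


def triage(text):
    """Return {term: {category: [registry keys]}} for a SearchReg.txt body."""
    report = {}
    for term, hits in parse_searchreg(text).items():
        buckets = defaultdict(list)
        for hit in hits:
            buckets[classify_hit(term, hit)].append(hit['key'])
        report[term] = dict(buckets)
    return report


def review_queue(text):
    """Registry keys not explained away by the buckets above."""
    return [k for buckets in triage(text).values() for k in buckets.get('review', [])]


if __name__ == '__main__':
    for term, buckets in triage(SAMPLE_SEARCHREG).items():
        for category, keys in buckets.items():
            print(f'{term:10} {category:16} {len(keys)} hit(s)')
    print('review first:', review_queue(SAMPLE_SEARCHREG))
```

Run on the sample, the two "babylon" hits and the "SweetIM" hits are explained by their location, the "Searchqu" hit is flagged as a substring match inside "ISearchQueryHelper", and only the hypothetical Run value reaches the review queue. The buckets are deliberately narrow: anything the script cannot positively explain stays in "review", which is the conservative default for triage.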

Re: Malware removal for PC - infected from porn sites??

Unread postby purgemypcplease » February 15th, 2017, 5:51 am

hi mAL,

Thanks for your reply.

Okay so, I uninstalled qBittorrent without any issues.

Running AdwCleaner did create an issue. I closed all programs and right-clicked "Run as administrator" on AdwCleaner. The PC then went unresponsive. The standard window that opens to say "do you authorise this program to run as admin" auto-closed and the computer went unresponsive, but the screen did not change. The mouse was still movable, but clicking the desktop or the folder did nothing. I could hear the PC/hard drive working in the background, but the PC was unresponsive.

After about a minute, I disconnected my modem and disconnected from the internet; still no change.

Next I opened up the Task Manager with Ctrl+Alt+Delete, and when I clicked Task Manager, it returned me to a black Windows screen.

I Ctrl+Alt+Deleted back to the standard Windows screen and tried to log out, when I was returned to the same black screen.

I Ctrl+Alt+Deleted again and this time opted to shut down, which also did not seem to work.

So I hit the reset button and rebooted the PC in safe mode, while offline.

From there I was able to complete all the scans without any issues, removed the Ask/AOL programs, etc.

This time when opening AdwCleaner as administrator (while in safe mode, offline) it opened normally and prompted the "do you authorise this program to make changes to your PC" as usual.

I'm not sure, maybe I am being paranoid about the infection on my PC, as you are saying you are not seeing any typical signs. However, that instance of AdwCleaner making the computer go unresponsive did seem peculiar to me, as that generally never happens. I think I may have some kind of virus that hides itself when being detected? Or shuts off and goes dormant or something like that? I don't know.. maybe I'm just being paranoid or something.



Here are the requested logs:

1. AdwCleaner scan report (completed offline while in safe mode)
# AdwCleaner v6.043 - Logfile created 15/02/2017 at 20:01:56
# Updated on 27/01/2017 by Malwarebytes
# Database : 2017-02-13.1 [Local]
# Operating System : Windows 7 Professional Service Pack 1 (X64)
# Username : flynn - FLYNN-PC
# Running from : E:\firefox downloads\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****



***** [ Folders ] *****



***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****



***** [ Web browsers ] *****

[-] [C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [986 Bytes] - [15/02/2017 20:01:56]
C:\AdwCleaner\AdwCleaner[S0].txt - [1311 Bytes] - [14/02/2017 18:56:34]
C:\AdwCleaner\AdwCleaner[S1].txt - [1383 Bytes] - [15/02/2017 20:01:33]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1204 Bytes] ##########


2. SearchReg.txt

Farbar Recovery Scan Tool (x64) Version: 05-02-2017
Ran by flynn (15-02-2017 20:15:25)
Running from E:\firefox downloads
Boot Mode: Normal

================== Search Registry: "babylon;Bandoo;CleverSearch;conduit;datamngr;Fun4IM;iLivid;Istartsurf;kelkoopartners;Luckysearches;Quicksurf;Searchqu;SharkManCoupon;sushileads;SweetIM;SweetPacks;TidyNetwork;trolltech;whitesmoke;Wordinator;WordSurfer" ===========


===================== Search result for "babylon" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
"DllName"="BabylonToolbar.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}]
"DllName"="BabylonToolbar.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
"DllName"="BabylonToolbarTlbr.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
"DllName"="BabylonToolbar.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}]
"DllName"="BabylonToolbar.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
"DllName"="BabylonToolbarTlbr.dll"


===================== Search result for "Searchqu" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
""="ISearchQueryHelper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
""="ISearchQueryHelper"


===================== Search result for "SweetIM" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetim.com]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetim.com]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetim.com]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetim.com]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetim.com]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetim.com]

[HKEY_USERS\S-1-5-21-1648639942-364084454-2766153320-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetim.com]

[HKEY_USERS\S-1-5-21-1648639942-364084454-2766153320-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetim.com]


===================== Search result for "SweetPacks" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetpacks.com]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetpacks.com]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetpacks.com]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetpacks.com]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetpacks.com]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetpacks.com]

[HKEY_USERS\S-1-5-21-1648639942-364084454-2766153320-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetpacks.com]

[HKEY_USERS\S-1-5-21-1648639942-364084454-2766153320-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetpacks.com]

====== End of Search ======


3. FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 05-02-2017
Ran by flynn (administrator) on FLYNN-PC (15-02-2017 20:17:19)
Running from E:\firefox downloads
Loaded Profiles: flynn (Available Profiles: flynn)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Bitdefender) C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
() C:\Windows\SysWOW64\ASGT.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe
(Plex, Inc.) C:\Program Files (x86)\Plex\Plex Media Server\Plex Update Service.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(ASUS) C:\Program Files (x86)\ASUS\GPU Tweak\GPUTweak.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(Bitdefender) C:\Program Files\Bitdefender\Antivirus Free Edition\gziface.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Flux Software LLC) C:\Users\flynn\AppData\Local\FluxSoftware\Flux\flux.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
(Portrait Displays, Inc) C:\Program Files (x86)\BenQ\Display Pilot\dthtml.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Portrait Displays Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Shared\HookManager.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(ASUS) C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdiSDKHelper.exe
() C:\Program Files (x86)\Portrait Displays\Pivot Pro Plugin\wpCtrl.exe
() C:\Program Files (x86)\Portrait Displays\Pivot Pro Plugin\Floater.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\ET\EtHost.exe
() C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\DP\DPHelper.exe
() C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\DP\DPHelper64.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7202520 2013-08-19] (Realtek Semiconductor)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2398776 2016-06-15] (NVIDIA Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2016-11-01] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [34672 2008-06-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [PivotSoftware] => C:\Program Files (x86)\Portrait Displays\Pivot Pro Plugin\Pivot_startup.exe [112424 2013-06-18] ()
HKLM-x32\...\Run: [DT BEN] => C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe [122384 2013-11-12] (Portrait Displays, Inc.)
HKLM-x32\...\Run: [VolPanel] => C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe [241789 2009-07-07] (Creative Technology Ltd)
HKLM-x32\...\Run: [UpdReg] => C:\Windows\UpdReg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [UpdatePSTShortCut] => C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe [210216 2009-09-29] (CyberLink Corp.)
HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8891608 2016-07-14] (Piriform Ltd)
HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\Run: [f.lux] => C:\Users\flynn\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-24] (Flux Software LLC)
HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\MountPoints2: {ea1d704e-4878-11e6-ae67-806e6f6e6963} - G:\.\Bin\ASSETUP.exe
BootExecute: autocheck autochk * sdnclean64.exe
GroupPolicy\User: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 10.1.1.1
Tcpip\..\Interfaces\{6D32B02C-29D3-4172-81C9-44948DD3CC5B}: [NameServer] 10.5.0.1
Tcpip\..\Interfaces\{6D32B02C-29D3-4172-81C9-44948DD3CC5B}: [DhcpNameServer] 10.5.0.1
Tcpip\..\Interfaces\{DA720BB9-99B9-459B-9C11-6BF324A31CD1}: [DhcpNameServer] 10.1.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-1648639942-364084454-2766153320-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.facebook.com/seekingsalvation
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11] (Adobe Systems Incorporated)
DPF: HKLM-x32 {D4B68B83-8710-488B-A692-D74B50BA558E} hxxp://files.creative.com/Web/softwareu ... PIDPDE.cab
DPF: HKLM-x32 {E705A591-DA3C-4228-B0D5-A356DBA42FBF} hxxp://files.creative.com/Web/softwareu ... TSUEng.cab
DPF: HKLM-x32 {F6ACF75C-C32C-447B-9BEF-46B766368D29} hxxp://files.creative.com/Web/softwareu ... /CTPID.cab

FireFox:
========
FF DefaultProfile: z4roa0cw.default
FF ProfilePath: C:\Users\flynn\AppData\Roaming\Mozilla\Firefox\Profiles\z4roa0cw.default [2017-02-15]
FF Homepage: Mozilla\Firefox\Profiles\z4roa0cw.default -> hxxps://duckduckgo.com/
FF Extension: (Disconnect) - C:\Users\flynn\AppData\Roaming\Mozilla\Firefox\Profiles\z4roa0cw.default\Extensions\2.0@disconnect.me.xpi [2016-07-12]
FF Extension: (HTTPS Everywhere) - C:\Users\flynn\AppData\Roaming\Mozilla\Firefox\Profiles\z4roa0cw.default\Extensions\https-everywhere@eff.org.xpi [2017-02-02]
FF Extension: (RequestPolicy) - C:\Users\flynn\AppData\Roaming\Mozilla\Firefox\Profiles\z4roa0cw.default\Extensions\requestpolicy@requestpolicy.com.xpi [2016-07-14]
FF Extension: (UAControl) - C:\Users\flynn\AppData\Roaming\Mozilla\Firefox\Profiles\z4roa0cw.default\Extensions\uacontrol@qz.tsugumi.org.xpi [2016-07-14]
FF Extension: (uBlock Origin) - C:\Users\flynn\AppData\Roaming\Mozilla\Firefox\Profiles\z4roa0cw.default\Extensions\uBlock0@raymondhill.net.xpi [2017-02-08]
FF Extension: (User-Agent JS Fixer) - C:\Users\flynn\AppData\Roaming\Mozilla\Firefox\Profiles\z4roa0cw.default\Extensions\{086e582e-455b-4289-bfab-e90da7c0558b}.xpi [2016-07-14]
FF Extension: (NoScript) - C:\Users\flynn\AppData\Roaming\Mozilla\Firefox\Profiles\z4roa0cw.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2017-01-19]
FF ProfilePath: C:\Users\flynn\AppData\Roaming\Mozilla\Firefox\Profiles\24hemwe1.testing [2017-02-15]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-08-01] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-08-01] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2016-09-17] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2016-09-17] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-02-07] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-02-07] (Google Inc.)

Chrome:
=======
CHR Profile: C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default [2017-02-15]
CHR Extension: (Google Slides) - C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-02-07]
CHR Extension: (Google Docs) - C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-02-07]
CHR Extension: (Google Drive) - C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-02-07]
CHR Extension: (YouTube) - C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-02-07]
CHR Extension: (Google Sheets) - C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-02-07]
CHR Extension: (Google Docs Offline) - C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-02-07]
CHR Extension: (Chrome Web Store Payments) - C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-02-07]
CHR Extension: (Gmail) - C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-02-07]
CHR Extension: (Chrome Media Router) - C:\Users\flynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-07]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
R2 ASGT; C:\Windows\SysWOW64\ASGT.exe [55296 2012-01-17] () [File not signed]
S3 Creative ALchemy AL6 Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [79360 2016-07-12] (Creative Labs) [File not signed]
S3 Creative Audio Engine Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2016-07-12] (Creative Labs) [File not signed]
R2 CTAudSvcService; C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe [294912 2010-09-30] (Creative Technology Ltd) [File not signed]
R2 DTSRVC; C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe [138768 2013-11-12] (Portrait Displays, Inc.)
R2 gzserv; C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe [79552 2016-03-02] (Bitdefender)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1881144 2016-06-15] (NVIDIA Corporation)
R3 NvStreamNetworkSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [3634232 2016-06-15] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [2522680 2016-06-15] (NVIDIA Corporation)
R2 PlexUpdateService; C:\Program Files (x86)\Plex\Plex Media Server\Plex Update Service.exe [1919472 2016-12-15] (Plex, Inc.)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [4088608 2016-09-21] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [235984 2016-11-24] (Safer-Networking Ltd.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 asahci64; C:\Windows\System32\DRIVERS\asahci64.sys [49760 2012-01-06] (Asmedia Technology)
R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [718840 2013-04-17] (BitDefender)
U5 avchv; C:\Windows\System32\Drivers\avchv.sys [261056 2012-11-02] (BitDefender)
R3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [593144 2013-04-17] (BitDefender)
R1 bdfwfpf; C:\Program Files\Bitdefender\Antivirus Free Edition\bdfwfpf.sys [121928 2013-07-02] (Bitdefender SRL)
R1 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [148696 2013-04-22] (BitDefender LLC)
R3 IOMap; C:\Windows\system32\drivers\IOMap64.sys [24824 2013-02-19] (ASUSTeK Computer Inc.)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [28216 2016-06-15] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [56384 2016-04-14] (NVIDIA Corporation)
R0 trufos; C:\Windows\System32\DRIVERS\trufos.sys [382536 2013-05-28] (BitDefender S.R.L.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-15 20:16 - 2017-02-15 20:16 - 00003977 _____ C:\Users\flynn\Desktop\SearchReg.txt
2017-02-15 20:05 - 2017-02-15 20:05 - 00001283 _____ C:\Users\flynn\Desktop\1-AdwCleaner[C0].txt
2017-02-15 20:05 - 2013-02-19 19:02 - 00024824 _____ (ASUSTeK Computer Inc.) C:\Windows\system32\Drivers\IOMap64.sys
2017-02-15 19:59 - 2017-02-15 20:01 - 00270660 _____ C:\Windows\ntbtlog.txt
2017-02-14 18:56 - 2017-02-14 18:56 - 00001311 _____ C:\Users\flynn\Desktop\AdwCleaner[S0].txt
2017-02-14 18:53 - 2017-02-15 20:05 - 00000000 ____D C:\AdwCleaner
2017-02-14 18:53 - 2017-02-14 18:53 - 00000207 _____ C:\Windows\tweaking.com-regbackup-FLYNN-PC-Windows-7-Professional-(64-bit).dat
2017-02-14 18:52 - 2017-02-14 18:52 - 00017983 _____ C:\Windows\Tweaking.com - Registry Backup Setup Log.txt
2017-02-14 18:52 - 2017-02-14 18:52 - 00002235 _____ C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
2017-02-14 18:52 - 2017-02-14 18:52 - 00000000 ____D C:\RegBackup
2017-02-14 18:52 - 2017-02-14 18:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2017-02-14 18:52 - 2017-02-14 18:52 - 00000000 ____D C:\Program Files (x86)\Tweaking.com
2017-02-14 18:49 - 2017-02-14 18:49 - 00001056 _____ C:\Users\flynn\Desktop\MBAM log.txt
2017-02-08 20:09 - 2017-02-15 20:17 - 00000000 ____D C:\FRST
2017-02-08 19:43 - 2017-02-08 19:39 - 00453264 ____R C:\Windows\system32\Drivers\etc\hosts.20170208-194327.backup
2017-02-07 19:53 - 2017-02-15 19:55 - 00000000 ____D C:\Users\flynn\AppData\LocalLow\Mozilla
2017-02-07 18:56 - 2017-02-07 18:56 - 00003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2017-02-07 18:56 - 2017-02-07 18:56 - 00003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2017-02-07 18:56 - 2017-02-07 18:56 - 00002267 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-01-17 20:54 - 2017-01-17 20:54 - 06975096 _____ (Tim Kosse) C:\Users\flynn\Downloads\FileZilla_3.24.0_win64-setup.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-15 20:12 - 2009-07-14 15:45 - 00022096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-02-15 20:12 - 2009-07-14 15:45 - 00022096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-02-15 20:11 - 2009-07-14 16:13 - 00782470 _____ C:\Windows\system32\PerfStringBackup.INI
2017-02-15 20:11 - 2009-07-14 14:20 - 00000000 ____D C:\Windows\inf
2017-02-15 20:04 - 2016-07-12 16:25 - 00000000 ____D C:\ProgramData\NVIDIA
2017-02-15 20:04 - 2009-07-14 16:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-02-15 19:50 - 2016-07-12 16:54 - 00063876 _____ C:\Windows\system32\BMXStateBkp-{00000005-00000000-00000000-00001102-0000000B-00621102}.rfx
2017-02-15 19:50 - 2016-07-12 16:54 - 00063876 _____ C:\Windows\system32\BMXState-{00000005-00000000-00000000-00001102-0000000B-00621102}.rfx
2017-02-15 19:50 - 2016-07-12 16:54 - 00000900 _____ C:\Windows\system32\DVCState-{00000005-00000000-00000000-00001102-0000000B-00621102}.rfx
2017-02-14 22:37 - 2016-07-12 17:38 - 00000000 ____D C:\Users\flynn\AppData\Roaming\MusicBee
2017-02-14 20:17 - 2016-07-12 23:08 - 00000000 ____D C:\Users\flynn\AppData\Roaming\MPC-HC
2017-02-14 18:48 - 2016-07-12 21:17 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-02-14 18:45 - 2016-07-19 22:52 - 00000000 ____D C:\Users\flynn\AppData\Local\CrashDumps
2017-02-12 22:06 - 2016-07-12 20:42 - 00000000 ____D C:\Users\flynn\AppData\Local\Battle.net
2017-02-12 18:31 - 2016-07-12 17:47 - 00000000 ____D C:\Users\flynn\AppData\Roaming\foobar2000
2017-02-11 08:20 - 2016-12-10 00:25 - 00000000 ____D C:\Users\flynn\AppData\Roaming\FileZilla
2017-02-08 19:52 - 2016-07-12 15:48 - 00000000 ____D C:\Users\flynn\AppData\Local\VirtualStore
2017-02-08 19:43 - 2016-07-12 17:15 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2017-02-08 18:43 - 2016-07-12 17:03 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-02-07 19:03 - 2016-07-12 21:11 - 00000000 ____D C:\Users\flynn\AppData\Local\Google
2017-02-07 18:56 - 2016-07-12 21:11 - 00000000 ____D C:\Program Files (x86)\Google
2017-01-26 15:29 - 2016-11-07 03:07 - 00000000 ____D C:\Users\flynn\AppData\Roaming\vlc
2017-01-21 17:12 - 2017-01-15 10:44 - 00000192 _____ C:\Users\flynn\Desktop\download list.txt

==================== Files in the root of some directories =======

2016-12-10 15:21 - 2016-12-17 07:38 - 0000600 _____ () C:\Users\flynn\AppData\Local\PUTTY.RND
2016-07-12 20:55 - 2016-07-12 20:55 - 0200713 _____ () C:\ProgramData\1468317080.bdinstall.bin
2016-11-03 11:05 - 2016-11-03 11:05 - 0000057 _____ () C:\ProgramData\Ament.ini
2016-07-12 16:08 - 2016-07-12 16:08 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2016-07-12 16:52 - 2010-01-14 18:00 - 0000235 _____ () C:\ProgramData\UDATHXD.ini

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-02-12 15:00

==================== End of FRST.txt ============================



4. addition.txt

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 05-02-2017
Ran by flynn (15-02-2017 20:17:44)
Running from E:\firefox downloads
Windows 7 Professional Service Pack 1 (X64) (2016-07-12 04:48:09)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1648639942-364084454-2766153320-500 - Administrator - Disabled)
flynn (S-1-5-21-1648639942-364084454-2766153320-1000 - Administrator - Enabled) => C:\Users\flynn
Guest (S-1-5-21-1648639942-364084454-2766153320-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Bitdefender Antivirus Free Edition (Enabled - Up to date) {3FB17364-4FCC-0FA7-6BBF-973897395371}
AS: Bitdefender Antivirus Free Edition (Enabled - Up to date) {84D09280-69F6-0029-510F-AC4AECBE19CC}
AS: Spybot - Search and Destroy (Enabled - Up to date) {A16C3F68-9280-E053-1818-342707FECF4D}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acrobat.com (HKLM-x32\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1.377 - Adobe Systems Incorporated)
Acrobat.com (x32 Version: 0.0.0 - Adobe Systems Incorporated) Hidden
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.0.4990 - Adobe Systems Inc.)
Adobe Flash Player 22 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 22.0.0.210 - Adobe Systems Incorporated)
Adobe Flash Player 22 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 22.0.0.209 - Adobe Systems Incorporated)
Adobe Reader 9 (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-A90000000001}) (Version: 9.0.0 - Adobe Systems Incorporated)
AirVPN (HKLM-x32\...\AirVPN) (Version: - AirVPN - hxxps://airvpn.org)
AMD Catalyst Install Manager (HKLM\...\{5DDB9EF7-1BC0-C9C1-9829-6B9CF68AC357}) (Version: 8.0.903.0 - Advanced Micro Devices, Inc.)
Ansel (Version: 372.70 - NVIDIA Corporation) Hidden
Apple Application Support (32-bit) (HKLM-x32\...\{F2871C89-C8A5-42EE-8D45-0F02506385A6}) (Version: 5.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{9BC93467-75D1-4AA4-BD58-D9C51D88DFAB}) (Version: 5.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{55BB2110-FB43-49B3-93F4-945A0CFB0A6C}) (Version: 10.0.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{56EC47AA-5813-4FF6-8E75-544026FBEA83}) (Version: 2.2.0.150 - Apple Inc.)
Asmedia ASM104x USB 3.0 Host Controller Driver (HKLM-x32\...\{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}) (Version: 1.16.12.0 - Asmedia Technology)
Asmedia ASM106x SATA Host Controller Driver (HKLM-x32\...\{61942EF5-2CD8-47D4-869C-2E9A8BB085F1}) (Version: 1.3.4.000 - Asmedia Technology)
ASUS GPU Tweak (HKLM-x32\...\InstallShield_{532F6E8A-AF97-41C3-915F-39F718EC07D1}) (Version: 2.4.2.4 - ASUSTek COMPUTER INC.)
ASUS GPU Tweak (x32 Version: 2.4.2.4 - ASUSTek COMPUTER INC.) Hidden
ASUS Product Register Program (HKLM-x32\...\{9D29D67C-315D-46A1-A3A9-3CAF24871578}) (Version: 1.0.022 - ASUSTek Computer Inc.)
Bitdefender Antivirus Free Edition (HKLM\...\BitDefender Gonzales) (Version: 1.0.21.1109 - Bitdefender)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.20 - Piriform)
CPUID HWMonitor 1.29 (HKLM\...\CPUID HWMonitor_is1) (Version: - )
Creative Audio Control Panel (HKLM-x32\...\AudioCS) (Version: 3.00 - Creative Technology Limited)
Creative Software AutoUpdate (HKLM-x32\...\Creative Software AutoUpdate) (Version: 1.40 - Creative Technology Limited)
Creative Sound Blaster Properties x64 Edition (HKLM-x32\...\Creative Sound Blaster Properties x64 Edition) (Version: 1.02 - Creative Technology Limited)
Creative System Information (HKLM-x32\...\SysInfo) (Version: - )
Display Pilot (HKLM-x32\...\{6DD25D67-4339-47A1-950E-EEFC321CBB24}) (Version: 2.11.002 - Portrait Displays, Inc.)
Dolby Digital Live Pack (HKLM-x32\...\Dolby Digital Live Pack) (Version: 3.00 - Creative Technology Limited)
DTS Connect Pack (HKLM-x32\...\DTS Connect Pack) (Version: 1.00 - Creative Technology Limited)
Dying Light (HKLM\...\Steam App 239140) (Version: - Techland)
f.lux (HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\Flux) (Version: - )
FileZilla Client 3.17.0.1 (HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\FileZilla Client) (Version: 3.17.0.1 - Tim Kosse)
foobar2000 v1.3.10 (HKLM-x32\...\foobar2000) (Version: 1.3.10 - Peter Pawlowski)
Free Virtual Keyboard 3.0.1.0 (HKLM-x32\...\{CA4F9519-1A83-4907-8651-F17073A0E1CE}_is1) (Version: 3.0 - Comfort Software Group)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 56.0.2924.87 - Google Inc.)
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
GoPro Studio 2.0.0 (HKLM-x32\...\GoPro Studio) (Version: 2.0.0 - WoodmanLabs Inc. d.b.a. GoPro)
HP Deskjet 2050 J510 series Basic Device Software (HKLM\...\{D7716C7E-75F1-4C51-A2D5-C6A1E8311D53}) (Version: 20.0.771.0 - Hewlett-Packard Co.)
HP Deskjet 2050 J510 series Help (HKLM-x32\...\{7A3DF2E2-CF13-44FB-A93E-F71D5381DB3F}) (Version: 140.0.55.55 - Hewlett Packard)
HP DeskJet 3630 series Basic Device Software (HKLM\...\{82088106-8F3E-4C76-A919-607CB9BA02AE}) (Version: 35.0.61.54677 - Hewlett-Packard Co.)
iTunes (HKLM\...\{554C62C7-E6BB-40F1-892B-F0AE02D3C135}) (Version: 12.5.3.17 - Apple Inc.)
LG Power Tools (HKLM-x32\...\InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}) (Version: 6.0.3316 - CyberLink Corp.)
LG Power Tools (x32 Version: 6.0.3316 - CyberLink Corp.) Hidden
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Office Standard Edition 2003 (HKLM-x32\...\{91120409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.5614.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
mIRC (HKLM-x32\...\mIRC) (Version: 7.46 - mIRC Co. Ltd.)
Mozilla Firefox 51.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 51.0.1 (x86 en-US)) (Version: 51.0.1 - Mozilla)
MPC-HC 1.7.10 (64-bit) (HKLM\...\{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1) (Version: 1.7.10 - MPC-HC Team)
MusicBee 3.0 (HKLM-x32\...\MusicBee) (Version: 3.0 - Steven Mayall)
NVIDIA 3D Vision Driver 372.90 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 372.90 - NVIDIA Corporation)
NVIDIA Graphics Driver 372.90 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 372.90 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.34.15 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.34.15 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.16.0318 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.16.0318 - NVIDIA Corporation)
OpenAL (HKLM-x32\...\OpenAL) (Version: - )
Overwatch Test (HKLM-x32\...\Overwatch Test) (Version: - Blizzard Entertainment)
Pivot Pro Plugin (x32 Version: 9.61.004 - Portrait Displays, Inc.) Hidden
Plex Media Server (HKLM-x32\...\{d685b3b4-91da-4364-9e7d-f365a614d42b}) (Version: 1.3.3.3148 - Plex, Inc.)
Plex Media Server (x32 Version: 1.3.3148 - Plex, Inc.) Hidden
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.67.1226.2012 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7023 - Realtek Semiconductor Corp.)
Recuva (HKLM\...\Recuva) (Version: 1.53 - Piriform)
Revo Uninstaller Pro 3.1.7 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 3.1.7 - VS Revo Group, Ltd.)
SDK (x32 Version: 2.40.007 - Portrait Displays, Inc.) Hidden
SHIELD Streaming (Version: 7.1.0280 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (Version: 2.11.4.1 - NVIDIA Corporation) Hidden
Skype™ 7.30 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.30.105 - Skype Technologies S.A.)
Sound Blaster X-Fi (HKLM-x32\...\{20288888-A7AF-4B24-8AEB-398D20CD563C}) (Version: 1.0 - Creative Technology Limited)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Stopping Plex (x32 Version: 1.3.3148 - Plex, Inc.) Hidden
TAP-Windows 9.9.2 (HKLM\...\TAP-Windows) (Version: 9.9.2 - )
Tweaking.com - Registry Backup (HKLM-x32\...\Tweaking.com - Registry Backup) (Version: 3.5.3 - Tweaking.com)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
Vulkan Run Time Libraries 1.0.11.1 (HKLM\...\VulkanRT1.0.11.1) (Version: 1.0.11.1 - LunarG, Inc.)
Vulkan Run Time Libraries 1.0.26.0 (HKLM\...\VulkanRT1.0.26.0) (Version: 1.0.26.0 - LunarG, Inc.)
Warhammer: End Times - Vermintide (HKLM\...\Steam App 235540) (Version: - Fatshark)
Windows Driver Package - GoPro (WinUSB) Universal Serial Bus devices (03/07/2012 ) (HKLM\...\0B624A43DD66DBF5CF3EDFA9741A364E688062A4) (Version: 03/07/2012 - GoPro)
WinRAR 5.31 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.31.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {07FDA491-E404-4EE9-9A5D-60521408EBCB} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-02-07] (Google Inc.)
Task: {3DC6E7DD-7B67-4DA0-8B16-143CD46296B0} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)
Task: {44C92ACE-AF03-4B2B-8068-0C48540F1407} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2016-03-21] (Safer-Networking Ltd.)
Task: {4A3C8766-0B60-48B8-8FCF-F7253C52E414} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-02-07] (Google Inc.)
Task: {B4EAB0F5-6C7C-422D-B499-46D3A50CC518} - System32\Tasks\ASUS\ASUS Product Register Service => C:\Program Files (x86)\ASUS\APRP\aprp.exe [2013-06-21] (ASUSTek Computer Inc.)
Task: {E16C0328-F620-4247-80C4-DB94BC7B77E2} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2016-03-21] (Safer-Networking Ltd.)
Task: {EBE901F0-47AB-466A-9A7B-A5BD31E1F558} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-07-14] (Piriform Ltd)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-07-12 20:53 - 2013-03-19 12:07 - 00712288 _____ () C:\Program Files\Bitdefender\Antivirus Free Edition\sqlite3.dll
2016-07-12 20:53 - 2013-09-03 14:29 - 00111832 _____ () C:\Program Files\Bitdefender\Antivirus Free Edition\BDMetrics.dll
2016-07-12 16:25 - 2016-09-17 09:57 - 00134712 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2016-07-12 16:37 - 2013-11-12 12:44 - 00098320 _____ () C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\DP\msgHook64.dll
2016-10-05 18:17 - 2016-10-05 18:17 - 00092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2016-10-05 18:17 - 2016-10-05 18:17 - 01353528 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2012-01-17 12:24 - 2012-01-17 12:24 - 00055296 _____ () C:\Windows\SysWOW64\ASGT.exe
2016-07-16 15:02 - 2016-06-15 12:14 - 00369208 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\MessageBus.dll
2016-07-16 15:02 - 2016-06-15 12:14 - 01148984 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\libprotobuf.dll
2016-07-16 15:02 - 2016-06-15 12:14 - 03613240 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\Poco.dll
2016-07-16 15:02 - 2016-06-15 12:14 - 00289848 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamBase.dll
2016-07-16 15:02 - 2016-06-15 12:14 - 02667576 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\Plugins\NSS\NvMdnsPlugin.dll
2016-07-16 15:02 - 2016-06-15 12:14 - 01990200 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\Plugins\NSS\NvPortForwardPlugin.dll
2016-07-16 15:02 - 2016-06-15 12:14 - 01842232 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\Plugins\NSS\RtspPlugin.dll
2016-07-16 15:02 - 2016-06-15 12:14 - 00208952 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\RtspServer.dll
2016-07-12 16:37 - 2013-11-12 12:44 - 00274960 _____ () C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dthook.dll
2016-05-09 18:22 - 2016-05-09 18:22 - 00052912 _____ () C:\Program Files\FileZilla FTP Client\fzshellext_64.dll
2016-07-16 15:02 - 2016-06-15 12:14 - 00035896 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\boost_system-vc120-mt-1_58.dll
2016-07-16 15:02 - 2016-06-15 12:14 - 00921656 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\boost_regex-vc120-mt-1_58.dll
2016-07-12 16:37 - 2013-06-18 13:26 - 00677160 _____ () C:\Program Files (x86)\Portrait Displays\Pivot Pro Plugin\wpctrl.exe
2016-07-12 16:37 - 2013-06-18 13:26 - 00714024 _____ () C:\Program Files (x86)\Portrait Displays\Pivot Pro Plugin\floater.exe
2016-07-12 16:37 - 2013-11-12 12:44 - 00163344 _____ () C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\DP\DPHelper.exe
2016-07-12 16:37 - 2013-11-12 12:44 - 00197136 _____ () C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\DP\DPHelper64.exe
2016-12-15 13:53 - 2016-12-15 13:53 - 00083440 _____ () C:\Program Files (x86)\Plex\Plex Media Server\zlib.dll
2016-12-15 13:53 - 2016-12-15 13:53 - 00203248 _____ () C:\Program Files (x86)\Plex\Plex Media Server\libidn.dll
2016-07-12 17:15 - 2014-05-13 13:04 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2016-07-12 17:15 - 2014-05-13 13:04 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
2016-07-12 17:15 - 2014-05-13 13:04 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2016-07-12 17:15 - 2012-08-23 11:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
2016-07-12 17:15 - 2012-04-03 18:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2013-06-20 12:01 - 2013-06-20 12:01 - 00258048 _____ () C:\Program Files (x86)\ASUS\GPU Tweak\Vender.dll
2013-05-14 16:11 - 2013-05-14 16:11 - 00049152 _____ () C:\Program Files (x86)\ASUS\GPU Tweak\Exeio.dll
2016-07-12 16:37 - 2013-11-12 12:44 - 00093712 _____ () C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\DP\msgHook.dll
2016-07-16 15:02 - 2016-06-15 12:14 - 00020536 _____ () C:\Program Files (x86)\NVIDIA Corporation\Update Core\detoured.dll
2016-07-12 16:52 - 2009-02-06 19:52 - 00073728 _____ () C:\Windows\SysWOW64\CmdRtr.DLL
2016-07-12 16:52 - 2009-10-02 17:07 - 00176128 _____ () C:\Windows\SysWOW64\APOMngr.DLL
2016-07-12 16:37 - 2013-11-12 12:44 - 00187920 _____ () C:\Program Files (x86)\Common Files\Portrait Displays\Shared\PresetsCOM.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\Temp:054203E4 [144]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

There are 7914 more sites.

There are 7914 more sites.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 13:34 - 2017-02-08 19:43 - 00453264 ____R C:\Windows\system32\Drivers\etc\hosts

There are 15553 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1648639942-364084454-2766153320-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\flynn\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP-NoScope] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{86B0A250-B10D-476E-BEAC-F1B2DC2E25F2}] => C:\Program Files\HP\HP DeskJet 3630 series\Bin\DeviceSetup.exe
FirewallRules: [{8EA40CE5-DB2C-470C-AD7A-32190C692EE4}] => LPort=5357
FirewallRules: [{A08899DE-71D3-4B69-802F-11B53DBE4FD2}] => C:\Program Files\HP\HP DeskJet 3630 series\Bin\HPNetworkCommunicatorCom.exe
FirewallRules: [TCP Query User{2E9D29CF-F9CE-4424-A86F-77E9271A2089}F:\games\diablo iii\diablo iii.exe] => F:\games\diablo iii\diablo iii.exe
FirewallRules: [UDP Query User{D17E0339-F6AB-4853-9572-AD4206F6A9A1}F:\games\diablo iii\diablo iii.exe] => F:\games\diablo iii\diablo iii.exe
FirewallRules: [{DE02A53F-8268-4958-8C4C-3F0A318DF9D4}] => F:\Programs\Steam\Steam.exe
FirewallRules: [{0DC13906-BA64-458F-8B6D-3119473A5EE7}] => F:\Programs\Steam\Steam.exe
FirewallRules: [TCP Query User{0E4213DD-5D3F-49D7-BEFF-896DC7E60DE4}C:\program files (x86)\qbittorrent\qbittorrent.exe] => C:\program files (x86)\qbittorrent\qbittorrent.exe
FirewallRules: [UDP Query User{CB17202E-FE78-4EF0-A500-EE9347FFCFF3}C:\program files (x86)\qbittorrent\qbittorrent.exe] => C:\program files (x86)\qbittorrent\qbittorrent.exe
FirewallRules: [TCP Query User{747CDBF5-DFDE-4E39-AEE4-C09809970E81}F:\games\overwatch\overwatch.exe] => F:\games\overwatch\overwatch.exe
FirewallRules: [UDP Query User{0661838E-73FC-426E-9457-E07DCB1718B5}F:\games\overwatch\overwatch.exe] => F:\games\overwatch\overwatch.exe
FirewallRules: [TCP Query User{055FE38D-CFA3-4063-B841-28DDBF956A20}F:\games\overwatch public test\overwatch test\overwatch.exe] => F:\games\overwatch public test\overwatch test\overwatch.exe
FirewallRules: [UDP Query User{4E913EFC-0D94-4AC1-8279-2FB529D2D75E}F:\games\overwatch public test\overwatch test\overwatch.exe] => F:\games\overwatch public test\overwatch test\overwatch.exe
FirewallRules: [TCP Query User{E1BCF0B2-41BF-4203-B75C-E29519656E77}C:\program files (x86)\skype\phone\skype.exe] => C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [UDP Query User{AEF2DF82-7B8F-4194-B020-1ECEB2BD653C}C:\program files (x86)\skype\phone\skype.exe] => C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [TCP Query User{7B48C108-290C-42F3-990B-3B0B294D0C79}F:\programs\steam\steamapps\common\dying light\dyinglightgame.exe] => F:\programs\steam\steamapps\common\dying light\dyinglightgame.exe
FirewallRules: [UDP Query User{F28DF4F4-1D40-4528-AA56-CC4C5894C773}F:\programs\steam\steamapps\common\dying light\dyinglightgame.exe] => F:\programs\steam\steamapps\common\dying light\dyinglightgame.exe
FirewallRules: [TCP Query User{B79849D8-BC1A-4B09-8056-1B9FF4190D8C}C:\program files (x86)\mirc\mirc.exe] => C:\program files (x86)\mirc\mirc.exe
FirewallRules: [UDP Query User{4922C41B-4780-458C-8C39-F688B2DFDF9F}C:\program files (x86)\mirc\mirc.exe] => C:\program files (x86)\mirc\mirc.exe
FirewallRules: [{0C5DFC86-3826-438A-84D7-657155785BD6}] => F:\Programs\Steam\steamapps\common\Warhammer End Times Vermintide\launcher\launcher.exe
FirewallRules: [{31F30E58-F177-4B39-B0E9-410180ABE9C6}] => F:\Programs\Steam\steamapps\common\Warhammer End Times Vermintide\launcher\launcher.exe
FirewallRules: [{E40A4367-8CB4-4FD0-8C43-F5E89DD4B9BD}] => F:\Programs\Steam\steamapps\common\Warhammer End Times Vermintide\binaries\vermintide.exe
FirewallRules: [{661511E0-629A-46B0-891E-95150347148E}] => F:\Programs\Steam\steamapps\common\Warhammer End Times Vermintide\binaries\vermintide.exe
FirewallRules: [{DE9E5F17-BE97-46A5-BC57-D38C71E212ED}] => F:\Programs\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe
FirewallRules: [{1D5DD280-1EED-438D-85D8-5A5901157B49}] => F:\Programs\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe
FirewallRules: [{999A44E9-B844-4590-A5AD-B52BC9EE945F}] => C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{185592A7-DE3C-4D9D-9E42-43F3434A4726}] => C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{E0E0595E-3648-42A0-9FD6-A0D792CC84C3}] => C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{62416682-07F2-4006-8D04-28BCF66B7D1F}] => C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{2A5E2EF3-A15B-4431-9C12-44D452C9B3B7}] => C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{1370A0B5-C670-4BD9-822F-650D0C8A6019}] => C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{523915A2-9AC0-4A57-8CE5-BA099E06DB7F}] => C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe
FirewallRules: [{8B261DC5-1C69-4FD4-8551-C6347C7D4709}] => C:\Program Files (x86)\Plex\Plex Media Server\PlexScriptHost.exe
FirewallRules: [{DF9A0089-473A-4C39-8CAE-D17B03B2960D}] => C:\Program Files (x86)\Plex\Plex Media Server\Plex DLNA Server.exe
FirewallRules: [TCP Query User{E012BCA4-8E7F-4473-97B1-1DD29676945A}F:\games\diablo iii public test\x64\diablo iii64.exe] => F:\games\diablo iii public test\x64\diablo iii64.exe
FirewallRules: [UDP Query User{30BA62A1-D935-4697-9C0F-277B1C1D591F}F:\games\diablo iii public test\x64\diablo iii64.exe] => F:\games\diablo iii public test\x64\diablo iii64.exe
FirewallRules: [{828FAC62-AF28-4B89-BC81-DBFEADB1253F}] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{F1ABE3F5-3850-4C00-AE2E-78F3A5F20BBD}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{45B1DFBF-FEE3-4884-A1F8-242A3AE7FC4A}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

==================== Restore Points =========================

01-01-2017 19:00:57 Windows Backup
08-01-2017 19:00:58 Windows Backup
15-01-2017 06:05:08 Windows Update
15-01-2017 19:01:16 Windows Backup
22-01-2017 19:01:14 Windows Backup
29-01-2017 19:01:23 Windows Backup
05-02-2017 21:21:07 Windows Backup
12-02-2017 19:01:06 Windows Backup

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (02/15/2017 08:04:37 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/15/2017 08:01:26 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/15/2017 07:52:55 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/15/2017 06:47:45 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/14/2017 07:16:08 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/14/2017 06:38:28 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/13/2017 07:13:21 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/12/2017 08:19:31 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/11/2017 08:04:56 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: EtHost.exe, version: 1.1.10.0, time stamp: 0x51e86968
Faulting module name: KERNELBASE.dll, version: 6.1.7601.23572, time stamp: 0x57fd0379
Exception code: 0xe0434352
Fault offset: 0x0000c54f
Faulting process id: 0x1500
Faulting application start time: 0x01d283ddd73b3959
Faulting application path: C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\ET\EtHost.exe
Faulting module path: C:\Windows\syswow64\KERNELBASE.dll
Report Id: 28359299-f039-11e6-9d0b-e03f4977e54d

Error: (02/11/2017 08:37:59 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Battle.net.exe, version: 1.6.0.8293, time stamp: 0x588110c1
Faulting module name: Qt5Core.dll, version: 5.6.2.0, time stamp: 0x584772f7
Exception code: 0xc0000005
Fault offset: 0x00155e82
Faulting process id: 0x18b8
Faulting application start time: 0x01d283e3e61143e6
Faulting application path: F:\Games\Battle.net\Battle.net.8293\Battle.net.exe
Faulting module path: F:\Games\Battle.net\Battle.net.8293\Qt5Core.dll
Report Id: 30f7c907-efd9-11e6-9d0b-e03f4977e54d


System errors:
=============
Error: (02/15/2017 08:00:18 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (02/15/2017 08:00:15 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (02/15/2017 08:00:15 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (02/15/2017 08:00:15 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (02/15/2017 08:00:15 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (02/15/2017 08:00:15 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (02/15/2017 08:00:15 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (02/15/2017 08:00:14 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server:
{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (02/15/2017 08:00:14 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (02/15/2017 08:00:14 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.


==================== Memory info ===========================

Processor: AMD FX(tm)-8320 Eight-Core Processor
Percentage of memory in use: 14%
Total physical RAM: 16281.73 MB
Available physical RAM: 13902.05 MB
Total Virtual: 32561.65 MB
Available Virtual: 29969.26 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.66 GB) (Free:394.86 GB) NTFS
Drive d: (New Volume) (Fixed) (Total:1862.89 GB) (Free:652.47 GB) NTFS
Drive e: (New Volume) (Fixed) (Total:2794.39 GB) (Free:142.17 GB) NTFS
Drive f: (New Volume) (Fixed) (Total:2794.39 GB) (Free:256.45 GB) NTFS
Drive h: (Elements) (Fixed) (Total:2794.49 GB) (Free:142.32 GB) NTFS
Drive i: (Elements) (Fixed) (Total:1863.01 GB) (Free:309.15 GB) NTFS
Drive j: (Seagate Expansion Drive) (Fixed) (Total:1863.01 GB) (Free:571.6 GB) NTFS
Drive l: (Elements) (Fixed) (Total:2794.49 GB) (Free:2056.12 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 2794.5 GB) (Disk ID: 00000000)

Partition: GPT.

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 00000000)

Partition: GPT.

========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 2794.5 GB) (Disk ID: 00000000)

Partition: GPT.

========================================================
Disk: 3 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: D05E9F5C)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS)
Attempted reading MBR returned 0 bytes.
Could not read MBR for disk 4.

========================================================
Disk: 5 (MBR Code: Windows XP) (Size: 1863 GB) (Disk ID: 00080049)
Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)
Attempted reading MBR returned 0 bytes.
Could not read MBR for disk 6.

========================================================
Disk: 7 (Size: 2794.5 GB) (Disk ID: 16F2A91F)

Partition: GPT.

==================== End of Addition.txt ============================
purgemypcplease
Active Member
Posts: 10
Joined: February 8th, 2017, 5:14 am

Re: Malware removal for PC - infected from porn sites??

Unread postby mAL_rEm018 » February 15th, 2017, 2:01 pm

Hello purgemypcplease,

I took a second look at your post from yesterday and I would like to address the following comment, which I missed at first:

viewtopic.php?p=654169#p654169

I suspect my PC may have some kind of background infection of adware or spyware, maybe IP logged, as certain websites (generally porn based websites) seem to not operate properly when browsing, such as very slow response times or pictures not loading, very slow speeds, whereas other normal websites seem to work without any issues. And in general I'm concerned with all the ads that sites like porn hub create, that I may have gotten some kind of virus or infection on my PC.

Are you still accessing porn websites while I am "cleaning" your computer?? If you are, then not only would I consider this rude, but also a waste of my time as your computer will inevitably catch additional infections... If you wish to continue receiving help from me, then I expect you to stop accessing pornographic websites. If this is something that you are unwilling to do, please let me know and I will request for this topic to be closed.

Let me know how you want to proceed in your next reply.


mAL
mAL_rEm018
Admin/Teacher
Posts: 2689
Joined: November 11th, 2013, 6:26 pm
Location: Saint-Petersburg, Russia

Re: Malware removal for PC - infected from porn sites??

Unread postby purgemypcplease » February 16th, 2017, 4:06 am

Hi mAL,

My apologies. I am not trying to waste your time at all. I haven't been to any of the public sites where I believe the infections would've come from. I had briefly browsed one private torrent community porn site, but I'm fairly sure that site is no threat, as it is a closed community and well vetted. I didn't think that would be an issue.

Of course I would like to proceed to ensure that I've cleaned my PC as much as possible. I won't visit any sites of that kind at all.

If you're still happy to proceed, of course I am.
purgemypcplease
Active Member
Posts: 10
Joined: February 8th, 2017, 5:14 am

Re: Malware removal for PC - infected from porn sites??

Unread postby mAL_rEm018 » February 16th, 2017, 3:24 pm

Hello purgemypcplease,

purgemypcplease wrote: My apologies. I am not trying to waste your time at all. I haven't been to any of the public sites where I believe the infections would've come from. I had briefly browsed one private torrent community porn site, but I'm fairly sure that site is no threat, as it is a closed community and well vetted. I didn't think that would be an issue.

There is no need to apologize.. I just wanted to be sure we were on the same page. As far as Torrent sites go, you should not trust any of them, regardless of them being private or not. I will give you more information regarding computer security and safe browsing habits once we have finished cleaning your computer.

Now let's get to work.. :)


FF ProfilePath: C:\Users\flynn\AppData\Roaming\Mozilla\Firefox\Profiles\24hemwe1.testing [2017-02-15]

Are you aware of the following Firefox profile? It has an unusual file extension.

Please run the following fix..

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy/Paste the contents of the code box below into Notepad.
Code:
CreateRestorePoint:

HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\MountPoints2: {ea1d704e-4878-11e6-ae67-806e6f6e6963} - G:\.\Bin\ASSETUP.exe
GroupPolicy\User: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
2017-02-08 19:43 - 2017-02-08 19:39 - 00453264 ____R C:\Windows\system32\Drivers\etc\hosts.20170208-194327.backup
AlternateDataStreams: C:\ProgramData\Temp:054203E4 [144]
FirewallRules: [TCP Query User{0E4213DD-5D3F-49D7-BEFF-896DC7E60DE4}C:\program files (x86)\qbittorrent\qbittorrent.exe] => C:\program files (x86)\qbittorrent\qbittorrent.exe
FirewallRules: [UDP Query User{CB17202E-FE78-4EF0-A500-EE9347FFCFF3}C:\program files (x86)\qbittorrent\qbittorrent.exe] => C:\program files (x86)\qbittorrent\qbittorrent.exe

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetim.com]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetim.com]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetim.com]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetim.com]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetim.com]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetim.com]
[-HKEY_USERS\S-1-5-21-1648639942-364084454-2766153320-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetim.com]
[-HKEY_USERS\S-1-5-21-1648639942-364084454-2766153320-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetim.com]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetpacks.com]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetpacks.com]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetpacks.com]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetpacks.com]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetpacks.com]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetpacks.com]
[-HKEY_USERS\S-1-5-21-1648639942-364084454-2766153320-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetpacks.com]
[-HKEY_USERS\S-1-5-21-1648639942-364084454-2766153320-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetpacks.com]

Hosts:
EmptyTemp:

    • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
    • Please post me the log

Let's do an online scan to make sure we didn't miss anything. This scan can take a long time to complete, but it is very thorough.

DNS Servers: Media is not connected to internet.

If you haven't already done so, please reconnect your computer to the internet.

Next..

Please disable your Antivirus as shown in the following topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

  • Close all opened programs, open your browser and go to the following link: ESET Online Scanner.
  • Click on the SCAN NOW button under ESET Online Scanner.
    • Depending on which browser you are using, you might be prompted to download an executable file.
    • Please save it to your desktop.
    • Right-click on esetonlinescanner_enu.exe and select Run as administrator.
    • If you agree to the Terms of use, select Accept to continue.
  • Please check the following option:
    • Enable detection of potentially unwanted applications
  • Select Advanced settings and ensure that the following options are checked:
    • Enable detection of potentially unsafe applications
    • Enable detection of suspicious applications
    • Scan archives
    • Enable Anti-Stealth technology
  • Make sure that the following option is NOT checked: => Very important!
    • Clean threats automatically
  • Click Scan and the process will now begin. Please do not use your computer while the scan is running.
  • Once the scan is completed, click Copy to clipboard.
  • Open the Start menu and type notepad.exe in the search programs and files box.
  • Press Enter. A blank Notepad page should open; paste the contents inside the window.
  • Save the file as ESETScan.txt.
  • Please copy/paste the contents of ESETScan.txt in your next reply.
  • You can now safely close the program.
    Do not forget to re-activate your Antivirus at this point.


-----------------------------------------
In your next reply, I would like to see..
  • Did you have trouble performing any of the steps?
  • Answer to my question.
  • fixlog.txt
  • ESETScan.txt
  • How is your computer behaving?
mAL_rEm018
Admin/Teacher
Posts: 2689
Joined: November 11th, 2013, 6:26 pm
Location: Saint-Petersburg, Russia

Re: Malware removal for PC - infected from porn sites??

Unread postby purgemypcplease » February 17th, 2017, 6:47 am

Hi mAL,

Okay thanks!

All steps performed without any issues.

Yes, I created that Firefox profile myself, as my main profile is highly customised, and I thought this customisation and plugins were what was causing websites to not function properly. It was too much work to undo all the about:config settings, so I just created a blank browser profile on its own to test.

It turns out that I just needed to update Firefox to improve the issues last time, but I was suspicious I had some kind of latent infection as the PC had been underperforming with the internet speeds and just in general was very slow for that one particular private torrent site.

But yes, any tips you have would be helpful too. I'm usually pretty good with privacy and am a well experienced internet user, but always happy to learn from a guru such as yourself!


Computer seems to be running well. I was a bit alarmed when the ESETScan was detecting a lot of infections, but it seems to mostly just be old setup files and executables. I should probably delete all those old setup files that I no longer use.

I'll wait for your instruction though.

1. Here is the fixlog.txt:

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-02-2017 02
Ran by flynn (17-02-2017 19:06:43) Run:1
Running from E:\firefox downloads
Loaded Profiles: flynn (Available Profiles: flynn)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:

HKU\S-1-5-21-1648639942-364084454-2766153320-1000\...\MountPoints2: {ea1d704e-4878-11e6-ae67-806e6f6e6963} - G:\.\Bin\ASSETUP.exe
GroupPolicy\User: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
2017-02-08 19:43 - 2017-02-08 19:39 - 00453264 ____R C:\Windows\system32\Drivers\etc\hosts.20170208-194327.backup
AlternateDataStreams: C:\ProgramData\Temp:054203E4 [144]
FirewallRules: [TCP Query User{0E4213DD-5D3F-49D7-BEFF-896DC7E60DE4}C:\program files (x86)\qbittorrent\qbittorrent.exe] => C:\program files (x86)\qbittorrent\qbittorrent.exe
FirewallRules: [UDP Query User{CB17202E-FE78-4EF0-A500-EE9347FFCFF3}C:\program files (x86)\qbittorrent\qbittorrent.exe] => C:\program files (x86)\qbittorrent\qbittorrent.exe

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetim.com]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetim.com]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetim.com]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetim.com]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetim.com]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetim.com]
[-HKEY_USERS\S-1-5-21-1648639942-364084454-2766153320-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetim.com]
[-HKEY_USERS\S-1-5-21-1648639942-364084454-2766153320-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetim.com]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetpacks.com]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetpacks.com]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetpacks.com]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetpacks.com]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetpacks.com]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetpacks.com]
[-HKEY_USERS\S-1-5-21-1648639942-364084454-2766153320-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetpacks.com]
[-HKEY_USERS\S-1-5-21-1648639942-364084454-2766153320-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetpacks.com]

Hosts:
EmptyTemp:
*****************

Restore point was successfully created.
HKU\S-1-5-21-1648639942-364084454-2766153320-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ea1d704e-4878-11e6-ae67-806e6f6e6963} => key removed successfully
HKCR\CLSID\{ea1d704e-4878-11e6-ae67-806e6f6e6963} => key not found.
C:\Windows\system32\GroupPolicy\User => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
C:\Windows\system32\Drivers\etc\hosts.20170208-194327.backup => moved successfully
C:\ProgramData\Temp => ":054203E4" ADS removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{0E4213DD-5D3F-49D7-BEFF-896DC7E60DE4}C:\program files (x86)\qbittorrent\qbittorrent.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{CB17202E-FE78-4EF0-A500-EE9347FFCFF3}C:\program files (x86)\qbittorrent\qbittorrent.exe => value removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetim.com => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetim.com => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetim.com => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetim.com => key removed successfully
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetim.com => key removed successfully
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetim.com => key removed successfully
HKEY_USERS\S-1-5-21-1648639942-364084454-2766153320-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetim.com => key removed successfully
HKEY_USERS\S-1-5-21-1648639942-364084454-2766153320-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetim.com => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetpacks.com => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetpacks.com => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetpacks.com => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetpacks.com => key removed successfully
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetpacks.com => key removed successfully
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetpacks.com => key removed successfully
HKEY_USERS\S-1-5-21-1648639942-364084454-2766153320-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sweetpacks.com => key removed successfully
HKEY_USERS\S-1-5-21-1648639942-364084454-2766153320-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sweetpacks.com => key removed successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 10450889 B
Java, Flash, Steam htmlcache => 149770675 B
Windows/system/drivers => 7098 B
Edge => 0 B
Chrome => 348160 B
Firefox => 17009436 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 58558406 B
systemprofile32 => 66228 B
LocalService => 0 B
NetworkService => 0 B
flynn => 184390753 B
UpdatusUser => 0 B

RecycleBin => 0 B
EmptyTemp: => 409.2 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 19:07:19 ====


2. ESETScan.txt:

D:\ALL BACKUPS\Desktop\GOMPLAYERENSETUP.EXE  a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
D:\ALL BACKUPS\Desktop\Setup_FreeConverter.exe  Win32/Toolbar.Widgi potentially unwanted application
D:\ALL BACKUPS\old desktop and settings files\Desktop\GOMPLAYERENSETUP.EXE  a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
D:\ALL BACKUPS\old desktop and settings files\Desktop\winamp5601_full_emusic-7plus_en-us.exe  Win32/OpenCandy potentially unsafe application
E:\APOLLO\What.CD Toolbox 6 for Windows\Burning\SetupImgBurn_2.5.8.0.exe  Win32/OpenCandy potentially unsafe application
E:\APOLLO\What.CD Toolbox 6 for Windows\ContentAnalysis\Adobe Audition CCv6.0.732\adobe.photoshop.cc-patch-painter.exe  a variant of Win32/HackTool.Patcher.AD potentially unsafe application
E:\APOLLO\What.CD Toolbox 6 for Windows\FileManagement\FreeFileSync_5.20_Windows_Setup.exe  Win32/OpenCandy potentially unsafe application
E:\firefox downloads\rcsetup153.exe  Win32/Bundled.Toolbar.Google.D potentially unsafe application
F:\#C drive backup from legit windows install\desktop\flynn\Desktop\ccsetup515.exe  Win32/Bundled.Toolbar.Google.D potentially unsafe application
F:\#C drive backup from legit windows install\desktop\New folder\Desktop\ccsetup515.exe  Win32/Bundled.Toolbar.Google.D potentially unsafe application
F:\#C drive backup from legit windows install\desktop\New folder\New folder\Desktop\ccsetup515.exe  Win32/Bundled.Toolbar.Google.D potentially unsafe application
F:\Programs\utorrent\uTorrent.exe  a variant of Win32/Bunndle potentially unsafe application
Re: Malware removal for PC - infected from porn sites??

Unread postby purgemypcplease » February 17th, 2017, 5:07 pm

PC definitely seems to be running faster with loading pages and load times etc.

Re: Malware removal for PC - infected from porn sites??

Unread postby mAL_rEm018 » February 17th, 2017, 6:29 pm

Hello purgemypcplease,

You have several add-ons that are privacy-related and use encryption. If you have any problem with Firefox being slow again in the future, then this is the first place you should look into.

purgemypcplease wrote: PC definitely seems to be running faster with loading pages and load times etc.

That's good! We still have a bit more work to do, so please stick with this topic until I give you the all clear.

Please run the following fix:

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy/Paste the contents of the code box below into Notepad.
CreateRestorePoint:

D:\ALL BACKUPS\Desktop\GOMPLAYERENSETUP.EXE
D:\ALL BACKUPS\Desktop\Setup_FreeConverter.exe
D:\ALL BACKUPS\old desktop and settings files\Desktop\GOMPLAYERENSETUP.EXE
D:\ALL BACKUPS\old desktop and settings files\Desktop\winamp5601_full_emusic-7plus_en-us.exe
E:\APOLLO\What.CD Toolbox 6 for Windows\Burning\SetupImgBurn_2.5.8.0.exe
E:\APOLLO\What.CD Toolbox 6 for Windows\ContentAnalysis\Adobe Audition CCv6.0.732\adobe.photoshop.cc-patch-painter.exe
E:\APOLLO\What.CD Toolbox 6 for Windows\FileManagement\FreeFileSync_5.20_Windows_Setup.exe
E:\firefox downloads\rcsetup153.exe
F:\#C drive backup from legit windows install\desktop\flynn\Desktop\ccsetup515.exe
F:\#C drive backup from legit windows install\desktop\New folder\Desktop\ccsetup515.exe
F:\#C drive backup from legit windows install\desktop\New folder\New folder\Desktop\ccsetup515.exe
F:\Programs\utorrent\uTorrent.exe

    • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens...
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
    • Please post me the log

Please give me an update on your computer's behaviour. If all is well, I will provide you with my all clean speech.


-----------------------------------------
In your next reply, I would like to see..
  • Did you encounter any problems while performing the fix?
  • fixlog.txt
  • Update on computer's behaviour