Topic: [In Progress - K] PC Running Slow, Possible Malware, Pythagorean Virus Related??

crxb5 (Bronze Member, 66 posts):
I have a Toshiba Satellite P875 laptop that has suddenly started to run really slow, to the point it's almost inoperable.
I have run CCleaner, Malwarebytes, and AdwCleaner and this virus (pythagorean) still won't go away or stop running. I was unable to run the DDS log tool from either of the links, as I got this error when I double-clicked, even when disconnected from the internet: "DDS is not meant to be run in Compatibility Mode. The program shall now exit."

Please let me know how I should proceed, or how to turn off Compatibility Mode to run the log.

I have attached an image showing the pythagorean virus/process that seems to be replicating and slowing my computer down. Please let me know how I shall proceed. Thanks
« Last Edit: November 25, 2017, 10:41:56 AM by kevinf80 »

kevinf80 (Malware Removal Staff, Diamond Member, 7676 posts):
Hello crxb5 and welcome to SpywareHammer,

My screen name is kevinf80, I'm here to help clean up your system. Make sure to run all scans from accounts with Administrator status, and continue as follows please:

Anyone other than the original starter of this thread, please DO NOT follow the instructions and advice posted as replies here; my help and advice is NOT related to your system and will probably cause more harm than good...

Change the download folder setting in the Default Browser only, so all of the tools we may use are saved to the Desktop:

Google Chrome - Click the "Customize and control Google Chrome" button in the upper right corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

Mozilla Firefox - Click the "Open Menu" button in the upper right corner of the browser. Choose Options. In the Downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

Internet Explorer - Click the Tools menu in the upper right corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop, then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.

NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Change default download folder location in Edge - Boot to a user account with admin status, select Start > File Explorer > right-click on the "Downloads" folder and select "Properties"

In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK"

Be aware you are not changing the Browser download folder location; you are changing the user's download directory location...

Next,

Follow the instructions in the following link to show hidden files:

http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...

  • Double-click to run it. When the tool opens click Yes to disclaimer.
    (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt). Please attach that log to your reply.
Let me see those logs in your reply...

Thank you,

Kevin

crxb5 (Bronze Member, 66 posts):
I have followed your instructions! See results below:

This may have something to do with a CODEX installer as well, as I believe I got some weird CODEX message right before the computer started behaving horribly... Let me know how to proceed next!

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 26-11-2017 01
Ran by CRXB5 (administrator) on KB (27-11-2017 00:09:35)
Running from C:\Users\CRXB5\Desktop
Loaded Profiles: CRXB5 (Available Profiles: CRXB5)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(TOSHIBA CORPORATION) C:\Windows\System32\siaumzesvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Intel(R) Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
() C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\nlssrv32.exe
(Motorola) C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
(Intel(R) Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(DEVGURU Co., LTD.) C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe
(TOSHIBA Corporation) C:\Windows\System32\ThpSrv.exe
(TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Teco\TecoService.exe
() C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(SRS Labs, Inc.) C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe
() C:\Program Files\Toshiba\Hotkey\TCrdMain_Win8.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Teco\TecoResident.exe
(TOSHIBA Corporation) C:\Program Files (x86)\TOSHIBA\System Setting\TSleepSrv.exe
(TOSHIBA Corporation) C:\Windows\System32\ThpSrv.exe
(Avid Technology, Inc.) C:\Windows\System32\M-AudioTaskBarIcon.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
() C:\Program Files (x86)\Google\Drive\googledrivesync.exe
() C:\Users\CRXB5\AppData\Local\vsmrkel\vsmrkel.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
() C:\Users\CRXB5\AppData\Local\Amazon Music\Amazon Music Helper.exe
(HP Inc.) C:\Program Files\HP\HP OfficeJet 4650 series\Bin\ScanToPCActivationApp.exe
() C:\Program Files (x86)\magnitude\governs.exe
() C:\Users\CRXB5\AppData\Local\igfxmtc\igfxmtc.exe
(Dropbox, Inc.) C:\Users\CRXB5\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\onenotem.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Dropbox, Inc.) C:\Users\CRXB5\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Dropbox, Inc.) C:\Users\CRXB5\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler64.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TPHM\TPCHSrv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TPHM\TPCHWMsg.exe
() C:\Program Files (x86)\Google\Drive\googledrivesync.exe
() C:\Program Files (x86)\Google\Drive\googledrivesync.exe
() C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA Service Station\TMachInfo.exe
(Pythagorean) C:\Program Files (x86)\Fated\pythagorean.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\AppVShNotify.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\excel.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
() C:\Users\CRXB5\AppData\Local\vsmrkel\wmciera.exe
() C:\Users\CRXB5\AppData\Local\vsmrkel\wmciera.exe
() C:\Users\CRXB5\AppData\Local\vsmrkel\wmciera.exe
() C:\Users\CRXB5\AppData\Local\vsmrkel\wmciera.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13513288 2013-03-29] (Realtek Semiconductor)
HKLM\...\Run: [SRS Premium Sound 3D] => C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe [2170784 2012-08-19] (SRS Labs, Inc.)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2609064 2012-08-30] ()
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [169896 2012-08-13] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [356776 2012-07-11] (TOSHIBA Corporation)
HKLM\...\Run: [TSleepSrv] => C:\Program Files (x86)\TOSHIBA\System Setting\TSleepSrv.exe [1548952 2012-08-04] (TOSHIBA Corporation)
HKLM\...\Run: [TODDMain] => C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe [213136 2012-08-04] ()
HKLM\...\Run: [ThpSrv] => C:\windows\system32\thpsrv /logon
HKLM\...\Run: [M-Audio Taskbar Icon] => C:\windows\system32\M-AudioTaskBarIcon.exe [798728 2010-12-07] (Avid Technology, Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [472992 2013-03-21] (Adobe Systems Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2016-11-01] (Apple Inc.)
HKLM\...\Run: [pgm] => C:\Program Files (x86)\Fated\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKLM\...\Run: [pgmpgm] => C:\Program Files (x86)\Restriction\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKLM-x32\...\Run: [AdobeCEPServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CEPServiceManager4\CEPServiceManager.exe [1039248 2013-03-13] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [673616 2009-04-07] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-09-05] (Oracle Corporation)
HKLM-x32\...\Run: [chipping] => C:\Program Files (x86)\Fated\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKLM-x32\...\Run: [chippingchipping] => C:\Program Files (x86)\Restriction\pythagorean.exe [11264 2017-11-24] (Pythagorean)
Winlogon\Notify\igfxcui: C:\Windows\System32\igfxdev.dll (Intel Corporation)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3672640 2013-03-14] (Disc Soft Ltd)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [40417680 2017-11-01] ()
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [Amazon Music] => C:\Users\CRXB5\AppData\Local\Amazon Music\Amazon Music Helper.exe [5886272 2015-03-02] ()
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [Dropbox Update] => C:\Users\CRXB5\AppData\Local\Dropbox\Update\DropboxUpdate.exe [143144 2016-11-05] (Dropbox, Inc.)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [Zoom] => [X]
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [HP OfficeJet 4650 series (NET)] => C:\Program Files\HP\HP OfficeJet 4650 series\Bin\ScanToPCActivationApp.exe [3770504 2017-04-06] (HP Inc.)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [laggards] => C:\Program Files (x86)\Fated\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [laggardslaggards] => C:\Program Files (x86)\Restriction\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [frangipani] => C:\Program Files (x86)\Fated\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [frangipanifrangipani] => C:\Program Files (x86)\Restriction\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [governs] => C:\Program Files (x86)\magnitude\governs.exe [66987 2017-11-24] ()
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [numismatist] => C:\Program Files (x86)\Fated\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Users\CRXB5\AppData\Roaming\Microsoft\Protect\c65560-5f30c1-f1d27368-b602f1-5df0.rs" <==== ATTENTION
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\RunOnce: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Users\CRXB5\AppData\Roaming\Microsoft\Protect\c65560-5f30c1-f1d27368-b602f1-5df0.rs" <==== ATTENTION
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\MountPoints2: {0260a71c-d4ff-11e5-bf00-e73811b99ae5} - "E:\HTC_Sync_Manager_PC.exe"
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\MountPoints2: {3e4b8e68-749d-11e3-bebe-008cfa2c72ff} - "E:\VerizonWirelessUpgradeAssistantSetup.exe" -a
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\MountPoints2: {6f725e7d-cd0c-11e5-beff-8401384f88ba} - "E:\MotorolaDeviceManagerSetup.exe" -a
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\MountPoints2: {9060afb0-71dc-11e4-bee3-fdca786ef024} - "E:\VerizonWirelessUpgradeAssistantSetup.exe" -a
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\MountPoints2: {a6d82073-81de-11e5-befc-ed31c84eae63} - "E:\VerizonWirelessUpgradeAssistantSetup.exe" -a
Startup: C:\Users\CRXB5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2017-11-15]
ShortcutTarget: Dropbox.lnk -> C:\Users\CRXB5\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\CRXB5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epson all-in-one Registration.lnk [2014-04-29]
ShortcutTarget: Epson all-in-one Registration.lnk -> D:\Common\EpsonReg\EpsonReg.exe (No File)
Startup: C:\Users\CRXB5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pakula.lnk [2017-11-24]
ShortcutTarget: pakula.lnk -> C:\Program Files (x86)\Fated\pythagorean.exe (Pythagorean)
Startup: C:\Users\CRXB5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2016-04-18]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\onenotem.exe (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75
Tcpip\..\Interfaces\{24CBC36B-99D9-4504-B9C3-B0397BB7054E}: [DhcpNameServer] 75.75.76.76 75.75.75.75
Tcpip\..\Interfaces\{F60FA141-D9EF-41FF-BAA2-B5B31AE530B2}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://toshiba13.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://toshiba13.msn.com
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://toshiba13.msn.com
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-3623611392-2939539441-2581462275-1001 -> {26285137-655C-4D04-A5CC-7E8349E0AF46} URL =
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2017-09-05] (Microsoft Corporation)
BHO: WOT Helper -> {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} -> C:\Program Files\WOT\WOT.dll [2012-08-02] ()
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2017-09-05] (Microsoft Corporation)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [2017-08-15] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\ssv.dll [2017-10-31] (Oracle Corporation)
BHO-x32: WOT Helper -> {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} -> C:\Program Files (x86)\WOT\WOT.dll [2012-08-02] ()
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-09-05] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\jp2ssv.dll [2017-10-31] (Oracle Corporation)
Toolbar: HKLM - WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll [2012-08-02] ()
Toolbar: HKLM-x32 - WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll [2012-08-02] ()
Toolbar: HKU\S-1-5-21-3623611392-2939539441-2581462275-1001 -> WOT - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll [2012-08-02] ()
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2017-07-18] (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll [2012-08-02] ()
Handler-x32: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll [2012-08-02] ()

FireFox:
========
FF ProfilePath: C:\Users\CRXB5\AppData\Roaming\Mozilla\Firefox\Profiles\h8dpgyrv.default [2017-11-27]
FF user.js: detected! => C:\Users\CRXB5\AppData\Roaming\Mozilla\Firefox\Profiles\h8dpgyrv.default\user.js [2014-07-30]
FF Extension: (MEGA) - C:\Users\CRXB5\AppData\Roaming\Mozilla\Firefox\Profiles\h8dpgyrv.default\Extensions\firefox@mega.co.nz.xpi [2017-11-24]
FF Extension: (Updated Ad Blocker for Firefox 11+) - C:\Users\CRXB5\AppData\Roaming\Mozilla\Firefox\Profiles\h8dpgyrv.default\Extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3618C}.xpi [2016-04-27] [Lagacy]
FF Extension: (Disable Media WMF NV12 format) - C:\Users\CRXB5\AppData\Roaming\Mozilla\Firefox\Profiles\h8dpgyrv.default\features\{b265d3ee-7f11-4389-9f45-d459360dfeee}\disable-media-wmf-nv12@mozilla.org.xpi [2017-11-21] [Lagacy]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_27_0_0_187.dll [2017-11-14] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2013-03-21] (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_27_0_0_187.dll [2017-11-14] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.151.2 -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\dtplugin\npDeployJava1.dll [2017-10-31] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.151.2 -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\plugin2\npjp2.dll [2017-10-31] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-07-12] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2013-07-12] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-13] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-13] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2012-12-12] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-11-04] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2013-03-21] (Adobe Systems)
FF Plugin HKU\S-1-5-21-3623611392-2939539441-2581462275-1001: @zoom.us/ZoomVideoPlugin -> C:\Users\CRXB5\AppData\Roaming\Zoom\bin\npzoomplugin.dll [2015-11-02] (Zoom Video Communications, Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 apexpsvc; C:\Users\CRXB5\AppData\Local\npx\apexpsvc.exe [245760 2017-09-03] () [File not signed]
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [3058416 2017-09-05] (Microsoft Corporation)
R2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
R2 Motorola Device Manager; C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [120728 2012-10-23] ()
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [284912 2014-01-08] ()
R2 PST Service; C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [65657 2011-09-02] (Motorola) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [239176 2013-02-19] (Realtek Semiconductor)
R2 ss_conn_service; C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe [754784 2016-07-22] (DEVGURU Co., LTD.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-01-12] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-12] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3674864 2014-01-08] (Intel® Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [131984 2017-05-18] (Samsung Electronics Co., Ltd.)
R1 dtsoftbus01; C:\WINDOWS\System32\drivers\dtsoftbus01.sys [283200 2013-05-08] (DT Soft Ltd)
S3 FTDIBUS; C:\WINDOWS\system32\drivers\ftdibus.sys [118160 2016-10-04] (Future Technology Devices International Ltd.)
S3 FTSER2K; C:\WINDOWS\system32\drivers\ftser2k.sys [88752 2016-10-04] ()
S3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [43664 2015-01-27] ()
S3 MADFULEGACYKEYBOARD; C:\WINDOWS\System32\drivers\MAudioLegacyKeyboard_DFU.sys [28680 2010-02-09] (M-Audio)
S3 MAUSBLEGACYKEYBOARD; C:\WINDOWS\system32\DRIVERS\MAudioLegacyKeyboard.sys [196616 2010-02-09] (M-Audio)
R3 NETwNe64; C:\WINDOWS\system32\DRIVERS\Netwew00.sys [3349984 2014-04-17] (Intel Corporation)
R3 RSP2STOR; C:\WINDOWS\system32\DRIVERS\RtsP2Stor.sys [269968 2012-07-03] (Realtek Semiconductor Corp.)
R3 SmbDrvI; C:\WINDOWS\system32\DRIVERS\Smb_driver_Intel.sys [34544 2014-08-06] (Synaptics Incorporated)
S3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [166288 2017-05-18] (Samsung Electronics Co., Ltd.)
R3 Thotkey; C:\WINDOWS\System32\drivers\Thotkey.sys [28632 2012-07-31] (Windows (R) Win 7 DDK provider)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [46600 2017-02-10] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [274776 2017-01-12] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [117592 2017-01-12] (Microsoft Corporation)
S3 XHCIPort; C:\WINDOWS\System32\drivers\XHCIPort.sys [188384 2012-08-09] (Windows (R) Win 7 DDK provider)
R3 udiskMgr; system32\drivers\twadgj.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-11-27 00:09 - 2017-11-27 00:10 - 000023844 _____ C:\Users\CRXB5\Desktop\FRST.txt
2017-11-27 00:07 - 2017-11-27 00:08 - 002391552 _____ (Farbar) C:\Users\CRXB5\Desktop\FRST64.exe
2017-11-27 00:07 - 2017-11-27 00:07 - 000057311 _____ C:\Users\CRXB5\Desktop\bDkeCWMr.htm
2017-11-26 23:54 - 2017-11-26 23:54 - 000000334 _____ C:\Users\CRXB5\Desktop\[In Progress - K] PC Runnng Slow Possible Malware, Pythagorean Virus Related.URL
2017-11-25 00:09 - 2017-11-25 00:36 - 000000000 ____D C:\Users\CRXB5\Desktop\SpywareHammer
2017-11-25 00:03 - 2017-11-25 00:03 - 000141112 ____N C:\WINDOWS\system32\Drivers\spepswzz.sys
2017-11-24 23:55 - 2017-11-24 23:56 - 008261584 _____ (Malwarebytes) C:\Users\CRXB5\Downloads\adwcleaner_7.0.4.0(1).exe
2017-11-24 23:37 - 2017-11-24 23:37 - 000000000 _____ C:\WINDOWS\EEventManager.INI
2017-11-24 23:17 - 2017-11-24 23:27 - 008261584 _____ (Malwarebytes) C:\Users\CRXB5\Downloads\adwcleaner_7.0.4.0.exe
2017-11-24 23:09 - 2017-11-27 00:11 - 000000000 ____D C:\Users\CRXB5\AppData\Local\scowarz
2017-11-24 23:06 - 2017-11-24 23:06 - 000253880 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2017-11-24 23:06 - 2017-11-24 23:06 - 000193464 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MbamChameleon.sys
2017-11-24 23:06 - 2017-11-24 23:06 - 000046008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2017-11-24 23:04 - 2017-11-24 23:04 - 000001894 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-11-24 23:04 - 2017-11-24 23:04 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-11-24 23:04 - 2017-11-24 23:04 - 000000000 ____D C:\ProgramData\Malwarebytes
2017-11-24 23:04 - 2017-11-01 08:54 - 000077432 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-11-24 22:57 - 2017-11-24 22:57 - 000000000 ____D C:\ProgramData\MB3CoreBackup
2017-11-24 22:57 - 2017-11-24 22:57 - 000000000 ____D C:\ProgramData\MB2Migration
2017-11-24 22:57 - 2017-11-24 22:57 - 000000000 ____D C:\Program Files\Malwarebytes
2017-11-24 22:52 - 2017-11-24 22:56 - 078346672 _____ (Malwarebytes ) C:\Users\CRXB5\Downloads\mb3-setup-consumer-3.3.1.2183.exe
2017-11-24 22:28 - 2017-11-24 22:29 - 000289656 _____ C:\WINDOWS\Minidump\112417-72531-01.dmp
2017-11-24 22:28 - 2017-11-24 22:28 - 954011789 _____ C:\WINDOWS\MEMORY.DMP
2017-11-24 22:28 - 2017-11-24 22:28 - 000000000 ____D C:\WINDOWS\Minidump
2017-11-24 22:23 - 2017-11-27 00:10 - 000000000 ____D C:\Users\CRXB5\AppData\Local\vsmrkel
2017-11-24 22:23 - 2017-11-24 22:46 - 000000000 ____D C:\Users\CRXB5\AppData\Local\igfxmtc
2017-11-24 22:22 - 2017-11-25 00:03 - 002884096 _____ (TOSHIBA CORPORATION) C:\WINDOWS\system32\siaumzesvc.exe
2017-11-24 22:22 - 2017-11-24 22:22 - 000000000 ____D C:\WINDOWS\SysWOW64\psomezt
2017-11-24 22:22 - 2017-11-24 22:22 - 000000000 ____D C:\WINDOWS\system32\psomezt
2017-11-24 22:22 - 2017-11-24 22:22 - 000000000 ____D C:\Users\CRXB5\AppData\Local\npx
2017-11-24 22:21 - 2017-11-24 22:21 - 000003632 _____ C:\WINDOWS\System32\Tasks\bak5474231k5474231
2017-11-24 22:21 - 2017-11-24 22:21 - 000000020 _____ C:\WINDOWS\b42329355
2017-11-24 22:21 - 2017-11-24 22:21 - 000000000 ___HD C:\Program Files (x86)\Restriction
2017-11-24 22:21 - 2017-11-24 22:21 - 000000000 ___HD C:\Program Files (x86)\magnitude
2017-11-24 22:21 - 2017-11-24 22:21 - 000000000 ____D C:\Users\CRXB5\AppData\Roaming\et
2017-11-24 22:21 - 2017-11-24 22:21 - 000000000 ____D C:\Program Files (x86)\imposters
2017-11-24 22:21 - 2017-11-24 22:21 - 000000000 ____D C:\Program Files (x86)\Fated
2017-11-24 22:15 - 2017-11-24 23:34 - 000000000 ____D C:\Users\CRXB5\AppData\Roaming\AGData
2017-11-24 22:14 - 2017-11-24 22:14 - 001018880 _____ C:\WINDOWS\2c78c97c88c50bfb8396dcb7ad23b224.dll
2017-11-24 19:19 - 2017-11-24 19:20 - 000032368 _____ C:\Users\CRXB5\Downloads\greenroom2016hdripxvidac3-evo-english-90113.zip
2017-11-24 06:26 - 2017-11-24 06:26 - 000614400 _____ C:\WINDOWS\7518628ea7ba8133f5edea79a3701417.exe
2017-11-24 06:26 - 2017-11-24 06:26 - 000051624 _____ C:\WINDOWS\uninstaller.dat
2017-11-24 04:35 - 2017-11-24 04:35 - 000011264 _____ (Pythagorean) C:\WINDOWS\boasted.exe
2017-11-24 04:35 - 2017-11-24 04:35 - 000011264 _____ (Pythagorean) C:\Users\CRXB5\AppData\Local\pythagorean.exe
2017-11-22 22:48 - 2017-11-22 22:48 - 000000000 ____D C:\Users\CRXB5\Downloads\Green Room 2015 1080p BluRay x264 DTS-JYK
2017-11-22 03:26 - 2017-11-22 03:29 - 026000601 _____ C:\Users\CRXB5\Downloads\7797148.flv
2017-11-22 01:46 - 2017-11-17 10:37 - 004168704 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2017-11-20 01:45 - 2017-11-20 01:45 - 031998770 _____ C:\Users\CRXB5\Downloads\Lil Peep - Come Over When You're Sober, Pt. 1.zip
2017-11-19 14:32 - 2017-11-19 14:32 - 025249158 _____ C:\Users\CRXB5\Downloads\CE2011ProceedingBookourpaperincluded.pdf
2017-11-15 14:51 - 2017-11-15 14:51 - 000000000 ____D C:\Users\CRXB5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2017-11-15 02:55 - 2017-11-15 02:55 - 128103559 _____ C:\Users\CRXB5\Downloads\drums.rar
2017-11-15 02:53 - 2017-11-15 02:53 - 000000225 _____ C:\Users\CRXB5\Desktop\New Beat I Made MPC 500 Instrumental - YouTube.URL
2017-11-14 19:37 - 2017-10-17 14:11 - 000339968 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msexcl40.dll
2017-11-14 19:37 - 2017-10-16 13:38 - 002013016 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ntfs.sys
2017-11-14 19:37 - 2017-10-14 08:04 - 001548624 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgkrnl.sys
2017-11-14 19:37 - 2017-10-14 03:38 - 025731584 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2017-11-14 19:37 - 2017-10-14 03:13 - 002903552 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2017-11-14 19:37 - 2017-10-14 03:11 - 000576512 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2017-11-14 19:37 - 2017-10-14 03:09 - 005979648 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2017-11-14 19:37 - 2017-10-14 03:01 - 000816640 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2017-11-14 19:37 - 2017-10-14 02:36 - 001033216 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2017-11-14 19:37 - 2017-10-14 02:31 - 000262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2017-11-14 19:37 - 2017-10-14 02:30 - 015266816 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2017-11-14 19:37 - 2017-10-14 02:30 - 000726528 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2017-11-14 19:37 - 2017-10-14 02:30 - 000380416 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2017-11-14 19:37 - 2017-10-14 02:29 - 000807936 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2017-11-14 19:37 - 2017-10-14 02:27 - 002134528 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2017-11-14 19:37 - 2017-10-14 02:21 - 003241472 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2017-11-14 19:37 - 2017-10-14 02:14 - 020269056 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2017-11-14 19:37 - 2017-10-14 02:09 - 001544704 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2017-11-14 19:37 - 2017-10-14 02:05 - 015431680 _____ (Microsoft Corporation) C:\WINDOWS\system32\wmp.dll
2017-11-14 19:37 - 2017-10-14 01:58 - 000800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2017-11-14 19:37 - 2017-10-14 01:53 - 000499200 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2017-11-14 19:37 - 2017-10-14 01:50 - 002293760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2017-11-14 19:37 - 2017-10-14 01:45 - 000662016 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2017-11-14 19:37 - 2017-10-14 01:33 - 004542464 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2017-11-14 19:37 - 2017-10-14 01:28 - 013680128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2017-11-14 19:37 - 2017-10-14 01:28 - 000880640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2017-11-14 19:37 - 2017-10-14 01:25 - 000230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2017-11-14 19:37 - 2017-10-14 01:24 - 000694272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2017-11-14 19:37 - 2017-10-14 01:24 - 000331776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2017-11-14 19:37 - 2017-10-14 01:23 - 002058752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2017-11-14 19:37 - 2017-10-14 01:14 - 013317632 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wmp.dll
2017-11-14 19:37 - 2017-10-14 01:10 - 002767872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2017-11-14 19:37 - 2017-10-14 01:07 - 001314304 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2017-11-14 19:37 - 2017-10-14 01:04 - 000710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2017-11-14 19:37 - 2017-10-10 11:36 - 000124416 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\luafv.sys
2017-11-14 19:37 - 2017-10-10 10:38 - 003631616 _____ (Microsoft Corporation) C:\WINDOWS\system32\tquery.dll
2017-11-14 19:37 - 2017-10-10 10:38 - 000425984 _____ (Microsoft Corporation) C:\WINDOWS\system32\PCPTpm12.dll
2017-11-14 19:37 - 2017-10-10 10:11 - 002749952 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tquery.dll
2017-11-14 19:37 - 2017-10-10 10:08 - 000367104 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PCPTpm12.dll
2017-11-14 19:37 - 2017-10-05 02:17 - 000380248 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\storport.sys
2017-11-14 19:37 - 2017-09-14 18:52 - 000986968 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\http.sys
2017-11-14 19:37 - 2017-09-08 12:14 - 003084288 _____ (Microsoft Corporation) C:\WINDOWS\system32\msftedit.dll
2017-11-14 19:37 - 2017-09-08 11:50 - 002471424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msftedit.dll
2017-11-14 19:37 - 2017-09-07 22:31 - 000685440 _____ (Microsoft Corporation) C:\WINDOWS\system32\advapi32.dll
2017-11-14 19:37 - 2017-09-07 22:28 - 000507176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\advapi32.dll
2017-11-14 19:37 - 2017-09-07 16:31 - 000022528 _____ (Microsoft Corporation) C:\WINDOWS\system32\mgmtapi.dll
2017-11-14 19:37 - 2017-09-07 14:20 - 000018944 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mgmtapi.dll
2017-11-14 19:37 - 2017-09-07 12:20 - 000513456 _____ C:\WINDOWS\SysWOW64\locale.nls
2017-11-14 19:37 - 2017-09-07 12:20 - 000513456 _____ C:\WINDOWS\system32\locale.nls
2017-11-14 19:37 - 2017-09-07 08:40 - 000995272 _____ (Microsoft Corporation) C:\WINDOWS\system32\ucrtbase.dll
2017-11-14 19:37 - 2017-09-07 08:40 - 000922432 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ucrtbase.dll
2017-11-14 19:37 - 2017-09-06 18:07 - 000158552 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\usbccgp.sys
2017-11-14 19:37 - 2017-09-06 16:17 - 000461144 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\usbhub.sys
2017-11-14 19:37 - 2017-09-06 16:17 - 000443224 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\usbport.sys
2017-11-14 19:37 - 2017-09-06 09:14 - 000166400 _____ (Microsoft Corporation) C:\WINDOWS\system32\regsvc.dll
2017-11-14 19:37 - 2017-08-10 20:39 - 002779136 _____ (Microsoft Corporation) C:\WINDOWS\system32\authui.dll
2017-11-14 19:37 - 2017-08-10 20:30 - 002464256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\authui.dll
2017-11-14 19:32 - 2017-11-14 19:32 - 000002275 _____ C:\Users\CRXB5\Desktop\Kindle.lnk
2017-11-14 19:31 - 2017-11-14 19:31 - 055925296 _____ (Amazon.com) C:\Users\CRXB5\Downloads\KindleForPC-installer-1.21.48017.exe
2017-11-14 19:27 - 2017-10-11 02:35 - 000143016 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2017-11-14 19:27 - 2017-10-10 10:21 - 000463872 _____ (Microsoft Corporation) C:\WINDOWS\system32\pcasvc.dll
2017-11-14 19:27 - 2017-10-10 08:18 - 002023936 _____ (Microsoft Corporation) C:\WINDOWS\system32\aitstatic.exe
2017-11-14 19:27 - 2017-10-10 08:18 - 001570304 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2017-11-14 19:27 - 2017-10-10 08:18 - 000670208 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2017-11-14 19:27 - 2017-10-10 08:18 - 000605184 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2017-11-14 19:27 - 2017-10-10 08:18 - 000603648 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2017-11-14 19:27 - 2017-10-10 08:18 - 000402944 _____ (Microsoft Corporation) C:\WINDOWS\system32\centel.dll
2017-11-14 19:27 - 2017-10-10 08:18 - 000370688 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2017-11-14 19:27 - 2017-10-10 08:18 - 000241664 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepic.dll
2017-11-14 19:27 - 2017-10-10 08:18 - 000181760 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2017-11-14 00:56 - 2017-11-14 01:13 - 052305317 _____ C:\Users\CRXB5\Downloads\136051.rar
2017-11-13 21:13 - 2017-11-13 21:13 - 000000234 _____ C:\Users\CRXB5\Desktop\Beat's Vault.URL
2017-10-31 22:47 - 2017-10-31 22:47 - 001852992 _____ (Oracle Corporation) C:\Users\CRXB5\Downloads\JavaSetup8u151.exe
2017-10-31 01:30 - 2017-10-31 01:30 - 000000225 _____ C:\Users\CRXB5\Desktop\American Football - 'Never Meant' - Guitar Cover by George Wood - YouTube.URL
2017-10-29 22:47 - 2017-10-29 22:47 - 000001581 _____ C:\Users\Public\Desktop\AmericasCardroom.lnk
2017-10-29 22:47 - 2017-10-29 22:47 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AmericasCardroom
2017-10-29 22:41 - 2017-10-29 22:42 - 089245376 _____ C:\Users\CRXB5\Downloads\americascardroom_com(1).exe
2017-10-29 14:21 - 2017-10-29 14:22 - 068243976 _____ C:\Users\CRXB5\Downloads\finallywearenoone.zip

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-11-27 00:09 - 2013-10-07 12:00 - 000000000 ____D C:\FRST
2017-11-27 00:07 - 2015-06-19 05:39 - 000000924 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskUserS-1-5-21-3623611392-2939539441-2581462275-1001UA.job
2017-11-27 00:00 - 2013-01-27 21:48 - 000003598 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3623611392-2939539441-2581462275-1001
2017-11-26 23:47 - 2013-08-22 08:36 - 000000000 ____D C:\WINDOWS\Inf
2017-11-26 21:54 - 2013-01-27 21:41 - 000000000 ____D C:\Users\CRXB5\AppData\Local\Packages
2017-11-26 21:36 - 2013-02-10 12:52 - 000000000 ____D C:\Users\CRXB5\AppData\Local\Adobe
2017-11-26 21:35 - 2014-10-13 17:58 - 000003902 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{8AFD660D-AD1B-4290-AFE4-1A36A56A9935}
2017-11-26 21:33 - 2016-11-23 10:31 - 000000000 ____D C:\Users\CRXB5\AppData\LocalLow\Mozilla
2017-11-25 10:27 - 2013-08-22 10:36 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-11-25 10:25 - 2013-02-15 20:24 - 000000000 ____D C:\Program Files\Microsoft Office 15
2017-11-25 01:24 - 2017-03-21 00:38 - 000000000 ____D C:\AmericasCardroom
2017-11-25 00:27 - 2014-07-30 22:00 - 000000000 ____D C:\Users\CRXB5\Desktop\2014 vsts
2017-11-25 00:12 - 2013-06-12 00:56 - 000000000 ___RD C:\Users\CRXB5\Google Drive
2017-11-25 00:04 - 2013-08-22 09:45 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-11-25 00:04 - 2013-03-12 21:19 - 000000000 ____D C:\Temp
2017-11-25 00:03 - 2013-08-22 08:25 - 012320768 _____ C:\WINDOWS\system32\config\HARDWARE
2017-11-25 00:01 - 2013-10-09 19:13 - 000000000 ____D C:\AdwCleaner
2017-11-24 22:58 - 2014-10-13 17:19 - 000000000 ____D C:\Users\CRXB5
2017-11-24 22:44 - 2014-09-24 02:15 - 000886932 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-11-24 22:36 - 2013-08-22 09:44 - 005206248 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-11-24 22:33 - 2013-08-22 08:25 - 000262144 ___SH C:\WINDOWS\system32\config\BBI
2017-11-24 22:28 - 2016-11-17 17:01 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-11-24 22:10 - 2013-04-01 15:34 - 000000000 ____D C:\Users\CRXB5\AppData\Roaming\vlc
2017-11-24 21:13 - 2013-08-07 20:13 - 000000000 ____D C:\Users\CRXB5\Desktop\movie rips
2017-11-23 00:58 - 2017-08-15 01:03 - 000000000 ____D C:\Users\CRXB5\AppData\Roaming\poker-client-electron-common
2017-11-23 00:57 - 2017-01-10 23:39 - 000000000 ____D C:\Ignition
2017-11-22 22:48 - 2017-10-23 00:38 - 000000000 ____D C:\Users\CRXB5\AppData\LocalLow\uTorrent
2017-11-22 03:42 - 2012-07-26 02:59 - 000000000 ____D C:\WINDOWS\CbsTemp
2017-11-22 03:07 - 2015-06-19 05:39 - 000000872 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskUserS-1-5-21-3623611392-2939539441-2581462275-1001Core.job
2017-11-19 14:29 - 2013-02-10 16:13 - 002254848 ___SH C:\Users\CRXB5\Desktop\Thumbs.db
2017-11-17 21:09 - 2013-08-22 10:36 - 000000000 ____D C:\WINDOWS\rescache
2017-11-17 20:09 - 2013-08-22 10:36 - 000000000 ___HD C:\Program Files\WindowsApps
2017-11-17 20:09 - 2013-08-22 10:36 - 000000000 ____D C:\WINDOWS\AppReadiness
2017-11-17 19:22 - 2013-02-08 21:29 - 000000000 ____D C:\Users\CRXB5\AppData\Roaming\Mozilla
2017-11-17 19:21 - 2013-04-21 20:48 - 000001293 _____ C:\Users\CRXB5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2017-11-17 19:21 - 2013-02-08 20:41 - 000001186 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2017-11-17 19:21 - 2013-02-08 20:41 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-11-17 19:04 - 2014-12-14 11:59 - 000000000 ____D C:\WINDOWS\system32\appraiser
2017-11-16 23:45 - 2015-11-16 10:17 - 000004476 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
2017-11-16 23:44 - 2015-11-16 10:16 - 000002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-11-15 14:52 - 2013-04-02 11:58 - 000000000 ____D C:\Users\CRXB5\AppData\Roaming\Dropbox
2017-11-15 02:58 - 2014-08-12 23:17 - 000000000 ____D C:\Users\CRXB5\Desktop\New Kit 33
2017-11-14 19:40 - 2017-10-02 21:06 - 000000000 ____D C:\Users\CRXB5\Desktop\Online MBA
2017-11-14 19:36 - 2013-08-15 23:31 - 000000000 ____D C:\Users\CRXB5\Documents\My Kindle Content
2017-11-14 19:32 - 2013-08-15 23:30 - 000000000 ____D C:\Users\CRXB5\AppData\Local\Amazon
2017-11-14 18:39 - 2013-08-22 10:36 - 000000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-11-14 18:39 - 2013-08-22 10:36 - 000000000 ____D C:\WINDOWS\system32\Macromed
2017-11-14 18:39 - 2013-05-30 01:18 - 000004288 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2017-11-13 22:24 - 2013-06-12 00:55 - 000003330 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2017-11-13 22:24 - 2013-06-12 00:55 - 000003202 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2017-11-11 14:31 - 2017-01-01 22:00 - 000000000 ____D C:\Users\CRXB5\Desktop\2017 Archives
2017-11-04 15:44 - 2017-09-20 20:25 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Backup and Sync from Google
2017-11-03 19:41 - 2017-05-16 00:21 - 000835568 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-11-03 19:41 - 2017-05-16 00:21 - 000177648 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2017-10-31 22:48 - 2014-10-13 17:57 - 000000000 ____D C:\ProgramData\Oracle
2017-10-31 22:48 - 2014-10-13 17:56 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-10-31 22:48 - 2013-05-12 23:33 - 000000000 ____D C:\Program Files (x86)\Java
2017-10-31 22:47 - 2014-10-13 17:56 - 000097856 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll

==================== Files in the root of some directories =======

2013-08-09 22:09 - 2013-08-09 22:09 - 001249792 _____ (http://www.ruby-lang.org/) C:\Users\CRXB5\AppData\Roaming\msvcr90-ruby191.dll
2013-11-13 17:52 - 2013-11-13 17:52 - 144752885 _____ () C:\Users\CRXB5\AppData\Local\ACCCx2_2_1_260.zip.aamdownload
2013-11-13 17:52 - 2013-11-13 17:52 - 000001817 _____ () C:\Users\CRXB5\AppData\Local\ACCCx2_2_1_260.zip.aamdownload.aamd
2017-11-24 04:35 - 2017-11-24 04:35 - 000011264 _____ (Pythagorean) C:\Users\CRXB5\AppData\Local\pythagorean.exe
2014-10-16 23:28 - 2014-10-16 23:28 - 000001509 _____ () C:\Users\CRXB5\AppData\Local\recently-used.xbel

Some files in TEMP:
====================
2017-11-24 22:12 - 2017-11-24 22:12 - 000024612 _____ (Valssaamontie 53) C:\Users\CRXB5\AppData\Local\Temp\capi.exe
2015-05-10 18:39 - 2015-05-10 18:39 - 008104768 _____ () C:\Users\CRXB5\AppData\Local\Temp\converter.exe
2015-11-21 11:21 - 2015-11-21 11:21 - 000071168 _____ () C:\Users\CRXB5\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpqgnfvh.dll
2017-11-24 22:12 - 2017-11-24 22:12 - 003061772 _____ () C:\Users\CRXB5\AppData\Local\Temp\golm.exe
2014-07-28 00:15 - 2014-07-28 00:15 - 000918440 _____ (Oracle Corporation) C:\Users\CRXB5\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
2017-01-29 00:38 - 2017-01-29 00:38 - 000739904 _____ (Oracle Corporation) C:\Users\CRXB5\AppData\Local\Temp\jre-8u121-windows-au.exe
2017-07-28 19:06 - 2017-07-28 19:06 - 000740416 _____ (Oracle Corporation) C:\Users\CRXB5\AppData\Local\Temp\jre-8u144-windows-au.exe
2015-04-30 18:37 - 2015-04-30 18:37 - 000562272 _____ (Oracle Corporation) C:\Users\CRXB5\AppData\Local\Temp\jre-8u45-windows-au.exe
2016-05-09 17:25 - 2016-05-09 17:26 - 000739904 _____ (Oracle Corporation) C:\Users\CRXB5\AppData\Local\Temp\jre-8u91-windows-au.exe
2016-10-06 19:33 - 2016-10-06 19:33 - 002458672 _____ (The OpenSSL Project, http://www.openssl.org/) C:\Users\CRXB5\AppData\Local\Temp\libeay32.dll
2017-11-24 22:57 - 2017-11-24 22:56 - 078346672 _____ (Malwarebytes                                                ) C:\Users\CRXB5\AppData\Local\Temp\mb3-setup-consumer-3.3.1.2183.exe
2016-10-06 19:33 - 2016-10-06 19:33 - 000970912 _____ (Microsoft Corporation) C:\Users\CRXB5\AppData\Local\Temp\msvcr120.dll
2015-12-07 15:45 - 2014-09-25 09:55 - 000192000 _____ () C:\Users\CRXB5\AppData\Local\Temp\nls-checker-xp.exe
2015-12-07 15:45 - 2014-09-25 09:55 - 000204800 _____ () C:\Users\CRXB5\AppData\Local\Temp\nls-smart-installer-xp.exe
2017-11-24 22:12 - 2017-11-24 22:16 - 001792069 _____ () C:\Users\CRXB5\AppData\Local\Temp\pi.exe
2016-10-06 19:33 - 2016-10-06 19:33 - 000772672 _____ () C:\Users\CRXB5\AppData\Local\Temp\sqlite3.dll
2017-11-24 22:12 - 2017-11-24 22:12 - 001067520 _____ () C:\Users\CRXB5\AppData\Local\Temp\XvidCodecInstaller.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\WINDOWS\system32\drivers\spepswzz.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION

LastRegBack: 2017-11-17 20:08

==================== End of FRST.txt ============================

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7676
Hello crxb5,

Do you have access to a USB flash drive no less than 4GB in size? See if you can complete the following:

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running the FRST fix."
NOTE: It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes and is updated do the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" and ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "Dashboard" and select the Blue "Scan Now" tab......

When the scan completes deal with any found entries...

To get the log from Malwarebytes do the following:

  • Click on the Report tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:

      Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
      Text file (*.txt) - if selected, you will have to name the file and save it to a place of your choice (recommend "Desktop"), then attach it to your reply

  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log into your reply…

Let me see those logs in your reply...

Thank you,

Kevin.

Offline crxb5

  • Bronze Member
  • Posts: 66
I have attached the results as requested. It appears the fixlog.txt did not find much at all? Please let me know how to proceed from here. The virus/malware is still present, as my computer is still running slow and the process pythagorean is still impossible to delete. THANKS. (MB scan is attached)

Fix result of Farbar Recovery Scan Tool (x64) Version: 27-11-2017
Ran by CRXB5 (28-11-2017 02:53:44) Run:2
Running from C:\Users\CRXB5\Desktop\SpywareHammer
Loaded Profiles: CRXB5 (Available Profiles: CRXB5)
Boot Mode: Normal
==============================================

fixlist content:
*****************

*****************


==== End of Fixlog 02:53:44 ====

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7676
Hello crxb5,

It would seem that you have the latest version of the "smartservice" infection. This infection may have two hidden rootkits; it is also prepared to combat FRST fixes by deleting the contents of the "fixlist.txt" file.... One of the rootkits may even replace and rename itself as fixes and reboots are completed.

Let's try the following:

Open FRST so you have it sitting ready on your desktop, do not have any other windows open....

Select these keys together: Ctrl - Y. A blank Notepad page will open. Copy and paste the following script to that blank page:

Code:
Start::
CloseProcesses:
CreateRestorePoint:
HKLM\...\Run: [pgm] => C:\Program Files (x86)\Fated\pythagorean.exe [11264 2017-11-24] (Pythagorean)
C:\Program Files (x86)\Fated
HKLM\...\Run: [pgmpgm] => C:\Program Files (x86)\Restriction\pythagorean.exe [11264 2017-11-24] (Pythagorean)
C:\Program Files (x86)\Restriction
HKLM-x32\...\Run: [chipping] => C:\Program Files (x86)\Fated\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKLM-x32\...\Run: [chippingchipping] => C:\Program Files (x86)\Restriction\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [Zoom] => [X]
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [laggards] => C:\Program Files (x86)\Fated\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [laggardslaggards] => C:\Program Files (x86)\Restriction\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [frangipani] => C:\Program Files (x86)\Fated\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [frangipanifrangipani] => C:\Program Files (x86)\Restriction\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [governs] => C:\Program Files (x86)\magnitude\governs.exe [66987 2017-11-24] ()
C:\Program Files (x86)\magnitude
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [numismatist] => C:\Program Files (x86)\Fated\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Users\CRXB5\AppData\Roaming\Microsoft\Protect\c65560-5f30c1-f1d27368-b602f1-5df0.rs" <==== ATTENTION
C:\Users\CRXB5\AppData\Roaming\Microsoft\Protect\c65560-5f30c1-f1d27368-b602f1-5df0.rs
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\RunOnce: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Users\CRXB5\AppData\Roaming\Microsoft\Protect\c65560-5f30c1-f1d27368-b602f1-5df0.rs" <==== ATTENTION
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\MountPoints2: {0260a71c-d4ff-11e5-bf00-e73811b99ae5} - "E:\HTC_Sync_Manager_PC.exe"
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\MountPoints2: {3e4b8e68-749d-11e3-bebe-008cfa2c72ff} - "E:\VerizonWirelessUpgradeAssistantSetup.exe" -a
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\MountPoints2: {6f725e7d-cd0c-11e5-beff-8401384f88ba} - "E:\MotorolaDeviceManagerSetup.exe" -a
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\MountPoints2: {9060afb0-71dc-11e4-bee3-fdca786ef024} - "E:\VerizonWirelessUpgradeAssistantSetup.exe" -a
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\MountPoints2: {a6d82073-81de-11e5-befc-ed31c84eae63} - "E:\VerizonWirelessUpgradeAssistantSetup.exe" -a
ShortcutTarget: Epson all-in-one Registration.lnk -> D:\Common\EpsonReg\EpsonReg.exe (No File)
Startup: C:\Users\CRXB5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pakula.lnk [2017-11-24]
ShortcutTarget: pakula.lnk -> C:\Program Files (x86)\Fated\pythagorean.exe (Pythagorean)
FF user.js: detected! => C:\Users\CRXB5\AppData\Roaming\Mozilla\Firefox\Profiles\h8dpgyrv.default\user.js [2014-07-30]
S2 apexpsvc; C:\Users\CRXB5\AppData\Local\npx\apexpsvc.exe [245760 2017-09-03] () [File not signed]
Unlock: C:\Users\CRXB5\AppData\Local\npx\apexpsvc.exe
C:\Users\CRXB5\AppData\Local\npx\apexpsvc.exe
Unlock: C:\Users\CRXB5\AppData\Local\igfxmtc\igfxmtc.exe
C:\Users\CRXB5\AppData\Local\igfxmtc\igfxmtc.exe
C:\Users\CRXB5\AppData\Local\igfxmtc
R3 udiskMgr; system32\drivers\twadgj.sys [X]
C:\WINDOWS\system32\Drivers\spepswzz.sys
C:\Users\CRXB5\AppData\Local\scowarz
2017-11-24 22:23 - 2017-11-27 00:10 - 000000000 ____D C:\Users\CRXB5\AppData\Local\vsmrkel
2017-11-24 22:23 - 2017-11-24 22:46 - 000000000 ____D C:\Users\CRXB5\AppData\Local\igfxmtc
2017-11-24 22:22 - 2017-11-25 00:03 - 002884096 _____ (TOSHIBA CORPORATION) C:\WINDOWS\system32\siaumzesvc.exe
2017-11-24 22:22 - 2017-11-24 22:22 - 000000000 ____D C:\WINDOWS\SysWOW64\psomezt
2017-11-24 22:22 - 2017-11-24 22:22 - 000000000 ____D C:\WINDOWS\system32\psomezt
2017-11-24 22:22 - 2017-11-24 22:22 - 000000000 ____D C:\Users\CRXB5\AppData\Local\npx
2017-11-24 22:21 - 2017-11-24 22:21 - 000003632 _____ C:\WINDOWS\System32\Tasks\bak5474231k5474231
2017-11-24 22:21 - 2017-11-24 22:21 - 000000020 _____ C:\WINDOWS\b42329355
2017-11-24 22:21 - 2017-11-24 22:21 - 000000000 ____D C:\Users\CRXB5\AppData\Roaming\et
2017-11-24 22:21 - 2017-11-24 22:21 - 000000000 ____D C:\Program Files (x86)\imposters
2017-11-24 22:14 - 2017-11-24 22:14 - 001018880 _____ C:\WINDOWS\2c78c97c88c50bfb8396dcb7ad23b224.dll
2017-11-24 06:26 - 2017-11-24 06:26 - 000614400 _____ C:\WINDOWS\7518628ea7ba8133f5edea79a3701417.exe
2017-11-24 06:26 - 2017-11-24 06:26 - 000051624 _____ C:\WINDOWS\uninstaller.dat
2017-11-24 04:35 - 2017-11-24 04:35 - 000011264 _____ (Pythagorean) C:\WINDOWS\boasted.exe
2017-11-24 04:35 - 2017-11-24 04:35 - 000011264 _____ (Pythagorean) C:\Users\CRXB5\AppData\Local\pythagorean.exe
Unlock: C:\WINDOWS\system32\drivers\spepswzz.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION
C:\WINDOWS\system32\drivers\spepswzz.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION
FirewallRules: [{71BE4798-933D-47DF-B970-13B39158C718}] => (Allow) LPort=1900
FirewallRules: [{B20B71E9-4155-45DC-8861-A01BC4BA1BE6}] => (Allow) LPort=2869
FirewallRules: [{511DB526-F081-4A15-AE47-312D8189F992}] => (Allow) C:\Program Files (x86)\Popcorn Time\Updater.exe
FirewallRules: [{9D6AA932-6568-422D-AAA9-B665C0189AB1}] => (Allow) C:\Program Files (x86)\Popcorn Time\Updater.exe
FirewallRules: [{EB120B87-608E-4312-854B-FFCEAEE2A28F}] => (Allow) C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe
FirewallRules: [{D11B8275-DBA9-4962-8432-8738184EBEC1}] => (Allow) C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe
FirewallRules: [{6CA61701-D3EE-4D07-90D2-7F3F3C0D3517}] => (Allow) C:\Program Files (x86)\Popcorn Time\chromecast\node.exe
FirewallRules: [{6973B4B6-CDFE-4FD6-A732-827EE7C50012}] => (Allow) C:\Program Files (x86)\Popcorn Time\chromecast\node.exe
FirewallRules: [{64B712A3-183A-4BD4-B6D9-1772732C49BA}] => (Allow) LPort=5357
EmptyTemp:
Hosts:
CMD: ipconfig /flushDNS
end::

When the script is on that Notepad page, select these two keys together: Ctrl - S. That page will close and stay on the Desktop; do not try to name it or reopen it...
Go to FRST and select the Fix button just once. FRST will run; on completion it may reboot your system. A log will be saved to your desktop ("fixlog.txt"); post that in your next reply...

Next,

Go to this link: https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

Follow the instructions in that link and run MBAR by Malwarebytes, post the two produced logs....

Let me see those logs in your reply... Also, in case it is needed, do you have a USB flash drive no less than 4GB in size?

Thank you,

Kevin...
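
The entries kevinf80 put into that fixlist were picked out of the FRST log by eye. As an added example that is not part of this thread, of FRST, or of the helper's procedure, the Python below parses a few lines copied from the FRST log posted above and applies the same kind of rules a helper uses: hash-like file names, binaries dropped straight into C:\WINDOWS, vendor-less binaries under AppData, one vendor+size binary copied to several paths, and a driver whose reported MD5 is that of an empty file. The rule names and the parsing are my own, not FRST's.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) file listings.

Added example for this thread, not part of FRST or of the helper's procedure.
It parses the "created - modified - size attrs (company) path" lines and the
"path -> MD5 = ..." lines of an FRST log and applies rules a helper applies by eye.
"""
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple
# One FRST file entry. The "(company)" field is optional and may be "()".
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>\S.*?)\s*$")
MD5_RE = re.compile(r"^(?P<path>.+?) -> MD5 = (?P<md5>[0-9A-Fa-f]{32})")  # "Bamital & volsnap" lines
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()  # what FRST calls "0-byte MD5"
EXEC_EXT = {"exe", "dll", "sys", "cpl"}
HEX32 = re.compile(r"^[0-9a-f]{32}$")

class Entry(NamedTuple):
    created: str
    modified: str
    size: int
    attrs: str              # "_____", "____D" (directory), "___SH", ...
    company: Optional[str]  # None when FRST printed nothing or "()"
    path: str

    def split(self) -> Tuple[str, str, str]:
        # (lower-cased parent dir, file stem, extension without the dot)
        parent, _, name = self.path.lower().rpartition("\\")
        stem, dot, ext = name.rpartition(".")
        return (parent, stem, ext) if dot else (parent, name, "")

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one listing line; None for headers, blanks and other text."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    company = (m.group("company") or "").strip() or None
    return Entry(m.group("created"), m.group("modified"), int(m.group("size")),
                 m.group("attrs"), company, m.group("path"))

def triage(entry: Entry) -> List[str]:
    """Per-entry rules; an empty list means nothing stood out."""
    parent, stem, ext = entry.split()
    reasons: List[str] = []
    if "D" in entry.attrs or ext not in EXEC_EXT:
        return reasons
    if HEX32.match(stem):
        reasons.append("32-hex-digit file name (hash-like, typical of droppers)")
    if parent == "c:\\windows":
        reasons.append("binary dropped directly into C:\\WINDOWS instead of system32")
    if "\\appdata\\local\\" in parent + "\\" and entry.company is None:
        reasons.append("binary under AppData\\Local with no vendor name")
    return reasons

def find_clones(entries: List[Entry]) -> Dict[tuple, List[str]]:
    """Cross-entry rule: one vendor+size binary copied to several paths."""
    groups: Dict[tuple, set] = defaultdict(set)
    for e in entries:
        if "D" not in e.attrs and e.split()[2] in EXEC_EXT and e.company and e.size:
            groups[(e.company, e.size)].add(e.path)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def check_md5_line(line: str) -> Optional[Tuple[str, str]]:
    """(path, reason) when a verification line carries the empty-file MD5."""
    m = MD5_RE.match(line.strip())
    if m and m.group("md5").upper() == EMPTY_MD5:
        return m.group("path"), "MD5 of zero bytes: driver is empty or unreadable on disk"
    return None

def triage_log(text: str) -> Dict[str, List[str]]:
    """Map every flagged path in a whole FRST log to its reasons."""
    flagged: Dict[str, List[str]] = defaultdict(list)
    entries = [e for e in map(parse_entry, text.splitlines()) if e]
    for e in entries:
        flagged[e.path].extend(triage(e))
    for (company, size), paths in find_clones(entries).items():
        for p in paths:
            flagged[p].append(f"vendor '{company}', size {size} seen at {len(paths)} paths")
    for hit in filter(None, map(check_md5_line, text.splitlines())):
        flagged[hit[0]].append(hit[1])
    return {p: r for p, r in flagged.items() if r}

# Sample lines copied from the FRST log posted earlier in this thread.
SAMPLE_LOG = r"""
2017-11-24 22:52 - 2017-11-24 22:56 - 078346672 _____ (Malwarebytes ) C:\Users\CRXB5\Downloads\mb3-setup-consumer-3.3.1.2183.exe
2017-11-24 22:23 - 2017-11-27 00:10 - 000000000 ____D C:\Users\CRXB5\AppData\Local\vsmrkel
2017-11-24 22:14 - 2017-11-24 22:14 - 001018880 _____ C:\WINDOWS\2c78c97c88c50bfb8396dcb7ad23b224.dll
2017-11-24 04:35 - 2017-11-24 04:35 - 000011264 _____ (Pythagorean) C:\WINDOWS\boasted.exe
2017-11-24 04:35 - 2017-11-24 04:35 - 000011264 _____ (Pythagorean) C:\Users\CRXB5\AppData\Local\pythagorean.exe
2017-11-24 22:12 - 2017-11-24 22:12 - 003061772 _____ () C:\Users\CRXB5\AppData\Local\Temp\golm.exe
C:\WINDOWS\system32\drivers\spepswzz.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION
"""
if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG).items():
        print(path, *("   - " + r for r in reasons), sep="\n")
```

Entries that trip no rule, like the Malwarebytes installer in Downloads, are left out of the report; a flagged entry is a lead to verify, not a verdict.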


Offline crxb5

  • Bronze Member
  • Posts: 66
Below is the fixlog.txt, and I have attached the MB scan files. Let me know how to proceed. It seems as if the virus is gone.

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-11-2017
Ran by CRXB5 (29-11-2017 23:53:56) Run:3
Running from C:\Users\CRXB5\Desktop\SpywareHammer
Loaded Profiles: CRXB5 (Available Profiles: CRXB5)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
HKLM\...\Run: [pgm] => C:\Program Files (x86)\Fated\pythagorean.exe [11264 2017-11-24] (Pythagorean)
C:\Program Files (x86)\Fated
HKLM\...\Run: [pgmpgm] => C:\Program Files (x86)\Restriction\pythagorean.exe [11264 2017-11-24] (Pythagorean)
C:\Program Files (x86)\Restriction
HKLM-x32\...\Run: [chipping] => C:\Program Files (x86)\Fated\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKLM-x32\...\Run: [chippingchipping] => C:\Program Files (x86)\Restriction\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [Zoom] => [X]
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [laggards] => C:\Program Files (x86)\Fated\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [laggardslaggards] => C:\Program Files (x86)\Restriction\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [frangipani] => C:\Program Files (x86)\Fated\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [frangipanifrangipani] => C:\Program Files (x86)\Restriction\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [governs] => C:\Program Files (x86)\magnitude\governs.exe [66987 2017-11-24] ()
C:\Program Files (x86)\magnitude
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [numismatist] => C:\Program Files (x86)\Fated\pythagorean.exe [11264 2017-11-24] (Pythagorean)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Users\CRXB5\AppData\Roaming\Microsoft\Protect\c65560-5f30c1-f1d27368-b602f1-5df0.rs" <==== ATTENTION
C:\Users\CRXB5\AppData\Roaming\Microsoft\Protect\c65560-5f30c1-f1d27368-b602f1-5df0.rs
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\RunOnce: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Users\CRXB5\AppData\Roaming\Microsoft\Protect\c65560-5f30c1-f1d27368-b602f1-5df0.rs" <==== ATTENTION
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\MountPoints2: {0260a71c-d4ff-11e5-bf00-e73811b99ae5} - "E:\HTC_Sync_Manager_PC.exe"
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\MountPoints2: {3e4b8e68-749d-11e3-bebe-008cfa2c72ff} - "E:\VerizonWirelessUpgradeAssistantSetup.exe" -a
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\MountPoints2: {6f725e7d-cd0c-11e5-beff-8401384f88ba} - "E:\MotorolaDeviceManagerSetup.exe" -a
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\MountPoints2: {9060afb0-71dc-11e4-bee3-fdca786ef024} - "E:\VerizonWirelessUpgradeAssistantSetup.exe" -a
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\MountPoints2: {a6d82073-81de-11e5-befc-ed31c84eae63} - "E:\VerizonWirelessUpgradeAssistantSetup.exe" -a
ShortcutTarget: Epson all-in-one Registration.lnk -> D:\Common\EpsonReg\EpsonReg.exe (No File)
Startup: C:\Users\CRXB5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pakula.lnk [2017-11-24]
ShortcutTarget: pakula.lnk -> C:\Program Files (x86)\Fated\pythagorean.exe (Pythagorean)
FF user.js: detected! => C:\Users\CRXB5\AppData\Roaming\Mozilla\Firefox\Profiles\h8dpgyrv.default\user.js [2014-07-30]
S2 apexpsvc; C:\Users\CRXB5\AppData\Local\npx\apexpsvc.exe [245760 2017-09-03] () [File not signed]
Unlock: C:\Users\CRXB5\AppData\Local\npx\apexpsvc.exe
C:\Users\CRXB5\AppData\Local\npx\apexpsvc.exe
Unlock: C:\Users\CRXB5\AppData\Local\igfxmtc\igfxmtc.exe
C:\Users\CRXB5\AppData\Local\igfxmtc\igfxmtc.exe
C:\Users\CRXB5\AppData\Local\igfxmtc
R3 udiskMgr; system32\drivers\twadgj.sys [X]
C:\WINDOWS\system32\Drivers\spepswzz.sys
C:\Users\CRXB5\AppData\Local\scowarz
2017-11-24 22:23 - 2017-11-27 00:10 - 000000000 ____D C:\Users\CRXB5\AppData\Local\vsmrkel
2017-11-24 22:23 - 2017-11-24 22:46 - 000000000 ____D C:\Users\CRXB5\AppData\Local\igfxmtc
2017-11-24 22:22 - 2017-11-25 00:03 - 002884096 _____ (TOSHIBA CORPORATION) C:\WINDOWS\system32\siaumzesvc.exe
2017-11-24 22:22 - 2017-11-24 22:22 - 000000000 ____D C:\WINDOWS\SysWOW64\psomezt
2017-11-24 22:22 - 2017-11-24 22:22 - 000000000 ____D C:\WINDOWS\system32\psomezt
2017-11-24 22:22 - 2017-11-24 22:22 - 000000000 ____D C:\Users\CRXB5\AppData\Local\npx
2017-11-24 22:21 - 2017-11-24 22:21 - 000003632 _____ C:\WINDOWS\System32\Tasks\bak5474231k5474231
2017-11-24 22:21 - 2017-11-24 22:21 - 000000020 _____ C:\WINDOWS\b42329355
2017-11-24 22:21 - 2017-11-24 22:21 - 000000000 ____D C:\Users\CRXB5\AppData\Roaming\et
2017-11-24 22:21 - 2017-11-24 22:21 - 000000000 ____D C:\Program Files (x86)\imposters
2017-11-24 22:14 - 2017-11-24 22:14 - 001018880 _____ C:\WINDOWS\2c78c97c88c50bfb8396dcb7ad23b224.dll
2017-11-24 06:26 - 2017-11-24 06:26 - 000614400 _____ C:\WINDOWS\7518628ea7ba8133f5edea79a3701417.exe
2017-11-24 06:26 - 2017-11-24 06:26 - 000051624 _____ C:\WINDOWS\uninstaller.dat
2017-11-24 04:35 - 2017-11-24 04:35 - 000011264 _____ (Pythagorean) C:\WINDOWS\boasted.exe
2017-11-24 04:35 - 2017-11-24 04:35 - 000011264 _____ (Pythagorean) C:\Users\CRXB5\AppData\Local\pythagorean.exe
Unlock: C:\WINDOWS\system32\drivers\spepswzz.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION
C:\WINDOWS\system32\drivers\spepswzz.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION
FirewallRules: [{71BE4798-933D-47DF-B970-13B39158C718}] => (Allow) LPort=1900
FirewallRules: [{B20B71E9-4155-45DC-8861-A01BC4BA1BE6}] => (Allow) LPort=2869
FirewallRules: [{511DB526-F081-4A15-AE47-312D8189F992}] => (Allow) C:\Program Files (x86)\Popcorn Time\Updater.exe
FirewallRules: [{9D6AA932-6568-422D-AAA9-B665C0189AB1}] => (Allow) C:\Program Files (x86)\Popcorn Time\Updater.exe
FirewallRules: [{EB120B87-608E-4312-854B-FFCEAEE2A28F}] => (Allow) C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe
FirewallRules: [{D11B8275-DBA9-4962-8432-8738184EBEC1}] => (Allow) C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe
FirewallRules: [{6CA61701-D3EE-4D07-90D2-7F3F3C0D3517}] => (Allow) C:\Program Files (x86)\Popcorn Time\chromecast\node.exe
FirewallRules: [{6973B4B6-CDFE-4FD6-A732-827EE7C50012}] => (Allow) C:\Program Files (x86)\Popcorn Time\chromecast\node.exe
FirewallRules: [{64B712A3-183A-4BD4-B6D9-1772732C49BA}] => (Allow) LPort=5357
EmptyTemp:
Hosts:
CMD: ipconfig /flushDNS

*****************

Processes closed successfully.
Restore point was successfully created.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\pgm => value removed successfully
C:\Program Files (x86)\Fated => moved successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\pgmpgm => value removed successfully
C:\Program Files (x86)\Restriction => moved successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\chipping => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\chippingchipping => value removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => key removed successfully
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Zoom => value removed successfully
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\Software\Microsoft\Windows\CurrentVersion\Run\\laggards => value removed successfully
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\Software\Microsoft\Windows\CurrentVersion\Run\\laggardslaggards => value removed successfully
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\Software\Microsoft\Windows\CurrentVersion\Run\\frangipani => value removed successfully
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\Software\Microsoft\Windows\CurrentVersion\Run\\frangipanifrangipani => value removed successfully
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\Software\Microsoft\Windows\CurrentVersion\Run\\governs => value removed successfully
C:\Program Files (x86)\magnitude => moved successfully
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\Software\Microsoft\Windows\CurrentVersion\Run\\numismatist => value removed successfully
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\Software\Microsoft\Windows\CurrentVersion\Run\\WinResSync => value not found.
"C:\Users\CRXB5\AppData\Roaming\Microsoft\Protect\c65560-5f30c1-f1d27368-b602f1-5df0.rs" => not found.
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\\WinResSync => value not found.
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0260a71c-d4ff-11e5-bf00-e73811b99ae5} => key removed successfully
HKLM\Software\Classes\CLSID\{0260a71c-d4ff-11e5-bf00-e73811b99ae5} => key not found
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e4b8e68-749d-11e3-bebe-008cfa2c72ff} => key removed successfully
HKLM\Software\Classes\CLSID\{3e4b8e68-749d-11e3-bebe-008cfa2c72ff} => key not found
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6f725e7d-cd0c-11e5-beff-8401384f88ba} => key removed successfully
HKLM\Software\Classes\CLSID\{6f725e7d-cd0c-11e5-beff-8401384f88ba} => key not found
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9060afb0-71dc-11e4-bee3-fdca786ef024} => key removed successfully
HKLM\Software\Classes\CLSID\{9060afb0-71dc-11e4-bee3-fdca786ef024} => key not found
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a6d82073-81de-11e5-befc-ed31c84eae63} => key removed successfully
HKLM\Software\Classes\CLSID\{a6d82073-81de-11e5-befc-ed31c84eae63} => key not found
D:\Common\EpsonReg\EpsonReg.exe => not found.
C:\Users\CRXB5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pakula.lnk => moved successfully
C:\Program Files => FRST is scripted not to move this directory.
C:\Users\CRXB5\AppData\Roaming\Mozilla\Firefox\Profiles\h8dpgyrv.default\user.js => moved successfully
apexpsvc => service not found.
"C:\Users\CRXB5\AppData\Local\npx\apexpsvc.exe" => not found.
"C:\Users\CRXB5\AppData\Local\npx\apexpsvc.exe" => not found.
"C:\Users\CRXB5\AppData\Local\igfxmtc\igfxmtc.exe" => was unlocked
C:\Users\CRXB5\AppData\Local\igfxmtc\igfxmtc.exe => moved successfully
C:\Users\CRXB5\AppData\Local\igfxmtc => moved successfully
HKLM\System\CurrentControlSet\Services\udiskMgr => key removed successfully
udiskMgr => service removed successfully
"C:\WINDOWS\system32\Drivers\spepswzz.sys" => not found.
C:\Users\CRXB5\AppData\Local\scowarz => moved successfully
C:\Users\CRXB5\AppData\Local\vsmrkel => moved successfully
"C:\Users\CRXB5\AppData\Local\igfxmtc" => not found.
C:\WINDOWS\system32\siaumzesvc.exe => moved successfully
C:\WINDOWS\SysWOW64\psomezt => moved successfully
C:\WINDOWS\system32\psomezt => moved successfully
"C:\Users\CRXB5\AppData\Local\npx" => not found.
C:\WINDOWS\System32\Tasks\bak5474231k5474231 => moved successfully
C:\WINDOWS\b42329355 => moved successfully
C:\Users\CRXB5\AppData\Roaming\et => moved successfully
C:\Program Files (x86)\imposters => moved successfully
C:\WINDOWS\2c78c97c88c50bfb8396dcb7ad23b224.dll => moved successfully
"C:\WINDOWS\7518628ea7ba8133f5edea79a3701417.exe" => not found.
C:\WINDOWS\uninstaller.dat => moved successfully
C:\WINDOWS\boasted.exe => moved successfully
C:\Users\CRXB5\AppData\Local\pythagorean.exe => moved successfully
"C:\WINDOWS\system32\drivers\spepswzz.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION" => not found.
"C:\WINDOWS\system32\drivers\spepswzz.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION" => not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{71BE4798-933D-47DF-B970-13B39158C718} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B20B71E9-4155-45DC-8861-A01BC4BA1BE6} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{511DB526-F081-4A15-AE47-312D8189F992} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{9D6AA932-6568-422D-AAA9-B665C0189AB1} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{EB120B87-608E-4312-854B-FFCEAEE2A28F} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D11B8275-DBA9-4962-8432-8738184EBEC1} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6CA61701-D3EE-4D07-90D2-7F3F3C0D3517} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6973B4B6-CDFE-4FD6-A732-827EE7C50012} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{64B712A3-183A-4BD4-B6D9-1772732C49BA} => value removed successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

========= ipconfig /flushDNS =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


Offline crxb5

  • Bronze Member
  • Posts: 66
And yes, I have a USB flash drive (32GB).

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7676
Hello crxb5,

I do not believe we've moved all of the infection entries to quarantine; I need another FRST scan to be sure....

Run FRST one more time. Ensure all boxes are checkmarked under "Whitelist", but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs "FRST.txt" and "Addition.txt".

Thanks,

Kevin...

Offline crxb5

  • Bronze Member
  • Posts: 66
FRST.txt is below and Addition.txt is attached.

Thanks.
-------------------------------------------------------------------------------
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 30-11-2017
Ran by CRXB5 (administrator) on KB (03-12-2017 23:36:24)
Running from C:\Users\CRXB5\Desktop\SpywareHammer
Loaded Profiles: CRXB5 &  (Available Profiles: CRXB5)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Intel(R) Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
() C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\nlssrv32.exe
(Motorola) C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
(Intel(R) Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(DEVGURU Co., LTD.) C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe
(TOSHIBA Corporation) C:\Windows\System32\ThpSrv.exe
(TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Teco\TecoService.exe
() C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(SRS Labs, Inc.) C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe
() C:\Program Files\Toshiba\Hotkey\TCrdMain_Win8.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Teco\TecoResident.exe
(TOSHIBA Corporation) C:\Program Files (x86)\TOSHIBA\System Setting\TSleepSrv.exe
(TOSHIBA Corporation) C:\Windows\System32\ThpSrv.exe
(Avid Technology, Inc.) C:\Windows\System32\M-AudioTaskBarIcon.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
() C:\Program Files (x86)\Google\Drive\googledrivesync.exe
() C:\Users\CRXB5\AppData\Local\Amazon Music\Amazon Music Helper.exe
(HP Inc.) C:\Program Files\HP\HP OfficeJet 4650 series\Bin\ScanToPCActivationApp.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Dropbox, Inc.) C:\Users\CRXB5\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\onenotem.exe
(Dropbox, Inc.) C:\Users\CRXB5\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Dropbox, Inc.) C:\Users\CRXB5\AppData\Roaming\Dropbox\bin\Dropbox.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TPHM\TPCHSrv.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TPHM\TPCHWMsg.exe
() C:\Program Files (x86)\Google\Drive\googledrivesync.exe
() C:\Program Files (x86)\Google\Drive\googledrivesync.exe
() C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA Service Station\TMachInfo.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Amazon.com) C:\Users\CRXB5\AppData\Local\Amazon\Kindle\application\Kindle.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13513288 2013-03-29] (Realtek Semiconductor)
HKLM\...\Run: [SRS Premium Sound 3D] => C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe [2170784 2012-08-19] (SRS Labs, Inc.)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2609064 2012-08-30] ()
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [169896 2012-08-13] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [356776 2012-07-11] (TOSHIBA Corporation)
HKLM\...\Run: [TSleepSrv] => C:\Program Files (x86)\TOSHIBA\System Setting\TSleepSrv.exe [1548952 2012-08-04] (TOSHIBA Corporation)
HKLM\...\Run: [TODDMain] => C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe [213136 2012-08-04] ()
HKLM\...\Run: [ThpSrv] => C:\windows\system32\thpsrv /logon
HKLM\...\Run: [M-Audio Taskbar Icon] => C:\windows\system32\M-AudioTaskBarIcon.exe [798728 2010-12-07] (Avid Technology, Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [472992 2013-03-21] (Adobe Systems Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2016-11-01] (Apple Inc.)
HKLM-x32\...\Run: [AdobeCEPServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CEPServiceManager4\CEPServiceManager.exe [1039248 2013-03-13] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [673616 2009-04-07] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-09-05] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3672640 2013-03-14] (Disc Soft Ltd)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [40417680 2017-11-01] ()
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [Amazon Music] => C:\Users\CRXB5\AppData\Local\Amazon Music\Amazon Music Helper.exe [5886272 2015-03-02] ()
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [Dropbox Update] => C:\Users\CRXB5\AppData\Local\Dropbox\Update\DropboxUpdate.exe [143144 2016-11-05] (Dropbox, Inc.)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\...\Run: [HP OfficeJet 4650 series (NET)] => C:\Program Files\HP\HP OfficeJet 4650 series\Bin\ScanToPCActivationApp.exe [3770504 2017-04-06] (HP Inc.)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11302017000320007\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3672640 2013-03-14] (Disc Soft Ltd)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11302017000320007\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [40417680 2017-11-01] ()
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11302017000320007\...\Run: [Amazon Music] => C:\Users\CRXB5\AppData\Local\Amazon Music\Amazon Music Helper.exe [5886272 2015-03-02] ()
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11302017000320007\...\Run: [Dropbox Update] => C:\Users\CRXB5\AppData\Local\Dropbox\Update\DropboxUpdate.exe [143144 2016-11-05] (Dropbox, Inc.)
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11302017000320007\...\Run: [HP OfficeJet 4650 series (NET)] => C:\Program Files\HP\HP OfficeJet 4650 series\Bin\ScanToPCActivationApp.exe [3770504 2017-04-06] (HP Inc.)
Startup: C:\Users\CRXB5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2017-11-15]
ShortcutTarget: Dropbox.lnk -> C:\Users\CRXB5\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\CRXB5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epson all-in-one Registration.lnk [2014-04-29]
ShortcutTarget: Epson all-in-one Registration.lnk -> D:\Common\EpsonReg\EpsonReg.exe (No File)
Startup: C:\Users\CRXB5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2016-04-18]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\onenotem.exe (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75
Tcpip\..\Interfaces\{24CBC36B-99D9-4504-B9C3-B0397BB7054E}: [DhcpNameServer] 75.75.76.76 75.75.75.75
Tcpip\..\Interfaces\{F60FA141-D9EF-41FF-BAA2-B5B31AE530B2}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://toshiba13.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://toshiba13.msn.com
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://toshiba13.msn.com
HKU\S-1-5-21-3623611392-2939539441-2581462275-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11302017000320007\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://toshiba13.msn.com
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-3623611392-2939539441-2581462275-1001 -> {26285137-655C-4D04-A5CC-7E8349E0AF46} URL =
SearchScopes: HKU\S-1-5-21-3623611392-2939539441-2581462275-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11302017000320007 -> {26285137-655C-4D04-A5CC-7E8349E0AF46} URL =
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2017-09-05] (Microsoft Corporation)
BHO: WOT Helper -> {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} -> C:\Program Files\WOT\WOT.dll [2012-08-02] ()
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2017-09-05] (Microsoft Corporation)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [2017-08-15] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\ssv.dll [2017-10-31] (Oracle Corporation)
BHO-x32: WOT Helper -> {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} -> C:\Program Files (x86)\WOT\WOT.dll [2012-08-02] ()
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-09-05] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\jp2ssv.dll [2017-10-31] (Oracle Corporation)
Toolbar: HKLM - WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll [2012-08-02] ()
Toolbar: HKLM-x32 - WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll [2012-08-02] ()
Toolbar: HKU\S-1-5-21-3623611392-2939539441-2581462275-1001 -> WOT - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll [2012-08-02] ()
Toolbar: HKU\S-1-5-21-3623611392-2939539441-2581462275-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11302017000320007 -> WOT - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll [2012-08-02] ()
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2017-07-18] (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll [2012-08-02] ()
Handler-x32: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll [2012-08-02] ()

FireFox:
========
FF ProfilePath: C:\Users\CRXB5\AppData\Roaming\Mozilla\Firefox\Profiles\h8dpgyrv.default [2017-12-03]
FF Extension: (MEGA) - C:\Users\CRXB5\AppData\Roaming\Mozilla\Firefox\Profiles\h8dpgyrv.default\Extensions\firefox@mega.co.nz.xpi [2017-12-01]
FF Extension: (Updated Ad Blocker for Firefox 11+) - C:\Users\CRXB5\AppData\Roaming\Mozilla\Firefox\Profiles\h8dpgyrv.default\Extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3618C}.xpi [2016-04-27] [Lagacy]
FF Extension: (Disable Media WMF NV12 format) - C:\Users\CRXB5\AppData\Roaming\Mozilla\Firefox\Profiles\h8dpgyrv.default\features\{893fac99-70a9-4080-b682-1bea12087a8a}\disable-media-wmf-nv12@mozilla.org.xpi [2017-12-01] [Lagacy]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_27_0_0_187.dll [2017-11-14] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2013-03-21] (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_27_0_0_187.dll [2017-11-14] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.151.2 -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\dtplugin\npDeployJava1.dll [2017-10-31] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.151.2 -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\plugin2\npjp2.dll [2017-10-31] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-07-12] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2013-07-12] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-13] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-13] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2012-12-12] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-11-04] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2013-03-21] (Adobe Systems)
FF Plugin HKU\S-1-5-21-3623611392-2939539441-2581462275-1001: @zoom.us/ZoomVideoPlugin -> C:\Users\CRXB5\AppData\Roaming\Zoom\bin\npzoomplugin.dll [2015-11-02] (Zoom Video Communications, Inc.)
FF Plugin HKU\S-1-5-21-3623611392-2939539441-2581462275-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-11302017000320007: @zoom.us/ZoomVideoPlugin -> C:\Users\CRXB5\AppData\Roaming\Zoom\bin\npzoomplugin.dll [2015-11-02] (Zoom Video Communications, Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [3058416 2017-09-05] (Microsoft Corporation)
R2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
R2 Motorola Device Manager; C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [120728 2012-10-23] ()
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [284912 2014-01-08] ()
R2 PST Service; C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [65657 2011-09-02] (Motorola) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [239176 2013-02-19] (Realtek Semiconductor)
R2 ss_conn_service; C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe [754784 2016-07-22] (DEVGURU Co., LTD.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-01-12] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-12] (Microsoft Corporation)
S2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3674864 2014-01-08] (Intel® Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [131984 2017-05-18] (Samsung Electronics Co., Ltd.)
R1 dtsoftbus01; C:\WINDOWS\System32\drivers\dtsoftbus01.sys [283200 2013-05-08] (DT Soft Ltd)
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [77432 2017-11-01] ()
S3 FTDIBUS; C:\WINDOWS\system32\drivers\ftdibus.sys [118160 2016-10-04] (Future Technology Devices International Ltd.)
S3 FTSER2K; C:\WINDOWS\system32\drivers\ftser2k.sys [88752 2016-10-04] ()
S3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [43664 2015-01-27] ()
S3 MADFULEGACYKEYBOARD; C:\WINDOWS\System32\drivers\MAudioLegacyKeyboard_DFU.sys [28680 2010-02-09] (M-Audio)
S3 MAUSBLEGACYKEYBOARD; C:\WINDOWS\system32\DRIVERS\MAudioLegacyKeyboard.sys [196616 2010-02-09] (M-Audio)
R2 MBAMChameleon; C:\WINDOWS\System32\Drivers\MbamChameleon.sys [193464 2017-11-29] (Malwarebytes)
R3 MBAMFarflt; C:\WINDOWS\system32\DRIVERS\farflt.sys [110016 2017-11-30] (Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\DRIVERS\mbam.sys [46008 2017-11-30] (Malwarebytes)
R0 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [253880 2017-11-29] (Malwarebytes)
R3 NETwNe64; C:\WINDOWS\system32\DRIVERS\Netwew00.sys [3349984 2014-04-17] (Intel Corporation)
R3 RSP2STOR; C:\WINDOWS\system32\DRIVERS\RtsP2Stor.sys [269968 2012-07-03] (Realtek Semiconductor Corp.)
R3 SmbDrvI; C:\WINDOWS\system32\DRIVERS\Smb_driver_Intel.sys [34544 2014-08-06] (Synaptics Incorporated)
S3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [166288 2017-05-18] (Samsung Electronics Co., Ltd.)
R3 Thotkey; C:\WINDOWS\System32\drivers\Thotkey.sys [28632 2012-07-31] (Windows (R) Win 7 DDK provider)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [46600 2017-02-10] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [274776 2017-01-12] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [117592 2017-01-12] (Microsoft Corporation)
S3 XHCIPort; C:\WINDOWS\System32\drivers\XHCIPort.sys [188384 2012-08-09] (Windows (R) Win 7 DDK provider)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-12-03 18:48 - 2017-12-03 20:05 - 000000000 ____D C:\Users\CRXB5\Desktop\saab
2017-11-30 00:19 - 2017-11-30 00:19 - 000255928 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\533292A4.sys
2017-11-30 00:13 - 2017-11-30 14:52 - 000000000 ____D C:\Users\CRXB5\Desktop\mbar
2017-11-30 00:13 - 2017-11-30 14:52 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-11-30 00:12 - 2017-11-30 00:12 - 014161479 _____ C:\Users\CRXB5\Desktop\mbar-1.10.3.1001-nr.exe
2017-11-29 23:48 - 2017-11-29 23:48 - 000000093 _____ C:\WINDOWS\wininit.ini
2017-11-29 00:28 - 2017-11-30 00:03 - 000110016 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2017-11-29 00:26 - 2017-11-29 00:26 - 000001894 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-11-29 00:26 - 2017-11-29 00:26 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-11-29 00:26 - 2017-11-01 08:54 - 000077432 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-11-28 02:54 - 2017-11-28 02:54 - 078346672 _____ (Malwarebytes ) C:\Users\CRXB5\Desktop\mb3-setup-consumer-3.3.1.2183.exe
2017-11-26 23:54 - 2017-11-26 23:54 - 000000334 _____ C:\Users\CRXB5\Desktop\[In Progress - K] PC Runnng Slow Possible Malware, Pythagorean Virus Related.URL
2017-11-25 00:09 - 2017-12-03 23:35 - 000000000 ____D C:\Users\CRXB5\Desktop\SpywareHammer
2017-11-24 23:55 - 2017-11-24 23:56 - 008261584 _____ (Malwarebytes) C:\Users\CRXB5\Downloads\adwcleaner_7.0.4.0(1).exe
2017-11-24 23:37 - 2017-11-24 23:37 - 000000000 _____ C:\WINDOWS\EEventManager.INI
2017-11-24 23:17 - 2017-11-24 23:27 - 008261584 _____ (Malwarebytes) C:\Users\CRXB5\Downloads\adwcleaner_7.0.4.0.exe
2017-11-24 23:06 - 2017-11-30 00:03 - 000046008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2017-11-24 23:06 - 2017-11-29 00:28 - 000253880 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2017-11-24 23:06 - 2017-11-29 00:28 - 000193464 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MbamChameleon.sys
2017-11-24 23:04 - 2017-11-30 00:20 - 000000000 ____D C:\ProgramData\Malwarebytes
2017-11-24 22:57 - 2017-11-24 22:57 - 000000000 ____D C:\ProgramData\MB3CoreBackup
2017-11-24 22:57 - 2017-11-24 22:57 - 000000000 ____D C:\Program Files\Malwarebytes
2017-11-24 22:52 - 2017-11-24 22:56 - 078346672 _____ (Malwarebytes ) C:\Users\CRXB5\Downloads\mb3-setup-consumer-3.3.1.2183.exe
2017-11-24 22:28 - 2017-11-24 22:29 - 000289656 _____ C:\WINDOWS\Minidump\112417-72531-01.dmp
2017-11-24 22:28 - 2017-11-24 22:28 - 954011789 _____ C:\WINDOWS\MEMORY.DMP
2017-11-24 22:28 - 2017-11-24 22:28 - 000000000 ____D C:\WINDOWS\Minidump
2017-11-24 22:15 - 2017-11-24 23:34 - 000000000 ____D C:\Users\CRXB5\AppData\Roaming\AGData
2017-11-24 19:19 - 2017-11-24 19:20 - 000032368 _____ C:\Users\CRXB5\Downloads\greenroom2016hdripxvidac3-evo-english-90113.zip
2017-11-22 22:48 - 2017-11-22 22:48 - 000000000 ____D C:\Users\CRXB5\Downloads\Green Room 2015 1080p BluRay x264 DTS-JYK
2017-11-22 03:26 - 2017-11-22 03:29 - 026000601 _____ C:\Users\CRXB5\Downloads\7797148.flv
2017-11-22 01:46 - 2017-11-17 10:37 - 004168704 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2017-11-20 01:45 - 2017-11-20 01:45 - 031998770 _____ C:\Users\CRXB5\Downloads\Lil Peep - Come Over When You're Sober, Pt. 1.zip
2017-11-19 14:32 - 2017-11-19 14:32 - 025249158 _____ C:\Users\CRXB5\Downloads\CE2011ProceedingBookourpaperincluded.pdf
2017-11-15 14:51 - 2017-11-15 14:51 - 000000000 ____D C:\Users\CRXB5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2017-11-15 02:55 - 2017-11-15 02:55 - 128103559 _____ C:\Users\CRXB5\Downloads\drums.rar
2017-11-15 02:53 - 2017-11-15 02:53 - 000000225 _____ C:\Users\CRXB5\Desktop\New Beat I Made MPC 500 Instrumental - YouTube.URL
2017-11-14 19:37 - 2017-10-17 14:11 - 000339968 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msexcl40.dll
2017-11-14 19:37 - 2017-10-16 13:38 - 002013016 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ntfs.sys
2017-11-14 19:37 - 2017-10-14 08:04 - 001548624 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgkrnl.sys
2017-11-14 19:37 - 2017-10-14 03:38 - 025731584 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2017-11-14 19:37 - 2017-10-14 03:13 - 002903552 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2017-11-14 19:37 - 2017-10-14 03:11 - 000576512 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2017-11-14 19:37 - 2017-10-14 03:09 - 005979648 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2017-11-14 19:37 - 2017-10-14 03:01 - 000816640 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2017-11-14 19:37 - 2017-10-14 02:36 - 001033216 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2017-11-14 19:37 - 2017-10-14 02:31 - 000262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2017-11-14 19:37 - 2017-10-14 02:30 - 015266816 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2017-11-14 19:37 - 2017-10-14 02:30 - 000726528 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2017-11-14 19:37 - 2017-10-14 02:30 - 000380416 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2017-11-14 19:37 - 2017-10-14 02:29 - 000807936 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2017-11-14 19:37 - 2017-10-14 02:27 - 002134528 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2017-11-14 19:37 - 2017-10-14 02:21 - 003241472 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2017-11-14 19:37 - 2017-10-14 02:14 - 020269056 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2017-11-14 19:37 - 2017-10-14 02:09 - 001544704 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2017-11-14 19:37 - 2017-10-14 02:05 - 015431680 _____ (Microsoft Corporation) C:\WINDOWS\system32\wmp.dll
2017-11-14 19:37 - 2017-10-14 01:58 - 000800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2017-11-14 19:37 - 2017-10-14 01:53 - 000499200 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2017-11-14 19:37 - 2017-10-14 01:50 - 002293760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2017-11-14 19:37 - 2017-10-14 01:45 - 000662016 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2017-11-14 19:37 - 2017-10-14 01:33 - 004542464 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2017-11-14 19:37 - 2017-10-14 01:28 - 013680128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2017-11-14 19:37 - 2017-10-14 01:28 - 000880640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2017-11-14 19:37 - 2017-10-14 01:25 - 000230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2017-11-14 19:37 - 2017-10-14 01:24 - 000694272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2017-11-14 19:37 - 2017-10-14 01:24 - 000331776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2017-11-14 19:37 - 2017-10-14 01:23 - 002058752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2017-11-14 19:37 - 2017-10-14 01:14 - 013317632 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wmp.dll
2017-11-14 19:37 - 2017-10-14 01:10 - 002767872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2017-11-14 19:37 - 2017-10-14 01:07 - 001314304 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2017-11-14 19:37 - 2017-10-14 01:04 - 000710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2017-11-14 19:37 - 2017-10-10 11:36 - 000124416 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\luafv.sys
2017-11-14 19:37 - 2017-10-10 10:38 - 003631616 _____ (Microsoft Corporation) C:\WINDOWS\system32\tquery.dll
2017-11-14 19:37 - 2017-10-10 10:38 - 000425984 _____ (Microsoft Corporation) C:\WINDOWS\system32\PCPTpm12.dll
2017-11-14 19:37 - 2017-10-10 10:11 - 002749952 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tquery.dll
2017-11-14 19:37 - 2017-10-10 10:08 - 000367104 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PCPTpm12.dll
2017-11-14 19:37 - 2017-10-05 02:17 - 000380248 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\storport.sys
2017-11-14 19:37 - 2017-09-14 18:52 - 000986968 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\http.sys
2017-11-14 19:37 - 2017-09-08 12:14 - 003084288 _____ (Microsoft Corporation) C:\WINDOWS\system32\msftedit.dll
2017-11-14 19:37 - 2017-09-08 11:50 - 002471424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msftedit.dll
2017-11-14 19:37 - 2017-09-07 22:31 - 000685440 _____ (Microsoft Corporation) C:\WINDOWS\system32\advapi32.dll
2017-11-14 19:37 - 2017-09-07 22:28 - 000507176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\advapi32.dll
2017-11-14 19:37 - 2017-09-07 16:31 - 000022528 _____ (Microsoft Corporation) C:\WINDOWS\system32\mgmtapi.dll
2017-11-14 19:37 - 2017-09-07 14:20 - 000018944 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mgmtapi.dll
2017-11-14 19:37 - 2017-09-07 12:20 - 000513456 _____ C:\WINDOWS\SysWOW64\locale.nls
2017-11-14 19:37 - 2017-09-07 12:20 - 000513456 _____ C:\WINDOWS\system32\locale.nls
2017-11-14 19:37 - 2017-09-07 08:40 - 000995272 _____ (Microsoft Corporation) C:\WINDOWS\system32\ucrtbase.dll
2017-11-14 19:37 - 2017-09-07 08:40 - 000922432 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ucrtbase.dll
2017-11-14 19:37 - 2017-09-06 18:07 - 000158552 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\usbccgp.sys
2017-11-14 19:37 - 2017-09-06 16:17 - 000461144 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\usbhub.sys
2017-11-14 19:37 - 2017-09-06 16:17 - 000443224 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\usbport.sys
2017-11-14 19:37 - 2017-09-06 09:14 - 000166400 _____ (Microsoft Corporation) C:\WINDOWS\system32\regsvc.dll
2017-11-14 19:37 - 2017-08-10 20:39 - 002779136 _____ (Microsoft Corporation) C:\WINDOWS\system32\authui.dll
2017-11-14 19:37 - 2017-08-10 20:30 - 002464256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\authui.dll
2017-11-14 19:32 - 2017-11-14 19:32 - 000002275 _____ C:\Users\CRXB5\Desktop\Kindle.lnk
2017-11-14 19:31 - 2017-11-14 19:31 - 055925296 _____ (Amazon.com) C:\Users\CRXB5\Downloads\KindleForPC-installer-1.21.48017.exe
2017-11-14 19:27 - 2017-10-11 02:35 - 000143016 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2017-11-14 19:27 - 2017-10-10 10:21 - 000463872 _____ (Microsoft Corporation) C:\WINDOWS\system32\pcasvc.dll
2017-11-14 19:27 - 2017-10-10 08:18 - 002023936 _____ (Microsoft Corporation) C:\WINDOWS\system32\aitstatic.exe
2017-11-14 19:27 - 2017-10-10 08:18 - 001570304 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2017-11-14 19:27 - 2017-10-10 08:18 - 000670208 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2017-11-14 19:27 - 2017-10-10 08:18 - 000605184 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2017-11-14 19:27 - 2017-10-10 08:18 - 000603648 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2017-11-14 19:27 - 2017-10-10 08:18 - 000402944 _____ (Microsoft Corporation) C:\WINDOWS\system32\centel.dll
2017-11-14 19:27 - 2017-10-10 08:18 - 000370688 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2017-11-14 19:27 - 2017-10-10 08:18 - 000241664 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepic.dll
2017-11-14 19:27 - 2017-10-10 08:18 - 000181760 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2017-11-14 00:56 - 2017-11-14 01:13 - 052305317 _____ C:\Users\CRXB5\Downloads\136051.rar
2017-11-13 21:13 - 2017-11-13 21:13 - 000000234 _____ C:\Users\CRXB5\Desktop\Beat's Vault.URL

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-12-03 23:36 - 2016-11-23 10:31 - 000000000 ____D C:\Users\CRXB5\AppData\LocalLow\Mozilla
2017-12-03 23:36 - 2013-10-07 12:00 - 000000000 ____D C:\FRST
2017-12-03 23:07 - 2015-06-19 05:39 - 000000924 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskUserS-1-5-21-3623611392-2939539441-2581462275-1001UA.job
2017-12-03 21:34 - 2014-10-13 17:58 - 000003902 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{8AFD660D-AD1B-4290-AFE4-1A36A56A9935}
2017-12-03 21:12 - 2017-01-01 22:00 - 000000000 ____D C:\Users\CRXB5\Desktop\2017 Archives
2017-12-03 20:22 - 2013-08-15 23:31 - 000000000 ____D C:\Users\CRXB5\Documents\My Kindle Content
2017-12-03 19:12 - 2017-03-21 00:38 - 000000000 ____D C:\AmericasCardroom
2017-12-03 14:35 - 2013-02-10 12:52 - 000000000 ____D C:\Users\CRXB5\AppData\Local\Adobe
2017-12-02 17:26 - 2017-10-02 21:06 - 000000000 ____D C:\Users\CRXB5\Desktop\Online MBA
2017-12-02 17:26 - 2015-05-10 18:41 - 000000000 ____D C:\Users\CRXB5\AppData\Local\CutePDF Writer
2017-12-02 03:07 - 2015-06-19 05:39 - 000000872 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskUserS-1-5-21-3623611392-2939539441-2581462275-1001Core.job
2017-12-01 22:21 - 2013-01-27 21:48 - 000003600 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3623611392-2939539441-2581462275-1001
2017-12-01 21:48 - 2015-11-16 10:16 - 000002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-12-01 02:01 - 2013-04-01 15:34 - 000000000 ____D C:\Users\CRXB5\AppData\Roaming\vlc
2017-11-30 23:28 - 2013-08-22 10:36 - 000000000 ___HD C:\Program Files\WindowsApps
2017-11-30 23:28 - 2013-08-22 10:36 - 000000000 ____D C:\WINDOWS\AppReadiness
2017-11-30 00:13 - 2013-02-10 16:13 - 002259968 ___SH C:\Users\CRXB5\Desktop\Thumbs.db
2017-11-30 00:09 - 2013-06-12 00:56 - 000000000 ___RD C:\Users\CRXB5\Google Drive
2017-11-30 00:04 - 2013-03-12 21:19 - 000000000 ____D C:\Temp
2017-11-30 00:02 - 2016-11-17 17:01 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-11-30 00:02 - 2013-08-22 09:45 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-11-30 00:02 - 2013-02-08 20:41 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-11-29 23:48 - 2013-04-21 20:48 - 000001293 _____ C:\Users\CRXB5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2017-11-29 23:48 - 2013-02-08 20:41 - 000001186 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2017-11-28 15:42 - 2014-10-13 17:19 - 000000000 ____D C:\Users\CRXB5
2017-11-28 02:25 - 2013-08-22 08:25 - 012320768 _____ C:\WINDOWS\system32\config\HARDWARE
2017-11-27 00:40 - 2013-01-27 21:41 - 000000000 ____D C:\Users\CRXB5\AppData\Local\Packages
2017-11-26 23:47 - 2013-08-22 08:36 - 000000000 ____D C:\WINDOWS\Inf
2017-11-25 10:27 - 2013-08-22 10:36 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-11-25 10:25 - 2013-02-15 20:24 - 000000000 ____D C:\Program Files\Microsoft Office 15
2017-11-25 00:27 - 2014-07-30 22:00 - 000000000 ____D C:\Users\CRXB5\Desktop\2014 vsts
2017-11-25 00:01 - 2013-10-09 19:13 - 000000000 ____D C:\AdwCleaner
2017-11-24 22:44 - 2014-09-24 02:15 - 000886932 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-11-24 22:36 - 2013-08-22 09:44 - 005206248 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-11-24 22:33 - 2013-08-22 08:25 - 000262144 ___SH C:\WINDOWS\system32\config\BBI
2017-11-24 21:13 - 2013-08-07 20:13 - 000000000 ____D C:\Users\CRXB5\Desktop\movie rips
2017-11-23 00:58 - 2017-08-15 01:03 - 000000000 ____D C:\Users\CRXB5\AppData\Roaming\poker-client-electron-common
2017-11-23 00:57 - 2017-01-10 23:39 - 000000000 ____D C:\Ignition
2017-11-22 22:48 - 2017-10-23 00:38 - 000000000 ____D C:\Users\CRXB5\AppData\LocalLow\uTorrent
2017-11-22 03:42 - 2012-07-26 02:59 - 000000000 ____D C:\WINDOWS\CbsTemp
2017-11-17 21:09 - 2013-08-22 10:36 - 000000000 ____D C:\WINDOWS\rescache
2017-11-17 19:22 - 2013-02-08 21:29 - 000000000 ____D C:\Users\CRXB5\AppData\Roaming\Mozilla
2017-11-17 19:04 - 2014-12-14 11:59 - 000000000 ____D C:\WINDOWS\system32\appraiser
2017-11-16 23:45 - 2015-11-16 10:17 - 000004476 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
2017-11-15 14:52 - 2013-04-02 11:58 - 000000000 ____D C:\Users\CRXB5\AppData\Roaming\Dropbox
2017-11-15 02:58 - 2014-08-12 23:17 - 000000000 ____D C:\Users\CRXB5\Desktop\New Kit 33
2017-11-14 19:32 - 2013-08-15 23:30 - 000000000 ____D C:\Users\CRXB5\AppData\Local\Amazon
2017-11-14 18:39 - 2013-08-22 10:36 - 000000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-11-14 18:39 - 2013-08-22 10:36 - 000000000 ____D C:\WINDOWS\system32\Macromed
2017-11-14 18:39 - 2013-05-30 01:18 - 000004288 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2017-11-13 22:24 - 2013-06-12 00:55 - 000003330 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2017-11-13 22:24 - 2013-06-12 00:55 - 000003202 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2017-11-04 15:44 - 2017-09-20 20:25 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Backup and Sync from Google
2017-11-03 19:41 - 2017-05-16 00:21 - 000835568 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-11-03 19:41 - 2017-05-16 00:21 - 000177648 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl

==================== Files in the root of some directories =======

2013-08-09 22:09 - 2013-08-09 22:09 - 001249792 _____ (http://www.ruby-lang.org/) C:\Users\CRXB5\AppData\Roaming\msvcr90-ruby191.dll
2013-11-13 17:52 - 2013-11-13 17:52 - 144752885 _____ () C:\Users\CRXB5\AppData\Local\ACCCx2_2_1_260.zip.aamdownload
2013-11-13 17:52 - 2013-11-13 17:52 - 000001817 _____ () C:\Users\CRXB5\AppData\Local\ACCCx2_2_1_260.zip.aamdownload.aamd
2014-10-16 23:28 - 2014-10-16 23:28 - 000001509 _____ () C:\Users\CRXB5\AppData\Local\recently-used.xbel

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-11-30 02:25

==================== End of FRST.txt ============================
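
As an added example (not from this thread, and not FRST's own code), here is a Python triage of the Services/Drivers lines in a log like the one above: it parses each `R*/S*` entry and flags anything FRST marks as not signed, anything with an empty publisher field, or a binary under a user-writable path, listing running auto-start items first. The sample lines are copied from the log above plus one constructed entry (`ExampleUpdater`) that exists only to exercise the path check.

```python
"""Triage the Services/Drivers sections of an FRST log for entries worth a second look."""
import re
from dataclasses import dataclass, field
from typing import List

# One FRST Services/Drivers line looks like:
#   R2 Name; C:\path\file.exe [size yyyy-mm-dd] (Publisher) [File not signed]
# The leading letter is R (running) or S (stopped); the digit is the Windows
# service start type (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled).
ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>.+?);\s+"
    r"(?P<path>.+?)\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+"
    r"\((?P<publisher>[^)]*)\)(?:\s+\[(?P<note>[^\]]+)\])?\s*$"
)
START_TYPES = {"0": "boot", "1": "system", "2": "automatic", "3": "manual", "4": "disabled"}
# A service or driver binary normally does not live under a per-user or temp path.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")

@dataclass
class Entry:
    name: str
    path: str
    running: bool
    start_type: str
    publisher: str   # empty when FRST prints "()"
    note: str        # e.g. "File not signed", otherwise empty

@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)

def parse_entries(log_text: str) -> List[Entry]:
    """Return every R*/S* service or driver line; section headers and other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(
                name=m["name"], path=m["path"], running=m["state"] == "R",
                start_type=START_TYPES.get(m["start"], m["start"]),
                publisher=m["publisher"].strip(), note=(m["note"] or "").strip()))
    return entries

def triage(entries: List[Entry]) -> List[Finding]:
    """Flag entries for manual review; running auto-start items are listed first."""
    findings = []
    for e in entries:
        reasons = []
        if "not signed" in e.note.lower():
            reasons.append("FRST reports the file as not signed")
        if not e.publisher:
            reasons.append("no publisher recorded for the binary")
        if any(marker in e.path.lower() for marker in USER_WRITABLE):
            reasons.append("binary lives under a user-writable path")
        if reasons:
            findings.append(Finding(e, reasons))
    findings.sort(key=lambda f: (not f.entry.running,
                                 f.entry.start_type != "automatic",
                                 f.entry.name.lower()))
    return findings

# Lines copied from the FRST log above, plus one constructed entry (ExampleUpdater)
# that is NOT from the log and exists only to exercise the user-writable path check.
SAMPLE_FRST_LINES = r"""
==================== Services (Whitelisted) ====================
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
R2 Motorola Device Manager; C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [120728 2012-10-23] ()
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [284912 2014-01-08] ()
R2 PST Service; C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [65657 2011-09-02] (Motorola) [File not signed]
R2 ExampleUpdater; C:\Users\CRXB5\AppData\Roaming\ExampleUpdater\updater.exe [12345 2017-11-20] ()
===================== Drivers (Whitelisted) ======================
R1 dtsoftbus01; C:\WINDOWS\System32\drivers\dtsoftbus01.sys [283200 2013-05-08] (DT Soft Ltd)
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [77432 2017-11-01] ()
S3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [43664 2015-01-27] ()
"""

def triage_sample() -> List[Finding]:
    return triage(parse_entries(SAMPLE_FRST_LINES))

if __name__ == "__main__":
    for f in triage_sample():
        state = "running" if f.entry.running else "stopped"
        print(f"{f.entry.name} ({state}, {f.entry.start_type}): {'; '.join(f.reasons)}")
```

An empty publisher field or a missing signature is a reason to look, not a verdict; several legitimate vendor drivers in the log above carry no publisher string.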

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7676
Thanks for those logs crxb5, they look good. A couple more scans to complete:

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror

  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply

Next,

Download Microsoft's "Malicious Software Removal Tool" and save it directly to the desktop.

Ensure you get the correct version for your system....

https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx

Right-click on the Tool and select "Run as Administrator"; the tool will expand to the options window.
In the "Scan Type" window, select Quick Scan.
Perform a scan and click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include details for each time MSRT has run; we only need the most recent log by date and time....

Let me see those logs, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin.....
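
As an added example (not from this thread, and not part of MSRT), here is a Python helper for the last step above: mrt.log accumulates one block per MSRT run, so the helper splits the file at each tool banner, parses the "Started On" timestamps, and returns only the most recent run with its results summary and return code. The sample log is constructed; its second block copies the layout of the run posted later in this thread, and the placeholder version strings in the first block are not real MSRT builds.

```python
"""Pull the most recent run out of mrt.log, which appends one block per MSRT run."""
import re
from dataclasses import dataclass
from typing import List, Optional
from datetime import datetime

# Each run begins with the tool banner and a "Started On" line in ctime() layout
# (e.g. "Tue Dec 05 20:06:36 2017"); later runs are appended below earlier ones.
HEADER_RE = re.compile(r"^Microsoft Windows Malicious Software Removal Tool v")
STARTED_RE = re.compile(r"^Started On (.+?)\s*$")
RETURN_RE = re.compile(r"^Return code: (\d+)")
SUMMARY_HEADER = "Results Summary:"
FINISHED_PREFIX = "Microsoft Windows Malicious Software Removal Tool Finished On"

@dataclass
class MsrtRun:
    started: datetime
    summary: List[str]          # lines between the summary rule and "Finished On"
    return_code: Optional[int]  # None if the run never wrote a return code

def split_runs(log_text: str) -> List[MsrtRun]:
    """Split mrt.log into runs; any text before the first banner is ignored."""
    blocks: List[List[str]] = []
    for line in log_text.splitlines():
        if HEADER_RE.match(line):
            blocks.append([])
        if blocks:
            blocks[-1].append(line)
    runs = []
    for block in blocks:
        started, return_code, summary, collecting = None, None, [], False
        for line in block:
            text = line.strip()
            m_start = STARTED_RE.match(line)
            m_rc = RETURN_RE.match(line)
            if m_start:
                started = datetime.strptime(m_start.group(1), "%a %b %d %H:%M:%S %Y")
            elif text == SUMMARY_HEADER:
                collecting = True
            elif line.startswith(FINISHED_PREFIX):
                collecting = False
            elif m_rc:
                return_code = int(m_rc.group(1))
            elif collecting and text and text.strip("-"):  # skip the dashed rule
                summary.append(text)
        if started is not None:  # a banner with no start time is a truncated run
            runs.append(MsrtRun(started, summary, return_code))
    return runs

def latest_run(log_text: str) -> Optional[MsrtRun]:
    """Return the run with the latest start time, or None if the log has none."""
    runs = split_runs(log_text)
    return max(runs, key=lambda r: r.started) if runs else None

# Constructed two-run mrt.log. The first block uses placeholder version strings
# (not real MSRT builds); the second copies the layout of the run posted in this thread.
SAMPLE_MRT_LOG = """\
Microsoft Windows Malicious Software Removal Tool vX.XX, October 2017 (build X.XX.XXXXX.X)
Started On Wed Oct 11 19:02:10 2017

Engine: X.X.XXXXX.X
Signatures: X.XXX.X.X
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Oct 11 19:04:01 2017


Return code: 0 (0x0)
Microsoft Windows Malicious Software Removal Tool v5.54, November 2017 (build 5.54.14383.1)
Started On Tue Dec 05 20:06:36 2017

Engine: 1.1.14306.0
Signatures: 1.257.0.0
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Dec 05 20:09:09 2017


Return code: 0 (0x0)
"""

if __name__ == "__main__":
    run = latest_run(SAMPLE_MRT_LOG)
    print(run.started.isoformat(), run.summary, run.return_code)
```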

Offline crxb5

  • Bronze Member
  • Posts: 66
Hello, below you will find my logs as requested. No issues with the laptop to report. Thank you.

# AdwCleaner 7.0.5.0 - Logfile created on Wed Dec 06 00:46:41 2017
# Updated on 2017/29/11 by Malwarebytes
# Running on Windows 8.1 (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

Deleted: C:\Program Files (x86)\Driver Checker


***** [ Files ] *****

No malicious files deleted.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

No malicious registry entries deleted.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries deleted.

*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0



*************************

C:/AdwCleaner/AdwCleaner[C0].txt - [14641 B] - [2016/10/11 0:1:33]
C:/AdwCleaner/AdwCleaner[C1].txt - [3739 B] - [2017/11/25 5:2:2]
C:/AdwCleaner/AdwCleaner[S0].txt - [1757 B] - [2013/10/10 0:16:21]
C:/AdwCleaner/AdwCleaner[S1].txt - [13699 B] - [2016/10/10 23:51:59]
C:/AdwCleaner/AdwCleaner[S2].txt - [3935 B] - [2017/11/25 5:1:15]
C:/AdwCleaner/AdwCleaner[S3].txt - [1320 B] - [2017/12/6 0:45:18]


########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt ##########
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.54, November 2017 (build 5.54.14383.1)
Started On Tue Dec 05 20:06:36 2017

Engine: 1.1.14306.0
Signatures: 1.257.0.0
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Dec 05 20:09:09 2017


Return code: 0 (0x0)

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7676
Thanks for those logs crxb5. It would seem you had one of the early versions of the "smartservice" infection. Although still not something you want on your system, it is much easier to remove.....

Run the following to clean up..

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double-click to start the program. If you are using Vista or higher, please right-click and choose Run as administrator.

Make sure the following items are checked:

  • Remove disinfection tools <----- this will remove tools we may have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points; a new point relative to the system's present status will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or by the malware/infection.

Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC security and best practices; you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...