Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-02-2017
Ran by Anderson (administrator) on THALES (22-02-2017 20:17:30)
Running from C:\Users\Anderson\Downloads
Loaded Profiles: Anderson (Available Profiles: Anderson & thali & thale)
Platform: Windows 10 Pro Version 1607 (X64) Language: Inglês (Estados Unidos)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe
() C:\ProgramData\NetworkPacketManitor\Nettrans.exe
(Microsoft Corporation) C:\Program Files\XBox\XBLive.exe
(Microsoft Corporation) C:\ProgramData\Windows Security\winsecurity.exe
() C:\Users\Anderson\AppData\Roaming\WMPNetworkAcSvc\WMPNetworkAcSvc.exe
() C:\ProgramData\Logic Handler\set.exe
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
() C:\Users\Anderson\AppData\Roaming\Event Monitor\em.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Network\Dsq\network\sysnetwk.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(B2QN) C:\Program Files\PKODETF5N0\KZ5K5X5OH.exe
(B2QN) C:\Program Files\4Q55IOK0OX\4Q55IOK0O.exe
(B2QN) C:\Program Files\J512JCQTE7\J512JCQTE.exe
(B2QN) C:\Program Files\DYLJXNRV1Z\DYLJXNRV1.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft® Windows® Operating System) C:\Windows\System32\Taskmgr.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
(Microsoft Corporation) C:\Windows\System32\browser_broker.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
() C:\ProgramData\AppxelfmuzyaH\AppxelfmuzyaH.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-07] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-12-12] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1298314804-3398324407-510087451-1001\...\Run: [ePgZRjLj1Y.exe] => C:\ProgramData\{a6b-70-1a-6f493-bc047-ec05-90e1d}\ePgZRjLj1Y.exe -r1_1 -r2_1
HKU\S-1-5-21-1298314804-3398324407-510087451-1001\...\Run: [WlZlqQmYvn.exe] => C:\ProgramData\{a6b-70-1a-6f493-bc047-ec05-90e1d}\WlZlqQmYvn.exe 1 1
HKU\S-1-5-21-1298314804-3398324407-510087451-1001\...\Run: [40672278-7a24-4392-87e4-7b9a64009bf0] => C:\Program Files\PKODETF5N0\KZ5K5X5OH.exe [850432 2017-02-22] (B2QN)
HKU\S-1-5-21-1298314804-3398324407-510087451-1001\...\Run: [b83d4260-0a27-4ec4-9750-af179093a740] => C:\Program Files\4Q55IOK0OX\4Q55IOK0O.exe [850432 2017-02-22] (B2QN)
HKU\S-1-5-21-1298314804-3398324407-510087451-1001\...\Run: [432fe699-8277-4a3a-b04e-db9d82010a10] => C:\Program Files\J512JCQTE7\J512JCQTE.exe [850432 2017-02-22] (B2QN)
HKU\S-1-5-21-1298314804-3398324407-510087451-1001\...\Run: [d718c67f-8ba7-45a5-a885-46e565d7abc4] => "C:\Program Files (x86)\BeCleaner\OUTDP.exe"
HKU\S-1-5-21-1298314804-3398324407-510087451-1001\...\Run: [5123cff2-7eff-467f-a34a-0ad6cf47926e] => C:\Program Files\DYLJXNRV1Z\DYLJXNRV1.exe [850432 2017-02-22] (B2QN)
HKU\S-1-5-18\...\Run: [] => [X]
HKLM\...\Providers\b9m7cnt2: C:\Program Files (x86)\Droheseruces Configuration\local64spl.dll [308736 2017-02-21] ()
AppInit_DLLs: C:\ProgramData\AppxelfmuzyaH\KeyIty.dll => C:\ProgramData\AppxelfmuzyaH\KeyIty.dll [358912 2017-02-22] ()
AppInit_DLLs-x32: C:\ProgramData\AppxelfmuzyaH\Tampcore.dll => C:\ProgramData\AppxelfmuzyaH\Tampcore.dll [248320 2017-02-22] ()
ShellExecuteHooks: No Name - {5705D9EC-F447-11E6-9C1B-64006A5CFC23} - C:\Program Files (x86)\Witlyanipipy\Reutatainvefuch.dll [145920 2017-02-21] ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [S-1-5-21-1298314804-3398324407-510087451-1001] => Proxy is enabled.
ProxyServer: [S-1-5-21-1298314804-3398324407-510087451-1001] => http=127.0.0.1:8080;https=127.0.0.1:8080
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{c1e709e3-47e8-44ab-badc-b6e16e3b2de4}: [DhcpNameServer] 192.168.1.1 192.168.1.1
ManualProxies: 1http=127.0.0.1:8080;https=127.0.0.1:8080

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.123rede.com?oem=sv1&uid=Z2A45TTA_ST3250318AS&tm=1487724634
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.123rede.com?oem=sv1&uid=Z2A45TTA_ST3250318AS&tm=1487724634
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.123rede.com?oem=sv1&uid=Z2A45TTA_ST3250318AS&tm=1487724634
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = www.123rede.com?oem=sv1&uid=Z2A45TTA_ST3250318AS&tm=1487724634
HKU\S-1-5-21-1298314804-3398324407-510087451-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBKhl918K0qpwZ-oHt-8W_BcHInbYTtkqKeWXMBIjANy1rdw1hy6GaSDTLJdUl4NZ0yaEjydWmyoT0flG8JlJoE-focgrlESM0a2K5wazZGqZJnkC6OxEyKtuAH_n0zZ9SKEjzskjCTx2sodziPUl5wbuo6ZnzsvV-8visgAI4hnTmF4m-rkGfz_yI,&q={searchTerms}
HKU\S-1-5-21-1298314804-3398324407-510087451-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBKhl918K0qpwZ-oHt-8W_BcHInbYTtkqKeWXMBIjANy1rdw1hy6GaSDTLJdUl4NZ0yaEjydWmyoT0flG8JlJoE-focgrWkINMAxSO7_m_8h8Rzf6_DNB_pnQdqQVDazGL2vrmIUGxSjoSy97FDHUhaSWBUww-ZQ0awYdBeDpJ1jnc4fimdYO8oALE,
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL = 
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBKhl918K0qpwZ-oHt-8W_BcHInbYTtkqKeWXMBIjANy1rdw1hy6GaSDTLJdUl4NZ0yaEjydWmyoT0flG8JlJoE-focgrlESM0a2K5wazZGqZJnkC6OxEyKtuAH_n0zZ9SKEjzskjCTx2sodziPUl5wbuo6ZnzsvV-8visgAI4hnTmF4m-rkGfz_yI,&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1298314804-3398324407-510087451-1001 -> DefaultScope {ielnksrch} URL = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBKhl918K0qpwZ-oHt-8W_BcHInbYTtkqKeWXMBIjANy1rdw1hy6GaSDTLJdUl4NZ0yaEjydWmyoT0flG8JlJoE-focgrlESM0a2K5wazZGqZJnkC6OxEyKtuAH_n0zZ9SKEjzskjCTx2sodziPUl5wbuo6ZnzsvV-8visgAI4hnTmF4m-rkGfz_yI,&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1298314804-3398324407-510087451-1001 -> {ielnksrch} URL = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBKhl918K0qpwZ-oHt-8W_BcHInbYTtkqKeWXMBIjANy1rdw1hy6GaSDTLJdUl4NZ0yaEjydWmyoT0flG8JlJoE-focgrlESM0a2K5wazZGqZJnkC6OxEyKtuAH_n0zZ9SKEjzskjCTx2sodziPUl5wbuo6ZnzsvV-8visgAI4hnTmF4m-rkGfz_yI,&q={searchTerms}
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_121\bin\ssv.dll [2017-02-08] (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-02-08] (Oracle Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll [2017-02-06] (Microsoft Corporation)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\GROOVEEX.DLL [2017-02-06] (Microsoft Corporation)
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2017-02-06] (Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2017-02-06] (Microsoft Corporation)
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2017-02-06] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2017-02-06] (Microsoft Corporation)
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2017-02-06] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2017-02-06] (Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2017-02-06] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2017-02-06] (Microsoft Corporation)
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe www.123rede.com?oem=sv1&uid=Z2A45TTA_ST3250318AS&tm=1487724634

FireFox:
========
FF DefaultProfile: 0t0ct6af.default
FF ProfilePath: C:\Users\Anderson\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles\0t0ct6af.default\Profiles\0t0ct6af.default [not found]
FF ProfilePath: C:\Users\Anderson\AppData\Roaming\Mozilla\Firefox\Profiles\0t0ct6af.default [2017-02-22]
FF Plugin: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-02-08] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-02-08] (Oracle Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2017-02-06] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL [2017-02-06] (Microsoft Corporation)
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe www.123rede.com?oem=sv1&uid=Z2A45TTA_ST3250318AS&tm=1487724634

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AppxelfmuzyaH; C:\ProgramData\\AppxelfmuzyaH\\AppxelfmuzyaH.exe [981504 2017-02-23] () [File not signed]
R2 backlh; C:\ProgramData\Logic Handler\set.exe [3786752 2017-02-22] () [File not signed]
S3 BstHdAndroidSvc; C:\Program Files (x86)\Bluestacks\HD-Service.exe [486936 2016-12-13] (BlueStack Systems, Inc.)
R2 BstHdLogRotatorSvc; C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe [470552 2016-12-13] (BlueStack Systems, Inc.)
S3 BstHdPlusAndroidSvc; C:\Program Files (x86)\Bluestacks\HD-Plus-Service.exe [511512 2016-12-13] (BlueStack Systems, Inc.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [3702472 2017-01-29] (Microsoft Corporation)
R2 Nettrans; C:\ProgramData\NetworkPacketManitor\Nettrans.exe [43520 2017-02-23] () [File not signed]
R2 OtherSearch; C:\Program Files (x86)\Jw9pwwRWvo\kl.dll [467456 2017-02-21] () [File not signed] <==== ATTENTION
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [2889896 2016-09-15] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
R2 WindowsSecurity; C:\ProgramData\Windows Security\winsecurity.exe [1264640 2017-01-16] (Microsoft Corporation) [File not signed] <==== ATTENTION
R2 WMPNetworkAcSvc; C:\Users\Anderson\AppData\Roaming\WMPNetworkAcSvc\WMPNetworkAcSvc.exe [5091840 2016-11-10] () [File not signed] <==== ATTENTION
R2 XBox; C:\Program Files\XBox\XBLive.exe [7068160 2017-02-14] (Microsoft Corporation) [File not signed]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 BstHdDrv; C:\Program Files (x86)\Bluestacks\HD-Hypervisor-amd64.sys [152672 2016-12-13] (BlueStack Systems)
S3 BstkDrv; C:\Program Files (x86)\Bluestacks\BstkDrv.sys [270904 2016-11-08] (Bluestack System Inc. )
R3 e1cexpress; C:\WINDOWS\system32\DRIVERS\e1c63x64.sys [452432 2012-11-02] (Intel Corporation)
R1 Lace514; C:\WINDOWS\System32\drivers\Lace_wpf_x64.sys [69400 2017-02-09] (Lace514)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-22 20:17 - 2017-02-22 20:18 - 00015759 _____ C:\Users\Anderson\Downloads\FRST.txt
2017-02-22 20:17 - 2017-02-22 20:17 - 00000000 ____D C:\FRST
2017-02-22 20:16 - 2017-02-22 20:16 - 02423296 _____ (Farbar) C:\Users\Anderson\Downloads\FRST64.exe
2017-02-22 20:13 - 2017-02-22 20:18 - 00000000 ____D C:\ProgramData\AppxelfmuzyaH
2017-02-22 20:13 - 2017-02-22 20:13 - 00002395 _____ C:\WINDOWS\SysWOW64\findit.xml
2017-02-22 20:13 - 2017-02-22 20:13 - 00000000 ____D C:\ProgramData\AppxelfmuzyaHs
2017-02-22 20:07 - 2017-02-22 20:07 - 00002052 _____ C:\WINDOWS\System32\Tasks\apqTet5AQU
2017-02-22 20:04 - 2017-02-22 20:07 - 00000000 ____D C:\Program Files (x86)\Jw9pwwRWvo
2017-02-22 19:58 - 2017-02-22 19:58 - 00000000 ____D C:\Users\Anderson\AppData\Roaming\Hetuentgrahs
2017-02-22 19:54 - 2017-02-22 19:54 - 00000000 ____D C:\Users\Anderson\AppData\Roaming\Coerbotain
2017-02-22 19:53 - 2017-02-22 19:53 - 00003716 _____ C:\WINDOWS\System32\Tasks\{753DB872-71B3-4AEC-8614-5524748E3117}
2017-02-22 19:48 - 2017-02-22 19:48 - 00000000 ____D C:\Program Files\DYLJXNRV1Z
2017-02-22 19:45 - 2017-02-22 19:45 - 00000000 ____D C:\ProgramData\Logic Handler
2017-02-22 19:44 - 2017-02-22 20:13 - 00000000 ____D C:\ProgramData\NetworkPacketManitor
2017-02-22 19:44 - 2017-02-22 19:44 - 07291904 _____ C:\Users\Anderson\AppData\Roaming\agent.dat
2017-02-22 19:44 - 2017-02-22 19:44 - 01938533 _____ C:\Users\Anderson\AppData\Roaming\Domdox.bin
2017-02-22 19:44 - 2017-02-22 19:44 - 01895568 _____ C:\Users\Anderson\AppData\Roaming\Freshnix.tst
2017-02-22 19:44 - 2017-02-22 19:44 - 00278518 _____ C:\Users\Anderson\AppData\Roaming\Zimdax.bin
2017-02-22 19:44 - 2017-02-22 19:44 - 00126464 _____ C:\Users\Anderson\AppData\Roaming\noah.dat
2017-02-22 19:44 - 2017-02-22 19:44 - 00070752 _____ C:\Users\Anderson\AppData\Roaming\Config.xml
2017-02-22 19:44 - 2017-02-22 19:44 - 00018432 _____ C:\Users\Anderson\AppData\Roaming\Main.dat
2017-02-22 19:44 - 2017-02-22 19:44 - 00006106 _____ C:\WINDOWS\System32\Tasks\Ittckoherly Core
2017-02-22 19:44 - 2017-02-22 19:44 - 00005568 _____ C:\Users\Anderson\AppData\Roaming\md.xml
2017-02-22 19:44 - 2017-02-22 19:44 - 00000000 ____D C:\Users\Public\Documents\Tools
2017-02-22 19:44 - 2017-02-22 19:44 - 00000000 ____D C:\Users\Public\Documents\Guid
2017-02-22 19:44 - 2017-02-22 19:44 - 00000000 ____D C:\Users\Public\Documents\Baidu
2017-02-22 19:44 - 2017-02-22 19:44 - 00000000 ____D C:\Users\Anderson\AppData\Local\Lcogeqamuk
2017-02-22 19:44 - 2017-02-22 19:44 - 00000000 ____D C:\Program Files (x86)\Plowiseprunoght
2017-02-22 19:44 - 2017-02-22 19:44 - 00000000 ____D C:\Program Files (x86)\Ittckoherly Core
2017-02-22 19:44 - 2017-02-22 19:43 - 00981504 _____ C:\Users\Anderson\AppData\Roaming\Freshnix.exe
2017-02-22 19:43 - 2017-02-22 20:07 - 00000002 _____ C:\END
2017-02-22 19:43 - 2017-02-22 19:58 - 00000000 ____D C:\Program Files (x86)\BeCleaner
2017-02-22 19:43 - 2017-02-22 19:43 - 00140288 _____ C:\Users\Anderson\AppData\Roaming\Installer.dat
2017-02-22 19:43 - 2017-02-22 19:43 - 00016080 _____ C:\Users\Anderson\AppData\Roaming\InstallationConfiguration.xml
2017-02-22 19:43 - 2017-02-22 19:43 - 00000000 ____D C:\Program Files\J512JCQTE7
2017-02-22 19:42 - 2017-02-22 20:04 - 00003112 _____ C:\WINDOWS\System32\Tasks\RunAtStartup
2017-02-22 19:42 - 2017-02-22 20:04 - 00000000 ____D C:\Users\Anderson\AppData\Roaming\Event Monitor
2017-02-22 19:42 - 2017-02-22 20:03 - 00000000 ____D C:\Program Files (x86)\pccleanplus
2017-02-22 19:42 - 2017-02-22 19:43 - 00000000 ____D C:\Users\Anderson\AppData\LocalLow\Mozilla
2017-02-22 19:42 - 2017-02-22 19:43 - 00000000 ____D C:\Program Files\4Q55IOK0OX
2017-02-22 19:42 - 2017-02-22 19:42 - 00000000 ____D C:\Users\Anderson\AppData\Roaming\Mozilla
2017-02-22 19:42 - 2017-02-22 19:42 - 00000000 ____D C:\Users\Anderson\AppData\Local\Mozilla
2017-02-22 19:42 - 2017-02-22 19:42 - 00000000 ____D C:\Program Files\PKODETF5N0
2017-02-21 21:50 - 2017-02-21 21:50 - 00000000 ____D C:\Users\Anderson\AppData\Roaming\excdir
2017-02-21 21:48 - 2017-02-21 21:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2017-02-21 21:48 - 2017-02-21 21:48 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2017-02-21 21:46 - 2017-02-22 19:55 - 00000000 ____D C:\WINDOWS\system32\SSL
2017-02-21 21:46 - 2017-02-21 22:10 - 00000388 ____H C:\WINDOWS\Tasks\Traffic Exchange Updater.job
2017-02-21 21:46 - 2017-02-21 22:10 - 00000346 _____ C:\WINDOWS\Tasks\Traffic Exchange v209 - 3.job
2017-02-21 21:46 - 2017-02-21 22:10 - 00000346 _____ C:\WINDOWS\Tasks\Traffic Exchange v209 - 2.job
2017-02-21 21:46 - 2017-02-21 22:10 - 00000346 _____ C:\WINDOWS\Tasks\Traffic Exchange v209 - 1.job
2017-02-21 21:46 - 2017-02-21 22:10 - 00000336 _____ C:\WINDOWS\Tasks\Traffic Exchange v2 - 3.job
2017-02-21 21:46 - 2017-02-21 22:10 - 00000336 _____ C:\WINDOWS\Tasks\Traffic Exchange v2 - 2.job
2017-02-21 21:46 - 2017-02-21 22:10 - 00000336 _____ C:\WINDOWS\Tasks\Traffic Exchange v2 - 1.job
2017-02-21 21:46 - 2017-02-21 21:46 - 00003708 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange Guardian
2017-02-21 21:46 - 2017-02-21 21:46 - 00003702 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange Guard
2017-02-21 21:46 - 2017-02-21 21:46 - 00003690 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange
2017-02-21 21:46 - 2017-02-21 21:46 - 00003276 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange Updater
2017-02-21 21:46 - 2017-02-21 21:46 - 00003238 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v209 - 3
2017-02-21 21:46 - 2017-02-21 21:46 - 00003238 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v209 - 2
2017-02-21 21:46 - 2017-02-21 21:46 - 00003238 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v209 - 1
2017-02-21 21:46 - 2017-02-21 21:46 - 00003224 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v2 - 3
2017-02-21 21:46 - 2017-02-21 21:46 - 00003224 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v2 - 2
2017-02-21 21:46 - 2017-02-21 21:46 - 00003224 _____ C:\WINDOWS\System32\Tasks\Traffic Exchange v2 - 1
2017-02-21 21:46 - 2017-02-21 21:46 - 00000000 ____D C:\Users\Default\AppData\Local\AdvinstAnalytics
2017-02-21 21:46 - 2017-02-21 21:46 - 00000000 ____D C:\Users\Default User\AppData\Local\AdvinstAnalytics
2017-02-21 21:46 - 2017-02-21 21:46 - 00000000 ____D C:\Program Files (x86)\Microleaves
2017-02-21 21:45 - 2017-02-22 20:08 - 00000034 _____ C:\Users\Public\Documents\{DE764086-1C0A-4DD3-90BA-0B93BDD794BE}
2017-02-21 21:45 - 2017-02-22 20:08 - 00000000 ____D C:\Users\Anderson\AppData\Roaming\WMPNetworkAcSvc
2017-02-21 21:45 - 2017-02-21 21:46 - 00000000 ____D C:\Users\Anderson\AppData\Roaming\Microleaves
2017-02-21 21:45 - 2017-02-21 21:45 - 00006196 _____ C:\WINDOWS\System32\Tasks\Droheseruces Configuration
2017-02-21 21:45 - 2017-02-21 21:45 - 00005112 _____ C:\WINDOWS\System32\Tasks\Therlitain
2017-02-21 21:45 - 2017-02-21 21:45 - 00000000 ____D C:\Users\Anderson\AppData\Local\Coidosecemodom
2017-02-21 21:45 - 2017-02-21 21:45 - 00000000 ____D C:\Program Files\XBox
2017-02-21 21:45 - 2017-02-21 21:45 - 00000000 ____D C:\Program Files (x86)\Witlyanipipy
2017-02-21 21:45 - 2017-02-21 21:45 - 00000000 ____D C:\Program Files (x86)\Droheseruces Configuration
2017-02-21 21:44 - 2017-02-21 21:45 - 00000000 ____D C:\ProgramData\Windows Security
2017-02-21 21:42 - 2017-02-21 21:53 - 00000000 ____D C:\ProgramData\VCE Exam Simulator
2017-02-21 21:42 - 2017-02-21 21:42 - 00001181 _____ C:\Users\Public\Desktop\VCE Designer Demo.lnk
2017-02-21 21:42 - 2017-02-21 21:42 - 00001169 _____ C:\Users\Public\Desktop\VCE Player Demo.lnk
2017-02-21 21:42 - 2017-02-21 21:42 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VCE Exam Simulator Demo
2017-02-21 21:42 - 2017-02-21 21:42 - 00000000 ____D C:\Program Files (x86)\VCE Exam Simulator Demo
2017-02-21 21:40 - 2017-02-21 21:40 - 16865432 _____ C:\Users\Anderson\Downloads\vce_exam_simulator_demo_setup.zip
2017-02-21 21:34 - 2017-02-21 21:35 - 01800192 _____ C:\Users\Anderson\Downloads\VCE Exam Simulator 2-3-2 Crack.iso
2017-02-21 21:33 - 2017-02-21 21:33 - 05740849 _____ C:\Users\Anderson\Downloads\gratisexam.com-Cisco.PracticeTest.300-115.v2016-07-08.by.Alexander.163q.vce
2017-02-20 21:15 - 2017-02-20 21:15 - 00000000 ____D C:\Users\Anderson\Documents\Custom Office Templates
2017-02-20 21:08 - 2017-02-21 20:50 - 00000000 ____D C:\Users\Anderson\Documents\Uninter
2017-02-17 18:05 - 2017-02-17 18:05 - 03225275 _____ C:\WINDOWS\36d7c39c19004c470a0e20f6792ff60b.exe
2017-02-09 06:03 - 2017-02-09 06:03 - 00069400 _____ (Lace514) C:\WINDOWS\system32\Drivers\Lace_wpf_x64.sys
2017-02-08 20:17 - 2017-02-08 20:17 - 00000000 ____D C:\Users\Anderson\Downloads\10-02_legacy_vista32-64_dd_ccc
2017-02-08 17:03 - 2017-02-08 17:04 - 00000000 ____D C:\Users\Anderson\Downloads\Chipset_Driver_DGVN0_WN_7.1.52.1176_A04
2017-02-08 17:03 - 2017-02-08 17:03 - 00000000 ____D C:\Users\Anderson\AppData\Local\Dell
2017-02-08 16:57 - 2017-02-08 16:57 - 00000000 ____D C:\Users\Anderson\AppData\LocalLow\Oracle
2017-02-07 11:38 - 2017-02-07 11:38 - 00000000 ____D C:\Users\thali\AppData\Roaming\Sun
2017-02-07 11:38 - 2017-02-07 11:38 - 00000000 ____D C:\Users\thali\AppData\LocalLow\Sun
2017-02-06 19:58 - 2017-02-06 19:58 - 00000000 ____D C:\Program Files\Common Files\DESIGNER
2017-02-06 14:10 - 2017-02-06 14:10 - 00000000 ____D C:\Users\Anderson\AppData\Roaming\Sun
2017-02-06 14:10 - 2017-02-06 14:10 - 00000000 ____D C:\Users\Anderson\AppData\LocalLow\Sun
2017-01-29 22:00 - 2016-12-21 04:08 - 00142848 _____ (Microsoft Corporation) C:\WINDOWS\system32\poqexec.exe
2017-01-29 22:00 - 2016-12-21 01:44 - 00120320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\poqexec.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-22 20:13 - 2017-01-09 21:40 - 00001234 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2017-02-22 20:13 - 2017-01-09 21:40 - 00001228 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2017-02-22 20:10 - 2016-07-16 08:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-02-22 20:10 - 2016-07-16 08:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-02-22 20:07 - 2016-12-16 20:52 - 00416800 _____ C:\WINDOWS\system32\prfh0416.dat
2017-02-22 20:07 - 2016-12-16 20:52 - 00084926 _____ C:\WINDOWS\system32\prfc0416.dat
2017-02-22 20:07 - 2016-12-16 20:23 - 01440496 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-02-22 20:03 - 2016-12-16 20:19 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-02-22 20:02 - 2016-07-16 03:04 - 00786432 _____ C:\WINDOWS\system32\config\BBI
2017-02-22 10:41 - 2017-01-16 14:09 - 00000000 ____D C:\Users\thale\AppData\Local\Troubleshooter
2017-02-21 22:19 - 2016-07-16 08:45 - 00000000 ____D C:\WINDOWS\INF
2017-02-21 22:13 - 2017-01-09 21:58 - 00000000 ____D C:\ProgramData\BlueStacksSetup
2017-02-21 21:53 - 2016-12-16 20:10 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-02-21 17:58 - 2017-01-15 20:14 - 00000000 ___RD C:\Users\thali\OneDrive
2017-02-20 21:56 - 2017-01-09 21:58 - 00000570 _____ C:\Users\thale\AppData\Local\TroubleshooterConfig.json
2017-02-19 11:52 - 2017-01-09 18:41 - 00000000 ____D C:\Users\thale
2017-02-18 22:58 - 2017-01-09 21:53 - 00000000 ____D C:\Users\thale\AppData\LocalLow\Mozilla
2017-02-10 12:18 - 2016-07-16 08:47 - 00000000 ____D C:\WINDOWS\system32\AppLocker
2017-02-09 09:11 - 2016-07-16 08:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-02-08 21:26 - 2016-07-16 11:15 - 00000000 ____D C:\WINDOWS\OCR
2017-02-08 17:01 - 2017-01-09 19:06 - 00000000 ____D C:\ProgramData\Oracle
2017-02-08 17:01 - 2017-01-09 19:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-02-08 17:01 - 2017-01-09 19:06 - 00000000 ____D C:\Program Files\Java
2017-02-08 17:00 - 2017-01-09 19:06 - 00110144 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge-64.dll
2017-02-08 16:58 - 2007-01-06 00:20 - 00014256 _____ C:\WINDOWS\system32\Drivers\ativvpxx.vp
2017-02-08 16:58 - 2007-01-05 23:34 - 03107788 _____ C:\WINDOWS\SysWOW64\atiumdva.dat
2017-02-08 16:58 - 2007-01-05 23:34 - 03107788 _____ C:\WINDOWS\system32\atiumd6a.dat
2017-02-08 16:58 - 2006-08-24 05:26 - 00655825 _____ C:\WINDOWS\system32\Drivers\ativcaxx.cpa
2017-02-08 16:58 - 2006-08-24 05:26 - 00002096 _____ C:\WINDOWS\system32\Drivers\ativpkxx.vp
2017-02-08 16:58 - 2006-08-24 05:26 - 00002096 _____ C:\WINDOWS\system32\Drivers\ativokxx.vp
2017-02-08 16:58 - 2006-08-24 05:26 - 00002096 _____ C:\WINDOWS\system32\Drivers\ativdkxx.vp
2017-02-08 16:58 - 2006-08-24 05:26 - 00000929 _____ C:\WINDOWS\system32\Drivers\ativcaxx.vp
2017-02-07 11:33 - 2017-01-15 20:14 - 00002405 _____ C:\Users\thali\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-02-07 11:32 - 2017-01-15 20:11 - 00000000 ____D C:\Users\thali\AppData\Local\Packages
2017-02-06 19:58 - 2016-07-16 08:47 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-02-06 19:58 - 2016-07-16 08:47 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2017-02-06 19:56 - 2017-01-09 20:22 - 00000000 ____D C:\Program Files\Microsoft Office
2017-02-06 18:50 - 2017-01-09 21:40 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-02-06 18:50 - 2017-01-09 21:40 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-02-06 14:05 - 2016-12-16 20:34 - 00003278 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task v2
2017-02-06 14:05 - 2016-12-16 20:33 - 00002414 _____ C:\Users\Anderson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-02-06 14:05 - 2016-12-16 19:00 - 00000000 __RDO C:\Users\Anderson\SkyDrive
2017-01-30 07:50 - 2017-01-18 21:24 - 00000000 ____D C:\Users\thale\AppData\Roaming\uTorrent

==================== Files in the root of some directories =======

2017-02-22 19:44 - 2017-02-22 19:44 - 7291904 _____ () C:\Users\Anderson\AppData\Roaming\agent.dat
2017-02-22 19:44 - 2017-02-22 19:44 - 0070752 _____ () C:\Users\Anderson\AppData\Roaming\Config.xml
2017-02-22 19:44 - 2017-02-22 19:44 - 1938533 _____ () C:\Users\Anderson\AppData\Roaming\Domdox.bin
2017-02-22 19:44 - 2017-02-22 19:43 - 0981504 _____ () C:\Users\Anderson\AppData\Roaming\Freshnix.exe
2017-02-22 19:44 - 2017-02-22 19:44 - 1895568 _____ () C:\Users\Anderson\AppData\Roaming\Freshnix.tst
2017-02-22 19:43 - 2017-02-22 19:43 - 0016080 _____ () C:\Users\Anderson\AppData\Roaming\InstallationConfiguration.xml
2017-02-22 19:43 - 2017-02-22 19:43 - 0140288 _____ () C:\Users\Anderson\AppData\Roaming\Installer.dat
2017-02-22 19:44 - 2017-02-22 19:44 - 0018432 _____ () C:\Users\Anderson\AppData\Roaming\Main.dat
2017-02-22 19:44 - 2017-02-22 19:44 - 0005568 _____ () C:\Users\Anderson\AppData\Roaming\md.xml
2017-02-22 19:44 - 2017-02-22 19:44 - 0126464 _____ () C:\Users\Anderson\AppData\Roaming\noah.dat
2017-02-22 19:45 - 2017-02-22 19:45 - 0032038 _____ () C:\Users\Anderson\AppData\Roaming\uninstall_temp.ico
2017-02-22 19:44 - 2017-02-22 19:44 - 0278518 _____ () C:\Users\Anderson\AppData\Roaming\Zimdax.bin

Some files in TEMP:
====================
2017-02-22 19:43 - 2017-02-22 19:43 - 0425674 _____ (WeMonetize ) C:\Users\Anderson\AppData\Local\Temp\8XCWVM0.exe
2017-02-22 19:58 - 2017-02-22 19:58 - 0534528 _____ (B2QN) C:\Users\Anderson\AppData\Local\Temp\FFASPJF1MFDH.exe
2017-02-08 16:57 - 2017-02-08 16:57 - 0739904 _____ (Oracle Corporation) C:\Users\Anderson\AppData\Local\Temp\jre-8u121-windows-au.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-02-19 18:15

==================== End of FRST.txt ============================