Windows 7 keeps booting to repair loops and fails

JoJoMixx

Apr 3, 2017
Hello everyone,


To be honest, I usually fix my PCs at home myself as I do have some knowledge. But I've been getting busy lately and have stuff on the PC, and I don't want to format it from the start.


Just to make it simple, I guess a flash drive with a shortcut virus that creates folder shortcuts infected my PC. I ran Malwarebytes and it did find some infections, mostly the svchost files, which are in the attached logs. After the virus was removed it asked for a restart, and the problem started there. Windows tries to boot and reaches the logo screen, then switches to repair mode. It keeps searching for problems, then at the end says it failed, and the log says corrupted files. I restart again and the same thing happens; even safe mode sends me to repair mode.


I tried the Windows repair disc but it kept saying incompatible version. I tried the cmd and fixes like (bootrec /fixmbr ... chkdsk .r .f c: ... sfc/scannow) and none of them worked.


My last option was to try this Farbar tool, but I had to run it on Win7 PE. I got the log and hope you guys can help me with it. I am sure the problem is the files that Malwarebytes removed, but I can't run the program on the Win7 PE to revert the changes, and the files are packed in a weird file now.
================================
Malwarebytes LOG
==============
<?xml version="1.0" encoding="UTF-16"?>
<mbam-log>
  <header>
    <date>2017/04/03 02:49:20 +0400</date>
    <logfile>mbam-log-2017-04-03 (02-49-20).xml</logfile>
    <isadmin>yes</isadmin>
  </header>
  <engine>
    <version>2.2.1.1043</version>
    <malware-database>v2017.04.02.05</malware-database>
    <rootkit-database>v2017.04.02.01</rootkit-database>
    <license>free</license>
    <file-protection>disabled</file-protection>
    <web-protection>disabled</web-protection>
    <self-protection>disabled</self-protection>
  </engine>
  <system>
    <hostname>OMEGA</hostname>
    <ip/>
    <osversion>Windows 7 Service Pack 1</osversion>
    <arch>x64</arch>
    <username>user</username>
    <filesys>NTFS</filesys>
  </system>
  <summary>
    <type>threat</type>
    <result>completed</result>
    <objects>321444</objects>
    <time>153</time>
    <processes>0</processes>
    <modules>0</modules>
    <keys>0</keys>
    <values>0</values>
    <datas>0</datas>
    <folders>0</folders>
    <files>24</files>
    <sectors>0</sectors>
  </summary>
  <options>
    <memory>enabled</memory>
    <startup>enabled</startup>
    <filesystem>enabled</filesystem>
    <archives>enabled</archives>
    <rootkits>disabled</rootkits>
    <deeprootkit>disabled</deeprootkit>
    <heuristics>enabled</heuristics>
    <pup>enabled</pup>
    <pum>enabled</pum>
  </options>
  <items>
    <file>
      <path>c:\programdata\gdriver\syshost.exe</path>
      <vendor>Rootkit.Necurs.DR</vendor>
      <action>delete-on-reboot</action>
      <hash>bb920fddffa9b97d46e470cfee121ee2</hash>
    </file>
    <file>
      <path>c:\users\user\appdata\roaming\gdriver\syshost.exe</path>
      <vendor>Rootkit.Necurs.DR</vendor>
      <action>delete-on-reboot</action>
      <hash>5bf243a98b1d47efeb3fbb847888c040</hash>
    </file>
    <file>
      <path>c:\windows\serviceprofiles\localservice\appdata\roaming\gdriver\syshost.exe</path>
      <vendor>Rootkit.Necurs.DR</vendor>
      <action>delete-on-reboot</action>
      <hash>e36a4aa23b6d8caa15158eb13cc47e82</hash>
    </file>
    <file>
      <path>c:\windows\serviceprofiles\networkservice\appdata\roaming\gdriver\syshost.exe</path>
      <vendor>Rootkit.Necurs.DR</vendor>
      <action>delete-on-reboot</action>
      <hash>212c6e7eb5f3e6508f9b49f62ed226da</hash>
    </file>
    <file>
      <path>c:\windows\system32\config\systemprofile\appdata\roaming\gdriver\syshost.exe</path>
      <vendor>Rootkit.Necurs.DR</vendor>
      <action>delete-on-reboot</action>
      <hash>4607feeeefb984b251d9fb444bb5837d</hash>
    </file>
    <file>
      <path>c:\programdata\syshost.exe</path>
      <vendor>Backdoor.Agent.E</vendor>
      <action>delete-on-reboot</action>
      <hash>133a7e6edbcd7abc95201703f3100cf4</hash>
    </file>
    <file>
      <path>c:\users\user\appdata\roaming\syshost.exe</path>
      <vendor>Backdoor.Agent.E</vendor>
      <action>delete-on-reboot</action>
      <hash>bc91c3297632e05620950614c63d12ee</hash>
    </file>
    <file>
      <path>c:\windows\serviceprofiles\localservice\appdata\roaming\syshost.exe</path>
      <vendor>Backdoor.Agent.E</vendor>
      <action>delete-on-reboot</action>
      <hash>2825c428a305e74f13a24cce946fbd43</hash>
    </file>
    <file>
      <path>c:\windows\serviceprofiles\networkservice\appdata\roaming\syshost.exe</path>
      <vendor>Backdoor.Agent.E</vendor>
      <action>delete-on-reboot</action>
      <hash>2825f0fce1c7c4728134f921f013e719</hash>
    </file>
    <file>
      <path>c:\windows\system32\config\systemprofile\appdata\roaming\syshost.exe</path>
      <vendor>Backdoor.Agent.E</vendor>
      <action>delete-on-reboot</action>
      <hash>3e0fe00cd1d7bf77f1c4e4362fd4d42c</hash>
    </file>
    <file>
      <path>c:\windows\syshost.exe</path>
      <vendor>Trojan.Downloader</vendor>
      <action>delete-on-reboot</action>
      <hash>eb62cc205a4ef04628d9aea2c43f47b9</hash>
    </file>
    <file>
      <path>c:\users\user\appdata\local\temp\syshost.exe</path>
      <vendor>Exploit.Dropper.GS</vendor>
      <action>delete-on-reboot</action>
      <hash>1736de0e7533ba7ca3436872669d7f81</hash>
    </file>
    <file>
      <path>c:\windows\serviceprofiles\localservice\appdata\local\temp\syshost.exe</path>
      <vendor>Exploit.Dropper.GS</vendor>
      <action>delete-on-reboot</action>
      <hash>5cf1915baafe84b2ba2c8c4e3ec56c94</hash>
    </file>
    <file>
      <path>c:\windows\serviceprofiles\networkservice\appdata\local\temp\syshost.exe</path>
      <vendor>Exploit.Dropper.GS</vendor>
      <action>delete-on-reboot</action>
      <hash>242917d5a0089f97a343b22805fe926e</hash>
    </file>
    <file>
      <path>c:\windows\temp\syshost.exe</path>
      <vendor>Exploit.Dropper.GS</vendor>
      <action>delete-on-reboot</action>
      <hash>59f49458d6d2999d29bd6179847f936d</hash>
    </file>
    <file>
      <path>c:\users\public\syshost.exe</path>
      <vendor>Exploit.Dropper.GS</vendor>
      <action>delete-on-reboot</action>
      <hash>da73f5f71a8e76c05996a13956adf709</hash>
    </file>
    <file>
      <path>c:\users\user\syshost.exe</path>
      <vendor>Exploit.Dropper.GS</vendor>
      <action>delete-on-reboot</action>
      <hash>321b6a824b5d87af6e810dcdc63d19e7</hash>
    </file>
    <file>
      <path>c:\windows\serviceprofiles\localservice\syshost.exe</path>
      <vendor>Exploit.Dropper.GS</vendor>
      <action>delete-on-reboot</action>
      <hash>72db09e3c8e0999d6f8030aa966d9769</hash>
    </file>
    <file>
      <path>c:\windows\serviceprofiles\networkservice\syshost.exe</path>
      <vendor>Exploit.Dropper.GS</vendor>
      <action>delete-on-reboot</action>
      <hash>1d30ba32faae16208e615e7c12f1b54b</hash>
    </file>
    <file>
      <path>c:\windows\system32\config\systemprofile\syshost.exe</path>
      <vendor>Exploit.Dropper.GS</vendor>
      <action>delete-on-reboot</action>
      <hash>80cdd01c9612ad89fdf2c81215eeb14f</hash>
    </file>
    <file>
      <path>c:\users\user\appdata\local\syshost.exe</path>
      <vendor>Exploit.Dropper.GSLAD</vendor>
      <action>delete-on-reboot</action>
      <hash>a5a848a407a162d4ee0ba03acd36946c</hash>
    </file>
    <file>
      <path>c:\windows\serviceprofiles\localservice\appdata\local\syshost.exe</path>
      <vendor>Exploit.Dropper.GSLAD</vendor>
      <action>delete-on-reboot</action>
      <hash>d677dc10d5d3ae88ef0a23b7f60d8d73</hash>
    </file>
    <file>
      <path>c:\windows\serviceprofiles\networkservice\appdata\local\syshost.exe</path>
      <vendor>Exploit.Dropper.GSLAD</vendor>
      <action>delete-on-reboot</action>
      <hash>6ce11ad2396fac8a16e3f0ead92a59a7</hash>
    </file>
    <file>
      <path>c:\windows\system32\config\systemprofile\appdata\local\syshost.exe</path>
      <vendor>Exploit.Dropper.GSLAD</vendor>
      <action>delete-on-reboot</action>
      <hash>004de8042d7b6cca788122b833d0eb15</hash>
    </file>
  </items>
</mbam-log>
==================
<?xml version="1.0" encoding="UTF-16"?>
<mbam-log>
  <header>
    <date>2017/04/03 00:15:06 +0400</date>
    <logfile>mbam-log-2017-04-03 (00-14-54).xml</logfile>
    <isadmin>yes</isadmin>
  </header>
  <engine>
    <version>2.2.1.1043</version>
    <malware-database>v2017.04.02.05</malware-database>
    <rootkit-database>v2017.04.02.01</rootkit-database>
    <license>free</license>
    <file-protection>disabled</file-protection>
    <web-protection>disabled</web-protection>
    <self-protection>disabled</self-protection>
  </engine>
  <system>
    <hostname>OMEGA</hostname>
    <ip>192.168.0.41</ip>
    <osversion>Windows 7 Service Pack 1</osversion>
    <arch>x64</arch>
    <username>user</username>
    <filesys>NTFS</filesys>
  </system>
  <summary>
    <type>threat</type>
    <result>completed</result>
    <objects>321880</objects>
    <time>187</time>
    <processes>5</processes>
    <modules>0</modules>
    <keys>0</keys>
    <values>8</values>
    <datas>0</datas>
    <folders>0</folders>
    <files>6</files>
    <sectors>0</sectors>
  </summary>
  <options>
    <memory>enabled</memory>
    <startup>enabled</startup>
    <filesystem>enabled</filesystem>
    <archives>enabled</archives>
    <rootkits>disabled</rootkits>
    <deeprootkit>disabled</deeprootkit>
    <heuristics>enabled</heuristics>
    <pup>enabled</pup>
    <pum>enabled</pum>
  </options>
  <items>
    <process>
      <path>C:\Users\user\AppData\Roaming\csrss.exe</path>
      <vendor>Trojan.Nymaim</vendor>
      <action>delete-on-reboot</action>
      <pid>3840</pid>
      <hash>b994ce1ef0b81d19bfd8e42946bc21df</hash>
    </process>
    <process>
      <path>C:\Users\user\AppData\Roaming\csrss.exe</path>
      <vendor>Trojan.Nymaim</vendor>
      <action>delete-on-reboot</action>
      <pid>4152</pid>
      <hash>b994ce1ef0b81d19bfd8e42946bc21df</hash>
    </process>
    <process>
      <path>C:\Users\user\AppData\Roaming\svchost.exe</path>
      <vendor>Trojan.Nymaim</vendor>
      <action>delete-on-reboot</action>
      <pid>4124</pid>
      <hash>410c8e5e6246082e76210c017d8548b8</hash>
    </process>
    <process>
      <path>C:\Users\user\AppData\Roaming\svchost.exe</path>
      <vendor>Trojan.Nymaim</vendor>
      <action>delete-on-reboot</action>
      <pid>4192</pid>
      <hash>410c8e5e6246082e76210c017d8548b8</hash>
    </process>
    <process>
      <path>c:\windows\installer\{bf3f76cd-c443-cc98-9c23-e49d7b563b7f}\syshost.exe</path>
      <vendor>Ransom.Dharma</vendor>
      <action>delete-on-reboot</action>
      <pid>720</pid>
      <hash>09440ae23a6edc5a3e41c08211f11fe1</hash>
    </process>
    <value>
      <path>HKU\S-1-5-21-2229136060-4167883317-2944481350-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path>
      <valuename>Client Server Runtime Process</valuename>
      <vendor>Trojan.Nymaim</vendor>
      <action>success</action>
      <valuedata>C:\Users\user\AppData\Roaming\csrss.exe</valuedata>
      <hash>b994ce1ef0b81d19bfd8e42946bc21df</hash>
    </value>
    <value>
      <path>HKU\S-1-5-21-2229136060-4167883317-2944481350-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path>
      <valuename>Host-process Windows (Rundll32.exe)</valuename>
      <vendor>Trojan.Nymaim</vendor>
      <action>success</action>
      <valuedata>C:\Users\user\AppData\Roaming\csrss.exe</valuedata>
      <hash>b994ce1ef0b81d19bfd8e42946bc21df</hash>
    </value>
    <value>
      <path>HKU\S-1-5-21-2229136060-4167883317-2944481350-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path>
      <valuename>Service Host Process for Windows</valuename>
      <vendor>Trojan.Nymaim</vendor>
      <action>success</action>
      <valuedata>C:\Users\user\AppData\Roaming\svchost.exe</valuedata>
      <hash>410c8e5e6246082e76210c017d8548b8</hash>
    </value>
    <value>
      <path>HKU\S-1-5-21-2229136060-4167883317-2944481350-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path>
      <valuename>Host-process Windows (Rundll3.exe)</valuename>
      <vendor>Trojan.Nymaim</vendor>
      <action>success</action>
      <valuedata>C:\Users\user\AppData\Roaming\svchost.exe</valuedata>
      <hash>410c8e5e6246082e76210c017d8548b8</hash>
    </value>
    <value>
      <path>HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path>
      <valuename>syshost32</valuename>
      <vendor>Backdoor.Agent</vendor>
      <action>success</action>
      <valuedata>C:\Windows\Installer\{BF3F76CD-C443-CC98-9C23-E49D7B563B7F}\syshost.exe</valuedata>
      <hash>0647da127d2bae88f6d771fe56adbe42</hash>
    </value>
    <value>
      <path>HKU\S-1-5-21-2229136060-4167883317-2944481350-1000\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS</path>
      <valuename>Load</valuename>
      <vendor>Trojan.Agent</vendor>
      <action>success</action>
      <valuedata>C:\ProgramData\msxmzrra.exe</valuedata>
      <hash>74d97775c3e52412efbb7cd858ab659b</hash>
    </value>
    <value>
      <path>HKU\S-1-5-21-2229136060-4167883317-2944481350-1000\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS</path>
      <valuename>Load</valuename>
      <vendor>PUP.Optional.PageStarter</vendor>
      <action>success</action>
      <valuedata>C:\ProgramData\msxmzrra.exe</valuedata>
      <hash>b39a23c97a2e69cde81bedc8ed165ca4</hash>
    </value>
    <value>
      <path>HKU\S-1-5-21-2229136060-4167883317-2944481350-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</path>
      <valuename>{B0B6E42C-DF17-4BEC-8153-56DAF5AD5A37}</valuename>
      <vendor>PUP.Optional.PowerShellSP</vendor>
      <action>delete-on-reboot</action>
      <valuedata>C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\OgUAMJY').rfBW)));</valuedata>
      <hash>58f5feeea701f6405525c77956ac03fd</hash>
    </value>
    <file>
      <path>C:\Users\user\AppData\Roaming\csrss.exe</path>
      <vendor>Trojan.Nymaim</vendor>
      <action>delete-on-reboot</action>
      <hash>b994ce1ef0b81d19bfd8e42946bc21df</hash>
    </file>
    <file>
      <path>C:\Users\user\AppData\Roaming\svchost.exe</path>
      <vendor>Trojan.Nymaim</vendor>
      <action>delete-on-reboot</action>
      <hash>410c8e5e6246082e76210c017d8548b8</hash>
    </file>
    <file>
      <path>c:\windows\installer\{bf3f76cd-c443-cc98-9c23-e49d7b563b7f}\syshost.exe</path>
      <vendor>Ransom.Dharma</vendor>
      <action>success</action>
      <hash>09440ae23a6edc5a3e41c08211f11fe1</hash>
    </file>
    <file>
      <path>C:\Users\user\AppData\Local\Temp\KB42532549.exe</path>
      <vendor>Trojan.Nymaim</vendor>
      <action>success</action>
      <hash>c88507e5317703338a0df21bc1418a76</hash>
    </file>
    <file>
      <path>C:\Users\user\AppData\Roaming\rundll3.exe</path>
      <vendor>Trojan.Nymaim</vendor>
      <action>success</action>
      <hash>99b4806c0b9da0963562937a7e84df21</hash>
    </file>
    <file>
      <path>C:\Users\user\AppData\Roaming\rundll32.exe</path>
      <vendor>Trojan.Nymaim</vendor>
      <action>success</action>
      <hash>0f3eb5373474f93ddfb8c5487f83fb05</hash>
    </file>
  </items>
</mbam-log>
=============
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-03-2017
Ran by SYSTEM on MININT-PERN21 (04-04-2017 00:53:49)
Running from Y:\
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [322472 2015-06-23] (Intel Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8497368 2015-07-07] (Realtek Semiconductor)
HKLM\...\Run: [CsrSyncMLServer] => C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrSyncMLServer.exe [244944 2012-03-22] ()
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [296216 2015-02-16] (Intel Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-09-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [RUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe [115048 2011-09-19] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-12-12] (Oracle Corporation)
HKLM-x32\...\RunOnce: [SIV] => C:\Program Files (x86)\Gigabyte\SIV\sivro.exe [12096 2015-07-01] (GIGA-BYTE TECHNOLOGY CO., LTD.)
HKLM-x32\...\RunOnce: [EasyTune] => C:\Program Files (x86)\Gigabyte\EasyTune\etro.exe [5632 2014-08-18] (GIGA-BYTE TECHNOLOGY CO., LTD.)
HKLM-x32\...\RunOnce: [PreRun] => C:\Program Files (x86)\Gigabyte\AppCenter\PreRun.exe [8192 2013-04-29] ()
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [55264 2016-03-10] (Malwarebytes)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [170688 2016-12-11] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [148016 2016-12-11] (NVIDIA Corporation)
GroupPolicy: Restriction <======= ATTENTION

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] ()
S2 BtSwitcherService; C:\Program Files\CSR\CSR Harmony Wireless Software Stack\BtSwitcherService.exe [64216 2012-03-22] (Cambridge Silicon Radio Limited)
S2 CSRBtAudioService; C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtAudioService.exe [465624 2012-03-22] (Cambridge Silicon Radio Limited)
S2 CsrBtOBEXService; C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtOBEXService.exe [1041616 2012-03-22] (Cambridge Silicon Radio Limited)
S2 CsrBtService; C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtService.exe [825032 2012-03-22] (Cambridge Silicon Radio Limited)
S4 EaseUS Agent; C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe [37416 2014-12-14] (CHENGDU YIWO Tech Development Co., Ltd)
S3 EasyAntiCheat; C:\Windows\SysWOW64\EasyAntiCheat.exe [249104 2016-11-24] (EasyAntiCheat Ltd)
S2 gadjservice; C:\Program Files (x86)\Gigabyte\AppCenter\AdjustService.exe [16896 2015-04-14] ()
S3 HwmRecordService; C:\Program Files (x86)\GIGABYTE\SIV\HwmRecordService.exe [62784 2015-07-01] (GIGA-BYTE TECHNOLOGY CO., LTD.)
S2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [18856 2015-06-23] (Intel Corporation)
S2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [355232 2015-08-08] (Intel Corporation)
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [881152 2014-10-02] (Intel(R) Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [156960 2015-02-25] (Intel Corporation)
S2 NitroDriverReadSpool9; C:\Program Files\Nitro\Pro 9\NitroPDFDriverService9x64.exe [230920 2014-07-16] (Nitro PDF Software)
S2 NitroUpdateService; C:\Program Files\Nitro\Pro 9\Nitro_UpdateService.exe [417800 2014-07-16] ()
S2 NVDisplay.ContainerLocalSystem; C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe [459832 2016-12-11] (NVIDIA Corporation)
S2 OODefragAgent; C:\Program Files\OO Software\Defrag\oodag.exe [3051848 2011-01-25] (O&O Software GmbH)
S3 PAExec; C:\Windows\PAExec.exe [189112 2016-07-05] (Power Admin LLC)
S2 SEVPNCLIENT; E:\DOWNLOADS\VPN Gate Client v4.15.0.9538 Build 132174 Portable~~\VPN.Gate\App\VPNGateClient\vpnclient_x64.exe [5187128 2015-04-29] (SoftEther VPN Project at University of Tsukuba, Japan.)
S2 ss_conn_service; F:\USB Drivers\25_escape\conn\ss_conn_service.exe [743688 2015-05-20] (DEVGURU Co., LTD.)
S2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5613328 2015-07-29] (TeamViewer GmbH)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 6c9c2738c6fcfe45; C:\Windows\System32\Drivers\6c9c2738c6fcfe45.sys [75216 2017-03-24] () <===== ATTENTION Necurs Rootkit?
S1 AppleCharger; C:\Windows\System32\DRIVERS\AppleCharger.sys [22240 2013-10-27] ()
S0 atnxrrbd; C:\Windows\System32\drivers\bfxbhlt.sys [79064 2017-04-02] (Malwarebytes)
S3 CH341SER_A64; C:\Windows\System32\Drivers\CH341S64.SYS [58368 2011-11-04] (www.winchiphead.com)
S3 csravrcp; C:\Windows\System32\DRIVERS\csravrcp.sys [26304 2012-03-22] (Cambridge Silicon Radio Limited)
S3 CsrBthAudioHF; C:\Windows\System32\DRIVERS\CsrBthAudioHF.sys [39120 2012-03-22] (Cambridge Silicon Radio Limited)
S3 CsrBtPort; C:\Windows\System32\DRIVERS\CsrBtPort.sys [2784968 2012-03-22] (Cambridge Silicon Radio Limited)
S3 csrhfgcc; C:\Windows\System32\DRIVERS\csrhfgcc.sys [38080 2012-03-22] (Cambridge Silicon Radio Limited)
S3 csrpan; C:\Windows\System32\DRIVERS\csrpan.sys [39616 2012-03-22] (Cambridge Silicon Radio Limited)
S3 csrserial; C:\Windows\System32\DRIVERS\csrserial.sys [61128 2012-03-22] (Cambridge Silicon Radio Limited)
S3 csrusb; C:\Windows\System32\Drivers\csrusb.sys [47296 2012-03-22] (Cambridge Silicon Radio Limited)
S3 csrusbfilter; C:\Windows\System32\Drivers\csrusbfilter.sys [23752 2012-03-22] (Cambridge Silicon Radio Limited)
S3 csr_bthav; C:\Windows\System32\drivers\csrbthav.sys [99520 2012-03-22] (Cambridge Silicon Radio Limited)
S3 DigiartyVirtualCDBus; C:\Windows\System32\drivers\DigiartyVirtualCDBus.sys [276256 2016-07-29] (Digiarty Software, Inc.)
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283064 2014-12-01] (Disc Soft Ltd)
S3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [502256 2015-08-12] (Intel Corporation)
S3 etocdrv; C:\Windows\etocdrv.sys [15584 2013-10-30] (Giga-Byte Technology CO., LTD.)
S0 EUBKMON; C:\Windows\System32\drivers\EUBKMON.sys [48168 2014-12-14] ()
S0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [31144 2015-06-23] (Intel Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\125C5B40.sys [192216 2017-04-02] (Malwarebytes)
S3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [129312 2014-09-30] (Intel Corporation)
S3 Neo_VPN; C:\Windows\System32\DRIVERS\Neo_0028.sys [28768 2016-01-14] (SoftEther VPN Project at University of Tsukuba, Japan.)
S3 Neo_VPN2; C:\Windows\System32\DRIVERS\Neo_0049.sys [28768 2016-02-21] (SoftEther VPN Project at University of Tsukuba, Japan.)
S3 netr28ux; C:\Windows\System32\DRIVERS\netr28ux.sys [2246488 2015-11-19] (MediaTek Inc.)
S3 rusb3hub; C:\Windows\System32\DRIVERS\rusb3hub.sys [114568 2012-08-27] (Renesas Electronics Corporation)
S3 rusb3xhc; C:\Windows\System32\DRIVERS\rusb3xhc.sys [230280 2012-08-27] (Renesas Electronics Corporation)
S3 SaiK0836; C:\Windows\System32\DRIVERS\SaiK0836.sys [172040 2013-01-10] (Saitek)
S3 taphss6; C:\Windows\System32\DRIVERS\taphss6.sys [42184 2015-05-18] (Anchorfree Inc.)
S3 toshidpt; C:\Windows\System32\drivers\Toshidpt.sys [10232 2012-08-01] (TOSHIBA Corporation.)
S1 UsbCharger; C:\Windows\System32\DRIVERS\UsbCharger.sys [22240 2013-10-24] ()
S3 wdm_usb; C:\Windows\System32\DRIVERS\usb2ser.sys [150136 2016-06-28] (MBB)
S3 xb1usb; C:\Windows\System32\DRIVERS\xb1usb.sys [42760 2016-02-21] (Microsoft Corporation)
S2 {C5F942FD-1110-4664-86CE-0C6BDA305235}; C:\Program Files (x86)\CyberLink\PowerDVD14\Common\NavFilter\000.fcl [32456 2014-11-04] (CyberLink Corp.)
S3 pccsmcfd; system32\DRIVERS\pccsmcfdx64.sys [X]
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-04-04 00:53 - 2017-04-04 00:53 - 00000000 ____D C:\FRST
2017-04-02 15:52 - 2017-04-02 15:52 - 00079064 _____ (Malwarebytes) C:\Windows\System32\Drivers\bfxbhlt.sys
2017-04-02 15:49 - 2017-04-02 15:49 - 00192216 _____ (Malwarebytes) C:\Windows\System32\Drivers\125C5B40.sys
2017-04-02 13:57 - 2017-04-02 13:57 - 00192216 _____ (Malwarebytes) C:\Windows\System32\Drivers\5E5005E0.sys
2017-04-02 13:15 - 2017-04-02 13:15 - 00192216 _____ (Malwarebytes) C:\Windows\System32\Drivers\5639653E.sys
2017-04-02 13:14 - 2017-04-02 13:14 - 00192216 _____ (Malwarebytes) C:\Windows\System32\Drivers\627A6504.sys
2017-04-02 12:35 - 2017-04-02 15:48 - 00000000 ____D C:\Users\user\AppData\Roaming\qBittorrent
2017-04-02 12:35 - 2017-04-02 12:35 - 00000000 ____D C:\Users\user\AppData\Local\qBittorrent
2017-04-02 12:35 - 2017-04-02 12:35 - 00000000 ____D C:\Program Files (x86)\qBittorrent
2017-04-02 12:34 - 2017-04-02 12:34 - 16865999 _____ (The qBittorrent project) C:\Users\user\Downloads\qbittorrent_3.3.11_setup.exe
2017-03-31 08:57 - 2017-03-31 08:57 - 00230083 _____ C:\Users\user\Documents\مذكرة لنفقة الأب على أبناءه.pdf
2017-03-30 03:44 - 2017-03-30 00:48 - 06095529 _____ C:\Users\user\Desktop\Scan_Doc0025.pdf
2017-03-25 21:06 - 2017-03-28 18:52 - 00000161 _____ C:\Users\user\Desktop\ffdfdfdf.txt
2017-03-24 13:11 - 2017-03-24 13:11 - 00000064 _____ C:\Windows\SysWOW64\rufus.ini
2017-03-24 13:10 - 2017-03-24 13:10 - 00000000 ___HD C:\$Windows.~WS
2017-03-24 05:43 - 2017-03-24 05:43 - 00075216 _____ C:\Windows\System32\Drivers\6c9c2738c6fcfe45.sys
2017-03-23 05:32 - 2017-03-23 05:32 - 00028768 _____ (SoftEther VPN Project at University of Tsukuba, Japan.) C:\Windows\System32\Drivers\Neo_0127.sys
2017-03-20 23:49 - 2017-03-20 23:49 - 00030670 _____ C:\Users\user\Documents\Book1.xlsx
2017-03-16 15:41 - 2017-03-20 17:10 - 00633746 _____ C:\Users\user\Documents\Improving ADIB’s Footprint without opening Additional Branches.pptx
2017-03-15 16:13 - 2017-03-15 16:13 - 00028768 _____ (SoftEther VPN Project at University of Tsukuba, Japan.) C:\Windows\System32\Drivers\Neo_0119.sys
2017-03-12 11:18 - 2017-03-13 12:53 - 00000000 ____D C:\Users\user\Desktop\New folder (8)

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-04-02 15:48 - 2016-11-22 17:23 - 00000000 ____D C:\Users\user\AppData\Local\Warframe
2017-04-02 13:42 - 2015-09-30 18:16 - 00004942 _____ C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for OMEGA-user OMEGA
2017-04-02 13:26 - 2009-07-13 21:45 - 00033328 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-04-02 13:26 - 2009-07-13 21:45 - 00033328 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-04-02 13:25 - 2009-07-13 22:13 - 00787758 _____ C:\Windows\System32\PerfStringBackup.INI
2017-04-02 13:25 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\inf
2017-04-02 13:21 - 2016-10-31 06:51 - 00000000 ____D C:\ProgramData\NVIDIA
2017-04-02 13:21 - 2014-11-17 06:35 - 00003746 _____ C:\Windows\System32\Tasks\AutoKMS
2017-04-02 13:21 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-04-02 12:34 - 2014-11-17 06:27 - 00000000 ____D C:\Users\user\AppData\Roaming\uTorrent
2017-04-02 06:38 - 2014-11-17 07:16 - 00000000 __SHD C:\Users\user\IntelGraphicsProfiles
2017-04-01 15:12 - 2016-11-29 18:02 - 00000000 ____D C:\Users\user\AppData\LocalLow\Mozilla
2017-04-01 07:30 - 2016-11-16 12:37 - 00000000 ____D C:\Users\user\AppData\Local\CrashDumps
2017-03-31 12:23 - 2015-04-09 14:42 - 00000000 ____D C:\Users\user\AppData\Roaming\DMCache
2017-03-29 16:53 - 2016-11-28 13:34 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-03-29 04:06 - 2014-11-17 06:13 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-03-25 13:22 - 2015-08-12 05:18 - 00000000 ____D C:\Users\user\AppData\Roaming\vlc
2017-03-24 13:54 - 2015-06-01 08:50 - 00000400 __RSH C:\ProgramData\ntuser.pol
2017-03-24 13:10 - 2014-11-17 18:54 - 00000000 ____D C:\Windows\Panther
2017-03-24 11:31 - 2016-10-07 04:55 - 00000000 ____D C:\ESD
2017-03-24 05:43 - 2014-11-17 16:40 - 00026192 _____ (Windows (R) Server 2003 DDK provider) C:\Windows\gdrv.sys
2017-03-24 05:05 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\System32\NDF
2017-03-19 23:10 - 2011-04-12 01:28 - 00000000 ____D C:\Windows\CSC
2017-03-19 10:42 - 2014-11-28 22:39 - 00000000 ____D C:\ProgramData\Ashampoo
2017-03-19 08:48 - 2016-05-12 16:00 - 00192216 _____ (Malwarebytes) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2017-03-19 08:47 - 2014-11-18 06:35 - 00000000 ____D C:\Windows\Minidump
2017-03-16 20:55 - 2017-01-10 00:03 - 00004610 _____ C:\Users\user\Desktop\sell.txt
2017-03-16 14:29 - 2014-11-17 10:01 - 00000000 ____D C:\Users\user\AppData\Roaming\TS3Client
2017-03-16 11:51 - 2016-07-05 10:47 - 00000000 ____D C:\Users\user\AppData\Local\PingPlotter 5
2017-03-16 11:22 - 2014-11-17 10:01 - 00000000 ____D C:\Program Files (x86)\TeamSpeak 3 Client
2017-03-14 14:08 - 2014-11-26 20:24 - 00004312 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-03-14 14:08 - 2014-11-17 06:32 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-03-14 14:08 - 2014-11-17 06:32 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-03-14 14:08 - 2014-11-17 06:32 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-03-14 14:08 - 2014-11-17 06:32 - 00000000 ____D C:\Windows\System32\Macromed
2017-03-11 07:40 - 2009-07-13 22:08 - 00032598 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-03-10 14:54 - 2015-04-09 14:42 - 00000000 ____D C:\Users\user\AppData\Roaming\IDM

Files to move or delete:
====================
C:\ProgramData\msxmzrra.exe
C:\Users\user\PKHeX.exe


Some files in TEMP:
====================
2017-03-19 23:10 - 2012-06-05 22:03 - 0805376 _____ (Microsoft Corporation) C:\Users\user\AppData\Local\Temp\cdo1174496688.dll
2017-03-22 15:59 - 2012-06-05 22:03 - 0805376 _____ (Microsoft Corporation) C:\Users\user\AppData\Local\Temp\cdo1187208154.dll
2017-03-27 00:58 - 2012-06-05 22:03 - 0805376 _____ (Microsoft Corporation) C:\Users\user\AppData\Local\Temp\cdo1894913152.dll
2017-03-19 08:48 - 2012-06-05 22:03 - 0805376 _____ (Microsoft Corporation) C:\Users\user\AppData\Local\Temp\cdo2937783356.dll
2017-03-19 08:48 - 2012-06-05 22:03 - 0805376 _____ (Microsoft Corporation) C:\Users\user\AppData\Local\Temp\cdo3354033497.dll
2017-03-19 23:10 - 2012-06-05 22:03 - 0805376 _____ (Microsoft Corporation) C:\Users\user\AppData\Local\Temp\cdo3529502499.dll
2017-03-23 05:21 - 2012-06-05 22:03 - 0805376 _____ (Microsoft Corporation) C:\Users\user\AppData\Local\Temp\cdo3601258762.dll
2017-03-19 08:48 - 2012-06-05 22:03 - 0805376 _____ (Microsoft Corporation) C:\Users\user\AppData\Local\Temp\cdo3800728659.dll
2017-03-27 00:58 - 2012-06-05 22:03 - 0805376 _____ (Microsoft Corporation) C:\Users\user\AppData\Local\Temp\cdo4215352247.dll
2017-01-18 16:48 - 2017-01-18 16:48 - 0739904 _____ (Oracle Corporation) C:\Users\user\AppData\Local\Temp\jre-8u121-windows-au.exe
2017-03-01 17:30 - 2015-01-19 07:48 - 1126480 ____N (CANON INC.) C:\Users\user\AppData\Local\Temp\MSETUP4.EXE

==================== Known DLLs (Whitelisted) =========================


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Association (Whitelisted) =============


==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 9%
Total physical RAM: 16243.56 MB
Available physical RAM: 14743.63 MB
Total Virtual: 16241.76 MB
Available Virtual: 7257.8 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:7.37 GB) (Free:7.3 GB) NTFS
Drive c: (OS) (Fixed) (Total:119.02 GB) (Free:18.4 GB) NTFS
Drive e: (DATA) (Fixed) (Total:488.15 GB) (Free:38.16 GB) NTFS
Drive f: (GAMES) (Fixed) (Total:443.23 GB) (Free:13.8 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.25 GB) (Free:0.25 GB) NTFS
Drive y: (Win7PESE) (Removable) (Total:3.75 GB) (Free:3.3 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 119.2 GB) (Disk ID: 00000000)

Partition: GPT.

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 00000000)

Partition: GPT.

========================================================
Disk: 2 (Size: 3.8 GB) (Disk ID: 1A464402)
Partition 1: (Active) - (Size=3.8 GB) - (Type=07 NTFS)

LastRegBack: 2017-04-02 13:39

==================== End of FRST.txt ============================
 
jensrobot

Reputable
Mar 18, 2014
81
0
4,660
Hey JoJo
I would say you absolutely have to reinstall a clean Windows.
This syshost file has spread everywhere, I see, and it seems like it's not the only part of the trouble you have. You have a ton of malware here, lots of trojans; there is no reason to assume you got rid of everything, IMO.

With this amount of malware infection, it's hard to get rid of it all, and many times your Windows installation will take damage, so to say. This is already happening now that you can't boot properly.

You can spend hours removing all traces of only ONE of those trojans. Headaches are gonna come.

You did run Malwarebytes in Safe Mode, right? And can you even boot into Safe Mode now?

Personally, this is what I would do (takes a couple of hours, tops):
1. Get the Windows license version and product key. I use "ProduKey" by NirSoft.
2. Disconnect your Ethernet cable or Wi-Fi.
3. Back up everything you want to keep to an external drive or a secondary drive.
4. Wipe the whole drive.
5. Boot into a PE environment or a similar boot disc solution, and run Malwarebytes and HitmanPro on your chosen backup solution (and all other drives you might have installed).
6. Install Windows on a new partition.
(7.) Turn off autorun for removable media ;)

I'm not saying this is the solution (it's not; it's a way around the problem), but it can save you a LOT of time and frustration.
And personally, I would like to be absolutely sure they are all gone. These buggers can spread fast.
 
Solution
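A concrete form of step 7 in the procedure above, plus a check worth running in step 5 before anything on the backup drive is opened. This is an added example, not jensrobot's or the thread's own code. It assumes an elevated PowerShell prompt on the rebuilt Windows 7 machine (Windows PowerShell 2.0 or later), the registry value names shown, and that the launcher list and argument pattern are a heuristic for the .lnk-based "shortcut virus" the original poster describes, not a signature for any specific sample. On a patched Windows 7, Explorer already ignores autorun.inf on non-optical drives; the policy values make that explicit and cover CD/DVD as well.

```powershell
# Added example (not from the thread): make step 7 concrete and check the
# backup media for shortcut-worm artefacts. Run elevated on the rebuilt system.

$policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$advancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# --- 1. Turn off AutoRun for every drive type ---------------------------------
# NoDriveTypeAutoRun is a bitmask of drive types; 0xFF covers all of them
# (unknown, removable, fixed, network, CD-ROM, RAM disk). NoAutorun=1 additionally
# stops Explorer from honouring autorun.inf at all.
Set-RegDword -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF
Set-RegDword -Path $policyKey -Name 'NoAutorun'          -Value 1

# --- 2. Make shortcut-worm artefacts visible ----------------------------------
# A "shortcut virus" hides the real folders and drops .lnk files that launch a
# hidden script; showing hidden/system files and extensions makes that obvious.
Set-RegDword -Path $advancedKey -Name 'Hidden'          -Value 1   # 1 = show hidden files
Set-RegDword -Path $advancedKey -Name 'ShowSuperHidden' -Value 1   # show protected OS files
Set-RegDword -Path $advancedKey -Name 'HideFileExt'     -Value 0   # show file extensions

# --- 3. Heuristic check of removable drives before restoring a backup ---------
# Flags .lnk files in a drive root whose target is a script host or shell, or
# whose arguments reference a script/executable, plus any autorun.inf present.
# The launcher list and the extension pattern are assumptions, not a signature.
function Find-SuspiciousShortcuts {
    param([string[]]$Roots)
    $shell     = New-Object -ComObject WScript.Shell
    $launchers = @('cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe', 'powershell.exe')
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter '*.lnk' -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk    = $shell.CreateShortcut($_.FullName)
            $target = [System.IO.Path]::GetFileName($lnk.TargetPath).ToLower()
            if (($launchers -contains $target) -or
                ($lnk.Arguments -match '(?i)\.(vbs|vbe|js|jse|bat|cmd|exe|scr|dll)\b')) {
                New-Object PSObject -Property @{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                }
            }
        }
        $inf = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            New-Object PSObject -Property @{ Shortcut = $inf; Target = '(autorun.inf present)'; Arguments = '' }
        }
    }
}

# DriveType 2 = removable disk. Run this against the backup USB stick from the
# PE environment or the fresh install before opening anything on it.
$removableRoots = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' |
    ForEach-Object { $_.DeviceID + '\' }
Find-SuspiciousShortcuts -Roots $removableRoots | Format-Table Shortcut, Target, Arguments -AutoSize

# Explorer reads the Advanced values at start-up: log off and on (or restart
# explorer.exe) for sections 1 and 2 to take effect.
```

External USB hard disks usually enumerate as fixed (DriveType 3) rather than removable, so pass their roots to Find-SuspiciousShortcuts explicitly (for example -Roots 'E:\'). A hit from the heuristic is a reason to look at the file, not proof of infection; legitimate shortcuts to cmd.exe exist, but they do not normally sit in the root of a flash drive next to hidden folders of the same name.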

JoJoMixx

Prominent
Apr 3, 2017
2
0
510


Hi jensrobot,

I was thinking of formatting the hard drive and reinstalling Windows 10, but I wanted to operate the PC to start some software and save their files, like favorites and passwords stored in Chrome and Firefox, and other programs which fail to start under Win PE.

I did actually get a Farbar fix file from a great member on the Bleeping Computer forum, and it did work; the PC is working perfectly. But as you said, I would not trust this as a final solution, knowing that the virus did spread and sometimes not everything is returned to what it was before. I would have corrupted files, and other problems maybe would show later, so better to save my files now and be ready for the upgrade :)

Thank you so much for your detailed answer; it was helpful ^^