Suspected Idle Crawler & Runner infection, constant HDD activity in normal mode



#1 S-Works

Posted 04 June 2015 - 05:34 AM

Hey guys, this is my first post here. I hope some of the malware removal Gods on this forum can help me out. :)

 

Disclaimer: please forgive me if any of the description below is complete BS. I have some experience with removing malware and PUPs in the past, but none that have resisted to this extent.

 

Problem: 

Started Sunday, May 31st, 2015. My laptop was working fine all day, I put it in sleep mode and went home. When I came home the problems started. I can best describe it as: the computer takes ages to start up and load Windows Explorer. When that finally happens, everything is very slow. Programs like Word and Google Chrome do not open.

 

My Activity beforehand:

Before this date I did little out of the ordinary except for downloading Icecream Ebook Reader for reading .epub files.

It seemed legit and worked fine. 

 

Security:

Before this problem I had no anti-virus. My Norton Internet Security had run out a few days ago. I was planning on switching to Kaspersky at the end of the month. I do have Malwarebytes PRO installed and activated. Also CCleaner.

 

Why I think it's malware:

PC works pretty well in safe mode, almost none of the issues described above.

Something seems to be actively trying to prevent me from downloading any programs, even in Safe Mode.

It has blocked correct installation of antivirus programs (tried installing Panda Free Antivirus and afterwards Bitdefender Free Antivirus).

Malware seemed to change language of antiviruses I was trying to install. Panda Antivirus turned German, Bitdefender turned Romanian.

I suspect it is something like Idle Crawler, as the description for this PUP very closely describes what might be wrong with my PC.

 

What I've done up to now:

I've tried a lot of things up to now, all of them in safe mode, because that is the only time the processes that seem to cause problems are disabled, allowing me to actually launch programs and scans. In hindsight I wish I had found bleepingcomputer earlier, because after some reading on this website there are certain actions I probably shouldn't have taken. I just hope I haven't significantly messed anything up beyond repair.

 

List of things tried (no particular order, all in Safe Mode):

Back up important documents, pictures and music onto external HDD

Run Malwarebytes (has found nothing)

Run Hitman Pro (found a few things, removed them but problem is not fixed)

Installed Panda Free Antivirus 2015, installation failed to finish correctly. Couldn't uninstall, until I used Geek Uninstaller to force uninstall.

Bitdefender wouldn't start installing because of unclear error.

Run RKill (didn't find any malicious processes to stop)

Run Adwarecleaner (didn't find anything)

Run Combofix (finished successfully, didn't fix problem, probably shouldn't have done this one with my experience level)

Run CCleaner

Run .cmd -> CHKDSK /F (didn't find any problem)

Run .cmd /scannow -> failed at 25%

Installed and Run 360 Total Security (gets stuck at windows processes, left it for more than 12 hours overnight, was still stuck).

Run FRST(see log below)

 

I hope I've provided adequate info and that some of you can help me. :) Thank you in advance.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:03-06-2015
Ran by Owner (administrator) on OWNER-PC on 04-06-2015 10:51:33
Running from H:\
Loaded Profiles: Owner (Available Profiles: Owner)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Safe Mode (with Networking)
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(QIHU 360 SOFTWARE CO. LIMITED) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
(Google Inc.) C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Google Inc.) C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2587944 2010-12-31] (ELAN Microelectronics Corp.)
HKLM\...\Run: [AmIcoSinglun64] => C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [361984 2011-03-21] (Alcor Micro Corp.)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2188904 2011-01-18] (Realtek Semiconductor)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-07] (Apple Inc.)
HKLM-x32\...\Run: [ASUSPRP] => C:\Program Files (x86)\ASUS\APRP\APRP.EXE [2018032 2011-04-02] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [ASUSWebStorage] => C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSPanel.exe [731472 2011-02-23] ()
HKLM-x32\...\Run: [SonicMasterTray] => C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe [984400 2010-07-10] (Virage Logic Corporation / Sonic Focus)
HKLM-x32\...\Run: [ATKOSD2] => C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [5732992 2010-08-18] (ASUS)
HKLM-x32\...\Run: [ATKMEDIA] => C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [170624 2010-10-08] (ASUS)
HKLM-x32\...\Run: [HControlUser] => C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [Wireless Console 3] => C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [2319536 2011-10-19] (ASUS)
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5235608 2012-04-30] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [QHSafeTray] => C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe [1264248 2015-05-18] (QIHU 360 SOFTWARE CO. LIMITED)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-4103599219-1354955145-788884429-1000\...\Run: [HP Photosmart 5510d series (NET)] => C:\Program Files\HP\HP Photosmart 5510d series\Bin\ScanToPCActivationApp.exe [2676584 2011-08-16] (Hewlett-Packard Co.)
HKU\S-1-5-21-4103599219-1354955145-788884429-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7451928 2015-03-13] (Piriform Ltd)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AsusVibeLauncher.lnk [2011-04-02]
ShortcutTarget: AsusVibeLauncher.lnk -> C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\FancyStart daemon.lnk [2011-11-23]
ShortcutTarget: FancyStart daemon.lnk -> C:\Windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_94E3CE3704FE82FBF49A6A.exe ()
ShellIconOverlayIdentifiers: [AsusWSShellExt_B] -> {6D4133E5-0742-4ADC-8A8C-9303440F7190} => C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.84.161\ASUSWSShellExt64.dll [2010-09-02] (eCareme Technologies, Inc.)
ShellIconOverlayIdentifiers: [AsusWSShellExt_O] -> {64174815-8D98-4CE6-8646-4C039977D808} => C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.84.161\ASUSWSShellExt64.dll [2010-09-02] (eCareme Technologies, Inc.)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2015-04-14] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2015-04-14] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2015-04-14] (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-4103599219-1354955145-788884429-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-4103599219-1354955145-788884429-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-4103599219-1354955145-788884429-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2015-03-10] (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-29] (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL [2015-04-14] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2015-04-14] (Microsoft Corporation)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [2015-03-04] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll [2015-01-27] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-29] (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL [2015-04-14] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2015-04-14] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-01-27] (Oracle Corporation)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1
 
FireFox:
========
FF ProfilePath: C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\gkv1nm8w.default
FF Homepage: www.yahoo.com
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_17_0_0_134.dll [2015-03-29] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_134.dll [2015-03-29] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll [2012-04-26] (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @esn/esnlaunch,version=2.1.4 -> C:\Program Files (x86)\Battlelog Web Plugins\2.1.4\npesnlaunch.dll [2013-05-22] (ESN Social Software AB)
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-01-27] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-01-27] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2015-02-17] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2014-12-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-14] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-14] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-14] (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.0.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-03-17] (Adobe Systems Inc.)
FF Plugin-x32: ZEON/PDF,version=2.0 -> C:\Program Files (x86)\Nuance\PDF Reader\bin\nppdf.dll [2010-01-23] (Zeon Corporation)
FF Plugin HKU\S-1-5-21-4103599219-1354955145-788884429-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-17] (Google Inc.)
FF Plugin HKU\S-1-5-21-4103599219-1354955145-788884429-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-17] (Google Inc.)
FF Extension: Adblock Plus Pop-up Addon - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\gkv1nm8w.default\Extensions\adblockpopups@jessehakanen.net.xpi [2014-08-23]
FF Extension: Firefox Old Version Update Hotfix - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\gkv1nm8w.default\Extensions\firefox-hotfix@mozilla.org.xpi [2014-08-23]
FF Extension: YouTube High Definition - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\gkv1nm8w.default\Extensions\{7b1bf0b6-a1b9-42b0-b75d-252036438bdc}.xpi [2014-08-23]
FF Extension: Adblock Plus - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\gkv1nm8w.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-08-23]
FF Extension: Hotspot Shield Extension - C:\Program Files (x86)\Mozilla Firefox\extensions\afproxy@anchorfree.com [2015-01-29]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012-07-10]
FF HKLM-x32\...\Firefox\Extensions: [WebProtection@360safe.com] - C:\Program Files (x86)\360\Total Security\safemon\webprotection_firefox
FF Extension: 360 Internet Protection - C:\Program Files (x86)\360\Total Security\safemon\webprotection_firefox [2015-06-03]
 
Chrome: 
=======
CHR Profile: C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (YouTube) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-06-13]
CHR Extension: (Adblock Plus) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-06-13]
CHR Extension: (Google Search) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-06-13]
CHR Extension: (Chromebleed) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\eeoekjnjgppnaegdjbcafdggilajhpic [2014-06-13]
CHR Extension: (AdBlock) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-06-13]
CHR Extension: (Hola Better Internet) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2014-06-13]
CHR Extension: (Bookmark Manager) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-04-21]
CHR Extension: (JavaScript Popup Blocker) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiajdlfgbgnnjakkbnpdhmhfhklkbiol [2014-06-13]
CHR Extension: (Auto HD For YouTube™) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\koiaokdomkpjdgniimnkhgbilbjgpeak [2014-06-13]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-11]
CHR Extension: (Google Wallet) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-23]
CHR Extension: (Gmail) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-06-13]
StartMenuInternet: Google Chrome - Chrome.exe
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-20] (Apple Inc.)
S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2736824 2015-04-07] (Microsoft Corporation)
S2 gpsvc; C:\Windows\System32\gpsvc.dll [777728 2010-11-20] (Microsoft Corporation) [File not signed]
S3 HssTrayService; C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE [78512 2014-12-23] ()
S2 HssWd; C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe [558376 2014-12-23] ()
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-04-14] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [1910640 2015-03-07] (Electronic Arts)
S2 QHActiveDefense; C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe [839792 2015-05-18] (QIHU 360 SOFTWARE CO. LIMITED)
S2 WDBackup; C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [1150368 2012-04-24] (Western Digital )
S2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [247704 2012-04-11] (Western Digital)
S2 WDRulesService; C:\Program Files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe [1177496 2012-04-11] (Western Digital )
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S1 360AntiHacker; C:\Windows\System32\Drivers\360AntiHacker64.sys [100424 2015-05-18] (360.cn)
S3 360AvFlt; C:\Windows\System32\DRIVERS\360AvFlt.sys [77896 2015-05-18] (360.cn)
S1 360Box64; C:\Windows\System32\DRIVERS\360Box64.sys [305736 2015-05-18] (360.cn)
S1 360Camera; C:\Windows\System32\Drivers\360Camera64.sys [40520 2015-05-18] (360.cn)
S1 360FsFlt; C:\Windows\System32\DRIVERS\360FsFlt.sys [314448 2015-05-18] (Qihu 360 Software Co., Ltd.)
S3 ALSysIO; C:\Users\Owner\AppData\Local\Temp\ALSysIO64.sys [26488 2015-06-03] (Arthur Liberman)
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
S1 BAPIDRV; C:\Windows\System32\DRIVERS\BAPIDRV64.sys [180816 2015-05-18] (Qihu 360 Software Co., Ltd.)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283064 2014-03-25] (Disc Soft Ltd)
S3 epmntdrv; C:\Windows\system32\epmntdrv.sys [18528 2014-11-18] ()
S3 epmntdrv; C:\Windows\SysWOW64\epmntdrv.sys [15968 2014-11-18] ()
S3 EuGdiDrv; C:\Windows\system32\EuGdiDrv.sys [10848 2014-11-18] ()
S3 EuGdiDrv; C:\Windows\SysWOW64\EuGdiDrv.sys [10208 2014-11-18] ()
R1 HssDRV6; C:\Windows\System32\DRIVERS\hssdrv6.sys [44744 2014-12-23] (AnchorFree Inc.)
R3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [15416 2009-07-20] ( )
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [136408 2015-06-04] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-04-14] (Malwarebytes Corporation)
S1 NNSALPC; C:\Windows\System32\DRIVERS\NNSAlpc.sys [93968 2015-02-09] (Panda Security, S.L.)
S1 NNSHTTP; C:\Windows\System32\DRIVERS\NNSHttp.sys [202000 2015-02-09] (Panda Security, S.L.)
S1 NNSHTTPS; C:\Windows\System32\DRIVERS\NNSHttps.sys [110864 2015-02-09] (Panda Security, S.L.)
S1 NNSIDS; C:\Windows\System32\DRIVERS\NNSIds.sys [116496 2015-02-09] (Panda Security, S.L.)
S1 NNSPICC; C:\Windows\System32\DRIVERS\NNSPicc.sys [99600 2015-02-09] (Panda Security, S.L.)
S4 NNSPIHSW; C:\Windows\System32\DRIVERS\NNSPihsw.sys [69904 2015-02-09] (Panda Security, S.L.)
S1 NNSPOP3; C:\Windows\System32\DRIVERS\NNSPop3.sys [124176 2015-02-09] (Panda Security, S.L.)
S1 NNSPROT; C:\Windows\System32\DRIVERS\NNSProt.sys [299792 2015-02-09] (Panda Security, S.L.)
S1 NNSPRV; C:\Windows\System32\DRIVERS\NNSPrv.sys [166160 2015-02-09] (Panda Security, S.L.)
S1 NNSSMTP; C:\Windows\System32\DRIVERS\NNSSmtp.sys [113424 2015-02-09] (Panda Security, S.L.)
S1 NNSSTRM; C:\Windows\System32\DRIVERS\NNSStrm.sys [257296 2015-02-09] (Panda Security, S.L.)
S1 NNSTLSC; C:\Windows\System32\DRIVERS\NNSTlsc.sys [106256 2015-02-09] (Panda Security, S.L.)
S2 PSINAflt; C:\Windows\System32\DRIVERS\PSINAflt.sys [163600 2015-04-21] (Panda Security, S.L.)
S2 PSINFile; C:\Windows\System32\DRIVERS\PSINFile.sys [121616 2015-02-25] (Panda Security, S.L.)
S1 PSINKNC; C:\Windows\System32\DRIVERS\psinknc.sys [197392 2015-02-25] (Panda Security, S.L.)
S2 PSINProc; C:\Windows\System32\DRIVERS\PSINProc.sys [124176 2015-02-25] (Panda Security, S.L.)
S2 PSINProt; C:\Windows\System32\DRIVERS\PSINProt.sys [133904 2015-02-25] (Panda Security, S.L.)
S2 PSINReg; C:\Windows\System32\DRIVERS\PSINReg.sys [107792 2015-02-25] (Panda Security, S.L.)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
R3 ScpVBus; C:\Windows\System32\DRIVERS\ScpVBus.sys [39168 2013-05-19] (Scarlet.Crush Productions)
R3 taphss6; C:\Windows\System32\DRIVERS\taphss6.sys [42184 2014-12-23] (Anchorfree Inc.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-04 10:50 - 2015-06-04 10:52 - 00000000 ____D C:\FRST
2015-06-04 04:36 - 2015-06-04 04:36 - 00001289 _____ C:\Windows\WindowsUpdate.log
2015-06-03 18:55 - 2015-06-03 18:55 - 00000262 _____ C:\Users\Owner\Downloads\cc_20150603_185521.reg
2015-06-03 18:54 - 2015-06-03 18:54 - 00264786 _____ C:\Users\Owner\Downloads\cc_20150603_185438.reg
2015-06-03 18:51 - 2015-06-03 18:53 - 00046300 _____ C:\Users\Owner\Downloads\cc_20150603_185115.reg
2015-06-03 18:17 - 2015-06-03 18:17 - 00000000 _RSHD C:\360SANDBOX
2015-06-03 18:16 - 2015-06-03 18:16 - 00003288 ____N C:\bootsqm.dat
2015-06-03 13:04 - 2015-06-03 13:04 - 00000000 ____D C:\Windows\Tasks\360Disabled
2015-06-03 13:04 - 2015-06-03 13:04 - 00000000 ____D C:\Users\Owner\AppData\Roaming\360safe
2015-06-03 13:03 - 2015-06-03 19:00 - 00000000 ____D C:\ProgramData\360TotalSecurity
2015-06-03 13:03 - 2015-06-03 13:04 - 00000000 ____D C:\ProgramData\360safe
2015-06-03 13:02 - 2015-06-03 13:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\360 Security Center
2015-06-03 13:02 - 2015-06-03 13:02 - 00000000 ____D C:\Program Files (x86)\360
2015-06-03 13:02 - 2015-05-18 12:20 - 00314448 _____ (Qihu 360 Software Co., Ltd.) C:\Windows\system32\Drivers\360fsflt.sys
2015-06-03 13:02 - 2015-05-18 12:20 - 00305736 _____ (360.cn) C:\Windows\system32\Drivers\360Box64.sys
2015-06-03 13:02 - 2015-05-18 12:20 - 00180816 _____ (Qihu 360 Software Co., Ltd.) C:\Windows\system32\Drivers\BAPIDRV64.SYS
2015-06-03 13:02 - 2015-05-18 12:20 - 00100424 _____ (360.cn) C:\Windows\system32\Drivers\360AntiHacker64.sys
2015-06-03 13:02 - 2015-05-18 12:20 - 00077896 _____ (360.cn) C:\Windows\system32\Drivers\360AvFlt.sys
2015-06-03 13:02 - 2015-05-18 12:20 - 00040520 _____ (360.cn) C:\Windows\system32\Drivers\360Camera64.sys
2015-06-03 13:01 - 2015-06-03 13:01 - 36034168 _____ C:\Users\Owner\Downloads\360TS_Setup.exe
2015-06-03 13:01 - 2015-06-03 13:00 - 01332344 _____ (QIHU 360 SOFTWARE CO. LIMITED) C:\Users\Owner\Downloads\360TS_Setup_Mini.exe
2015-06-03 12:52 - 2015-06-03 12:52 - 00105210 _____ C:\ProgramData\1433328734.bdinstall.bin
2015-06-03 10:49 - 2015-04-02 18:59 - 06337032 _____ (Geek Uninstaller) C:\Users\Owner\Downloads\geek.exe
2015-06-02 23:58 - 2015-06-02 23:58 - 00000000 ____D C:\Users\Owner\AppData\Local\GWX
2015-06-02 21:51 - 2015-06-02 21:51 - 00029610 _____ C:\ComboFix.txt
2015-06-02 21:30 - 2011-06-26 08:45 - 00256000 _____ C:\Windows\PEV.exe
2015-06-02 21:30 - 2010-11-07 19:20 - 00208896 _____ C:\Windows\MBR.exe
2015-06-02 21:30 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-06-02 21:30 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-06-02 21:30 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-06-02 21:30 - 2000-08-31 02:00 - 00098816 _____ C:\Windows\sed.exe
2015-06-02 21:30 - 2000-08-31 02:00 - 00080412 _____ C:\Windows\grep.exe
2015-06-02 21:30 - 2000-08-31 02:00 - 00068096 _____ C:\Windows\zip.exe
2015-06-02 21:29 - 2015-06-02 21:51 - 00000000 ____D C:\Qoobox
2015-06-02 21:29 - 2015-06-02 21:50 - 00000000 ____D C:\Windows\erdnt
2015-06-02 21:29 - 2015-06-02 21:28 - 05628238 ____R (Swearware) C:\Users\Owner\Downloads\ComboFix.exe
2015-06-02 21:21 - 2015-06-02 21:21 - 01063160 _____ (Bleeping Computer, LLC) C:\Users\Owner\Downloads\WiNlOgOn64.exe
2015-06-02 21:21 - 2015-06-02 21:20 - 01943800 _____ (Bleeping Computer, LLC) C:\Users\Owner\Downloads\WiNlOgOn.exe
2015-06-02 20:21 - 2015-06-02 20:00 - 02231296 _____ C:\Users\Owner\Downloads\JohnWare.exe
2015-06-02 20:01 - 2015-06-02 20:49 - 00000000 ____D C:\AdwCleaner
2015-06-02 17:41 - 2015-06-02 17:41 - 00000000 ____D C:\Program Files\HitmanPro
2015-06-02 17:39 - 2015-06-02 17:39 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2015-06-02 17:15 - 2015-06-02 17:15 - 00000000 ____D C:\Users\Owner\AppData\Roaming\QuickScan
2015-06-01 23:02 - 2015-06-01 23:02 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Panda Security
2015-06-01 22:19 - 2015-06-03 10:51 - 00000000 ____D C:\Program Files (x86)\Panda Security
2015-06-01 17:47 - 2015-06-01 22:19 - 00000000 ____D C:\ProgramData\Panda Security
2015-06-01 07:51 - 2015-06-01 07:51 - 00013182 _____ C:\Windows\system32\.crusader
2015-06-01 07:29 - 2015-06-01 07:52 - 00000000 ____D C:\ProgramData\HitmanPro
2015-06-01 07:29 - 2015-06-01 07:29 - 11024496 _____ (SurfRight B.V.) C:\Users\Owner\Downloads\HitmanPro_x64.exe
2015-05-30 13:53 - 2015-06-01 07:13 - 00000000 ____D C:\Users\Owner\Documents\Ebooks
2015-05-30 10:56 - 2015-05-30 10:57 - 00000000 ____D C:\Users\Owner\.ebookreader
2015-05-18 15:34 - 2015-05-18 15:34 - 00000991 _____ C:\Users\Owner\Documents\Bier.spv
2015-05-15 13:56 - 2015-05-20 22:45 - 00000000 ____D C:\Users\Owner\Documents\Fiets
2015-05-14 01:36 - 2015-05-01 15:17 - 00124112 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2015-05-14 01:36 - 2015-05-01 15:16 - 00102608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2015-05-13 07:52 - 2015-05-05 03:29 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-05-13 07:52 - 2015-05-05 03:12 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-05-13 07:52 - 2015-04-22 04:28 - 00389840 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-05-13 07:52 - 2015-04-22 03:48 - 00342736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-05-13 07:52 - 2015-04-21 19:08 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-05-13 07:52 - 2015-04-21 19:07 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-05-13 07:52 - 2015-04-21 18:51 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-05-13 07:52 - 2015-04-21 18:50 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-05-13 07:52 - 2015-04-21 18:50 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-05-13 07:52 - 2015-04-21 18:49 - 02885120 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-05-13 07:52 - 2015-04-21 18:40 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-05-13 07:52 - 2015-04-21 18:35 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-05-13 07:52 - 2015-04-21 18:26 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-05-13 07:52 - 2015-04-21 18:25 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-05-13 07:52 - 2015-04-21 18:24 - 19691008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-05-13 07:52 - 2015-04-21 18:14 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-05-13 07:52 - 2015-04-21 18:11 - 00504320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-05-13 07:52 - 2015-04-21 18:11 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-05-13 07:52 - 2015-04-21 18:10 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2015-05-13 07:52 - 2015-04-21 18:08 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-05-13 07:52 - 2015-04-21 18:05 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-05-13 07:52 - 2015-04-21 18:04 - 02278400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-05-13 07:52 - 2015-04-21 18:03 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-05-13 07:52 - 2015-04-21 18:02 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-05-13 07:52 - 2015-04-21 18:00 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-05-13 07:52 - 2015-04-21 17:58 - 00664576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-05-13 07:52 - 2015-04-21 17:58 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-05-13 07:52 - 2015-04-21 17:57 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2015-05-13 07:52 - 2015-04-21 17:49 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-05-13 07:52 - 2015-04-21 17:49 - 00720384 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-05-13 07:52 - 2015-04-21 17:48 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-05-13 07:52 - 2015-04-21 17:46 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-05-13 07:52 - 2015-04-21 17:43 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-05-13 07:52 - 2015-04-21 17:38 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-05-13 07:52 - 2015-04-21 17:36 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-05-13 07:52 - 2015-04-21 17:31 - 04305920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-05-13 07:52 - 2015-04-21 17:26 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-05-13 07:52 - 2015-04-21 17:25 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-05-13 07:52 - 2015-04-21 17:24 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2015-05-13 07:52 - 2015-04-21 17:17 - 12828672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-05-13 07:52 - 2015-04-21 17:15 - 01547264 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-05-13 07:52 - 2015-04-21 17:03 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-05-13 07:52 - 2015-04-21 16:58 - 01310208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-05-13 07:52 - 2015-04-21 16:56 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-05-13 07:52 - 2015-04-18 05:10 - 00460800 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2015-05-13 07:52 - 2015-04-18 04:56 - 00342016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2015-05-13 07:51 - 2015-04-27 21:28 - 05569984 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-05-13 07:51 - 2015-04-27 21:28 - 00155584 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-05-13 07:51 - 2015-04-27 21:28 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-05-13 07:51 - 2015-04-27 21:26 - 01728960 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 01254400 _____ (Microsoft Corporation) C:\Windows\system32\diagtrack.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 01162752 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00879104 _____ (Microsoft Corporation) C:\Windows\system32\tdh.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00879104 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00113664 _____ (Microsoft Corporation) C:\Windows\system32\sechost.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2015-05-13 07:51 - 2015-04-27 21:23 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2015-05-13 07:51 - 2015-04-27 21:22 - 00404992 _____ (Microsoft Corporation) C:\Windows\system32\tracerpt.exe
2015-05-13 07:51 - 2015-04-27 21:22 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2015-05-13 07:51 - 2015-04-27 21:22 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-05-13 07:51 - 2015-04-27 21:22 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-05-13 07:51 - 2015-04-27 21:22 - 00104448 _____ (Microsoft Corporation) C:\Windows\system32\logman.exe
2015-05-13 07:51 - 2015-04-27 21:22 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\typeperf.exe
2015-05-13 07:51 - 2015-04-27 21:22 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\relog.exe
2015-05-13 07:51 - 2015-04-27 21:22 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-05-13 07:51 - 2015-04-27 21:22 - 00019456 _____ (Microsoft Corporation) C:\Windows\system32\diskperf.exe
2015-05-13 07:51 - 2015-04-27 21:21 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-05-13 07:51 - 2015-04-27 21:18 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-05-13 07:51 - 2015-04-27 21:18 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:16 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 21:11 - 03989440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-05-13 07:51 - 2015-04-27 21:11 - 03934144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-05-13 07:51 - 2015-04-27 21:08 - 01310744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2015-05-13 07:51 - 2015-04-27 21:05 - 00635392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdh.dll
2015-05-13 07:51 - 2015-04-27 21:05 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-05-13 07:51 - 2015-04-27 21:05 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-05-13 07:51 - 2015-04-27 21:05 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-05-13 07:51 - 2015-04-27 21:05 - 00092160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sechost.dll
2015-05-13 07:51 - 2015-04-27 21:05 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-05-13 07:51 - 2015-04-27 21:05 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-05-13 07:51 - 2015-04-27 21:05 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-05-13 07:51 - 2015-04-27 21:05 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2015-05-13 07:51 - 2015-04-27 21:04 - 00641536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2015-05-13 07:51 - 2015-04-27 21:04 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-05-13 07:51 - 2015-04-27 21:04 - 00364544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tracerpt.exe
2015-05-13 07:51 - 2015-04-27 21:04 - 00082944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\logman.exe
2015-05-13 07:51 - 2015-04-27 21:04 - 00040448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\typeperf.exe
2015-05-13 07:51 - 2015-04-27 21:04 - 00037888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\relog.exe
2015-05-13 07:51 - 2015-04-27 21:04 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2015-05-13 07:51 - 2015-04-27 21:04 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-05-13 07:51 - 2015-04-27 21:03 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2015-05-13 07:51 - 2015-04-27 21:03 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2015-05-13 07:51 - 2015-04-27 21:03 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-05-13 07:51 - 2015-04-27 21:03 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2015-05-13 07:51 - 2015-04-27 21:03 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\diskperf.exe
2015-05-13 07:51 - 2015-04-27 21:03 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2015-05-13 07:51 - 2015-04-27 21:01 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-05-13 07:51 - 2015-04-27 21:01 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:59 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 20:06 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\UtcResources.dll
2015-05-13 07:51 - 2015-04-27 19:57 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2015-05-13 07:51 - 2015-04-27 19:57 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2015-05-13 07:51 - 2015-04-27 19:55 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 19:55 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 19:55 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2015-05-13 07:51 - 2015-04-27 19:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2015-05-13 07:51 - 2015-04-21 19:14 - 24971776 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-05-13 07:51 - 2015-04-21 18:50 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-05-13 07:51 - 2015-04-21 18:48 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-05-13 07:51 - 2015-04-21 18:41 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-05-13 07:51 - 2015-04-21 18:37 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-05-13 07:51 - 2015-04-21 18:35 - 00816640 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-05-13 07:51 - 2015-04-21 18:35 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-05-13 07:51 - 2015-04-21 18:34 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-05-13 07:51 - 2015-04-21 18:31 - 06025728 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-05-13 07:51 - 2015-04-21 18:22 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-05-13 07:51 - 2015-04-21 18:09 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2015-05-13 07:51 - 2015-04-21 18:09 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-05-13 07:51 - 2015-04-21 18:08 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-05-13 07:51 - 2015-04-21 17:47 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-05-13 07:51 - 2015-04-21 17:40 - 14401536 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-05-13 07:51 - 2015-04-21 17:39 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-05-13 07:51 - 2015-04-21 17:27 - 02352128 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-05-13 07:51 - 2015-04-21 17:02 - 01882112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-05-13 07:51 - 2015-04-20 05:17 - 01647104 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2015-05-13 07:51 - 2015-04-20 05:17 - 01179136 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2015-05-13 07:51 - 2015-04-20 04:56 - 01250816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2015-05-13 07:51 - 2015-04-20 04:11 - 03204608 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-05-13 07:51 - 2015-04-13 05:28 - 00328704 _____ (Microsoft Corporation) C:\Windows\system32\services.exe
2015-05-13 07:51 - 2015-04-08 05:29 - 00275456 _____ (Microsoft Corporation) C:\Windows\system32\InkEd.dll
2015-05-13 07:51 - 2015-04-08 05:29 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\jnwmon.dll
2015-05-13 07:51 - 2015-04-08 05:14 - 00216064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\InkEd.dll
2015-05-13 07:51 - 2015-01-29 05:19 - 02543104 _____ (Microsoft Corporation) C:\Windows\system32\wpdshext.dll
2015-05-13 07:51 - 2015-01-29 05:02 - 02311168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wpdshext.dll
2015-05-13 07:50 - 2015-03-04 06:41 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\apphelp.dll
2015-05-13 07:50 - 2015-03-04 06:41 - 00072192 _____ (Microsoft Corporation) C:\Windows\system32\aelupsvc.dll
2015-05-13 07:50 - 2015-03-04 06:41 - 00023552 _____ (Microsoft Corporation) C:\Windows\system32\sdbinst.exe
2015-05-13 07:50 - 2015-03-04 06:41 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\shimeng.dll
2015-05-13 07:50 - 2015-03-04 06:11 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shimeng.dll
2015-05-13 07:50 - 2015-03-04 06:10 - 00295936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apphelp.dll
2015-05-13 07:50 - 2015-03-04 06:10 - 00020992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sdbinst.exe
2015-05-13 07:50 - 2015-02-18 09:06 - 00123904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\poqexec.exe
2015-05-13 07:50 - 2015-02-18 09:04 - 00142336 _____ (Microsoft Corporation) C:\Windows\system32\poqexec.exe
2015-05-06 11:44 - 2015-05-06 11:44 - 00010346 _____ C:\Users\Owner\Documents\Moscow Expenses.xlsx
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-04 10:12 - 2009-07-14 07:13 - 00797850 _____ C:\Windows\system32\PerfStringBackup.INI
2015-06-04 09:40 - 2014-04-14 20:46 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-06-03 18:50 - 2012-03-12 07:20 - 00000000 ____D C:\Users\Owner\AppData\Local\CrashDumps
2015-06-03 18:38 - 2012-01-20 09:47 - 00000000 ___HD C:\ASUS.DAT
2015-06-03 18:36 - 2011-11-23 09:55 - 00002794 _____ C:\Windows\system32\AutoRunFilter.ini
2015-06-03 18:22 - 2014-08-29 18:00 - 00000398 _____ C:\Windows\Tasks\updater.exe.job
2015-06-03 18:22 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-03 17:45 - 2013-03-01 22:25 - 00007599 _____ C:\Users\Owner\AppData\Local\resmon.resmoncfg
2015-06-03 16:38 - 2009-07-14 05:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2015-06-03 16:38 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\SysWOW64\GroupPolicy
2015-06-03 00:08 - 2012-02-11 11:31 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4103599219-1354955145-788884429-1000UA.job
2015-06-03 00:01 - 2014-08-30 23:40 - 00000398 _____ C:\Windows\Tasks\TA Unofficial Patch Updater.job
2015-06-02 23:20 - 2012-04-12 15:19 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-06-02 23:14 - 2009-07-14 06:45 - 00025088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-06-02 23:14 - 2009-07-14 06:45 - 00025088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-06-02 21:51 - 2014-04-22 23:21 - 00000000 ____D C:\Users\dub_cm_auto
2015-06-02 21:48 - 2009-07-14 04:34 - 00000215 _____ C:\Windows\system.ini
2015-06-01 23:02 - 2012-01-20 09:47 - 00118488 _____ C:\Users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
2015-06-01 23:01 - 2014-08-08 05:20 - 00000000 ____D C:\Program Files (x86)\Steam
2015-06-01 23:01 - 2013-04-12 22:07 - 00000000 ____D C:\Windows\Minidump
2015-06-01 23:01 - 2012-03-05 06:46 - 00000000 ____D C:\Users\Owner\AppData\Roaming\uTorrent
2015-06-01 22:45 - 2012-01-20 09:46 - 00000000 ____D C:\Users\Owner
2015-06-01 22:43 - 2009-07-14 06:45 - 00460728 _____ C:\Windows\system32\FNTCACHE.DAT
2015-06-01 22:36 - 2012-10-06 21:46 - 00000000 ____D C:\Users\Owner\AppData\Roaming\vlc
2015-06-01 21:28 - 2012-02-11 12:33 - 00000000 ____D C:\ProgramData\Norton
2015-05-31 14:08 - 2012-02-11 11:31 - 00000856 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4103599219-1354955145-788884429-1000Core.job
2015-05-31 00:39 - 2012-02-11 13:47 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Skype
2015-05-30 12:36 - 2014-07-24 21:54 - 00021726 _____ C:\Users\Owner\Documents\Maandelijks Budget 2014-2015.xlsx
2015-05-26 18:39 - 2012-12-08 15:21 - 00000000 ____D C:\Users\Owner\School
2015-05-22 06:37 - 2012-03-07 09:06 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-05-22 06:34 - 2014-11-18 21:36 - 00000000 ____D C:\Program Files\Microsoft Office 15
2015-05-21 06:29 - 2015-04-05 00:42 - 00000000 ___SD C:\Windows\SysWOW64\GWX
2015-05-21 06:29 - 2015-04-05 00:42 - 00000000 ___SD C:\Windows\system32\GWX
2015-05-20 21:13 - 2012-02-11 13:47 - 00000000 ____D C:\ProgramData\Skype
2015-05-18 13:49 - 2012-08-08 13:41 - 00000000 ____D C:\Users\Owner\Documents\Ned Zaken
2015-05-17 14:03 - 2012-02-11 11:31 - 00003878 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4103599219-1354955145-788884429-1000UA
2015-05-17 14:03 - 2012-02-11 11:31 - 00003482 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4103599219-1354955145-788884429-1000Core
2015-05-14 16:16 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\rescache
2015-05-14 10:24 - 2009-07-14 09:45 - 00000000 ____D C:\Program Files\Windows Journal
2015-05-14 10:24 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\AdvancedInstallers
2015-05-14 01:54 - 2014-03-25 18:12 - 00000039 _____ C:\Windows\vbaddin.ini
2015-05-14 01:53 - 2013-07-20 21:41 - 00000000 ____D C:\Windows\system32\MRT
2015-05-14 01:43 - 2012-02-14 05:28 - 140425016 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-05-14 01:36 - 2012-05-10 16:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-05-14 01:35 - 2012-05-10 16:35 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2015-05-14 01:35 - 2012-05-10 16:35 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2015-05-08 05:05 - 2014-11-18 21:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
 
==================== Files in the root of some directories =======
 
2013-12-19 01:28 - 2014-01-29 08:44 - 0000137 _____ () C:\Users\Owner\AppData\Roaming\WB.CFG
2014-01-04 17:24 - 2014-01-04 17:26 - 0004096 ____H () C:\Users\Owner\AppData\Local\keyfile3.drm
2013-03-01 22:25 - 2015-06-03 17:45 - 0007599 _____ () C:\Users\Owner\AppData\Local\resmon.resmoncfg
2015-06-03 12:52 - 2015-06-03 12:52 - 0105210 _____ () C:\ProgramData\1433328734.bdinstall.bin
2012-09-04 19:19 - 2012-09-04 19:19 - 0000057 _____ () C:\ProgramData\Ament.ini
2011-11-23 09:57 - 2011-11-23 09:58 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2011-11-23 09:57 - 2011-11-23 09:57 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-05-24 11:42
 
==================== End of log ============================

Attached Files

#2 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:BC, Canada
  • Local time:09:49 PM

Posted 08 June 2015 - 02:23 AM


Hi S-Works,

Welcome to BleepingComputer. My name is dbrisendine and I'll be helping you with this problem. Before I get into the removal of malware / correction of your problem, I need you to be aware of the following:

  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. Also, as some of the cleaning may be done in Safe Mode and there will be no internet connection then, you will find that having the steps printed for reference speeds the cleaning process along. If there's anything you don't understand or isn't totally clear to you, please come back to me for clarification before you start those steps.
  • All of the assistants and staff at BleepingComputer are here on a volunteer basis; please respect our time given to the cause of helping others. If you are going to be away for more than 4 days, please let me know here. (I will do the same for you.) We do realize that 'life happens' and situations arise unexpectedly; we just ask that you keep us up to date.
  • Malware removal is a complex, multiple step process; please stay with me on this thread (don't start another thread) until I declare that your logs are clean and you are good to go. The absence of apparent issues does not mean your system is clean; I will tell you when everything looks good for you to go and help you remove the tools we have used.
  • If any of the security programs on your system should give any warnings about the software tools I ask you to download and use, please do not be alarmed. All of the tools I will have you use are safe to use (as instructed) and malware free.
  • While we strive to disrupt your system as little as possible, things happen. If you can, it would be best to back up your personal files now (if you do not already have a backup). You can store these on a CD/DVD, USB drive or stick, anywhere but on your same system. This will save you from possible anguish later if something unforeseen happens.
  • Please do not run any other tools or scanners than what I ask you to. Some of the openly available software made for malware removal can make changes to your system that interfere with the cleaning of the malware, or even destroy your system. I will use only what the situation calls for and direct you in the proper use of that software.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead, please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.


    - Save ALL Tools to your Desktop -

    All the tools that I will have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.

    Since you are continuing with this step then I assume you are unfamiliar with saving files to your desktop. As a result it's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.
    Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.
    Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.
    Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
    NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.


Let's get started....

While I go over the logs you have provided, can you please post the C:\combofix.txt log file? Thank you.

 

Also, from your post it seems you would like to have 360 running as your security program; is this correct?


Edited by dbrisendine, 08 June 2015 - 02:30 AM.
Inquiry about security sw

Please do not ask for Malware help via PM (Private Messages).  Please post in the forum boards instead.  Thanks.

My help is always free but if you would like to help encourage me or show your thanks -----> (donate link)


#3 S-Works (Topic Starter)
  • Members
  • 18 posts

Posted 09 June 2015 - 04:01 PM

Let's get started....

While I go over the logs you have provided, can you please post the C:\combofix.txt log file? Thank you.

 

Also, from your post it seems you would like to have 360 running as your security program; is this correct?

 

Hi dbrisendine, thanks for your reply!

 

I've searched everywhere, but I can't seem to find the combofix.txt file, although ComboFix is still installed on my PC. Should I run it again?

 

Yes, I am running 360 Total Security; however, it has yet to complete a virus scan, because it gets stuck at 99%. I left it overnight last time, thinking I was just being impatient, but 12 hours later it was still stuck at 99%.


Edited by S-Works, 09 June 2015 - 04:01 PM.


#4 dbrisendine
  • Malware Response Team
  • 508 posts
  • Location: BC, Canada

Posted 10 June 2015 - 09:29 AM

Do not run ComboFix unless I instruct you to.  Interesting that the log cannot be found, as FRST shows it at C:\ComboFix.txt.

 

Also, why is FRST running from H: drive and not the desktop?




#5 S-Works (Topic Starter)
  • Members
  • 18 posts

Posted 10 June 2015 - 10:17 AM

Do not run ComboFix unless I instruct you to.  Interesting that the log cannot be found, as FRST shows it at C:\ComboFix.txt.

 

Also, why is FRST running from H: drive and not the desktop?

 

Okay, I won't. I searched for it via the start menu and I tried going directly to the file myself through C:\. ComboFix is there, but when I double-click it, it just goes back to My Computer.

 

I ran FRST from the USB stick I had it on before posting this thread. From now on I will run everything from the desktop as you have instructed me. 

 

What should I do now? 


Edited by S-Works, 10 June 2015 - 10:18 AM.


#6 dbrisendine
  • Malware Response Team
  • 508 posts
  • Location: BC, Canada

Posted 10 June 2015 - 10:58 AM

Both posted at same time it seems: LOL.

Please move FRST from the USB stick to your desktop. Don't worry; we will not be leaving much (if any) of our tools & logs on the desktop when finished. I always clean up when done.
 


FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

YTD Toolbar v9.2

To do so, left click on the name once and then click Uninstall/Change at the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.


SECOND >>>>

Open notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt

 

Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\FancyStart daemon.lnk [2011-11-23]
ShortcutTarget: FancyStart daemon.lnk -> C:\Windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_94E3CE3704FE82FBF49A6A.exe ()
C:\Windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-4103599219-1354955145-788884429-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-4103599219-1354955145-788884429-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
CHR Extension: (Hola Better Internet) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2014-06-13]
C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio
S1 NNSALPC; C:\Windows\System32\DRIVERS\NNSAlpc.sys [93968 2015-02-09] (Panda Security, S.L.)
S1 NNSHTTP; C:\Windows\System32\DRIVERS\NNSHttp.sys [202000 2015-02-09] (Panda Security, S.L.)
S1 NNSHTTPS; C:\Windows\System32\DRIVERS\NNSHttps.sys [110864 2015-02-09] (Panda Security, S.L.)
S1 NNSIDS; C:\Windows\System32\DRIVERS\NNSIds.sys [116496 2015-02-09] (Panda Security, S.L.)
S1 NNSPICC; C:\Windows\System32\DRIVERS\NNSPicc.sys [99600 2015-02-09] (Panda Security, S.L.)
S4 NNSPIHSW; C:\Windows\System32\DRIVERS\NNSPihsw.sys [69904 2015-02-09] (Panda Security, S.L.)
S1 NNSPOP3; C:\Windows\System32\DRIVERS\NNSPop3.sys [124176 2015-02-09] (Panda Security, S.L.)
S1 NNSPROT; C:\Windows\System32\DRIVERS\NNSProt.sys [299792 2015-02-09] (Panda Security, S.L.)
S1 NNSPRV; C:\Windows\System32\DRIVERS\NNSPrv.sys [166160 2015-02-09] (Panda Security, S.L.)
S1 NNSSMTP; C:\Windows\System32\DRIVERS\NNSSmtp.sys [113424 2015-02-09] (Panda Security, S.L.)
S1 NNSSTRM; C:\Windows\System32\DRIVERS\NNSStrm.sys [257296 2015-02-09] (Panda Security, S.L.)
S1 NNSTLSC; C:\Windows\System32\DRIVERS\NNSTlsc.sys [106256 2015-02-09] (Panda Security, S.L.)
S2 PSINAflt; C:\Windows\System32\DRIVERS\PSINAflt.sys [163600 2015-04-21] (Panda Security, S.L.)
S2 PSINFile; C:\Windows\System32\DRIVERS\PSINFile.sys [121616 2015-02-25] (Panda Security, S.L.)
S1 PSINKNC; C:\Windows\System32\DRIVERS\psinknc.sys [197392 2015-02-25] (Panda Security, S.L.)
S2 PSINProc; C:\Windows\System32\DRIVERS\PSINProc.sys [124176 2015-02-25] (Panda Security, S.L.)
S2 PSINProt; C:\Windows\System32\DRIVERS\PSINProt.sys [133904 2015-02-25] (Panda Security, S.L.)
S2 PSINReg; C:\Windows\System32\DRIVERS\PSINReg.sys [107792 2015-02-25] (Panda Security, S.L.)
C:\Windows\System32\DRIVERS\NNSAlpc.sys
C:\Windows\System32\DRIVERS\NNSHttp.sys
C:\Windows\System32\DRIVERS\NNSHttps.sys
C:\Windows\System32\DRIVERS\NNSIds.sys
C:\Windows\System32\DRIVERS\NNSPicc.sys
C:\Windows\System32\DRIVERS\NNSPihsw.sys
C:\Windows\System32\DRIVERS\NNSPop3.sys
C:\Windows\System32\DRIVERS\NNSProt.sys
C:\Windows\System32\DRIVERS\NNSPrv.sys
C:\Windows\System32\DRIVERS\NNSSmtp.sys
C:\Windows\System32\DRIVERS\NNSStrm.sys
C:\Windows\System32\DRIVERS\NNSTlsc.sys
C:\Windows\System32\DRIVERS\PSINAflt.sys
C:\Windows\System32\DRIVERS\PSINFile.sys
C:\Windows\System32\DRIVERS\psinknc.sys
C:\Windows\System32\DRIVERS\PSINProc.sys
C:\Windows\System32\DRIVERS\PSINProt.sys
C:\Windows\System32\DRIVERS\PSINReg.sys
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
C:\ComboFix\catchme.sys
2015-06-02 17:41 - 2015-06-02 17:41 - 00000000 ____D C:\Program Files\HitmanPro
2015-06-02 17:39 - 2015-06-02 17:39 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2015-06-02 17:15 - 2015-06-02 17:15 - 00000000 ____D C:\Users\Owner\AppData\Roaming\QuickScan
2015-06-01 23:02 - 2015-06-01 23:02 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Panda Security
2015-06-01 22:19 - 2015-06-03 10:51 - 00000000 ____D C:\Program Files (x86)\Panda Security
2015-06-01 17:47 - 2015-06-01 22:19 - 00000000 ____D C:\ProgramData\Panda Security
2015-06-01 07:51 - 2015-06-01 07:51 - 00013182 _____ C:\Windows\system32\.crusader
2015-06-01 07:29 - 2015-06-01 07:52 - 00000000 ____D C:\ProgramData\HitmanPro
2015-06-01 07:29 - 2015-06-01 07:29 - 11024496 _____ (SurfRight B.V.) C:\Users\Owner\Downloads\HitmanPro_x64.exe
2015-06-03 12:52 - 2015-06-03 12:52 - 0105210 _____ () C:\ProgramData\1433328734.bdinstall.bin
Task: {3F9C8BE8-CAE1-48FE-93E5-A117BF688A6D} - System32\Tasks\{C9C83A97-466B-4547-A299-9565FACEF482} => pcalua.exe -a C:\Users\Owner\Downloads\MouseTest.exe -d C:\Users\Owner\Downloads
Task: {415F748C-8623-43B9-B71A-5C0D458D7AF8} - System32\Tasks\{7252944D-1D4A-497A-9FD8-27118AC45C9E} => pcalua.exe -a C:\Users\Owner\Downloads\lgs510.exe -d C:\Users\Owner\Downloads
Task: {43B907EC-24C8-4602-A944-930CF9FD0057} - \updater.exe No Task File <==== ATTENTION
Task: {465A26CA-B2DB-4984-A664-64377F869780} - System32\Tasks\{220B5F08-D6F4-4204-BCAF-0DFBDD619992} => pcalua.exe -a C:\Users\Owner\Downloads\PlagueInc.exe -d C:\Users\Owner\Downloads
Task: {FDFCF8E7-9A83-44BE-942C-A694E4B64A9E} - System32\Tasks\{D6EF58BC-1962-4A55-99F6-CEA79CBC3885} => pcalua.exe -a "C:\Program Files (x86)\FreeHDSport TV V6.0\Uninstall.exe" -c /fromcontrolpanel=1
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
RemoveProxy:
Cmd: type C:\ComboFix.txt
Reboot:
end


NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Start FRST that is on the desktop by right clicking on file and selecting "Run as Administrator..." and press the Fix button just once and wait.


If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


Edited by dbrisendine, 10 June 2015 - 11:02 AM.

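Before a fix script like the one in this post is run, it is worth knowing what kinds of changes it asks for. The following is an added example, not part of this thread and not FRST's own code: a small Python reviewer that classifies each directive of a fixlist.txt (a trimmed, constructed copy of the script above is embedded as sample input), lists the entries the scan marked ATTENTION and the lines that delete things outright, and checks the Start/end wrapper. The directive shapes it recognises are my reading of the lines in this script, not FRST's documented grammar.

```python
"""Review an FRST fixlist.txt before it is run: what kinds of directives it
contains, which entries the scan flagged ATTENTION, and which lines delete
things outright.

Added example, not part of this thread and not FRST's own code. The directive
shapes below are an assumption drawn from the script posted in this thread
(Start/end wrapper, 'Name:' built-ins, 'S1 NAME; path' service lines, bare
paths, Task:/cmd:/Reg: prefixes), not FRST's documented grammar.
"""
import re
from collections import Counter

# Constructed sample input: a trimmed copy of the fix script in this thread.
SAMPLE_FIXLIST = r"""Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
S1 NNSALPC; C:\Windows\System32\DRIVERS\NNSAlpc.sys [93968 2015-02-09] (Panda Security, S.L.)
C:\Windows\System32\DRIVERS\NNSAlpc.sys
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
Task: {43B907EC-24C8-4602-A944-930CF9FD0057} - \updater.exe No Task File <==== ATTENTION
cmd: ipconfig /flushdns
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
Reboot:
end
"""

# Directive shapes, tested in this order; the first match wins.
_RULES = [
    ("command",            re.compile(r"^cmd:", re.I)),
    ("registry_command",   re.compile(r"^reg:", re.I)),
    ("scheduled_task",     re.compile(r"^task:", re.I)),
    ("service",            re.compile(r"^[SRU][0-4] \S+;")),
    ("file_or_folder",     re.compile(r"^(?:[A-Za-z]:\\|\d{4}-\d{2}-\d{2} )")),
    ("registry_entry",     re.compile(r"^HK(?:LM|CU|U|CR)")),
    ("browser_or_startup", re.compile(
        r"^(?:Startup|ShortcutTarget|SearchScopes|FF Plugin(?:-x32)?|CHR Extension):")),
    ("builtin",            re.compile(r"^[A-Za-z]+:$")),
]


def classify(line: str) -> str:
    """Return the directive category of one fixlist line."""
    for name, pattern in _RULES:
        if pattern.match(line):
            return name
    return "unknown"


def is_destructive(line: str) -> bool:
    """True for shell deletions (DEL/ERASE/RD/RMDIR) and 'reg delete' lines."""
    kind = classify(line)
    body = line.split(":", 1)[1].split() if ":" in line else []
    if kind == "command":
        return bool(body) and body[0].upper() in {"DEL", "ERASE", "RD", "RMDIR"}
    if kind == "registry_command":
        return len(body) > 1 and body[0].lower() == "reg" and body[1].lower() == "delete"
    return False


def review_fixlist(text: str) -> dict:
    """Summarise a fixlist: wrapper check, per-category counts, flagged lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    well_formed = (len(lines) >= 2
                   and lines[0].lower() == "start"
                   and lines[-1].lower() == "end")
    # Everything between the Start/end wrapper is a directive.
    directives = lines[1:-1] if well_formed else lines
    return {
        "well_formed": well_formed,
        "directives": len(directives),
        "counts": Counter(classify(d) for d in directives),
        "attention": [d for d in directives if "ATTENTION" in d],
        "destructive": [d for d in directives if is_destructive(d)],
        "reboots": any(d.lower() == "reboot:" for d in directives),
    }


if __name__ == "__main__":
    report = review_fixlist(SAMPLE_FIXLIST)
    print("well formed :", report["well_formed"])
    print("reboot      :", report["reboots"])
    for kind, n in sorted(report["counts"].items()):
        print(f"{kind:20s} {n}")
    print("ATTENTION entries:")
    for d in report["attention"]:
        print("  ", d)
    print("destructive lines:")
    for d in report["destructive"]:
        print("  ", d)
```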


#7 S-Works (Topic Starter)
  • Members
  • 18 posts

Posted 10 June 2015 - 01:49 PM

I found YTD Toolbar v9.2 under Programs and Features but when I tried uninstalling it, I got the following error:

 

"The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

 

What do you recommend I do? 



#8 dbrisendine
  • Malware Response Team
  • 508 posts
  • Location: BC, Canada

Posted 10 June 2015 - 09:02 PM

Don't worry about the uninstall then (we will deal with the installer issue later).  Thank you for checking back before going ahead.

 

Please run the FRST fixlist.txt script and post the Fixlog.txt file text. 




#9 S-Works (Topic Starter)
  • Members
  • 18 posts

Posted 11 June 2015 - 04:27 AM

Don't worry about the uninstall then (we will deal with the installer issue later).  Thank you for checking back before going ahead.

 

Please run the FRST fixlist.txt script and post the Fixlog.txt file text. 

 

Alrighty. :)

 

I ran FRST with the fixlist.txt. Here is the log text:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:03-06-2015
Ran by Owner at 2015-06-11 10:23:16 Run:1
Running from C:\Users\Owner\Desktop
Loaded Profiles: Owner (Available Profiles: Owner)
Boot Mode: Safe Mode (with Networking)
==============================================
 
fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\FancyStart daemon.lnk [2011-11-23]
ShortcutTarget: FancyStart daemon.lnk -> C:\Windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_94E3CE3704FE82FBF49A6A.exe ()
C:\Windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-4103599219-1354955145-788884429-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-4103599219-1354955145-788884429-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
CHR Extension: (Hola Better Internet) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2014-06-13]
C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio
S1 NNSALPC; C:\Windows\System32\DRIVERS\NNSAlpc.sys [93968 2015-02-09] (Panda Security, S.L.)
S1 NNSHTTP; C:\Windows\System32\DRIVERS\NNSHttp.sys [202000 2015-02-09] (Panda Security, S.L.)
S1 NNSHTTPS; C:\Windows\System32\DRIVERS\NNSHttps.sys [110864 2015-02-09] (Panda Security, S.L.)
S1 NNSIDS; C:\Windows\System32\DRIVERS\NNSIds.sys [116496 2015-02-09] (Panda Security, S.L.)
S1 NNSPICC; C:\Windows\System32\DRIVERS\NNSPicc.sys [99600 2015-02-09] (Panda Security, S.L.)
S4 NNSPIHSW; C:\Windows\System32\DRIVERS\NNSPihsw.sys [69904 2015-02-09] (Panda Security, S.L.)
S1 NNSPOP3; C:\Windows\System32\DRIVERS\NNSPop3.sys [124176 2015-02-09] (Panda Security, S.L.)
S1 NNSPROT; C:\Windows\System32\DRIVERS\NNSProt.sys [299792 2015-02-09] (Panda Security, S.L.)
S1 NNSPRV; C:\Windows\System32\DRIVERS\NNSPrv.sys [166160 2015-02-09] (Panda Security, S.L.)
S1 NNSSMTP; C:\Windows\System32\DRIVERS\NNSSmtp.sys [113424 2015-02-09] (Panda Security, S.L.)
S1 NNSSTRM; C:\Windows\System32\DRIVERS\NNSStrm.sys [257296 2015-02-09] (Panda Security, S.L.)
S1 NNSTLSC; C:\Windows\System32\DRIVERS\NNSTlsc.sys [106256 2015-02-09] (Panda Security, S.L.)
S2 PSINAflt; C:\Windows\System32\DRIVERS\PSINAflt.sys [163600 2015-04-21] (Panda Security, S.L.)
S2 PSINFile; C:\Windows\System32\DRIVERS\PSINFile.sys [121616 2015-02-25] (Panda Security, S.L.)
S1 PSINKNC; C:\Windows\System32\DRIVERS\psinknc.sys [197392 2015-02-25] (Panda Security, S.L.)
S2 PSINProc; C:\Windows\System32\DRIVERS\PSINProc.sys [124176 2015-02-25] (Panda Security, S.L.)
S2 PSINProt; C:\Windows\System32\DRIVERS\PSINProt.sys [133904 2015-02-25] (Panda Security, S.L.)
S2 PSINReg; C:\Windows\System32\DRIVERS\PSINReg.sys [107792 2015-02-25] (Panda Security, S.L.)
C:\Windows\System32\DRIVERS\NNSAlpc.sys
C:\Windows\System32\DRIVERS\NNSHttp.sys
C:\Windows\System32\DRIVERS\NNSHttps.sys
C:\Windows\System32\DRIVERS\NNSIds.sys
C:\Windows\System32\DRIVERS\NNSPicc.sys
C:\Windows\System32\DRIVERS\NNSPihsw.sys
C:\Windows\System32\DRIVERS\NNSPop3.sys
C:\Windows\System32\DRIVERS\NNSProt.sys
C:\Windows\System32\DRIVERS\NNSPrv.sys
C:\Windows\System32\DRIVERS\NNSSmtp.sys
C:\Windows\System32\DRIVERS\NNSStrm.sys
C:\Windows\System32\DRIVERS\NNSTlsc.sys
C:\Windows\System32\DRIVERS\PSINAflt.sys
C:\Windows\System32\DRIVERS\PSINFile.sys
C:\Windows\System32\DRIVERS\psinknc.sys
C:\Windows\System32\DRIVERS\PSINProc.sys
C:\Windows\System32\DRIVERS\PSINProt.sys
C:\Windows\System32\DRIVERS\PSINReg.sys
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
C:\ComboFix\catchme.sys
2015-06-02 17:41 - 2015-06-02 17:41 - 00000000 ____D C:\Program Files\HitmanPro
2015-06-02 17:39 - 2015-06-02 17:39 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2015-06-02 17:15 - 2015-06-02 17:15 - 00000000 ____D C:\Users\Owner\AppData\Roaming\QuickScan
2015-06-01 23:02 - 2015-06-01 23:02 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Panda Security
2015-06-01 22:19 - 2015-06-03 10:51 - 00000000 ____D C:\Program Files (x86)\Panda Security
2015-06-01 17:47 - 2015-06-01 22:19 - 00000000 ____D C:\ProgramData\Panda Security
2015-06-01 07:51 - 2015-06-01 07:51 - 00013182 _____ C:\Windows\system32\.crusader
2015-06-01 07:29 - 2015-06-01 07:52 - 00000000 ____D C:\ProgramData\HitmanPro
2015-06-01 07:29 - 2015-06-01 07:29 - 11024496 _____ (SurfRight B.V.) C:\Users\Owner\Downloads\HitmanPro_x64.exe
2015-06-03 12:52 - 2015-06-03 12:52 - 0105210 _____ () C:\ProgramData\1433328734.bdinstall.bin
Task: {3F9C8BE8-CAE1-48FE-93E5-A117BF688A6D} - System32\Tasks\{C9C83A97-466B-4547-A299-9565FACEF482} => pcalua.exe -a C:\Users\Owner\Downloads\MouseTest.exe -d C:\Users\Owner\Downloads
Task: {415F748C-8623-43B9-B71A-5C0D458D7AF8} - System32\Tasks\{7252944D-1D4A-497A-9FD8-27118AC45C9E} => pcalua.exe -a C:\Users\Owner\Downloads\lgs510.exe -d C:\Users\Owner\Downloads
Task: {43B907EC-24C8-4602-A944-930CF9FD0057} - \updater.exe No Task File <==== ATTENTION
Task: {465A26CA-B2DB-4984-A664-64377F869780} - System32\Tasks\{220B5F08-D6F4-4204-BCAF-0DFBDD619992} => pcalua.exe -a C:\Users\Owner\Downloads\PlagueInc.exe -d C:\Users\Owner\Downloads
Task: {FDFCF8E7-9A83-44BE-942C-A694E4B64A9E} - System32\Tasks\{D6EF58BC-1962-4A55-99F6-CEA79CBC3885} => pcalua.exe -a "C:\Program Files (x86)\FreeHDSport TV V6.0\Uninstall.exe" -c /fromcontrolpanel=1
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
RemoveProxy:
Cmd: type C:\ComboFix.txt
Reboot:
end
*****************
 
Error: Restore point can only be created in normal mode.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\FancyStart daemon.lnk => moved successfully.
C:\Windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_94E3CE3704FE82FBF49A6A.exe => moved successfully.
C:\Windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A} => moved successfully.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found. 
"HKU\S-1-5-21-4103599219-1354955145-788884429-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-4103599219-1354955145-788884429-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => key removed successfully
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found. 
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio folder not found
"C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio" => File/Folder not found.
NNSALPC => Service removed successfully
NNSHTTP => Service removed successfully
NNSHTTPS => Service removed successfully
NNSIDS => Service removed successfully
NNSPICC => Service removed successfully
NNSPIHSW => Service removed successfully
NNSPOP3 => Service removed successfully
NNSPROT => Service removed successfully
NNSPRV => Service removed successfully
NNSSMTP => Service removed successfully
NNSSTRM => Service removed successfully
NNSTLSC => Service removed successfully
PSINAflt => Service removed successfully
PSINFile => Service removed successfully
PSINKNC => Service removed successfully
PSINProc => Service removed successfully
PSINProt => Service removed successfully
PSINReg => Service removed successfully
C:\Windows\System32\DRIVERS\NNSAlpc.sys => moved successfully.
C:\Windows\System32\DRIVERS\NNSHttp.sys => moved successfully.
C:\Windows\System32\DRIVERS\NNSHttps.sys => moved successfully.
C:\Windows\System32\DRIVERS\NNSIds.sys => moved successfully.
C:\Windows\System32\DRIVERS\NNSPicc.sys => moved successfully.
C:\Windows\System32\DRIVERS\NNSPihsw.sys => moved successfully.
C:\Windows\System32\DRIVERS\NNSPop3.sys => moved successfully.
C:\Windows\System32\DRIVERS\NNSProt.sys => moved successfully.
C:\Windows\System32\DRIVERS\NNSPrv.sys => moved successfully.
C:\Windows\System32\DRIVERS\NNSSmtp.sys => moved successfully.
C:\Windows\System32\DRIVERS\NNSStrm.sys => moved successfully.
C:\Windows\System32\DRIVERS\NNSTlsc.sys => moved successfully.
C:\Windows\System32\DRIVERS\PSINAflt.sys => moved successfully.
C:\Windows\System32\DRIVERS\PSINFile.sys => moved successfully.
C:\Windows\System32\DRIVERS\psinknc.sys => moved successfully.
C:\Windows\System32\DRIVERS\PSINProc.sys => moved successfully.
C:\Windows\System32\DRIVERS\PSINProt.sys => moved successfully.
C:\Windows\System32\DRIVERS\PSINReg.sys => moved successfully.
catchme => Service removed successfully
"C:\ComboFix\catchme.sys" => File/Folder not found.
C:\Program Files\HitmanPro => moved successfully.
C:\Windows\system32\bootdelete.exe => moved successfully.
C:\Users\Owner\AppData\Roaming\QuickScan => moved successfully.
C:\Users\Owner\AppData\Roaming\Panda Security => moved successfully.
C:\Program Files (x86)\Panda Security => moved successfully.
C:\ProgramData\Panda Security => moved successfully.
C:\Windows\system32\.crusader => moved successfully.
C:\ProgramData\HitmanPro => moved successfully.
C:\Users\Owner\Downloads\HitmanPro_x64.exe => moved successfully.
"C:\ProgramData\1433328734.bdinstall.bin" => File/Folder not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3F9C8BE8-CAE1-48FE-93E5-A117BF688A6D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3F9C8BE8-CAE1-48FE-93E5-A117BF688A6D}" => key removed successfully
C:\Windows\System32\Tasks\{C9C83A97-466B-4547-A299-9565FACEF482} => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{C9C83A97-466B-4547-A299-9565FACEF482}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{415F748C-8623-43B9-B71A-5C0D458D7AF8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{415F748C-8623-43B9-B71A-5C0D458D7AF8}" => key removed successfully
C:\Windows\System32\Tasks\{7252944D-1D4A-497A-9FD8-27118AC45C9E} => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{7252944D-1D4A-497A-9FD8-27118AC45C9E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{43B907EC-24C8-4602-A944-930CF9FD0057}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{43B907EC-24C8-4602-A944-930CF9FD0057}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\updater.exe" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{465A26CA-B2DB-4984-A664-64377F869780}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{465A26CA-B2DB-4984-A664-64377F869780}" => key removed successfully
C:\Windows\System32\Tasks\{220B5F08-D6F4-4204-BCAF-0DFBDD619992} => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{220B5F08-D6F4-4204-BCAF-0DFBDD619992}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FDFCF8E7-9A83-44BE-942C-A694E4B64A9E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FDFCF8E7-9A83-44BE-942C-A694E4B64A9E}" => key removed successfully
C:\Windows\System32\Tasks\{D6EF58BC-1962-4A55-99F6-CEA79CBC3885} => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{D6EF58BC-1962-4A55-99F6-CEA79CBC3885}" => key removed successfully
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
=========  netsh advfirewall reset =========
 
Ok.
 
 
========= End of CMD: =========
 
 
=========  netsh advfirewall set allprofiles state on =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
 
========= Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
 
========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
 
========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
 
=========  bitsadmin /reset /allusers =========
 
 
BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
Unable to connect to BITS - 0x8007042c
The dependency service or group failed to start.
 
 
 
========= End of CMD: =========
 
 
=========  DEL %TEMP%\*.* /F /S /Q =========
 
Deleted file - C:\Users\Owner\AppData\Local\Temp\AdobeARM.log
Deleted file - C:\Users\Owner\AppData\Local\Temp\adwcleaner.db
Deleted file - C:\Users\Owner\AppData\Local\Temp\AdwCleaner.jpg
Deleted file - C:\Users\Owner\AppData\Local\Temp\ArmUI.ini
Deleted file - C:\Users\Owner\AppData\Local\Temp\Cleaning.ico
Deleted file - C:\Users\Owner\AppData\Local\Temp\D301.tmp
Deleted file - C:\Users\Owner\AppData\Local\Temp\dllnt_dump.dll
Deleted file - C:\Users\Owner\AppData\Local\Temp\E2D2.tmp
Deleted file - C:\Users\Owner\AppData\Local\Temp\EULA.txt
C:\Users\Owner\AppData\Local\Temp\FXSAPIDebugLogFile.txt
The process cannot access the file because it is being used by another process.
Deleted file - C:\Users\Owner\AppData\Local\Temp\JRT.txt
Deleted file - C:\Users\Owner\AppData\Local\Temp\JRT2.txt
Deleted file - C:\Users\Owner\AppData\Local\Temp\msoia.exe_c2rdll(201506022302211310).log
Deleted file - C:\Users\Owner\AppData\Local\Temp\PsNanoLog_20F9.zip
Deleted file - C:\Users\Owner\AppData\Local\Temp\PsNanoLog_E467.zip
Deleted file - C:\Users\Owner\AppData\Local\Temp\Quarantine.exe
Deleted file - C:\Users\Owner\AppData\Local\Temp\Report.ico
Deleted file - C:\Users\Owner\AppData\Local\Temp\Scan.ico
Deleted file - C:\Users\Owner\AppData\Local\Temp\sqlite3.dll
Deleted file - C:\Users\Owner\AppData\Local\Temp\Uninstall.ico
Deleted file - C:\Users\Owner\AppData\Local\Temp\WINWORD.EXE_c2rdll(20150604193514720).log
Deleted file - C:\Users\Owner\AppData\Local\Temp\WINWORD.EXE_c2rdll(20150609000023648).log
Deleted file - C:\Users\Owner\AppData\Local\Temp\WINWORD.EXE_c2rdll(20150609000023654).log
Deleted file - C:\Users\Owner\AppData\Local\Temp\WINWORD.EXE_c2rdll(201506090000556C8).log
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\appinit64_null.reg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\appinit_null.reg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\ask.bat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\askCLSID.dat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\askregkey_x64.dat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\askregkey_x86.dat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\askregvalue_x64.dat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\askregvalue_x86.dat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\badAPPINIT.dat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\badFOLDERS.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\badFOLDERScom.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\badFOLDERSstart.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\badLNK.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\badLNK2.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\badTASKS.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\badvalues.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\browsermngr_keys.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\browsermngr_values.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\chrome.bat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\chrome_pref.bat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\CHRregkey_x64.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\CHRregkey_x86.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\CHR_extensions.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\CHR_open_x64.reg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\CHR_open_x86.reg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\CHR_storage.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\clean_shortcut.vbs
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\currentmd5
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\CUT.DAT
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\datamngr_del.reg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\defaultscope.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\delfolders.bat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\ev_clear.bat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\FFbrowsermngr.dat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\FFextensions.dat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\FFpluginREG.dat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\FFplugins.dat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\FFprefs.dat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\FFregkey_x64.dat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\FFregkey_x86.dat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\FFwhtlist.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\FFXML.dat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\FFXPI.dat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\FF_open_x64.reg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\FF_open_x86.reg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\firefox.bat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\get.bat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\GREP.DAT
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\IEwhtlst.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\iexplore.bat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\IE_open_x64.reg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\IE_open_x86.reg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\IFEO.dat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\JQ.DAT
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\libiconv2.dll
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\libintl3.dll
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\medfos.bat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\misc.bat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\mws.bat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\NIRCMD.DAT
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\pcre3.dll
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\prelim.bat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\regex2.dll
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\runvalues.bat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\runvalues_x64.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\runvalues_x86.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\searchlnk.bat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\SED.DAT
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\services.dat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\serviceseventlog.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\SHORTCUT.DAT
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\surfvox.bat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\TDL4.bat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\WGET.DAT
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\winlogon.reg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\wl_bhoclsid.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\wl_processes.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\wl_toolbars.cfg
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\nfo\GNU utilities for Win32.url
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\nfo\sed.txt
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\nfo\shortcut.txt
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\nfo\Tweaking.com Registry Backup.url
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\nfo\wget.txt
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\temp\null.txt
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\tweaking.com_registry_backup_portable\change_log.txt
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\tweaking.com_registry_backup_portable\data.dat
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\tweaking.com_registry_backup_portable\keywords.txt
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\tweaking.com_registry_backup_portable\MSINET.Ocx
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\tweaking.com_registry_backup_portable\pcwintech_tasksch.dll
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\tweaking.com_registry_backup_portable\Settings.ini
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\tweaking.com_registry_backup_portable\SSubTmr6.dll
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\tweaking.com_registry_backup_portable\TweakingFormControls.ocx
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\tweaking.com_registry_backup_portable\TweakingImgCtl.ocx
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\tweaking.com_registry_backup_portable\TweakingRegistryBackup.exe
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\tweaking.com_registry_backup_portable\TweakingRegistryBackup.exe.manifest
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\tweaking.com_registry_backup_portable\tweaking_com_treeview.ocx
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\tweaking.com_registry_backup_portable\tweaking_tabs.ocx
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\tweaking.com_registry_backup_portable\vbalIml6.ocx
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\tweaking.com_registry_backup_portable\files\dosdev.exe
Deleted file - C:\Users\Owner\AppData\Local\Temp\jrt\tweaking.com_registry_backup_portable\files\recovery_console.reg
 
========= End of CMD: =========
 
 
=========  RD /S /Q %TEMP% =========
 
C:\Users\Owner\AppData\Local\Temp\FXSAPIDebugLogFile.txt - The process cannot access the file because it is being used by another process.
 
========= End of CMD: =========
 
 
========= RemoveProxy: =========
 
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-4103599219-1354955145-788884429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-4103599219-1354955145-788884429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
 
 
========= End of RemoveProxy: =========
 
 
=========  type C:\ComboFix.txt =========
 
The system cannot find the file specified.
 
========= End of CMD: =========
 
 
 
The system needed a reboot.. 
 
==== End of Fixlog 10:23:20 ====
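Two results in the Fixlog above deserve a follow-up check: "bitsadmin /reset" failed with 0x8007042c ("The dependency service or group failed to start"), which means BITS could not start because a service it depends on is stopped or disabled, and RemoveProxy deleted the per-user WinINET connection blobs. The PowerShell script below is an added verification example, not part of the thread or of the FRST tool: it walks the BITS dependency chain and shows the status and start mode of every link, then reports the current per-user and system-wide proxy state. The function names are mine; it assumes an elevated PowerShell prompt on the affected Windows 7 machine (PowerShell 2.0 syntax is used so it runs there unchanged).

```powershell
# Added diagnostic for the Fixlog result above; not part of the FRST fix
# or of the original thread. Run from an elevated PowerShell prompt in
# normal mode (PowerShell 2.0 compatible, i.e. stock Windows 7).

# "bitsadmin /reset" reported 0x8007042c (ERROR_SERVICE_DEPENDENCY_FAIL):
# BITS could not start because something it depends on did not start.
# Walk the dependency tree and show the state and start mode of each link;
# a Stopped service with StartMode 'Disabled' is the usual culprit after
# malware or an aggressive cleanup tool has been at the services list.
function Get-ServiceDependencyTree {
    param([string]$Name = 'BITS')
    $root  = Get-Service -Name $Name -ErrorAction Stop
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($root)
    while ($queue.Count -gt 0) {
        $svc = $queue.Dequeue()
        if ($seen.ContainsKey($svc.Name)) { continue }
        $seen[$svc.Name] = $true
        # Win32_Service only covers user-mode services; a kernel driver in the
        # tree returns nothing here, so label it instead of failing.
        $wmi  = Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'"
        $mode = if ($wmi) { $wmi.StartMode } else { 'n/a (driver)' }
        New-Object PSObject -Property @{
            Service   = $svc.Name
            Status    = $svc.Status
            StartMode = $mode
        }
        foreach ($dep in $svc.ServicesDependedOn) { $queue.Enqueue($dep) }
    }
}

# RemoveProxy deleted DefaultConnectionSettings / SavedLegacySettings for
# HKU\.DEFAULT and the user's SID. Internet Explorer re-creates those blobs
# the next time it starts, so their presence alone is not suspicious; a
# ProxyServer or AutoConfigURL (PAC) value you did not set is.
function Get-ProxyState {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $main = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $conn = Get-ItemProperty -Path "$base\Connections" -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ProxyEnable                   = $main.ProxyEnable
        ProxyServer                   = $main.ProxyServer
        AutoConfigURL                 = $main.AutoConfigURL
        DefaultConnectionSettingsBlob = [bool]$conn.DefaultConnectionSettings
        SavedLegacySettingsBlob       = [bool]$conn.SavedLegacySettings
    }
}

Write-Host '== BITS dependency tree =='
Get-ServiceDependencyTree -Name 'BITS' | Format-Table Service, Status, StartMode -AutoSize

Write-Host '== Per-user WinINET proxy settings =='
Get-ProxyState | Format-List

# The WinHTTP proxy (used by Windows Update, BITS and other services) is
# stored separately from the per-user WinINET setting; check it too.
Write-Host '== System-wide WinHTTP proxy =='
netsh winhttp show proxy
```

If the dependency tree shows a link that is Stopped and Disabled, re-enabling it (sc config <name> start= demand, then sc start <name>) is what gets BITS, and with it Windows Update, working again; a non-empty WinHTTP proxy on a home machine that never had one configured is worth treating as a leftover of the infection.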


#10 dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender:Male
  • Location:BC, Canada

Posted 12 June 2015 - 01:23 AM

FIRST >>>>

Junkware Removal Tool
Please download JRT from here to your desktop.

Note: Temporarily disable/shut down your protection software now to avoid potential conflicts; how to do so can be read here.

Double click the JRT.exe file to run the application.

The application will open a Command Prompt window and run from there (this is normal for this program, so do not be alarmed).

When asked, press any key to allow the program to continue / run.

This will create a log on the desktop; please copy and paste the JRT.txt log text in your next post.

Note: After the log file is created, please enable your protection software / reboot your system and verify your protection software is enabled.


SECOND >>>>

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
  • Click the Scan button and wait for the scan to finish.
  • After the scan has finished, the window may or may not show what it found; above it, in the progress bar, you will see: Waiting for action. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be deleted.
  • When the program has finished cleaning a report appears.
  • Once done it will ask to reboot; allow this.
  • On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt

Optional:

NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.


Please do not ask for Malware help via PM (Private Messages).  Please post in the forum boards instead.  Thanks.

My help is always free but if you would like to help encourage me or show your thanks: [donate button]


#11 S-Works

  • Topic Starter
  • Members
  • 18 posts

Posted 12 June 2015 - 05:02 AM

Junkware Removal Tool log:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.9.1 (06.08.2015:1)
OS: Windows 7 Home Premium x64
Ran by Owner on 12/06/2015 at 11:59:45.00
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Tasks
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Chrome
 
 
[C:\Users\Owner\appdata\local\Google\Chrome\User Data\Default\Preferences] - default search provider reset
 
[C:\Users\Owner\appdata\local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
 
[C:\Users\Owner\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset
 
[C:\Users\Owner\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 12/06/2015 at 12:03:01.92
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#12 S-Works

  • Topic Starter
  • Members
  • 18 posts

Posted 12 June 2015 - 06:56 AM

Adware log file.
 
# AdwCleaner v4.206 - Logfile created 12/06/2015 at 14:04:26
# Updated 01/06/2015 by Xplode
# Database : 2015-05-31.5 [Local]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Owner - OWNER-PC
# Running from : C:\Users\Owner\Desktop\AdwCleaner.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17801
 
 
-\\ Mozilla Firefox v10.0.2 (en-US)
 
 
-\\ Google Chrome v
 
 
*************************
 
AdwCleaner[R0].txt - [280 bytes] - [02/06/2015 20:01:39]
AdwCleaner[R1].txt - [4311 bytes] - [02/06/2015 20:21:52]
AdwCleaner[R2].txt - [1598 bytes] - [06/06/2015 22:16:15]
AdwCleaner[R3].txt - [302 bytes] - [12/06/2015 12:25:49]
AdwCleaner[R4].txt - [1126 bytes] - [12/06/2015 13:55:17]
AdwCleaner[S0].txt - [4181 bytes] - [02/06/2015 20:49:14]
AdwCleaner[S1].txt - [1670 bytes] - [06/06/2015 22:22:05]
AdwCleaner[S2].txt - [1052 bytes] - [12/06/2015 14:04:26]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1111  bytes] ##########

Edited by S-Works, 12 June 2015 - 08:20 AM.


#13 dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender:Male
  • Location:BC, Canada

Posted 13 June 2015 - 01:45 AM

How is your system running now?




#14 S-Works

  • Topic Starter
  • Members
  • 18 posts

Posted 13 June 2015 - 02:44 AM

How is your system running now?

No, no noticeable difference unfortunately. :(

In safe mode the processes that cause problems seem to be disabled, as the PC runs fine then, with the HDD indicator light just intermittently blinking like I'm accustomed to.

But in normal mode it still takes about 10 minutes for Windows Explorer to even show the desktop, and then another 10 after that before I hear the start-up tone. After that the computer barely responds to minor input like opening the Documents folder, and this takes ages. During all this the HDD indicator light is constantly on (almost solid, not even blinking); I don't know what kind of activity it could be running that causes this.
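The observation above (fine in Safe Mode, disk pegged in normal mode) narrows the cause to something that starts only in normal mode: Safe Mode starts only the services listed under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and does not process the Run keys. The PowerShell script below is an added example, not part of the original post or of any tool used in the thread: it lists the automatic-start services that are not in the SafeBoot\Minimal list, the Run-key entries that Safe Mode skips, and the processes doing the most I/O over a ten-second sample. The function names are mine; it assumes an elevated prompt on an English-language Windows 7 install (performance counter names are localized) and PowerShell 2.0 syntax so it runs there unchanged.

```powershell
# Added diagnostic for the symptom above (healthy in Safe Mode, disk pegged
# in normal mode); not part of the original post. Run from an elevated
# PowerShell prompt in normal mode (PowerShell 2.0 compatible, stock Win7).

# Safe Mode only starts the services named under SafeBoot\Minimal. Any
# Automatic service missing from that list is something normal mode runs
# and Safe Mode does not, i.e. a candidate for the constant disk activity.
function Get-NormalModeOnlyServices {
    $safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
    $allowed  = @{}
    foreach ($key in Get-ChildItem -Path $safeBoot) {
        $allowed[$key.PSChildName.ToLower()] = $true
    }
    Get-WmiObject Win32_Service -Filter "StartMode='Auto'" |
        Where-Object { -not $allowed.ContainsKey($_.Name.ToLower()) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name     = $_.Name
                State    = $_.State
                Account  = $_.StartName
                PathName = $_.PathName   # unusual paths (Temp, AppData) stand out here
            }
        } | Sort-Object Name
}

# Run keys are not processed in Safe Mode either, so list them as well.
function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# "IO Data Bytes/sec" counts file, pipe and socket reads+writes per process.
# With the HDD light solid, the top entries are where to look first; a
# process with a strange name or path near the top is the one to pull apart.
function Get-TopIoProcesses {
    param([int]$Seconds = 10, [int]$Top = 10)
    $data = Get-Counter -Counter '\Process(*)\IO Data Bytes/sec' -SampleInterval 1 -MaxSamples $Seconds
    $data.CounterSamples |
        Where-Object { @('_total', 'idle') -notcontains $_.InstanceName } |
        Group-Object -Property InstanceName |
        ForEach-Object {
            $avg = ($_.Group | Measure-Object -Property CookedValue -Average).Average
            New-Object PSObject -Property @{
                Process        = $_.Name
                AvgBytesPerSec = [math]::Round($avg)
            }
        } |
        Sort-Object -Property AvgBytesPerSec -Descending |
        Select-Object -First $Top
}

Write-Host '== Auto-start services Safe Mode would not load =='
Get-NormalModeOnlyServices | Format-Table Name, State, Account, PathName -AutoSize

Write-Host '== Run-key entries (also skipped in Safe Mode) =='
Get-RunKeyEntries | Format-Table Key, Name, Command -AutoSize

Write-Host '== Busiest processes by I/O over 10 seconds =='
Get-TopIoProcesses | Format-Table Process, AvgBytesPerSec -AutoSize
```

Read the three lists together: a service or Run entry whose PathName points into a user-writable location, combined with that same process at the top of the I/O sample, is the thing to submit for analysis or disable before the next normal-mode boot. Legitimate heavy readers (search indexer, antivirus scanning, a backup agent) will also appear in the sample, so the path and signer of the binary matter more than the byte count alone.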



#15 dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender:Male
  • Location:BC, Canada

Posted 14 June 2015 - 02:58 AM

Tweaking.com - Windows Repair All-In-One (Portable)

- Download Windows Repair All-In-One (Portable Version) from here.

- Extract tweaking.com_windows_repair_aio.zip to your Desktop.

- Disable all your antivirus and antimalware software - see how to do that here.
- Right click on the extracted executable and select Run as Administrator (XP users just double click) to start Windows Repair All-In-One.
(Windows Vista/7/8 users: Accept UAC warning if it is enabled.)

- A window will appear. Click Step 2.

- Click the Open Pre-Scan button, then click Start Scan. Wait for Windows Repair to finish scanning.

- Depending on which error Windows Repair found, click Repair Reparse Point or Repair Environment Variable accordingly. When the button changes to "Done!", click the close button to return to Windows Repair.

- Go to Step 3, then click Check under See If Check Disk Is Needed.

- If Windows Repair stated that errors are found, click Open Check Disk At Next Boot. Choose (/R) Fixes errors on the disk also locate bad sectors and recovers readable information, then click Add To Next Boot. Reboot the computer to let Windows check the disk.

- Go to Step 4, then click Do It.

- Go to Step 5. Under Registry Backup click Backup.  Under System Restore click Create.

- Go to Repairs and click Open Repairs. Leave all checkmarks as they are, then click Start Repairs.

- By default Windows Repair All-In-One will create a "Logs" folder in its folder on the Desktop. Please post the contents of the log in your next reply.






