
Windows Defender error 80073b01


  • This topic is locked
3 replies to this topic

#1 alangant


  • Members
  • 3 posts

Posted 12 June 2015 - 12:27 PM

Windows Defender will not start, with error 80073b01. Defender Offline states that no system disk is found, possibly corrupted or encrypted. I believe this started when a popup appeared to update Adobe Flash.

I ran Malwarebytes Free and HitmanPro; both found numerous adware infections and removed them. HitmanPro.Kickstart would not run, hanging on keyboard selection with a non-responsive USB keyboard.

Thanks for any help you may provide!

Alan

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:08-06-2015
Ran by Ethan (administrator) on ERG on 12-06-2015 11:51:58
Running from C:\Users\Ethan\Downloads
Loaded Profiles: Ethan (Available Profiles: Alan & Ethan & Samantha & HTPCuser)
Platform: Windows 8.1 Pro with Media Center (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(American Power Conversion Corporation) C:\Program Files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(CrashPlan) C:\Program Files\CrashPlan\CrashPlanService.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\msosync.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
(Spotify Ltd) C:\Users\Ethan\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Code 42 Software, Inc.) C:\Program Files\CrashPlan\CrashPlanTray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE
(American Power Conversion Corporation) C:\Program Files (x86)\APC\APC PowerChute Personal Edition\apcsystray.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(LastPass) C:\Users\Ethan\AppData\LocalLow\LastPass\LastPassBroker.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17709_none_fa7932f59afc2e40\TiWorker.exe
(Microsoft Corporation) C:\Windows\System32\wermgr.exe
(Microsoft Corporation) C:\Windows\System32\wermgr.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [LogMeIn GUI] => "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe"
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43816 2014-07-31] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [767200 2014-04-17] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-09-01] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKU\S-1-5-21-3637927715-3650498846-3315996173-1003\...\Run: [Spotify Web Helper] => C:\Users\Ethan\AppData\Roaming\Spotify\SpotifyWebHelper.exe [2021944 2015-06-03] (Spotify Ltd)
HKU\S-1-5-21-3637927715-3650498846-3315996173-1003\...\Run: [Spotify] => C:\Users\Ethan\AppData\Roaming\Spotify\Spotify.exe [7323192 2015-06-03] (Spotify Ltd)
HKU\S-1-5-21-3637927715-3650498846-3315996173-1003\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\scrnsave.scr [11776 2014-10-28] (Microsoft Corporation)
AppInit_DLLs-x32: c:/progra~3/{db813~1/192~1.1/cato.dll => "c:\progra~3\{db813~1\192~1.1\cato.dll" File not found
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\APC UPS Status.lnk [2011-04-26]
ShortcutTarget: APC UPS Status.lnk -> C:\Program Files (x86)\APC\APC PowerChute Personal Edition\Display.exe (American Power Conversion Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CrashPlan Tray.lnk [2012-11-01]
ShortcutTarget: CrashPlan Tray.lnk -> C:\Program Files\CrashPlan\CrashPlanTray.exe (Code 42 Software, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass FF RunOnce.lnk [2015-01-14]
ShortcutTarget: Install LastPass FF RunOnce.lnk -> C:\Program Files (x86)\Common Files\lpuninstall.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass IE RunOnce.lnk [2015-01-14]
ShortcutTarget: Install LastPass IE RunOnce.lnk -> C:\Program Files (x86)\Common Files\lpuninstall.exe ()
Startup: C:\Users\Ethan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2015-01-31]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3637927715-3650498846-3315996173-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?pc=MSE1
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM -> {0b4d26f6-61a8-4463-99dd-5f2fe0400fa6} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKU\S-1-5-21-3637927715-3650498846-3315996173-1003 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKU\S-1-5-21-3637927715-3650498846-3315996173-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
Toolbar: HKLM - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll [2015-01-14] (LastPass)
Toolbar: HKLM-x32 - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll [2015-01-14] (LastPass)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{76FD201B-5C9A-4C0F-A0AD-A807482DE863}: [NameServer] 192.168.137.1
Tcpip\..\Interfaces\{B3C22DA1-B10E-4AA3-8AF4-A94AA6BB5004}: [NameServer] 208.67.222.222,208.67.220.220
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\Ethan\AppData\Roaming\Mozilla\Firefox\Profiles\btcn245n.default
FF DefaultSearchEngine: Bing
FF DefaultSearchEngine.US: Bing
FF SelectedSearchEngine: Bing
FF Homepage: about:newtab
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_18_0_0_160.dll [2015-06-11] ()
FF Plugin: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2015-01-14] (LastPass)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_160.dll [2015-06-11] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-05-06] ()
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2013-01-11] (Foxit Corporation)
FF Plugin-x32: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2015-01-14] (LastPass)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2013-07-11] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll No File
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll No File
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npFoxitReaderPlugin.dll [2011-04-02] (Foxit Software Company)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll [2014-03-16] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll [2014-03-16] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll [2014-03-16] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll [2014-03-16] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll [2014-03-16] (Apple Inc.)
FF Extension: LastPass - C:\Users\Ethan\AppData\Roaming\Mozilla\Firefox\Profiles\btcn245n.default\Extensions\support@lastpass.com [2015-04-25]
FF Extension: WOT - C:\Users\Ethan\AppData\Roaming\Mozilla\Firefox\Profiles\btcn245n.default\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2015-06-04]

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-04-17] (Advanced Micro Devices, Inc.) [File not signed]
R2 APC UPS Service; C:\Program Files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe [689408 2007-07-19] (American Power Conversion Corporation)
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-28] (Microsoft Corporation)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2736824 2015-04-07] (Microsoft Corporation)
R2 CrashPlanService; C:\Program Files\CrashPlan\CrashPlanService.exe [222720 2012-08-16] (CrashPlan) [File not signed]
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [127752 2015-06-12] (SurfRight B.V.)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-01-18] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-01-18] (Hewlett-Packard) [File not signed]
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)
S2 4b1be855; "C:\WINDOWS\system32\rundll32.exe" "c:\Program Files (x86)\PathFoobar\PathFoobar.dll",serv
S2 HitmanPro37CrusaderBoot; "F:\HitManPro\RenamedforSafety_x64_hmp.exe" /crusader:boot [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AODDriver4.3; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59616 2014-02-11] (Advanced Micro Devices)
S4 LMIRfsClientNP; No ImagePath
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [136408 2015-06-12] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-04-14] (Malwarebytes Corporation)
R3 RTL8168; C:\Windows\system32\DRIVERS\rtlh64.sys [681688 2015-01-21] (Inventec                                            )
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)
U3 idsvc; No ImagePath
S2 LMIInfo; \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-12 11:51 - 2015-06-12 11:52 - 00000000 ____D C:\FRST
2015-06-12 11:51 - 2015-06-12 11:51 - 02108928 _____ (Farbar) C:\Users\Ethan\Downloads\FRST64.exe
2015-06-12 11:51 - 2015-06-12 11:51 - 00013956 _____ C:\Users\Ethan\Downloads\FRST.txt
2015-06-12 11:48 - 2015-06-12 11:48 - 00000000 ____D C:\WINDOWS\LastGood
2015-06-12 09:53 - 2015-06-12 09:53 - 00001051 _____ C:\MWB20150612.txt
2015-06-12 08:52 - 2015-06-12 08:52 - 00136408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-06-12 08:51 - 2015-06-12 08:51 - 00001118 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-06-12 08:51 - 2015-06-12 08:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-06-12 08:51 - 2015-06-12 08:51 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-06-12 08:51 - 2015-06-12 08:51 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-06-12 08:51 - 2015-04-14 09:38 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-06-12 08:51 - 2015-04-14 09:37 - 00107736 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-06-12 08:51 - 2015-04-14 09:37 - 00025816 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-06-12 08:26 - 2015-06-12 08:26 - 00001909 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2015-06-12 08:26 - 2015-06-12 08:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2015-06-12 08:26 - 2015-06-12 08:26 - 00000000 ____D C:\Program Files\HitmanPro
2015-06-12 08:17 - 2015-06-12 08:17 - 00012872 _____ (SurfRight B.V.) C:\WINDOWS\system32\bootdelete.exe
2015-06-12 08:17 - 2015-06-12 08:17 - 00007964 _____ C:\WINDOWS\system32\.crusader
2015-06-12 07:55 - 2015-06-12 08:25 - 00000000 ____D C:\ProgramData\HitmanPro
2015-06-11 20:13 - 2015-06-11 20:13 - 03480040 _____ (McAfee, Inc.) C:\Users\Ethan\Downloads\McAfeeRemovalToolMCPR.exe
2015-06-09 20:31 - 2015-04-24 21:34 - 00653824 _____ (Microsoft Corporation) C:\WINDOWS\system32\comctl32.dll
2015-06-09 20:31 - 2015-04-24 21:33 - 00549888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\comctl32.dll
2015-06-09 20:30 - 2015-05-27 09:35 - 24917504 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2015-06-09 20:30 - 2015-05-27 09:08 - 19607040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2015-06-09 20:30 - 2015-05-22 22:15 - 00503808 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2015-06-09 20:30 - 2015-05-22 22:14 - 00341504 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\html.iec
2015-06-09 20:30 - 2015-05-22 22:10 - 02278912 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2015-06-09 20:30 - 2015-05-22 22:05 - 00664064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2015-06-09 20:30 - 2015-05-22 22:04 - 00620032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9diag.dll
2015-06-09 20:30 - 2015-05-22 21:47 - 04305920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2015-06-09 20:30 - 2015-05-22 21:38 - 00689152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2015-06-09 20:30 - 2015-05-22 21:28 - 12829696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2015-06-09 20:30 - 2015-05-22 21:20 - 01950720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2015-06-09 20:30 - 2015-05-22 21:16 - 01309696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2015-06-09 20:30 - 2015-05-22 14:00 - 02885632 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2015-06-09 20:30 - 2015-05-22 14:00 - 00584192 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2015-06-09 20:30 - 2015-05-22 14:00 - 00417792 _____ (Microsoft Corporation) C:\WINDOWS\system32\html.iec
2015-06-09 20:30 - 2015-05-22 13:52 - 06026240 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2015-06-09 20:30 - 2015-05-22 13:47 - 00816640 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2015-06-09 20:30 - 2015-05-22 13:06 - 00801280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2015-06-09 20:30 - 2015-05-22 13:05 - 02125824 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2015-06-09 20:30 - 2015-05-22 12:57 - 14404096 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2015-06-09 20:30 - 2015-05-22 12:50 - 02426880 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2015-06-09 20:30 - 2015-05-22 12:49 - 02865152 _____ (Microsoft Corporation) C:\WINDOWS\system32\actxprxy.dll
2015-06-09 20:30 - 2015-05-22 12:38 - 01545728 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2015-06-09 20:29 - 2015-05-22 21:48 - 00076288 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtmled.dll
2015-06-09 20:29 - 2015-05-22 21:47 - 00285696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxtrans.dll
2015-06-09 20:29 - 2015-05-22 21:47 - 00128000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iepeers.dll
2015-06-09 20:29 - 2015-05-22 21:43 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2015-06-09 20:29 - 2015-05-22 21:38 - 00327168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2015-06-09 20:29 - 2015-05-22 21:37 - 02052608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2015-06-09 20:29 - 2015-05-22 21:28 - 01042944 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\actxprxy.dll
2015-06-09 20:29 - 2015-05-22 21:14 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2015-06-09 20:29 - 2015-05-22 13:48 - 00633856 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieui.dll
2015-06-09 20:29 - 2015-05-22 13:47 - 00814080 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9diag.dll
2015-06-09 20:29 - 2015-05-22 13:24 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2015-06-09 20:29 - 2015-05-22 13:23 - 00145408 _____ (Microsoft Corporation) C:\WINDOWS\system32\iepeers.dll
2015-06-09 20:29 - 2015-05-22 13:21 - 00316928 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxtrans.dll
2015-06-09 20:29 - 2015-05-22 13:15 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2015-06-09 20:29 - 2015-05-22 13:09 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2015-06-09 20:29 - 2015-05-22 13:08 - 00374272 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2015-06-09 20:29 - 2015-05-22 12:26 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2015-06-09 20:28 - 2015-05-21 11:47 - 04177920 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2015-06-09 20:26 - 2015-06-12 08:46 - 00000362 _____ C:\WINDOWS\Tasks\VacayExpert.job
2015-06-09 20:26 - 2015-06-12 08:17 - 00000000 ____D C:\ProgramData\{8a397691-33a1-bce5-8a39-9769133ada44}
2015-06-09 20:26 - 2015-06-09 20:26 - 00004096 _____ C:\WINDOWS\SysWOW64\ntwdblib.dll
2015-06-07 19:39 - 2015-06-12 09:53 - 00000000 ____D C:\Program Files (x86)\offfaErappe
2015-06-07 19:39 - 2015-06-12 09:53 - 00000000 ____D C:\Program Files (x86)\Block Sender
2015-06-07 19:37 - 2015-06-12 09:53 - 00000000 ____D C:\Program Files (x86)\OffERoappi
2015-06-03 22:43 - 2015-01-05 22:01 - 00072192 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ndproxy.sys
2015-06-03 22:43 - 2015-01-05 21:59 - 00080896 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\wanarp.sys
2015-06-03 22:43 - 2015-01-05 20:12 - 00185856 _____ (Microsoft Corporation) C:\WINDOWS\system32\rascfg.dll
2015-06-03 22:43 - 2015-01-05 20:02 - 00164864 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rascfg.dll
2015-06-03 22:41 - 2015-05-22 08:08 - 00700416 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2015-06-03 22:41 - 2015-05-21 08:08 - 01119232 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2015-06-03 22:41 - 2015-05-21 08:08 - 01020928 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2015-06-03 22:41 - 2015-05-21 08:08 - 00756736 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2015-06-03 22:41 - 2015-05-21 08:08 - 00422912 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2015-06-03 22:41 - 2015-05-21 08:08 - 00193536 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepic.dll
2015-06-03 22:41 - 2015-05-21 08:08 - 00045568 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2015-06-03 22:41 - 2015-04-16 17:07 - 00227328 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepdu.dll
2015-06-03 22:41 - 2015-04-08 17:07 - 00410336 _____ C:\WINDOWS\system32\ApnDatabase.xml
2015-06-03 22:40 - 2015-05-15 17:01 - 00133288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2015-06-03 22:40 - 2015-05-15 16:05 - 00066048 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups.dll
2015-06-03 22:40 - 2015-05-15 15:47 - 00355328 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinSetupUI.dll
2015-06-03 22:40 - 2015-05-15 15:23 - 00027136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wups.dll
2015-06-03 22:40 - 2015-05-15 14:42 - 03682304 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2015-06-03 22:40 - 2015-05-15 14:32 - 00035840 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapp.exe
2015-06-03 22:40 - 2015-05-15 14:31 - 00140288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuwebv.dll
2015-06-03 22:40 - 2015-05-15 14:28 - 02223104 _____ (Microsoft Corporation) C:\WINDOWS\system32\wucltux.dll
2015-06-03 22:40 - 2015-05-15 14:28 - 00408064 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUSettingsProvider.dll
2015-06-03 22:40 - 2015-05-15 14:28 - 00095744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wudriver.dll
2015-06-03 22:40 - 2015-05-15 14:27 - 00891904 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2015-06-03 22:40 - 2015-05-15 14:21 - 00124928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuwebv.dll
2015-06-03 22:40 - 2015-05-15 14:21 - 00029696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapp.exe
2015-06-03 22:40 - 2015-05-15 14:19 - 00721920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2015-06-03 22:40 - 2015-05-15 14:19 - 00081920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wudriver.dll
2015-06-03 22:40 - 2015-03-19 22:49 - 00309760 _____ (Microsoft Corporation) C:\WINDOWS\system32\compstui.dll
2015-06-03 22:40 - 2015-03-19 22:08 - 00477184 _____ (Microsoft Corporation) C:\WINDOWS\system32\puiobj.dll
2015-06-03 22:40 - 2015-03-19 21:37 - 00367104 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\puiobj.dll
2015-06-03 22:40 - 2015-03-19 21:07 - 01091072 _____ (Microsoft Corporation) C:\WINDOWS\system32\localspl.dll
2015-06-03 22:39 - 2015-05-25 08:23 - 00036864 _____ (Microsoft Corporation) C:\WINDOWS\system32\UtcResources.dll
2015-06-03 22:39 - 2015-05-25 08:07 - 01430528 _____ (Microsoft Corporation) C:\WINDOWS\system32\diagtrack.dll
2015-06-03 22:39 - 2015-03-01 20:43 - 00222208 _____ (Microsoft Corporation) C:\WINDOWS\system32\rastapi.dll
2015-06-03 22:39 - 2015-03-01 20:21 - 00207872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rastapi.dll
2015-06-03 22:38 - 2015-04-13 17:37 - 00275968 _____ (Microsoft Corporation) C:\WINDOWS\system32\authz.dll
2015-06-03 22:38 - 2015-04-13 17:34 - 00180224 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\authz.dll
2015-06-03 22:38 - 2015-04-09 19:40 - 01249280 _____ (Microsoft Corporation) C:\WINDOWS\system32\UIAutomationCore.dll
2015-06-03 22:38 - 2015-04-09 19:17 - 01018880 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\UIAutomationCore.dll
2015-06-03 22:38 - 2015-04-08 17:41 - 00158720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rgb9rast.dll
2015-06-03 22:38 - 2015-04-01 17:42 - 03097600 _____ (Microsoft Corporation) C:\WINDOWS\system32\msftedit.dll
2015-06-03 22:38 - 2015-04-01 17:30 - 02483712 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msftedit.dll
2015-06-03 22:37 - 2015-04-16 01:17 - 00325464 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\USBXHCI.SYS
2015-06-03 22:37 - 2015-03-31 23:21 - 00337408 _____ (Microsoft Corporation) C:\WINDOWS\system32\SearchProtocolHost.exe
2015-06-03 22:37 - 2015-03-31 23:18 - 00468480 _____ (Microsoft Corporation) C:\WINDOWS\system32\mssph.dll
2015-06-03 22:37 - 2015-03-31 23:17 - 00248832 _____ (Microsoft Corporation) C:\WINDOWS\system32\mssphtb.dll
2015-06-03 22:37 - 2015-03-31 23:08 - 00774144 _____ (Microsoft Corporation) C:\WINDOWS\system32\mssvp.dll
2015-06-03 22:37 - 2015-03-31 22:46 - 03633664 _____ (Microsoft Corporation) C:\WINDOWS\system32\tquery.dll
2015-06-03 22:37 - 2015-03-31 22:17 - 02551808 _____ (Microsoft Corporation) C:\WINDOWS\system32\mssrch.dll
2015-06-03 22:37 - 2015-03-31 22:17 - 00903168 _____ (Microsoft Corporation) C:\WINDOWS\system32\SearchIndexer.exe
2015-06-03 22:37 - 2015-03-31 21:53 - 00391680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mssph.dll
2015-06-03 22:37 - 2015-03-31 21:53 - 00272896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SearchProtocolHost.exe
2015-06-03 22:37 - 2015-03-31 21:45 - 02749952 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tquery.dll
2015-06-03 22:37 - 2015-03-31 21:45 - 00699392 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mssvp.dll
2015-06-03 22:37 - 2015-03-31 21:14 - 01920000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mssrch.dll
2015-06-03 22:37 - 2015-03-31 21:12 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SearchIndexer.exe
2015-06-03 13:51 - 2015-06-03 13:51 - 00000000 ____D C:\Users\Ethan\AppData\Local\GWX
2015-05-24 08:52 - 2015-05-24 08:52 - 00000000 _____ C:\Users\Ethan\AppData\Local\Temp.dat
2015-05-20 19:07 - 2015-06-12 09:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-05-20 14:51 - 2015-06-03 11:18 - 00792568 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-05-20 14:51 - 2015-06-03 11:18 - 00178168 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2015-05-18 15:46 - 2015-06-12 08:17 - 00000000 ___HD C:\OneDriveTemp
2015-05-18 10:04 - 2015-04-30 15:35 - 00124112 _____ (Microsoft Corporation) C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2015-05-18 10:04 - 2015-04-30 15:35 - 00102608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2015-05-18 09:48 - 2015-04-30 18:05 - 00429568 _____ (Microsoft Corporation) C:\WINDOWS\system32\schannel.dll
2015-05-18 09:48 - 2015-04-30 17:48 - 00358912 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\schannel.dll
2015-05-18 09:45 - 2015-04-09 19:34 - 02256896 _____ (Microsoft Corporation) C:\WINDOWS\system32\dwmcore.dll
2015-05-18 09:45 - 2015-04-09 19:11 - 01943040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dwmcore.dll
2015-05-18 09:45 - 2015-03-17 12:26 - 00467776 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\USBHUB3.SYS
2015-05-18 09:45 - 2015-03-08 21:02 - 00057856 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\bthhfenum.sys
2015-05-18 09:44 - 2015-03-19 20:56 - 00080384 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ahcache.sys
2015-05-18 09:44 - 2015-03-03 20:32 - 00172544 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Input.Inking.dll
2015-05-18 09:44 - 2015-03-03 20:12 - 00141824 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Input.Inking.dll
2015-05-18 09:44 - 2015-01-29 19:53 - 02819584 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingsHandlers.dll
2015-05-13 18:57 - 2015-04-09 20:00 - 01996800 _____ (Microsoft Corporation) C:\WINDOWS\system32\DWrite.dll
2015-05-13 18:57 - 2015-04-09 19:50 - 01387008 _____ (Microsoft Corporation) C:\WINDOWS\system32\FntCache.dll
2015-05-13 18:57 - 2015-04-09 19:26 - 01560576 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\DWrite.dll
2015-05-13 18:57 - 2015-04-08 17:55 - 00410128 _____ (Microsoft Corporation) C:\WINDOWS\system32\services.exe
2015-05-13 18:57 - 2015-04-02 19:35 - 00445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\PhotoMetadataHandler.dll
2015-05-13 18:57 - 2015-04-02 19:14 - 00364544 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PhotoMetadataHandler.dll
2015-05-13 18:57 - 2015-04-01 17:22 - 02985984 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dbgeng.dll
2015-05-13 18:57 - 2015-04-01 17:20 - 04417536 _____ (Microsoft Corporation) C:\WINDOWS\system32\dbgeng.dll
2015-05-13 18:57 - 2015-03-31 22:45 - 01491456 _____ (Microsoft Corporation) C:\WINDOWS\system32\dbghelp.dll
2015-05-13 18:57 - 2015-03-31 21:31 - 01207296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dbghelp.dll
2015-05-13 18:57 - 2015-03-12 21:02 - 00316416 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\udfs.sys
2015-05-13 18:57 - 2015-03-12 20:11 - 02162176 _____ (Microsoft Corporation) C:\WINDOWS\system32\SRH.dll
2015-05-13 18:57 - 2015-03-12 19:39 - 01812992 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SRH.dll
2015-05-13 18:56 - 2015-04-21 11:13 - 00107520 _____ (Microsoft Corporation) C:\WINDOWS\system32\inseng.dll
2015-05-13 18:56 - 2015-04-21 10:49 - 00720384 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2015-05-13 18:56 - 2015-04-21 10:28 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2015-05-13 18:56 - 2015-03-30 00:47 - 00561928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2015-05-13 18:56 - 2015-03-26 22:27 - 00445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\certcli.dll
2015-05-13 18:56 - 2015-03-26 21:50 - 00324096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certcli.dll
2015-05-13 18:56 - 2015-03-26 21:48 - 01441792 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2015-05-13 18:56 - 2015-03-12 23:03 - 00239424 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\sdbus.sys
2015-05-13 18:56 - 2015-03-12 23:03 - 00154432 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dumpsd.sys
2015-05-13 18:56 - 2015-03-10 20:49 - 00024576 _____ (Microsoft Corporation) C:\WINDOWS\system32\sdbinst.exe
2015-05-13 18:56 - 2015-03-10 20:09 - 00021504 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\sdbinst.exe
2015-05-13 18:56 - 2015-03-05 22:08 - 02067968 _____ (Microsoft Corporation) C:\WINDOWS\system32\wpdshext.dll
2015-05-13 18:56 - 2015-03-05 21:47 - 01696256 _____ (Microsoft Corporation) C:\WINDOWS\system32\wevtsvc.dll
2015-05-13 18:56 - 2015-03-05 21:43 - 01969664 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wpdshext.dll
2015-05-13 18:56 - 2015-02-17 18:19 - 00186368 _____ (Microsoft Corporation) C:\WINDOWS\system32\dpapisrv.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-12 11:52 - 2014-09-10 19:48 - 00004952 _____ C:\WINDOWS\System32\Tasks\Microsoft Office 15 Sync Maintenance for ERG-Ethan ERG
2015-06-12 11:51 - 2014-04-24 21:21 - 01797822 _____ C:\WINDOWS\WindowsUpdate.log
2015-06-12 11:41 - 2014-05-04 12:47 - 00003906 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{0A6018F9-9D8E-4EF5-B33D-8B329FE23CAD}
2015-06-12 11:35 - 2015-03-25 19:14 - 00000000 ____D C:\Users\Ethan\AppData\Local\Spotify
2015-06-12 11:34 - 2015-03-25 19:14 - 00000000 ____D C:\Users\Ethan\AppData\Roaming\Spotify
2015-06-12 11:34 - 2013-02-19 14:14 - 00003598 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3637927715-3650498846-3315996173-1003
2015-06-12 11:33 - 2014-09-10 19:11 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-06-12 11:33 - 2013-04-02 16:04 - 00000000 __RDO C:\Users\Ethan\OneDrive
2015-06-12 11:29 - 2013-08-22 09:46 - 00404063 _____ C:\WINDOWS\setupact.log
2015-06-12 11:29 - 2013-08-22 09:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-06-12 10:05 - 2015-02-16 16:45 - 00000000 __SHD C:\Users\Ethan\AppData\Local\EmieBrowserModeList
2015-06-12 10:05 - 2014-05-04 12:47 - 00000000 __SHD C:\Users\Ethan\AppData\Local\EmieUserList
2015-06-12 10:05 - 2014-05-04 12:47 - 00000000 __SHD C:\Users\Ethan\AppData\Local\EmieSiteList
2015-06-12 10:00 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\system32\sru
2015-06-12 09:54 - 2014-03-18 04:52 - 00046460 _____ C:\WINDOWS\PFRO.log
2015-06-12 09:53 - 2015-04-09 03:00 - 00000000 ____D C:\Program Files (x86)\multiNotifier for multiple Gmail accounts
2015-06-12 09:53 - 2015-03-19 20:52 - 00000000 ____D C:\ProgramData\shoppilation
2015-06-12 09:53 - 2015-02-28 10:29 - 00000000 ____D C:\Users\Ethan\AppData\Local\Binkiland
2015-06-12 08:46 - 2013-08-22 08:25 - 01048576 ___SH C:\WINDOWS\system32\config\BBI
2015-06-12 08:19 - 2015-03-19 20:30 - 00000000 ____D C:\Program Files (x86)\PathFoobar
2015-06-12 08:17 - 2015-02-28 10:27 - 00000000 ____D C:\ProgramData\{5b35a79b-ad51-1631-5b35-5a79bad59e6e}
2015-06-12 07:57 - 2014-03-18 05:02 - 00863592 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-06-11 19:55 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2015-06-11 19:35 - 2014-09-10 19:11 - 00003718 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2015-06-11 19:35 - 2013-02-20 14:57 - 00000000 ____D C:\Users\Ethan\AppData\Local\Adobe
2015-06-11 19:25 - 2013-08-22 09:44 - 00473984 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2015-06-11 19:21 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\PolicyDefinitions
2015-06-11 19:15 - 2013-07-11 12:09 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-06-11 19:03 - 2012-07-26 02:59 - 00000000 ____D C:\WINDOWS\CbsTemp
2015-06-11 19:03 - 2011-04-02 21:41 - 140135120 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-06-11 18:59 - 2015-01-24 10:48 - 00000000 ____D C:\Users\Ethan\AppData\Roaming\Skype
2015-06-11 08:00 - 2014-05-04 13:32 - 00000000 ____D C:\Users\Ethan\AppData\Roaming\.minecraft
2015-06-11 00:29 - 2015-02-28 11:29 - 00000128 _____ C:\Users\Ethan\AppData\Roaming\WB.CFG
2015-06-09 12:32 - 2014-11-25 14:32 - 18169520 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerInstaller.exe
2015-06-07 19:39 - 2015-03-10 18:09 - 00000000 ____D C:\ProgramData\9306187726240782670
2015-06-04 15:54 - 2012-08-21 09:05 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-06-04 15:50 - 2015-04-20 16:11 - 00000000 ____D C:\WINDOWS\system32\appraiser
2015-06-04 15:50 - 2014-11-28 18:43 - 00000000 ___SD C:\WINDOWS\system32\CompatTel
2015-06-04 15:50 - 2013-08-22 10:36 - 00000000 ___RD C:\WINDOWS\ToastData
2015-05-20 20:16 - 2015-01-24 10:47 - 00000000 ____D C:\ProgramData\Skype
2015-05-20 15:19 - 2013-05-12 11:35 - 00000000 ____D C:\Program Files\Microsoft Office 15
2015-05-20 15:15 - 2013-02-20 14:56 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-05-20 15:06 - 2013-02-19 14:08 - 00000000 ____D C:\Users\Ethan\AppData\Local\Packages
2015-05-20 14:48 - 2012-07-15 12:41 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2015-05-20 14:48 - 2012-07-15 12:41 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2015-05-20 08:47 - 2015-04-06 07:31 - 00000000 ___SD C:\WINDOWS\SysWOW64\GWX
2015-05-20 08:47 - 2015-04-06 07:31 - 00000000 ___SD C:\WINDOWS\system32\GWX
2015-05-20 08:47 - 2013-08-22 10:36 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2015-05-20 08:47 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\system32\AdvancedInstallers
2015-05-20 06:04 - 2013-02-05 13:21 - 00003598 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3637927715-3650498846-3315996173-1004
2015-05-20 05:42 - 2012-07-15 12:42 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-05-18 15:02 - 2013-04-02 15:38 - 00000000 ___DO C:\Users\Samantha\OneDrive
2015-05-18 09:37 - 2013-07-16 16:06 - 00000000 ____D C:\Users\Samantha\Documents\Outlook Files
2015-05-18 09:34 - 2014-03-18 04:43 - 00000000 ____D C:\Program Files\Windows Journal
2015-05-18 09:34 - 2012-12-14 15:54 - 00000000 ____D C:\Users\Samantha\AppData\Roaming\cubby
2015-05-18 09:29 - 2011-04-14 21:21 - 00000000 ____D C:\Users\Samantha\AppData\Roaming\LastPass
2015-05-18 09:26 - 2012-11-01 17:03 - 00000000 ____D C:\Program Files\CrashPlan

==================== Files in the root of some directories =======

2015-05-05 13:29 - 2015-05-05 13:29 - 0000079 _____ () C:\Program Files (x86)\prefs.js
2011-04-10 23:19 - 2015-01-14 20:09 - 14147584 _____ () C:\Program Files (x86)\Common Files\lpuninstall.exe
2015-02-28 11:29 - 2015-06-11 00:29 - 0000128 _____ () C:\Users\Ethan\AppData\Roaming\WB.CFG
2015-03-02 01:29 - 2015-03-02 01:29 - 0000010 _____ () C:\Users\Ethan\AppData\Local\DSI.DAT
2015-04-14 12:37 - 2015-04-29 18:31 - 0000800 _____ () C:\Users\Ethan\AppData\Local\Temp-log.txt
2015-05-24 08:52 - 2015-05-24 08:52 - 0000000 _____ () C:\Users\Ethan\AppData\Local\Temp.dat
2011-04-03 09:02 - 2015-02-01 13:46 - 0016978 _____ () C:\ProgramData\hpzinstall.log

Some files in TEMP:
====================
C:\Users\Alan\AppData\Local\Temp\devcon.exe
C:\Users\Alan\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Ethan\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\Ethan\AppData\Local\Temp\ntwdblib.dll
C:\Users\Ethan\AppData\Local\Temp\setacl.exe
C:\Users\Ethan\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Ethan\AppData\Local\Temp\SpotifyUninstall.exe
C:\Users\Ethan\AppData\Local\Temp\xmlUpdater.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

TDL4: custom:26000022 <===== ATTENTION!

LastRegBack: 2015-06-11 23:55

==================== End of log ============================



#2 alangant
  • Topic Starter
  • Members
  • 3 posts
  • Gender:Male
  • Local time:05:22 PM

Posted 14 June 2015 - 02:37 PM

A little additional information:

This infection has hit 2 computers in my home on the same day. On a third, clean computer, I downloaded and created a CD with Windows Defender Offline. When I boot this disk in the infected computers, it fails to see a system disk and aborts, with error code 8004cc01. I suspect ransomware, but have not received any notification yet. I keep both machines powered off, except when booting from an alternate drive.

I took one of my data drives out of an infected computer, and used a SATA-to-USB adapter to add it to a known clean computer. I booted that computer normally, and I could see some of the attached drive, but not all. I then shut down, and booted Defender Offline from a CD, and that system no longer had a recognizable boot drive, error 8004cc01. Apparently, this infection can propagate from an infected data drive, if connected via USB! (Wow, it must be delivering a driver from that SATA drive which can propagate the infection. This computer has not been connected to the internet in any way since the infection arrived in my network.)

On one computer, I have now reloaded Windows 8 from DVD installation media, first formatting the system drive to remove any infection. That system now appears clean, passing Defender Offline and other system scans.

The second computer has remained unplugged. I can reinstall Windows on the system drive, but I really would like to recover files from the data drives from that system. Some, but not all, of my data was backed up.

Thanks!

 



#3 nasdaq
  • Malware Response Team
  • 38,756 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:22 PM

Posted 16 June 2015 - 07:48 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


Start::

CreateRestorePoint:
CloseProcesses:

AppInit_DLLs-x32: c:/progra~3/{db813~1/192~1.1/cato.dll => "c:\progra~3\{db813~1\192~1.1\cato.dll" File not found
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> {0b4d26f6-61a8-4463-99dd-5f2fe0400fa6} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll No File
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll No File
S2 4b1be855; "C:\WINDOWS\system32\rundll32.exe" "c:\Program Files (x86)\PathFoobar\PathFoobar.dll",serv
S2 HitmanPro37CrusaderBoot; "F:\HitManPro\RenamedforSafety_x64_hmp.exe" /crusader:boot [X]
S4 LMIRfsClientNP; No ImagePath
U3 idsvc; No ImagePath
S2 LMIInfo; \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [X]
c:\Program Files (x86)\PathFoobar\PathFoobar.dll
C:\Users\Alan\AppData\Local\Temp\devcon.exe
C:\Users\Alan\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Ethan\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\Ethan\AppData\Local\Temp\ntwdblib.dll
C:\Users\Ethan\AppData\Local\Temp\setacl.exe
C:\Users\Ethan\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Ethan\AppData\Local\Temp\SpotifyUninstall.exe
C:\Users\Ethan\AppData\Local\Temp\xmlUpdater.exe

End::
Save the file as fixlist.txt in the same folder the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===


CHR dev: Chrome dev build detected! <======= ATTENTION


Your copy of Chrome has been compromised

Re-install Chrome

Unless you did this yourself, malware has changed your Chrome version into the Development Build. Among other things this allows malware to install any extension it wants.

Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

===

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Before you do, export your bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

Re-install Chrome and the Bookmarks.

If you want to save all your settings refer to this page.
Follow the instructions before removing Chrome.
http://juan2geek.com/how-to-backup-and-restore-entire-google-chrome-setting/
<<<>>>

How is the computer running now?

#4 nasdaq
  • Malware Response Team
  • 38,756 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:22 PM

Posted 21 June 2015 - 08:11 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



