
svchost takes huge part of memory; cant delete some *.pdf; cursor freezes; lags


This topic is locked
28 replies to this topic

#1 Saxer

  • Members

Posted 09 July 2015 - 07:17 AM

Hello, as in the topic title, I have some problems with my PC...:

- usually svchost takes 99% of memory

- can't enable Windows Firewall <wtf>

- can't delete some *.pdf files from disk (I downloaded these files from my university, strange...) (OK, after restarting the computer these files were deleted)

- sometimes the mouse cursor freezes, it takes around 2-5 s

- the whole system is slow...

 

I used the tips from here:

http://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/

and no effect :/ (maybe a little bit faster but no shock effect)

 

I've added logs from FARBAR and HiJackThis. Thanks for the help, I don't want to reinstall my system :(


Edited by Saxer, 09 July 2015 - 07:18 AM.




#2 nasdaq

  • Malware Response Team

Posted 12 July 2015 - 08:17 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

ATTENTION: System Restore is disabled

Turn System Restore on - Windows Help
http://windows.microsoft.com/en-ca/windows/turn-system-restore-on-off#1TC=windows-7
===


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Microsoft Corporation) C:\Users\Saxer\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe
R2 VSSS; C:\Users\Saxer\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe [102467904 2015-06-23] (Microsoft Corporation) [File not signed] <==== ATTENTION
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Users\Saxer\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.

How is the computer running now?
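The service removed by the fixlist above borrows the name of the Volume Shadow Copy binary (vssvc.exe, whose genuine copy sits signed in C:\Windows\System32) but runs unsigned from the user's AppData folder. As an added example, not part of the thread or of FRST, the Python script below applies that triage to FRST service/driver lines: user-writable image paths, Windows binary names outside \Windows, unsigned files and orphaned [X] entries are scored, and the high-severity ones are turned into a fixlist in the shape nasdaq used. The sample lines are constructed from the logs in this thread; the severity rules and the WINDOWS_BINARIES list are assumptions of mine.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample, modelled on FRST "Services"/"Drivers" lines quoted in this thread.
SAMPLE_LOG = r"""
R2 VSSS; C:\Users\Saxer\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe [102467904 2015-06-23] (Microsoft Corporation) [File not signed] <==== ATTENTION
R2 AVP15.0.2; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\avp.exe [194000 2015-06-23] (Kaspersky Lab ZAO)
S3 SolidWorks Licensing Service; C:\Program Files (x86)\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [79360 2014-11-03] (SolidWorks) [File not signed]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
"""

# Windows service binaries whose names get borrowed (assumed list, seeded from the FSS
# "File Check" section and the VSSVC.exe entry in this thread).
WINDOWS_BINARIES = {"vssvc.exe", "svchost.exe", "mpssvc.dll", "bfe.dll", "wscsvc.dll",
                    "wuaueng.dll", "cryptsvc.dll", "rpcss.dll", "dnsrslvr.dll", "qmgr.dll"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
ENTRY_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);\s+(?P<rest>.+)$")


@dataclass
class Finding:
    name: str
    path: str
    raw: str
    severity: str = "none"    # "high", "medium", "low" or "none"
    orphan: bool = False      # FRST printed [X]: registry entry whose file is gone
    reasons: list = field(default_factory=list)


def parse_entry(line):
    """Split one FRST line into (start type, service name, image path, metadata tail)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    cut = rest.find(" [")   # FRST metadata always begins with " ["
    path = rest if cut < 0 else rest[:cut]
    tail = "" if cut < 0 else rest[cut:]
    return m.group("start"), m.group("name"), path, tail


def assess(line):
    """Score one service/driver entry using only what FRST printed (no disk access)."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    start, name, path, tail = parsed
    lower = path.lower()
    fname = PureWindowsPath(path).name.lower()
    vendor_m = re.search(r"\(([^)]*)\)", tail)
    vendor = vendor_m.group(1) if vendor_m else ""
    f = Finding(name=name, path=path, raw=line.strip(), orphan="[X]" in tail)
    writable = any(tok in lower for tok in USER_WRITABLE)
    masquerade = fname in WINDOWS_BINARIES and "\\windows\\" not in lower
    unsigned = "[File not signed]" in tail
    if f.orphan:
        f.reasons.append("orphaned entry: the binary is missing on disk")
    if writable:
        f.reasons.append("binary lives in a user-writable location")
    if masquerade:
        f.reasons.append(f"{fname} carries the name of a Windows binary but sits outside \\Windows")
    if unsigned:
        # The vendor string comes from version info: a claim anyone can write, not a signature.
        claim = " although its version info claims Microsoft" if "microsoft" in vendor.lower() else ""
        f.reasons.append("binary is not signed" + claim)
    if masquerade or (writable and unsigned):
        f.severity = "high"
    elif writable or unsigned:
        f.severity = "medium"
    elif f.reasons:
        f.severity = "low"
    if f.severity == "high" and start.startswith("R"):
        f.reasons.append(f"start type {start}: the service is running right now")
    return f


def triage(log_text):
    """Assess every service/driver line of an FRST section; other lines are skipped."""
    return [f for f in (assess(l) for l in log_text.splitlines()) if f is not None]


def fixlist_for(findings):
    """Build an FRST fixlist in the shape used in this thread: quarantine file, drop entry."""
    lines = ["start", "CreateRestorePoint:", "CloseProcesses:"]
    for f in findings:
        if f.severity == "high":
            lines.append(f.path)   # bare path: FRST moves the file to quarantine
            lines.append(f.raw)    # service line: FRST removes the registry entry
        elif f.orphan:
            lines.append(f.raw)    # dead entries are only registry clutter
    lines.append("End")
    return "\n".join(lines)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.name}: {'; '.join(f.reasons) or 'nothing unusual'}")
    print(fixlist_for(triage(SAMPLE_LOG)))
```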

#3 Saxer

  • Topic Starter

Posted 13 July 2015 - 05:02 PM

Hello nasdaq, thanks for response and help.

 

There are still freezes ;/

I think it's because of this: 

[attached screenshot: process.png]

 

Additionally, as I said earlier, I can't launch Windows Firewall... A few seconds after launching ComboFix I get a blue screen; I tried once again - same effect... I can't open Malwarebytes Anti-Malware either... Nothing happens after double-clicking.

 

 

Fixlog.txt:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:13-07-2015

Ran by Saxer at 2015-07-13 23:27:51 Run:1
Running from C:\Users\Saxer\Desktop
Loaded Profiles: Saxer (Available Profiles: Saxer)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
(Microsoft Corporation) C:\Users\Saxer\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe
R2 VSSS; C:\Users\Saxer\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe [102467904 2015-06-23] (Microsoft Corporation) [File not signed] <==== ATTENTION
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Users\Saxer\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
[2072] C:\Users\Saxer\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe => process closed successfully.
VSSS => Service removed successfully
Synth3dVsc => Service removed successfully
tsusbhub => Service removed successfully
VGPU => Service removed successfully
C:\Users\Saxer\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe => moved successfully.
EmptyTemp: => 3.4 GB temporary data Removed.
 
 
The system needed a reboot.. 
 
==== End of Fixlog 23:30:39 ====


#4 nasdaq

  • Malware Response Team

Posted 14 July 2015 - 08:16 AM

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

======

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.

p.s.
Your Windows Firewall may be disabled by your Kaspersky protection software.
Do you know if this software comes with a Firewall?

#5 Saxer

  • Topic Starter

Posted 16 July 2015 - 06:31 AM

You're right, Kaspersky has its own firewall technology and blocks the system FW. After turning off the KAS FW I can launch the Windows FW. Svchost launches with system start and later was turning off. Sometimes it turns on again.

 

 

Log from Security check:


 

Results of screen317's Security Check version 1.005  

 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
``````````````Antivirus/Firewall Check:`````````````` 
Kaspersky Internet Security   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Java 8 Update 45  
  Adobe Flash Player 17.0.0.191 Flash Player out of Date!  
 Adobe Reader XI  
 Mozilla Firefox 35.0.1 Firefox out of Date!  
 Google Chrome (43.0.2357.130) 
 Google Chrome (43.0.2357.132) 
````````Process Check: objlist.exe by Laurent````````  
 Kaspersky Lab Kaspersky Internet Security 15.0.2 avp.exe  
 Kaspersky Lab Kaspersky Internet Security 15.0.2 avpui.exe  
 Kaspersky Lab Kaspersky Internet Security 15.0.2 avp.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  
````````````````````End of Log`````````````````````` 
 

 

 

 

And FSS log:


 

Farbar Service Scanner Version: 17-01-2015

Ran by Saxer (administrator) on 16-07-2015 at 13:19:02
Running from "C:\Users\Saxer\Desktop"
Microsoft Windows 7 Ultimate  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
 
 
**** End of log ****


#6 nasdaq

  • Malware Response Team

Posted 16 July 2015 - 07:46 AM



Go to this page.
http://download.bleepingcomputer.com/win-services/7/

Download this file to your desktop.
WinDefend.reg

Double-click on it to execute it and merge it into the registry.
Then restart your computer once.

How is the computer running now?

p.s.
You can delete the WinDefend.reg when done.

#7 nasdaq

  • Malware Response Team

Posted 22 July 2015 - 07:24 AM

Are you still with me?

#8 nasdaq

  • Malware Response Team

Posted 28 July 2015 - 07:20 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

#9 nasdaq

  • Malware Response Team

Posted 09 August 2015 - 01:05 PM

This topic has been re-opened at the request of the person who originally posted.

#10 Saxer

  • Topic Starter

Posted 10 August 2015 - 04:07 AM

svchost didn't take all the free memory during the scan:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:09-08-2015

Ran by Saxer (administrator) on SAXER-PC (10-08-2015 11:03:18)
Running from C:\Users\Saxer\Desktop\Nowy folder (6)
Loaded Profiles: Saxer (Available Profiles: Saxer)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: Polski (Polska)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Autodesk Inc.) C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\avp.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe
(Autodesk, Inc.) D:\Inventor\inv 15\Inventor 2015\Moldflow\bin\mitsijm.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(LogMeIn Inc.) C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\avpui.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Dassault Systèmes SolidWorks Corp.) D:\SolidWorks\SolidWorks\sldworks_fs.exe
() C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(LogMeIn Inc.) C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
(Logitech, Inc.) C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2199840 2014-04-30] (NVIDIA Corporation)
HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [3100440 2014-05-19] (Logitech, Inc.)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13672152 2014-05-09] (Realtek Semiconductor)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [334896 2015-04-30] (Oracle Corporation)
HKLM-x32\...\Run: [LogMeIn Hamachi Ui] => C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe [5579624 2015-08-03] (LogMeIn Inc.)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SolidWorks 2013 Fast Start.lnk [2014-11-03]
ShortcutTarget: SolidWorks 2013 Fast Start.lnk -> C:\Windows\Installer\{B6B5EA7E-B91F-443D-A958-B0062FB53804}\NewShortcut2_87EDF6C81D0A4B7B84F42FE0C6A9D608.exe (Flexera Software, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TP-LINK Wireless Configuration Utility.lnk [2015-03-24]
ShortcutTarget: TP-LINK Wireless Configuration Utility.lnk -> C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe ()
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\system32\AcSignIcon.dll [2014-02-07] (Autodesk, Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-2513284149-2394579172-224337169-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/pl-pl/?ocid=iehp
BHO: Virtual Keyboard Plugin -> {4A66AD60-A03D-4D01-86F0-5F0F7C0EF1AD} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x64\IEExt\ie_plugin.dll [2014-12-23] (Kaspersky Lab ZAO)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO: Content Blocker Plugin -> {93BC2EA7-2F17-4729-948A-D2E03FFB2412} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x64\IEExt\ie_plugin.dll [2014-12-23] (Kaspersky Lab ZAO)
BHO: Safe Money Plugin -> {AB379017-4C03-4E00-8EDF-E6D6AF7CCF82} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x64\IEExt\ie_plugin.dll [2014-12-23] (Kaspersky Lab ZAO)
BHO: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll [2014-05-19] (Logitech, Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Virtual Keyboard Plugin -> {4A66AD60-A03D-4D01-86F0-5F0F7C0EF1AD} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\IEExt\ie_plugin.dll [2014-12-23] (Kaspersky Lab ZAO)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\ssv.dll [2015-07-09] (Oracle Corporation)
BHO-x32: Content Blocker Plugin -> {93BC2EA7-2F17-4729-948A-D2E03FFB2412} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\IEExt\ie_plugin.dll [2014-12-23] (Kaspersky Lab ZAO)
BHO-x32: Safe Money Plugin -> {AB379017-4C03-4E00-8EDF-E6D6AF7CCF82} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\IEExt\ie_plugin.dll [2014-12-23] (Kaspersky Lab ZAO)
BHO-x32: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll [2014-05-19] (Logitech, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-07-09] (Oracle Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{17558BA8-4A1E-4670-9712-F3F97FCD9D37}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{6C2D89F2-DBB0-4A1D-A974-4FAA6F8B1EDA}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{810E4418-556F-41F1-9AD6-C37E943D2A32}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{94BFF633-2BD2-4AC9-8FD0-9B4FAAA7DD0A}: [DhcpNameServer] 8.8.8.8 91.196.8.2
Tcpip\..\Interfaces\{E1FF63A3-C4C6-4430-8A54-E709DB97D600}: [DhcpNameServer] 192.168.1.1
 
FireFox:
========
FF ProfilePath: C:\Users\Saxer\AppData\Roaming\Mozilla\Firefox\Profiles\od954122.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_209.dll [2015-07-16] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_209.dll [2015-07-16] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-07-09] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-07-09] (Oracle Corporation)
FF Plugin-x32: @kaspersky.com/content_blocker_663BE84DBCC949E88C7600F63CA7F098 -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\FFExt\content_blocker@kaspersky.com [2015-06-23] ()
FF Plugin-x32: @kaspersky.com/online_banking_08806E753BE44495B44E90AA2513BDC5 -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\FFExt\online_banking@kaspersky.com [2015-06-23] ()
FF Plugin-x32: @kaspersky.com/virtual_keyboard_07402848C2F6470194F131B0F3DE025E -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\FFExt\virtual_keyboard@kaspersky.com [2015-06-23] ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2014-05-20] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2014-05-20] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-16] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2513284149-2394579172-224337169-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Saxer\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2014-12-05] (Unity Technologies ApS)
FF Extension: Adblock Plus - C:\Users\Saxer\AppData\Roaming\Mozilla\Firefox\Profiles\od954122.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-08-23]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt
FF Extension: Logitech SetPoint - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2014-07-22]
FF HKLM-x32\...\Firefox\Extensions: [content_blocker_663BE84DBCC949E88C7600F63CA7F098@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\FFExt\content_blocker@kaspersky.com
FF Extension: Dangerous Websites Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\FFExt\content_blocker@kaspersky.com [2015-06-23]
FF HKLM-x32\...\Firefox\Extensions: [virtual_keyboard_07402848C2F6470194F131B0F3DE025E@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\FFExt\virtual_keyboard@kaspersky.com
FF Extension: Virtual Keyboard - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\FFExt\virtual_keyboard@kaspersky.com [2015-06-23]
FF HKLM-x32\...\Firefox\Extensions: [online_banking_08806E753BE44495B44E90AA2513BDC5@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\FFExt\online_banking@kaspersky.com
FF Extension: Safe Money - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\FFExt\online_banking@kaspersky.com [2015-06-23]
 
Chrome: 
=======
CHR Profile: C:\Users\Saxer\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Saxer\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-07-22]
CHR Extension: (Google Drive) - C:\Users\Saxer\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-07-22]
CHR Extension: (YouTube) - C:\Users\Saxer\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-07-22]
CHR Extension: (Adblock Plus) - C:\Users\Saxer\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-07-22]
CHR Extension: (Google Search) - C:\Users\Saxer\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-07-22]
CHR Extension: (Kaspersky Protection) - C:\Users\Saxer\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbhjdbfgekjfcfkkfjjmlmojhbllhbho [2015-06-24]
CHR Extension: (AgarioMods Evergreen Script) - C:\Users\Saxer\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhjgdbihpkphlammdaeicdemggagfbdo [2015-06-28]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Saxer\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-07-22]
CHR Extension: (Gmail) - C:\Users\Saxer\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-07-22]
CHR HKLM\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - https://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho
CHR HKLM-x32\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - https://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AdAppMgrSvc; C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe [599944 2014-12-05] (Autodesk Inc.)
R2 AVP15.0.2; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\avp.exe [194000 2015-06-23] (Kaspersky Lab ZAO)
S3 CoordinatorServiceHost; D:\SolidWorks\SolidWorks\swScheduler\DTSCoordinatorService.exe [77352 2013-03-28] (Dassault Systèmes SolidWorks Corp.)
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe [417552 2015-08-03] (LogMeIn, Inc.)
R2 mitsijm2015; D:\Inventor\inv 15\Inventor 2015\Moldflow\bin\mitsijm.exe [968480 2013-10-12] (Autodesk, Inc.)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1617696 2014-04-30] (NVIDIA Corporation)
S3 SolidWorks Licensing Service; C:\Program Files (x86)\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [79360 2014-11-03] (SolidWorks) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 AtcL001; C:\Windows\System32\DRIVERS\l160x64.sys [58368 2009-06-25] (Atheros Communications, Inc.)
R0 cm_km_w; C:\Windows\System32\DRIVERS\cm_km_w.sys [247016 2015-06-23] (Kaspersky Lab UK Ltd)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283064 2014-10-06] (Disc Soft Ltd)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [478392 2015-06-23] (Kaspersky Lab ZAO)
R2 kldisk; C:\Windows\System32\DRIVERS\kldisk.sys [64368 2015-06-23] (Kaspersky Lab ZAO)
R3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [159960 2015-06-23] (Kaspersky Lab ZAO)
R1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [225976 2015-07-07] (Kaspersky Lab ZAO)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [850608 2015-06-23] (Kaspersky Lab ZAO)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [39280 2015-06-23] (Kaspersky Lab ZAO)
R3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [40304 2015-06-23] (Kaspersky Lab ZAO)
R3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [39280 2015-06-23] (Kaspersky Lab ZAO)
R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [24944 2015-06-23] (Kaspersky Lab ZAO)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [65208 2015-06-23] (Kaspersky Lab ZAO)
R1 Klwtp; C:\Windows\System32\DRIVERS\klwtp.sys [85360 2015-06-23] (Kaspersky Lab ZAO)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [190648 2015-06-23] (Kaspersky Lab ZAO)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-29] ()
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [40392 2014-03-31] (NVIDIA Corporation)
S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]
S3 ew_usbenumfilter; system32\DRIVERS\ew_usbenumfilter.sys [X]
S3 huawei_cdcacm; system32\DRIVERS\ew_jucdcacm.sys [X]
S3 huawei_cdcecm; system32\DRIVERS\ew_jucdcecm.sys [X]
S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
S3 huawei_ext_ctrl; system32\DRIVERS\ew_juextctrl.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-08-09 15:00 - 2015-08-10 11:02 - 00000000 ____D C:\Users\Saxer\Desktop\Nowy folder (6)
2015-08-07 20:59 - 2015-08-07 20:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Hamachi
2015-08-07 20:59 - 2015-08-07 20:59 - 00000000 ____D C:\Program Files (x86)\LogMeIn Hamachi
2015-07-16 15:26 - 2015-07-16 15:26 - 00007586 _____ C:\Users\Saxer\Downloads\WinDefend.reg
2015-07-13 22:23 - 2015-07-13 22:24 - 01415680 _____ (wj32) C:\Program Files\I2M6K2MU.exe
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-08-10 11:03 - 2015-07-09 13:56 - 00000000 ____D C:\FRST
2015-08-10 11:01 - 2014-07-22 17:29 - 01633721 _____ C:\Windows\WindowsUpdate.log
2015-08-10 10:58 - 2015-01-17 17:56 - 00000000 ____D C:\Users\Saxer\AppData\Local\LogMeIn Hamachi
2015-08-10 10:57 - 2015-06-23 12:26 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2015-08-10 10:57 - 2014-07-22 23:32 - 00000000 ____D C:\ProgramData\NVIDIA
2015-08-10 10:57 - 2014-07-22 18:58 - 00001044 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-08-10 10:57 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-08-10 10:57 - 2009-07-14 06:51 - 00103724 _____ C:\Windows\setupact.log
2015-08-09 19:05 - 2014-08-07 01:14 - 00000000 ____D C:\Users\Saxer\AppData\Roaming\AIMP3
2015-08-09 19:05 - 2009-07-14 06:45 - 00013904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-08-09 19:05 - 2009-07-14 06:45 - 00013904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-08-09 18:00 - 2014-07-22 18:58 - 00001048 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-08-09 17:23 - 2014-07-27 11:50 - 00000930 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-08-09 15:04 - 2009-07-14 07:08 - 00032604 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-08-07 21:18 - 2014-07-22 18:59 - 00002149 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-08-03 12:12 - 2015-03-24 22:26 - 00033856 ____H (LogMeIn, Inc.) C:\Windows\system32\hamachi.sys
2015-07-17 12:11 - 2014-08-09 16:55 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-07-17 12:10 - 2014-12-23 21:03 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-07-16 15:28 - 2014-07-23 00:11 - 00154374 _____ C:\Windows\PFRO.log
2015-07-16 14:23 - 2014-07-27 11:50 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-07-16 14:23 - 2014-07-27 11:50 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-07-16 14:23 - 2014-07-27 11:50 - 00003868 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-07-16 13:53 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\Cursors
2015-07-16 13:40 - 2014-07-22 18:58 - 00004044 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-07-16 13:40 - 2014-07-22 18:58 - 00003792 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-07-16 13:28 - 2015-07-09 17:23 - 00113880 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
 
==================== Files in the root of some directories =======
 
2015-07-09 17:24 - 2015-07-09 17:24 - 1415680 _____ (wj32) C:\Program Files\AMKUY26E.exe
2015-07-13 22:23 - 2015-07-13 22:24 - 1415680 _____ (wj32) C:\Program Files\I2M6K2MU.exe
2015-07-09 17:23 - 2015-07-09 17:23 - 1415680 _____ (wj32) C:\Program Files\IUEYI2MU.exe
2015-07-09 17:24 - 2015-07-09 17:24 - 1415680 _____ (wj32) C:\Program Files\UY26AEI6.exe
2014-11-04 02:08 - 2014-12-11 00:32 - 0000000 _____ () C:\Users\Saxer\AppData\Local\Temptable.xml
2014-08-07 01:05 - 2014-08-07 01:05 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-08-09 16:59
 
==================== End of log ============================

 



#11 nasdaq (Malware Response Team)

Posted 10 August 2015 - 08:31 AM


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]
S3 ew_usbenumfilter; system32\DRIVERS\ew_usbenumfilter.sys [X]
S3 huawei_cdcacm; system32\DRIVERS\ew_jucdcacm.sys [X]
S3 huawei_cdcecm; system32\DRIVERS\ew_jucdcecm.sys [X]
S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
S3 huawei_ext_ctrl; system32\DRIVERS\ew_juextctrl.sys [X]
C:\Program Files\AMKUY26E.exe
C:\Program Files\I2M6K2MU.exe
C:\Program Files\IUEYI2MU.exe
C:\Program Files\UY26AEI6.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?
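The fixlist above is assembled by hand from the FRST log: the `S3 ...; ... [X]` driver entries are services whose binary is no longer on disk ([X] is FRST's marker for a file that was not found), and the four `C:\Program Files\*.exe` paths are executables of identical size, with random eight-character names, sitting directly in the Program Files root. The script below is an added example for this thread, not FRST's own code and not part of nasdaq's instructions. It parses a handful of lines copied from the posted log (plus two constructed control lines that must not be flagged), applies those two observations as heuristics of its own, and drafts a fixlist in the same shape as the one above. A flagged file is a prompt to look at it, not a verdict, and the draft should be reviewed before it is run.

```python
"""Triage a few FRST (Farbar Recovery Scan Tool) log lines and draft a fixlist.

Added example for this thread; it is not FRST's own code and the flagging
rules are this example's heuristics. Line formats follow the log posted in
the thread; SAMPLE_LOG mixes lines copied from that log with constructed
control lines that must not be flagged.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
S3 huawei_cdcecm; system32\DRIVERS\ew_jucdcecm.sys [X]
S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
S3 huawei_ext_ctrl; system32\DRIVERS\ew_juextctrl.sys [X]
R3 hamachi; C:\Windows\system32\hamachi.sys [33856 2015-03-24] (LogMeIn, Inc.)
==================== Files in the root of some directories =======

2015-07-09 17:24 - 2015-07-09 17:24 - 1415680 _____ (wj32) C:\Program Files\AMKUY26E.exe
2015-07-13 22:23 - 2015-07-13 22:24 - 1415680 _____ (wj32) C:\Program Files\I2M6K2MU.exe
2015-07-09 17:23 - 2015-07-09 17:23 - 1415680 _____ (wj32) C:\Program Files\IUEYI2MU.exe
2015-07-09 17:24 - 2015-07-09 17:24 - 1415680 _____ (wj32) C:\Program Files\UY26AEI6.exe
2014-08-07 01:05 - 2014-08-07 01:05 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-08-03 12:12 - 2015-03-24 22:26 - 00033856 ____H (LogMeIn, Inc.) C:\Windows\system32\hamachi.sys
"""
# The "R3 hamachi" line is constructed (a loaded driver whose file exists);
# every other line is copied from the log posted in the thread.

# "S3 name; path [X]": FRST marks a service whose file is missing with [X].
ORPHAN_SERVICE_RE = re.compile(r"^[SR]\d (?P<name>[^;]+); (?P<path>.+?) \[X\]$")
# "created - modified - size attrs (company) path", as in the file sections.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
RANDOM_EXE_RE = re.compile(r"^[A-Z0-9]{8}\.exe$", re.IGNORECASE)
PROGRAM_ROOTS = {r"c:\program files", r"c:\program files (x86)"}


def parse_frst(text):
    """Return (orphaned service lines kept verbatim, parsed file entries)."""
    orphaned, files = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if ORPHAN_SERVICE_RE.match(line):
            orphaned.append(line)  # verbatim: FRST matches fixlist lines literally
            continue
        m = FILE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            files.append(entry)
    return orphaned, files


def suspicious_root_exes(files):
    """Randomly named EXEs dropped straight into a Program Files root.

    Two or more with the same size and the same company string is the tell:
    one binary copied under throwaway names. Returns the flagged paths."""
    groups = defaultdict(list)
    for f in files:
        parent, _, name = f["path"].rpartition("\\")
        if parent.lower() in PROGRAM_ROOTS and RANDOM_EXE_RE.match(name):
            groups[(f["size"], f["company"])].append(f["path"])
    flagged = []
    for paths in groups.values():
        if len(paths) >= 2:
            flagged.extend(sorted(paths))
    return flagged


def build_fixlist(orphaned, paths):
    """Draft a fixlist in the shape used in this thread; review before running."""
    lines = ["start", "", "CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:", ""]
    lines += orphaned + paths + ["", "End"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    orphaned, files = parse_frst(SAMPLE_LOG)
    print(build_fixlist(orphaned, suspicious_root_exes(files)))
```

Run as-is it prints a fixlist containing the three orphaned Huawei services and the four same-size executables, and nothing for the hamachi driver or the zero-byte files, which are the controls. The service lines are copied through untouched because FRST keys its fix on the literal line text; editing them would make the fix silently skip the entry.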

#12 Saxer (Topic Starter)

Posted 10 August 2015 - 04:45 PM

Still same...

logs

 

Fix result of Farbar Recovery Scan Tool (x64) Version:09-08-2015

Ran by Saxer (2015-08-10 23:31:02) Run:2
Running from C:\Users\Saxer\Desktop\Nowy folder (6)
Loaded Profiles: Saxer (Available Profiles: Saxer)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]
S3 ew_usbenumfilter; system32\DRIVERS\ew_usbenumfilter.sys [X]
S3 huawei_cdcacm; system32\DRIVERS\ew_jucdcacm.sys [X]
S3 huawei_cdcecm; system32\DRIVERS\ew_jucdcecm.sys [X]
S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
S3 huawei_ext_ctrl; system32\DRIVERS\ew_juextctrl.sys [X]
C:\Program Files\AMKUY26E.exe
C:\Program Files\I2M6K2MU.exe
C:\Program Files\IUEYI2MU.exe
C:\Program Files\UY26AEI6.exe
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
ew_hwusbdev => service removed successfully
ew_usbenumfilter => service removed successfully
huawei_cdcacm => service removed successfully
huawei_cdcecm => service removed successfully
huawei_enumerator => service removed successfully
huawei_ext_ctrl => service removed successfully
C:\Program Files\AMKUY26E.exe => moved successfully.
C:\Program Files\I2M6K2MU.exe => moved successfully.
C:\Program Files\IUEYI2MU.exe => moved successfully.
C:\Program Files\UY26AEI6.exe => moved successfully.
EmptyTemp: => 245.7 MB temporary data Removed.
 
 
The system needed a reboot.. 
 
==== End of Fixlog 23:31:44 ====
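A Fixlog is worth checking item by item rather than scanning for the word "successfully": every line of the fixlist should have a matching outcome line, and a quiet omission is easy to miss in a long log. The checker below is an added example, not part of this thread or of the FRST tool. It reads a trimmed copy of the Fixlog posted above in which the outcome line for `I2M6K2MU.exe` has been deliberately left out (a constructed omission; the real log reports all four files moved) so that the checker has something to flag. The mapping from fixlist lines to outcome lines (services reported by name, paths and `EmptyTemp:` reported verbatim, `CreateRestorePoint:` and `CloseProcesses:` confirmed by a bare sentence) is taken from the posted log and is assumed to hold for other runs.

```python
"""Check an FRST Fixlog.txt: every fixlist item must have a matching outcome.

Added example for this thread, not FRST's own code. SAMPLE_FIXLOG is the
Fixlog posted in the thread, trimmed to four items, with the outcome line for
I2M6K2MU.exe deliberately left out (a constructed omission; the real log
reported all four files moved) so that the checker has something to flag.
"""
import re

SAMPLE_FIXLOG = r"""
Fix result of Farbar Recovery Scan Tool (x64) Version:09-08-2015
Ran by Saxer (2015-08-10 23:31:02) Run:2
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

S3 huawei_cdcacm; system32\DRIVERS\ew_jucdcacm.sys [X]
S3 huawei_cdcecm; system32\DRIVERS\ew_jucdcecm.sys [X]
C:\Program Files\AMKUY26E.exe
C:\Program Files\I2M6K2MU.exe

End
*****************

Restore point was successfully created.
Processes closed successfully.
huawei_cdcacm => service removed successfully
huawei_cdcecm => service removed successfully
C:\Program Files\AMKUY26E.exe => moved successfully.
EmptyTemp: => 245.7 MB temporary data Removed.

The system needed a reboot..

==== End of Fixlog 23:31:44 ====
"""

# Directives that the log confirms with a bare sentence, not an "item => outcome" line
# (assumed from the posted Fixlog).
DIRECTIVE_CONFIRMATIONS = {
    "CreateRestorePoint:": "Restore point was successfully created.",
    "CloseProcesses:": "Processes closed successfully.",
}
SERVICE_RE = re.compile(r"^[SR]\d (?P<name>[^;]+); .+ \[X\]$")
RESULT_RE = re.compile(r"^(?P<item>.+?) => (?P<outcome>.+)$")


def split_fixlog(text):
    """Return (fixlist lines between 'start' and 'End', all lines after 'End')."""
    lines = [l.rstrip() for l in text.splitlines()]
    start = lines.index("start")
    end = lines.index("End", start)
    fixlist = [l for l in lines[start + 1:end] if l.strip()]
    return fixlist, lines[end + 1:]


def outcome_key(line):
    """Services are reported by name; paths and 'EmptyTemp:' are reported verbatim."""
    m = SERVICE_RE.match(line)
    return m["name"] if m else line


def unresolved(fixlog_text):
    """List (fixlist line, reason) for every item without a successful outcome."""
    fixlist, tail = split_fixlog(fixlog_text)
    outcomes = {}
    for line in tail:
        m = RESULT_RE.match(line)
        if m:
            outcomes[m["item"]] = m["outcome"]
    problems = []
    for line in fixlist:
        phrase = DIRECTIVE_CONFIRMATIONS.get(line)
        if phrase is not None:
            if phrase not in tail:
                problems.append((line, "no confirmation line"))
            continue
        outcome = outcomes.get(outcome_key(line))
        if outcome is None:
            problems.append((line, "no outcome reported"))
        elif "successfully" not in outcome and "Removed" not in outcome:
            problems.append((line, outcome))
    return problems


if __name__ == "__main__":
    for line, reason in unresolved(SAMPLE_FIXLOG):
        print(f"UNRESOLVED: {line} ({reason})")
```

On the sample it reports only the file whose outcome line was dropped; on the untrimmed Fixlog posted above it would report nothing, which is what a clean run looks like. Any outcome text other than a success phrase is passed through as the reason, so a "not found" or access-denied result is surfaced rather than hidden.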


#13 nasdaq (Malware Response Team)

Posted 11 August 2015 - 07:35 AM

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

#14 nasdaq (Malware Response Team)

Posted 17 August 2015 - 07:36 AM

Are you still with me?

#15 Saxer (Topic Starter)

Posted 18 August 2015 - 09:13 AM

Yes, sorry, my brother was getting married... :)

 

Logs:

 

 

 
Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Saxer on 2015-08-18 at 15:32:42,27.
Microsoft Windows 7 Ultimate  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Saxer\Desktop\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
2015-08-18 15:34:10 Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\PROGRA~2\AGEIA Technologies deleted successfully
C:\PROGRA~2\direct deleted successfully
C:\PROGRA~2\MSXML 4.0 deleted successfully
C:\PROGRA~2\COMMON~1\Designer deleted successfully
C:\PROGRA~3\RedApp deleted successfully
C:\PROGRA~3\Reprise deleted successfully
C:\PROGRA~3\Simpoe deleted successfully
C:\Users\Saxer\AppData\Roaming\EDrawings deleted successfully
C:\Users\Saxer\AppData\Local\DassaultSystemes deleted successfully
C:\Users\Saxer\AppData\Local\The Witcher deleted successfully
C:\Users\Saxer\AppData\Local\WorldofTanks deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\PROGRA~2\AGEIA Technologies not found
C:\PROGRA~2\direct not found
C:\Users\Saxer\AppData\Roaming\Factorio deleted
C:\Users\Saxer\.android deleted
C:\PROGRA~2\Driver-Soft deleted
C:\PROGRA~3\DriverGenius deleted
C:\PROGRA~3\Package Cache deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Genius deleted
 
==== Firefox Extensions Registry ======================
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"online_banking_08806E753BE44495B44E90AA2513BDC5@kaspersky.com"="C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\FFExt\online_banking@kaspersky.com" [2015-06-23 12:26]
 
==== Firefox Extensions ======================
 
ProfilePath: C:\Users\Saxer\AppData\Roaming\Mozilla\Firefox\Profiles\od954122.default
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
 
AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
==== Firefox Plugins ======================
 
Profilepath: C:\Users\Saxer\AppData\Roaming\Mozilla\Firefox\Profiles\od954122.default
5950D438CD3DDF2DD50D9FA4E07A6C1C - C:\Users\Saxer\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll - Unity Player
 
 
==== Chromium Look ======================
 
Google Chrome Version: 44.0.2403.155
 
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
 
AgarioMod - Saxer\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhjgdbihpkphlammdaeicdemggagfbdo
 
==== Chromium Startpages ======================
 
C:\Users\Saxer\AppData\Local\Google\Chrome\User Data\Default\Preferences
20000,\"name\":\"ISO_A3\",\"vendor_id\":\"8\",\"width_microns\":297000},{\"custom_display_name\":\"A4\",\"height_microns\":297000,\"is_default\":true,\"name\":\"ISO_A4\",\"vendor_id\":\"9\",\"width_microns\":210000},{\"custom_display_name\":\"B4 (JIS)\",\"height_microns\":364000,\"name\":\"JIS_B4\",\"vendor_id\":\"12\",\"width_microns\":257000},{\"custom_display_name\":\"B5 (JIS)\",\"height_microns\":257000,\"name\":\"JIS_B5\",\"vendor_id\":\"13\",\"width_microns\":182000},{\"custom_display_name\":\"Koperta #10\",\"height_microns\":241300,\"name\":\"NA_NUMBER_10\",\"vendor_id\":\"20\",\"width_microns\":104700},{\"custom_display_name\":\"Koperta Monarch\",\"height_microns\":190500,\"name\":\"NA_MONARCH\",\"vendor_id\":\"37\",\"width_microns\":98400}]},\"page_orientation\":{\"option\":[{\"is_default\":true,\"type\":\"PORTRAIT\"},{\"type\":\"LANDSCAPE\"},{\"type\":\"AUTO\"}]},\"supported_content_type\":[{\"content_type\":\"application/pdf\"}]},\"version\":\"1.0\"},\"selectedDestinationName\":\"Wyślij do programu OneNote 
2010\",\"mediaSize\":{\"custom_display_name\":\"A4\",\"height_microns\":297000,\"is_default\":true,\"name\":\"ISO_A4\",\"vendor_id\":\"9\",\"width_microns\":210000}}"}},"profile":{"avatar_bubble_tutorial_shown":1,"avatar_index":0,"content_settings":{"clear_on_exit_migrated":true,"exceptions":{"app_banner":{},"auto_select_certificate":{},"automatic_downloads":{"[*.]www.download.net.pl,*":{"setting":2}},"cookies":{},"fullscreen":{"[*.]centralainternetu.pl,*":{"setting":1},"[*.]jebzdzidy.wrzuta.pl,*":{"setting":1},"[*.]joemonster.org,*":{"setting":1},"[*.]seansik.tv,*":{"setting":1},"[*.]videomega.tv,*":{"setting":1},"https://[*.]www.facebook.com:443,*":{"setting":1},"https://[*.]www.youtube.com:443,*":{"setting":1}},"geolocation":{},"images":{},"javascript":{"gsasarzyna.pl,*":{"setting":2}},"media_stream":{},"media_stream_camera":{},"media_stream_mic":{},"metro_switch_to_desktop":{},"midi_sysex":{},"mixed_script":{},"mouselock":{},"notifications":{},"plugins":{"[*.]player.pl,*":{"setting":1},"[*.]www.classicdosgames.com,*":{"setting":1},"[*.]www.kongregate.com,*":{"setting":1}},"popups":{},"ppapi_broker":{},"protocol_handlers":{},"push_messaging":{},"ssl_cert_decisions":{}},"pattern_pairs":{"[*.]centralainternetu.pl,*":{"fullscreen":1},"[*.]jebzdzidy.wrzuta.pl,*":{"fullscreen":1},"[*.]joemonster.org,*":{"fullscreen":1},"[*.]player.pl,*":{"plugins":1},"[*.]seansik.tv,*":{"fullscreen":1},"[*.]videomega.tv,*":{"fullscreen":1},"[*.]www.classicdosgames.com,*":{"plugins":1},"[*.]www.download.net.pl,*":{"multiple-automatic-downloads":2},"[*.]www.kongregate.com,*":{"plugins":1},"gsasarzyna.pl,*":{"javascript":2},"https://[*.]www.facebook.com:443,*":{"fullscreen":1},"https://[*.]www.youtube.com:443,*":{"fullscreen":1}},"pref_version":1},"created_by_version":"36.0.1985.125","default_content_settings":{},"exit_type":"Normal","exited_cleanly":true,"icon_version":3,"managed_user_id":"","migrated_content_settings_exceptions":true,"migrated_default_content_settings":true,"migrated_d
efault_media_stream_content_settings":true,"name":"Pierwszy użytkownik","password_manager_groups_for_domains":[0,null,null,null,null,null,0],"per_host_zoom_levels":{}},"protection":{"macs":{}},"savefile":{"default_directory":"C:\\Users\\Saxer\\Desktop\\podzielnica","type":1},"selectfile":{"last_directory":"C:\\Users\\Saxer\\Desktop"},"session":{"restore_on_startup_migrated":true,"startup_urls_migration_time":"13050521966977139"},"sync":{"memory_warning_count":1517},"sync_promo":{"startup_count":10},"translate_accepted_count":{"de":0,"en":0,"es":0,"hu":0,"pt":0,"ru":0},"translate_blocked_languages":["pl"],"translate_denied_count":{"de":2,"en":249,"es":4,"hu":1,"pt":134,"ru":2},"translate_denied_count_for_language":{"en":2},"translate_last_denied_time":1413981328816.827,"translate_last_denied_time_for_language":{"en":1439125584026.615},"translate_too_often_denied":true,"translate_too_often_denied_for_language":{"en":true},"translate_whitelists":{},"zerosuggest":{"cachedresults":""}}
eapis.com/*"],"update_url":"https://clients2.google.com/service/update2/crx","version":"0.1.2.0"},"path":"nmmhkkegccagdldgiimedpiccmgmieda\\0.1.2.0_0","preferences":{},"regular_only_preferences":{},"running":false,"state":1,"was_installed_by_default":true,"was_installed_by_oem":false},"pafkbggdmjlpgkdkcbjmhmfcdpncadgh":{"active_permissions":{"api":["alarms","gcm","identity","metricsPrivate","notifications","storage","tabs","webstorePrivate"],"explicit_host":["*://*.google.com/*","*://*.gstatic.com/*","https://*.googleapis.com/*","https://*.googleusercontent.com/*"],"manifest_permissions":[]},"commands":{},"content_settings":[],"creation_flags":1,"events":["alarms.onAlarm","gcm.onMessage","identity.onSignInChanged","notifications.onButtonClicked","notifications.onClicked","notifications.onClosed","notifications.onPermissionLevelChanged","notifications.onShowSettings","pushMessaging.onMessage","runtime.onInstalled","runtime.onStartup","runtime.onSuspend","storage.onChanged"],"from_bookmark":false,"from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"initial_keybindings_set":true,"install_time":"13050539474850661","location":5,"manifest":{"background":{"persistent":false,"scripts":["utility.js","cards.js","background.js"]},"description":"Integrates Google Now into Chrome.","icons":{"128":"images/icon128.png","16":"images/icon16.png","48":"images/icon48.png"},"key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkhqJr32OFD/bMXW4Md7jMfd7LbwHXVc6x5bBQG5U+dloofoxrICDR20yur/40mQ8O//0sS1b8srvbab1CRlSrxoNCr9T80NAkfzx0gHyVS+p1Zow+1FzLMu9PiGwwFyN80HIB7GI/dIa0wC9K/2OrrzcHEhVH96DacTtWQqjfDVtZPjT7Xwv23dgoWcpbkRC86jMJot3dmX9xnn0KzoVc9gDOHSIkBLbkkr6Sp3LGXCCM4L0DJgxdFwaLr5WBzgC3y5x0/wwPIwN4PtIaK3BhH6njlksfnKwwIJ9iRT41V4BqbWu4mszO/7VJ3HJyw2DBpIc2grU9ZRRxrV3fRQG4wIDAQAB","manifest_version":2,"name":"Google 
Now","oauth2":{"auto_approve":true,"scopes":["https://www.googleapis.com/auth/googlenow"]},"optional_permissions":["background"],"permissions":["alarms","identity","metricsPrivate","notifications","pushMessaging","storage","tabs","webstorePrivate","\u003Call_urls>"],"version":"1.2.0.1"},"path":"C:\\Program Files (x86)\\Google\\Chrome\\Application\\36.0.1985.125\\resources\\google_now","preferences":{},"regular_only_preferences":{},"was_installed_by_default":false,"was_installed_by_oem":false},"pjkljhegncpnkpknbcohdijeoejaedia":{"ack_external":true,"active_permissions":{"api":["notifications"],"manifest_permissions":[]},"app_launcher_ordinal":"y","commands":{},"content_settings":[],"creation_flags":137,"events":[],"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":["notifications"],"manifest_permissions":[]},"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13072033858552618","lastpingday":"13083663603654673","location":1,"manifest":{"app":{"launch":{"container":"tab","web_url":"https://mail.google.com/mail/ca"},"urls":["*://mail.google.com/mail/ca"]},"current_locale":"pl","default_locale":"en","description":"Szybka usługa poczty e-mail z możliwością wyszukiwania i mniejszą ilością 
spamu.","icons":{"128":"128.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCuGglK43iAz3J9BEYK/Mz6ZhloIMMDqQSAaf3vJt4eHbTbSDsu4WdQ9dQDRcKlg8nwQdePBt0C3PSUBtiSNSS37Z3qEGfS7LCju3h6pI1Yr9MQtxw+jUa7kXXIS09VV73pEFUT/F7c6Qe8L5ZxgAcBvXBh1Fie63qb02I9XQ/CQIDAQAB","manifest_version":2,"name":"Gmail","options_page":"https://mail.google.com/mail/ca/#settings","permissions":["notifications"],"update_url":"http://clients2.google.com/service/update2/crx","version":"8.1"},"page_ordinal":"n","path":"pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0","preferences":{},"regular_only_preferences":{},"state":1,"was_installed_by_default":true,"was_installed_by_oem":false}}},"pinned_tabs":[],"protection":{"macs":{"browser":{"show_home_button":"46507EFAE3DCEB382E407DF12FEB2BF08429D3C20214156DB45ABF8D3B83216C"},"default_search_provider":{"keyword":"C6C0F981B6E57AB1C6496FAA6363B9DA869EFA91CF2FEB68D661E0265B1B2B49","name":"C90DE1BA993C52228CDA69E87C0A0ED8B6E8F79D6F72E30CD952FE8517395FF2","search_url":"EBCADD0FE85C3EB069F71497978AB19B5CF521A59D125E0C63E0C5D1BF644AAA"},"default_search_provider_data":{"template_url_data":"50347F82099CED0A40ECFA9FC90359D05D7B78304CB30182F1D4CAA619F21537"},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":"82BF6D08DCF7A8593636B2C18AB2B8AAB5C8FE78C9B77BD5E0D8A96758A29052","aohghmighlieiainnegkcijnfilokake":"99921D7D49C75554D9E257A3EEBE47AC0466AE4B3E2515971A76B05017FF73EA","apdfllckaahabafndbhieahigkjlhalf":"E55E5590B50DDD258AD85CF6BADAEFA32C31F7CADCC6FBB6262CFACB67841BB9","bepbmhgboaologfdajaanbcjmnhjmhfn":"D99CBC7D52D229628405D78A3E2233AF40448067DC09AAD309224E51DE3A4A45","blpcfgokakmgnkcojhhkbfbldkacnbeo":"A93F4BE6A9C3773B0A3E1B48A9074131251A26463C2A6DD55DA8C2740CBB6A61","cfhdojbkjhnklbpkdaibdccddilifddb":"F2F057DA373541D4B2D41F9AEE592565E245084FB7DC5759034C7E77F2A6F6DE","coobgpohoikkiipiblmjeljniedjpjpf":"E7F075901A0A3942599C45E3A2C2488FDBCC658C9E0507471D6648998F576787","dbhjdbfgekjfcfkkfjjmlmojhbllhbho":"B12319CF71B4AB1DCD83FA0485A1B76EBCB1D49CF3C149B1EA0204
8527BF2905","eemcgdkfndhakfknompkggombfjjjeno":"3D2EA865FCA1D54FD9066BAD88EBE93DC0B84EEE06203B8284B00DDE594724A0","ennkphjdgehloodpbhlhldgbnhmacadg":"2BB477710EB1EB9C201F29D5A397769B7931207C4730BE6AFC395658F0D43739","gfdkimpbcpahaombhbimeihdjnejgicl":"F0C1D762D01767E0FEDEB809ECC7F4F596E0F40E2A797474B639737086D18CF6","kmendfapggjehodndflmmgagdbamhnfd":"7E5994CF56159B72E5C359359800A0800A48F02D9C194696ADF3A37D1E86B674","mfehgcgbbipciphmccgaenjidiccnmng":"85D3361B10EE8B2E2FDE7B479952B80A3A892F3A54AB3D0E41EE88A7CEB66C46","mfffpogegjflfpflabcdkioaeobkgjik":"F139784FAE6E25B43F6067AFA00845EB9EA2BDB8CA0BF4E801DBCC660B0409AB","mgndgikekgjfcpckkfioiadnlibdjbkf":"9783086B18D98123E3E785B37C0F2C7EA72E5680B7BB3611EBB8935D815EFE2C","mhjfbmdgcfjbbpaeojofohoefgiehjai":"6AA29D7AA4B93CC7EBBC4F148E4CFD42FD1C93F325C141D3CEE0733A8278F3D1","neajdppkdcdipfabeoofebfddakdcjhd":"9B54AC888EF809D06A7CE7FFC986D32E50D83858EEFFBB002200BF725730D168","nhjgdbihpkphlammdaeicdemggagfbdo":"64B999D1C4FF7F0C2BF41DE60D4EFEDD3F9C4B5FDB5E20DA2E7CAF1610F1223E","nkeimhogjdpnpccoofpliimaahmaaome":"5685ED90C136B6FA79C8A63983C0F8DF8DBEB9C89C71B87D68A84B2B8CBB7C1B","nmmhkkegccagdldgiimedpiccmgmieda":"B8F2BF758AFC7F678420A2653E23A2421201D49A77273E5DA825C60B00559729","pafkbggdmjlpgkdkcbjmhmfcdpncadgh":"8078911D717EA589760C071317631A139F1876D8D00875E5DF96C66C5CE49290","pjkljhegncpnkpknbcohdijeoejaedia":"9EAED4677A118B3C779E9B17A05F6A5C0C4BDCC10DC4E7BC557A5950B6AA1163"}},"google":{"services":{"account_id":"02EDAE7ACF61774611FD3CD6A827447EB4FEFF4AE89257839EE02F372DF6FCE3","last_username":"7B1A55F3BBB4E84D7B10AF28D4D88ED877461EB1BD202FAF7CE47A3500C21854","username":"AC3847D38FA06EA4E4493FDCCFF7258A298C921ACBC5F51EC29AC1D9C15AB7D7"}},"homepage":"B0496056C14B08301CD1CDA2285DDA8FBBFF78BEADAA9280B45BFAB80E08C4A9","homepage_is_newtabpage":"9B0E378F63D1646163AD38D7DE71D0D976F98FBBD3A506E502C3C91E5CF571CD","pinned_tabs":"E844C91B733569CB2AB26ED33E3782A65CA65DF04FD8F28A39D49A739C1B7180","prefs":{"preference_reset_time":"6C948F6C
4817CA9B37B1A1A30766BCBA17C7CCE9EFC904489960C69A7B82C9AC"},"profile":{"reset_prompt_memento":"06832751535FFFDBA2286C2BEE862B52852B5FA959325C6936946D72F3507AC4"},"safebrowsing":{"incidents_sent":"C3ECB2A3896A17EC9E551CB1639ACFB2EC780A95AF3B4837DA7B93E0DC68F13D"},"search_provider_overrides":"E0B6DCA56F373F43A558DC2B19F01BAEE80AAB87175A155972A82799CED9AE18","session":{"restore_on_startup":"8DB254A0743EC506F13FCA685C8EEEB19395674F37B2F33F5A63D02862FF7560","startup_urls":"8FE905B1B8A731FEE821B6344795976850EBCD756C135BB2EF122FA7A2456807"},"software_reporter":{"prompt_reason":"1881DC5F12581A741BDCBDFC6453562A83965F0496B9B06B0E563E0F6C98D9BC","prompt_seed":"A36F2250813A649B487ECF77B1E4C8CEAD9D7091690D1D0772D3EB31D424FFCF","prompt_version":"09DE072F3E0812CEFB83A1228D92CFDA0514A99C5257892B0865DD1A9C8BA218"},"sync":{"remaining_rollback_tries":"3DA4CBA88C095E300797AA0F696BEE30A89E6E934700B4E2B1D5F578156E8DC1"}},"super_mac":"2B87900D13304A2B408E9F3C7B7E353320D28D31D63D4CFEE49BC83A09006880"},"sync":{"remaining_rollback_tries":0}}
 
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm"
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="about:newtab"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="about:newtab"
 
==== All HKCU SearchScopes ======================
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
 
==== Deleting Registry Keys ======================
 
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Driver Genius_is1 deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON SX230 Series deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MurGee.com Auto Clicker deleted successfully
 
==== Empty IE Cache ======================
 
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Saxer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
 
==== Empty FireFox Cache ======================
 
No FireFox Cache found
 
==== Empty Chrome Cache ======================
 
C:\Users\Saxer\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
Flash Cache Emptied Successfully
 
==== Empty All Java Cache ======================
 
Java Cache cleared successfully
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=112 folders=47 1138796387 bytes)
 
==== Empty Temp Folders ======================
 
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Saxer\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\Windows\Temp successfully emptied
C:\Users\Saxer\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== Deleting Files / Folders ======================
 
"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not found
"C:\Users\Saxer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not found
"C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" deleted
 
==== EOF on 2015-08-18 at 16:08:21,07 ======================
 

 

and there is still svchost.exe that uses almost all memory... :(