
BSOD c0000135 user32.dll missing in win 7


  • This topic is locked
10 replies to this topic

#1 mitsu3rd

mitsu3rd

  • Members
  • 7 posts

Posted 28 December 2015 - 10:37 AM

So at first I googled the "c0000135 missing %h win 7" problem,

then came to this site, which told me to use the FRST tool.

I followed the instructions, and I am posting this report so anybody can help me.

 

Thank you

 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

FRST.txt

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:27-12-2015
Ran by SYSTEM on MININT-8781G59 (28-12-2015 22:22:37)
Running from g:\
Platform: Windows 7 Ultimate Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 8
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [GfxServiceInstall] => C:\Windows\system32\GfxCUIServiceInstall.vbs [131 2013-11-04] ()
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-12] (Microsoft Corporation)
HKLM\...\Run: [mbot_id_014010056] => [X]
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
HKLM\...\RunOnce: [SH4_RestoreHibernation] => C:\Windows\System32\powercfg.exe [59392 2009-07-13] (Microsoft Corporation)
HKU\ACERD270\...\Run: [OfficeSyncProcess] => C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [718208 2010-03-15] (Microsoft Corporation)
HKU\ACERD270\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] (Microsoft Corporation)
S2 comyninu; C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98\hnsl3890.tmp [X]
S2 gopibeko; C:\Users\ACERD270\AppData\Local\FA64C5B7-1439214839-9247-AA57-089E0165DC98\snsg673E.tmp [X]
S2 hyverumu; C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98\jnsa16CB.tmp [X]
S2 IhPul; C:\Users\ACERD270\AppData\Roaming\TSv\TSvr.exe [X]
S2 jycywihy; C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98\knsaE9FB.tmpfs [X]
S2 KMService; C:\Windows\system32\srvany.exe [X]
S2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 athr; C:\Windows\System32\DRIVERS\athr.sys [3236864 2013-09-23] (Qualcomm Atheros Communications, Inc.)
S3 RSPCIESTOR; C:\Windows\System32\DRIVERS\RtsPStor.sys [270552 2014-01-07] (Realtek Semiconductor Corp.)
S3 TSSK; C:\Windows\System32\tssk.sys [67896 2015-08-17] (电脑管家)
S1 QMUdisk; \??\C:\Program Files\Tencent\QQPCMgr\10.10.16443.223\QMUdisk.sys [X]
S3 TS888; \??\C:\Program Files\Tencent\QQPCMgr\10.10.16443.223\TS888.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
========================== Drivers MD5 =======================
 
C:\Windows\system32\drivers\1394ohci.sys ==> MD5 is legit
C:\Windows\System32\drivers\ACPI.sys ==> MD5 is legit
C:\Windows\system32\drivers\acpipmi.sys ==> MD5 is legit
C:\Windows\system32\drivers\adp94xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\adpahci.sys ==> MD5 is legit
C:\Windows\system32\drivers\adpu320.sys ==> MD5 is legit
C:\Windows\system32\drivers\afd.sys ==> MD5 is legit
C:\Windows\system32\drivers\agp440.sys ==> MD5 is legit
C:\Windows\system32\drivers\djsvs.sys ==> MD5 is legit
C:\Windows\system32\drivers\aliide.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdagp.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdide.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdk8.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdppm.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdsata.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdsbs.sys ==> MD5 is legit
C:\Windows\System32\drivers\amdxata.sys ==> MD5 is legit
C:\Windows\system32\drivers\appid.sys ==> MD5 is legit
C:\Windows\system32\drivers\arc.sys ==> MD5 is legit
C:\Windows\system32\drivers\arcsas.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\asyncmac.sys ==> MD5 is legit
C:\Windows\System32\drivers\atapi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\athr.sys CC407D8606B95F5386D0CDB5B63B3A84
C:\Windows\system32\drivers\bxvbdx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\b57nd60x.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Beep.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\blbdrive.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\bowser.sys FCAFAEF6798D7B51FF029F99A9898961
C:\Windows\system32\drivers\BrFiltLo.sys ==> MD5 is legit
C:\Windows\system32\drivers\BrFiltUp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Brserid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrSerWdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbMdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbSer.sys ==> MD5 is legit
C:\Windows\system32\drivers\bthmodem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cdfs.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cdrom.sys ==> MD5 is legit
C:\Windows\system32\drivers\circlass.sys ==> MD5 is legit
C:\Windows\System32\CLFS.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\CmBatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\cmdide.sys ==> MD5 is legit
C:\Windows\System32\Drivers\cng.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\compbatt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\CompositeBus.sys ==> MD5 is legit
C:\Windows\system32\drivers\crcdisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\csc.sys ==> MD5 is legit
C:\Windows\System32\Drivers\dfsc.sys ==> MD5 is legit
C:\Windows\System32\drivers\discache.sys ==> MD5 is legit
C:\Windows\System32\drivers\disk.sys ==> MD5 is legit
C:\Windows\system32\drivers\dmvsc.sys 2A958EF85DB1B61FFCA65044FA4BCE9E
C:\Windows\System32\drivers\drmkaud.sys ==> MD5 is legit
C:\Windows\System32\drivers\dxgkrnl.sys ==> MD5 is legit
C:\Windows\system32\drivers\evbdx.sys ==> MD5 is legit
C:\Windows\system32\drivers\elxstor.sys ==> MD5 is legit
C:\Windows\system32\drivers\errdev.sys ==> MD5 is legit
C:\Windows\System32\Drivers\exfat.sys ==> MD5 is legit
C:\Windows\System32\Drivers\fastfat.sys ==> MD5 is legit
C:\Windows\system32\drivers\fdc.sys ==> MD5 is legit
C:\Windows\System32\drivers\fileinfo.sys ==> MD5 is legit
C:\Windows\System32\drivers\filetrace.sys ==> MD5 is legit
C:\Windows\system32\drivers\flpydisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\fltmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\FsDepends.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Fs_Rec.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\fvevol.sys ==> MD5 is legit
C:\Windows\system32\drivers\gagp30kx.sys ==> MD5 is legit
C:\Windows\system32\drivers\hcw85cir.sys ==> MD5 is legit
C:\Windows\System32\drivers\HdAudio.sys A5EF29D5315111C80A5C1ABAD14C8972
C:\Windows\System32\DRIVERS\HDAudBus.sys ==> MD5 is legit
C:\Windows\system32\drivers\HidBatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\hidbth.sys ==> MD5 is legit
C:\Windows\system32\drivers\hidir.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\hidusb.sys ==> MD5 is legit
C:\Windows\system32\drivers\HpSAMD.sys ==> MD5 is legit
C:\Windows\System32\drivers\HTTP.sys ==> MD5 is legit
C:\Windows\System32\drivers\hwpolicy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\i8042prt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\iaStor.sys 51D115C4C8A7BD8EB732D0221664E8C9
C:\Windows\system32\drivers\iaStorV.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\idmwfp.sys 2714BB9E5C05BEBF8488207A1B5A5F62
C:\Windows\System32\DRIVERS\igddim32.sys 0F4B490A9E6A8DA661B4D3FC6CA46DAC
C:\Windows\System32\DRIVERS\igdkmd32.sys 53702AB884124DDDA57B430855D37A99
C:\Windows\system32\drivers\iirsp.sys ==> MD5 is legit
C:\Windows\System32\drivers\RTKVHDA.sys F540BD2DB864551684E54823����
 
*note: in the last line I got a very long "����", so I cut it because it was a pain for anyone who sees it
 
+++++++++++++++++++++++++++++++++++++++++++++++++++++
search.txt
+++++++++++++++++++++++++++++++++++++++++++++++++++++
 

Farbar Recovery Scan Tool (x86) Version:27-12-2015
Ran by SYSTEM (2015-12-28 22:27:23)
Running from g:\
Boot Mode: Recovery
 
================== Search Files: "user32.dll" =============
 
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
[2010-11-20 13:29][2010-11-20 13:29] 0811520 ____A (Microsoft Corporation) F1DD3ACAEE5E6B4BBC69BC6DF75CEF66
 
X:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
[2010-11-20 01:06][2010-11-20 04:21] 0811520 ____A (Microsoft Corporation) F1DD3ACAEE5E6B4BBC69BC6DF75CEF66
 
X:\Windows\System32\user32.dll
[2010-11-20 01:06][2010-11-20 04:21] 0811520 ____A (Microsoft Corporation) F1DD3ACAEE5E6B4BBC69BC6DF75CEF66
 
====== End of Search ======

Edited by hamluis, 28 December 2015 - 02:18 PM.
Moved from Crashes/BSODs to Malware Removal Logs - Hamluis.



 


#2 mitsu3rd

mitsu3rd
  • Topic Starter

  • Members
  • 7 posts

Posted 28 December 2015 - 10:55 AM

EDIT

 

The FRST.txt file was corrupted; here is the correct one:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:27-12-2015
Ran by SYSTEM on MININT-FCR4EUS (28-12-2015 21:07:46)
Running from g:\
Platform: Windows 7 Ultimate Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 8
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [GfxServiceInstall] => C:\Windows\system32\GfxCUIServiceInstall.vbs [131 2013-11-04] ()
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-12] (Microsoft Corporation)
HKLM\...\Run: [mbot_id_014010056] => [X]
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
HKLM\...\RunOnce: [SH4_RestoreHibernation] => C:\Windows\System32\powercfg.exe [59392 2009-07-13] (Microsoft Corporation)
HKU\ACERD270\...\Run: [OfficeSyncProcess] => C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [718208 2010-03-15] (Microsoft Corporation)
HKU\ACERD270\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] (Microsoft Corporation)
S2 comyninu; C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98\hnsl3890.tmp [X]
S2 gopibeko; C:\Users\ACERD270\AppData\Local\FA64C5B7-1439214839-9247-AA57-089E0165DC98\snsg673E.tmp [X]
S2 hyverumu; C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98\jnsa16CB.tmp [X]
S2 IhPul; C:\Users\ACERD270\AppData\Roaming\TSv\TSvr.exe [X]
S2 jycywihy; C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98\knsaE9FB.tmpfs [X]
S2 KMService; C:\Windows\system32\srvany.exe [X]
S2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 athr; C:\Windows\System32\DRIVERS\athr.sys [3236864 2013-09-23] (Qualcomm Atheros Communications, Inc.)
S3 RSPCIESTOR; C:\Windows\System32\DRIVERS\RtsPStor.sys [270552 2014-01-07] (Realtek Semiconductor Corp.)
S3 TSSK; C:\Windows\System32\tssk.sys [67896 2015-08-17] (电脑管家)
S1 QMUdisk; \??\C:\Program Files\Tencent\QQPCMgr\10.10.16443.223\QMUdisk.sys [X]
S3 TS888; \??\C:\Program Files\Tencent\QQPCMgr\10.10.16443.223\TS888.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
========================== Drivers MD5 =======================
 
C:\Windows\system32\drivers\1394ohci.sys ==> MD5 is legit
C:\Windows\System32\drivers\ACPI.sys ==> MD5 is legit
C:\Windows\system32\drivers\acpipmi.sys ==> MD5 is legit
C:\Windows\system32\drivers\adp94xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\adpahci.sys ==> MD5 is legit
C:\Windows\system32\drivers\adpu320.sys ==> MD5 is legit
C:\Windows\system32\drivers\afd.sys ==> MD5 is legit
C:\Windows\system32\drivers\agp440.sys ==> MD5 is legit
C:\Windows\system32\drivers\djsvs.sys ==> MD5 is legit
C:\Windows\system32\drivers\aliide.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdagp.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdide.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdk8.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdppm.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdsata.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdsbs.sys ==> MD5 is legit
C:\Windows\System32\drivers\amdxata.sys ==> MD5 is legit
C:\Windows\system32\drivers\appid.sys ==> MD5 is legit
C:\Windows\system32\drivers\arc.sys ==> MD5 is legit
C:\Windows\system32\drivers\arcsas.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\asyncmac.sys ==> MD5 is legit
C:\Windows\System32\drivers\atapi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\athr.sys CC407D8606B95F5386D0CDB5B63B3A84
C:\Windows\system32\drivers\bxvbdx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\b57nd60x.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Beep.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\blbdrive.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\bowser.sys FCAFAEF6798D7B51FF029F99A9898961
C:\Windows\system32\drivers\BrFiltLo.sys ==> MD5 is legit
C:\Windows\system32\drivers\BrFiltUp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Brserid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrSerWdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbMdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbSer.sys ==> MD5 is legit
C:\Windows\system32\drivers\bthmodem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cdfs.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cdrom.sys ==> MD5 is legit
C:\Windows\system32\drivers\circlass.sys ==> MD5 is legit
C:\Windows\System32\CLFS.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\CmBatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\cmdide.sys ==> MD5 is legit
C:\Windows\System32\Drivers\cng.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\compbatt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\CompositeBus.sys ==> MD5 is legit
C:\Windows\system32\drivers\crcdisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\csc.sys ==> MD5 is legit
C:\Windows\System32\Drivers\dfsc.sys ==> MD5 is legit
C:\Windows\System32\drivers\discache.sys ==> MD5 is legit
C:\Windows\System32\drivers\disk.sys ==> MD5 is legit
C:\Windows\system32\drivers\dmvsc.sys 2A958EF85DB1B61FFCA65044FA4BCE9E
C:\Windows\System32\drivers\drmkaud.sys ==> MD5 is legit
C:\Windows\System32\drivers\dxgkrnl.sys ==> MD5 is legit
C:\Windows\system32\drivers\evbdx.sys ==> MD5 is legit
C:\Windows\system32\drivers\elxstor.sys ==> MD5 is legit
C:\Windows\system32\drivers\errdev.sys ==> MD5 is legit
C:\Windows\System32\Drivers\exfat.sys ==> MD5 is legit
C:\Windows\System32\Drivers\fastfat.sys ==> MD5 is legit
C:\Windows\system32\drivers\fdc.sys ==> MD5 is legit
C:\Windows\System32\drivers\fileinfo.sys ==> MD5 is legit
C:\Windows\System32\drivers\filetrace.sys ==> MD5 is legit
C:\Windows\system32\drivers\flpydisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\fltmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\FsDepends.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Fs_Rec.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\fvevol.sys ==> MD5 is legit
C:\Windows\system32\drivers\gagp30kx.sys ==> MD5 is legit
C:\Windows\system32\drivers\hcw85cir.sys ==> MD5 is legit
C:\Windows\System32\drivers\HdAudio.sys A5EF29D5315111C80A5C1ABAD14C8972
C:\Windows\System32\DRIVERS\HDAudBus.sys ==> MD5 is legit
C:\Windows\system32\drivers\HidBatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\hidbth.sys ==> MD5 is legit
C:\Windows\system32\drivers\hidir.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\hidusb.sys ==> MD5 is legit
C:\Windows\system32\drivers\HpSAMD.sys ==> MD5 is legit
C:\Windows\System32\drivers\HTTP.sys ==> MD5 is legit
C:\Windows\System32\drivers\hwpolicy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\i8042prt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\iaStor.sys 51D115C4C8A7BD8EB732D0221664E8C9
C:\Windows\system32\drivers\iaStorV.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\idmwfp.sys 2714BB9E5C05BEBF8488207A1B5A5F62
C:\Windows\System32\DRIVERS\igddim32.sys 0F4B490A9E6A8DA661B4D3FC6CA46DAC
C:\Windows\System32\DRIVERS\igdkmd32.sys 53702AB884124DDDA57B430855D37A99
C:\Windows\system32\drivers\iirsp.sys ==> MD5 is legit
C:\Windows\System32\drivers\RTKVHDA.sys F540BD2DB864551684E548233F0F297E
C:\Windows\System32\DRIVERS\IntcDAud.sys 8F4D251F1EA15FA97E8399128A72CC83
C:\Windows\system32\drivers\intelide.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\intelppm.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ipfltdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\IPMIDrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\ipnat.sys ==> MD5 is legit
C:\Windows\System32\drivers\irenum.sys ==> MD5 is legit
C:\Windows\system32\drivers\isapnp.sys ==> MD5 is legit
C:\Windows\system32\drivers\msiscsi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\kbdclass.sys ==> MD5 is legit
C:\Windows\system32\drivers\kbdhid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\ksecdd.sys ==> MD5 is legit
C:\Windows\System32\Drivers\ksecpkg.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\lltdio.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_fc.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_sas.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_sas2.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_scsi.sys ==> MD5 is legit
C:\Windows\system32\drivers\luafv.sys ==> MD5 is legit
C:\Windows\system32\drivers\megasas.sys ==> MD5 is legit
C:\Windows\system32\drivers\MegaSR.sys ==> MD5 is legit
C:\Windows\System32\drivers\modem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\monitor.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouclass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouhid.sys ==> MD5 is legit
C:\Windows\System32\drivers\mountmgr.sys ==> MD5 is legit
C:\Windows\system32\drivers\mpio.sys ==> MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\mrxdav.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mrxsmb.sys B272B4C3E085EA860C12F2E4FAF2FFA2
C:\Windows\System32\DRIVERS\mrxsmb10.sys 9AC33EF26C8A3AD0F117D00EB7301D03
C:\Windows\System32\DRIVERS\mrxsmb20.sys E0ABDB5ED7E199E242A7D028E76C1D3A
C:\Windows\System32\drivers\msahci.sys ==> MD5 is legit
C:\Windows\system32\drivers\msdsm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Msfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\mshidkmdf.sys ==> MD5 is legit
C:\Windows\System32\drivers\msisadrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSKSSRV.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPCLOCK.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPQM.sys ==> MD5 is legit
C:\Windows\System32\Drivers\MsRPC.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mssmbios.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSTEE.sys ==> MD5 is legit
C:\Windows\system32\drivers\MTConfig.sys ==> MD5 is legit
C:\Windows\System32\Drivers\mup.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\nwifi.sys ==> MD5 is legit
C:\Windows\System32\drivers\ndis.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndiscap.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndistapi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndisuio.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndiswan.sys ==> MD5 is legit
C:\Windows\System32\Drivers\NDProxy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbios.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbt.sys ==> MD5 is legit
C:\Windows\system32\drivers\nfrd960.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Npfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Ntfs.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Null.sys ==> MD5 is legit
C:\Windows\system32\drivers\nvraid.sys ==> MD5 is legit
C:\Windows\system32\drivers\nvstor.sys ==> MD5 is legit
C:\Windows\system32\drivers\nv_agp.sys ==> MD5 is legit
C:\Windows\system32\drivers\ohci1394.sys ==> MD5 is legit
C:\Windows\system32\drivers\parport.sys ==> MD5 is legit
C:\Windows\System32\drivers\partmgr.sys ==> MD5 is legit
C:\Windows\system32\drivers\parvdm.sys ==> MD5 is legit
C:\Windows\System32\drivers\pci.sys ==> MD5 is legit
C:\Windows\system32\drivers\pciide.sys ==> MD5 is legit
C:\Windows\system32\drivers\pcmcia.sys ==> MD5 is legit
C:\Windows\System32\drivers\pcw.sys ==> MD5 is legit
C:\Windows\System32\drivers\peauth.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspptp.sys ==> MD5 is legit
C:\Windows\system32\drivers\processr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\pacer.sys ==> MD5 is legit
C:\Windows\system32\drivers\ql2300.sys ==> MD5 is legit
C:\Windows\system32\drivers\ql40xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\qwavedrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasacd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\AgileVpn.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasl2tp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspppoe.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rassstp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdbss.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdpbus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\RDPCDD.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpdr.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpencdd.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdprefmp.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpvideominiport.sys ==> MD5 is legit
C:\Windows\System32\Drivers\RDPWD.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdyboost.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\RtsPStor.sys 9CF5974AE24CBA872AF8DAC9890ED5F2
C:\Windows\System32\DRIVERS\rspndr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\Rt86win7.sys 9960143FF7DFE7C3A4A100EF05E5545E
C:\Windows\system32\drivers\vms3cap.sys ==> MD5 is legit
C:\Windows\system32\drivers\sbp2port.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\scfilter.sys ==> MD5 is legit
C:\Windows\System32\Drivers\secdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\serenum.sys ==> MD5 is legit
C:\Windows\system32\drivers\serial.sys ==> MD5 is legit
C:\Windows\system32\drivers\sermouse.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffdisk.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_mmc.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_sd.sys ==> MD5 is legit
C:\Windows\system32\drivers\sfloppy.sys ==> MD5 is legit
C:\Windows\system32\drivers\sisagp.sys ==> MD5 is legit
C:\Windows\system32\drivers\SiSRaid2.sys ==> MD5 is legit
C:\Windows\system32\drivers\sisraid4.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\smb.sys ==> MD5 is legit
C:\Windows\System32\Drivers\spldr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\srv.sys 112127C3B2E64D7680CC39CD0A39DD7E
C:\Windows\System32\DRIVERS\srv2.sys E5DD784A4EE5EBC72A86C677C988FCDB
C:\Windows\System32\DRIVERS\srvnet.sys CDBE627E16CC9E98F343D73F8E81D258
C:\Windows\system32\drivers\stexstor.sys ==> MD5 is legit
C:\Windows\System32\drivers\vmstorfl.sys ==> MD5 is legit
C:\Windows\system32\drivers\storvsc.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\swenum.sys ==> MD5 is legit
C:\Windows\System32\drivers\synth3dvsc.sys F2AD8960812FD111E20E84659EF19D43
C:\Windows\System32\drivers\tcpip.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\tcpip.sys ==> MD5 is legit
C:\Windows\System32\drivers\tcpipreg.sys ==> MD5 is legit
C:\Windows\System32\drivers\tdpipe.sys ==> MD5 is legit
C:\Windows\System32\drivers\tdtcp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\tdx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\termdd.sys ==> MD5 is legit
C:\Windows\system32\drivers\terminpt.sys 052306FD76793D5D5AB5D9891FD1ADBB
C:\Windows\System32\DRIVERS\tssecsrv.sys ==> MD5 is legit
C:\Windows\System32\tssk.sys C2FA19BAAB0C5C8A79574BE75F60C3EC
C:\Windows\System32\drivers\tsusbflt.sys ==> MD5 is legit
C:\Windows\system32\drivers\TsUsbGD.sys 01246F0BAAD7B68EC0F472AA41E33282
C:\Windows\System32\drivers\tsusbhub.sys 045ACB987C650D8186C6B4A692223860
C:\Windows\System32\DRIVERS\tunnel.sys ==> MD5 is legit
C:\Windows\system32\drivers\uagp35.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\udfs.sys ==> MD5 is legit
C:\Windows\system32\drivers\uliagpkx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\umbus.sys ==> MD5 is legit
C:\Windows\system32\drivers\umpass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbccgp.sys ==> MD5 is legit
C:\Windows\system32\drivers\usbcir.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbehci.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbhub.sys ==> MD5 is legit
C:\Windows\system32\drivers\usbohci.sys ==> MD5 is legit
C:\Windows\system32\drivers\usbprint.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\USBSTOR.SYS ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbuhci.sys ==> MD5 is legit
C:\Windows\System32\Drivers\usbvideo.sys 45F4E7BF43DB40A6C6B4D92C76CBC3F2
C:\Windows\System32\drivers\vdrvroot.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vgapnp.sys ==> MD5 is legit
C:\Windows\System32\drivers\vga.sys ==> MD5 is legit
C:\Windows\system32\drivers\vhdmp.sys ==> MD5 is legit
C:\Windows\system32\drivers\viaagp.sys ==> MD5 is legit
C:\Windows\system32\drivers\viac7.sys ==> MD5 is legit
C:\Windows\system32\drivers\viaide.sys ==> MD5 is legit
C:\Windows\system32\drivers\vmbus.sys ==> MD5 is legit
C:\Windows\system32\drivers\VMBusHID.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgrx.sys ==> MD5 is legit
C:\Windows\System32\drivers\volsnap.sys ==> MD5 is legit
C:\Windows\system32\drivers\vsmraid.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vwifibus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vwififlt.sys 7090D3436EEB4E7DA3373090A23448F7
C:\Windows\system32\drivers\wacompen.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\System32\drivers\wd.sys ==> MD5 is legit
C:\Windows\System32\drivers\Wdf01000.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wfplwf.sys ==> MD5 is legit
C:\Windows\System32\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\WinUsb.sys A67E5F9A400F3BD1BE3D80613B45F708
C:\Windows\System32\DRIVERS\wmiacpi.sys ==> MD5 is legit
C:\Windows\system32\drivers\ws2ifsl.sys ==> MD5 is legit
C:\Windows\System32\drivers\WudfPf.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\WUDFRd.sys ==> MD5 is legit
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-28 21:07 - 2015-12-28 21:07 - 00000000 ____D C:\FRST
2015-12-27 19:34 - 2015-12-27 19:36 - 00188170 _____ C:\Windows\ntbtlog.txt
2015-12-27 19:19 - 2015-12-27 19:21 - 00442022 _____ C:\native log.txt
2015-12-27 19:14 - 2015-12-27 19:21 - 00659289 _____ C:\spyhunter.fix
2015-12-27 19:14 - 2015-12-27 19:14 - 00000000 ___HD C:\HSzfdgk3M8wuNnvb
2015-12-26 00:43 - 2015-12-26 00:47 - 13049969 _____ C:\Users\ACERD270\Downloads\New folder (8).rar.part
2015-12-23 19:03 - 2015-12-23 19:03 - 00000000 ____D C:\Users\ACERD270\AppData\Local\Oberon Media
2015-12-23 19:03 - 2015-12-23 19:03 - 00000000 ____D C:\ProgramData\Oberon Media
2015-12-22 15:53 - 2015-12-22 15:53 - 236929137 _____ C:\Windows\MEMORY.DMP
2015-12-22 15:53 - 2015-12-22 15:53 - 00168048 _____ C:\Windows\Minidump\122315-21559-01.dmp
2015-12-22 15:53 - 2015-12-22 15:53 - 00000000 ____D C:\Windows\Minidump
2015-12-13 00:26 - 2015-12-13 03:31 - 00000000 ____D C:\Users\ACERD270\Desktop\games
2015-12-12 23:54 - 2015-12-13 00:00 - 00000000 ____D C:\Program Files\GameHouse
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-27 19:34 - 2009-07-13 18:37 - 00000000 ____D C:\Windows
2015-12-27 19:21 - 2015-08-05 20:21 - 00000000 ____D C:\users\ACERD270
2015-12-27 19:19 - 2015-08-09 22:38 - 00000000 ____D C:\Program Files\baidu
2015-12-27 19:19 - 2009-07-13 20:34 - 00020640 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-27 19:19 - 2009-07-13 20:34 - 00020640 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-27 19:18 - 2015-08-05 20:48 - 00000000 ____D C:\Users\ACERD270\AppData\Roaming\DMCache
2015-12-27 18:31 - 2015-08-14 20:56 - 00000109 _____ C:\Windows\Ulead32.ini
2015-12-27 18:29 - 2015-08-09 22:52 - 00000000 ____D C:\Users\ACERD270\AppData\Roaming\IQIYI Video
2015-12-27 18:18 - 2010-11-20 13:01 - 00713888 _____ C:\Windows\System32\PerfStringBackup.INI
2015-12-27 18:18 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\inf
2015-12-22 15:51 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\LiveKernelReports
2015-12-13 00:27 - 2015-08-05 20:54 - 00000000 ____D C:\Program Files\SMADAV
2015-12-13 00:22 - 2015-08-05 20:54 - 00000000 __SHD C:\[Smad-Cage]
2015-12-12 23:55 - 2009-07-13 18:04 - 00000528 _____ C:\Windows\win.ini
2015-12-09 03:13 - 2015-08-14 20:46 - 00000000 ____D C:\Program Files\KAIJIN dictionary
 
==================== Known DLLs (Whitelisted) =========================
 
C:\Windows\System32\user32.dll IS MISSING <==== ATTENTION
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll
[2010-11-20 13:29] - [2015-08-09 23:06] - 0270336 ____A (Microsoft Corporation) 5622508CF3050581F9BF8D86014E16BC
 
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE Association (Whitelisted) =============
 
 
==================== Restore Points  =========================
 
Restore point date: 2015-10-08 15:10
Restore point date: 2015-10-27 01:15
Restore point date: 2015-11-11 07:01
Restore point date: 2015-12-04 20:34
Restore point date: 2015-12-22 15:41
 
==================== Memory info =========================== 
 
Percentage of memory in use: 20%
Total physical RAM: 2036.3 MB
Available physical RAM: 1624.05 MB
Total Virtual: 2036.3 MB
Available Virtual: 1629.24 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:63.62 GB) (Free:43.99 GB) NTFS
Drive e: () (Fixed) (Total:117.19 GB) (Free:106.41 GB) NTFS
Drive f: () (Fixed) (Total:117.19 GB) (Free:79.44 GB) NTFS
Drive g: () (Removable) (Total:3.9 GB) (Free:3.9 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: C518BD7A)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=63.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=117.2 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=117.2 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 3.9 GB) (Disk ID: 2C6B7369)
No partition Table on disk 1.
 
 
LastRegBack: 2015-12-27 19:14
 
==================== End of FRST.txt ============================

Edited by hamluis, 28 December 2015 - 02:19 PM.


#3 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 28 December 2015 - 02:21 PM

Hi mitsu3rd,
 
Running a fix Using Farbar's Recovery Scan Tool in the Recovery Environment:

  • From your clean computer, press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter.
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
HKLM\...\Run: [mbot_id_014010056] => [X]
S2 comyninu; C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98\hnsl3890.tmp [X]
C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98
S2 gopibeko; C:\Users\ACERD270\AppData\Local\FA64C5B7-1439214839-9247-AA57-089E0165DC98\snsg673E.tmp [X]
C:\Users\ACERD270\AppData\Local\FA64C5B7-1439214839-9247-AA57-089E0165DC98
S2 hyverumu; C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98\jnsa16CB.tmp [X]
C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98
S2 IhPul; C:\Users\ACERD270\AppData\Roaming\TSv\TSvr.exe [X]
S2 jycywihy; C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98\knsaE9FB.tmpfs [X]
C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98
S2 KMService; C:\Windows\system32\srvany.exe [X]
Replace: X:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll C:\Windows\System32\User32.dll
  • Insert the USB device into your infected computer
  • Follow the process below to enter the System Recovery Options using one of the three options listed, then running Farbar's Recovery Scan Tool.

On a clean machine, please download Farbar Recovery Scan Tool and save it to the USB (feel free to use the frst download from my last instructions, if you still have it on the USB).
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

 
To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

==========
 
On the System Recovery Options menu you will get the following options:
 
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

 
Select Command Prompt
 
==========
 
Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • It will make a log (Fixlog.txt) on the flash drive. Please copy and paste it to your reply.

Reboot and see if you can log into windows normally.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~
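As an added example (not part of the original thread and not Farbar's tool), here is a Python triage script that reads FRST-style log lines of the shapes seen in this thread, flags the entries a fixlist would normally target (services and Run entries marked [X], a known DLL reported IS MISSING, a proxy pointing at the loopback address, a Winsock provider with no publisher) and prints candidate fixlist lines for a human to review. The sample log, the category names and the <KNOWN-GOOD-COPY> placeholder are constructed here; the source of a Replace: line still has to be chosen by hand, as in the fix above.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) logs.

Added example, not part of the original thread or of Farbar's tool. It reads
FRST-style log lines, flags the kinds of entries a malware-response helper
would put in a fixlist, and prints candidate fixlist lines for human review.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the FRST.txt and fixlist lines in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [GfxServiceInstall] => C:\Windows\system32\GfxCUIServiceInstall.vbs [131 2013-11-04] ()
HKLM\...\Run: [mbot_id_014010056] => [X]
C:\Windows\System32\user32.dll IS MISSING <==== ATTENTION
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)
S2 comyninu; C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98\hnsl3890.tmp [X]
S2 IhPul; C:\Users\ACERD270\AppData\Roaming\TSv\TSvr.exe [X]
S2 KMService; C:\Windows\system32\srvany.exe [X]
ProxyServer: [.DEFAULT] => http=127.0.0.1:56925;https=127.0.0.1:56925;
Winsock: Catalog9 01 C:\Windows\system32\Peakoar.dll [283488 2015-08-02] ()
"""

# Line shapes as they appear in FRST.txt ("[X]" means the referenced file is absent).
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+); (?P<path>.+?) \[X\]$")
RUN_RE = re.compile(r"^(?P<key>HK(?:LM|U)[^:]*\\Run): \[(?P<name>[^\]]+)\] => \[X\]$")
MISSING_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) IS MISSING <==== ATTENTION$")
PROXY_RE = re.compile(r"^ProxyServer: \[(?P<hive>[^\]]+)\] => (?P<value>.*)$")
WINSOCK_RE = re.compile(r"^Winsock: Catalog\d+ \d+ (?P<path>.+?) \[\d+ [\d-]+\] \((?P<company>[^)]*)\)$")
# Folder names that are just long runs of hex and dashes, like the ones in this thread.
HEX_FOLDER_RE = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]+){2,}$")


@dataclass
class Finding:
    category: str
    detail: str
    line: str
    fixlist: Optional[str] = None  # candidate fixlist line(s); for human review only


def dropped_folder(path: str) -> Optional[str]:
    """Return the parent folder if its name looks auto-generated (hex runs), else None."""
    parts = path.split("\\")
    for i, part in enumerate(parts[:-1]):
        if HEX_FOLDER_RE.match(part):
            return "\\".join(parts[: i + 1])
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan FRST log text and return one Finding per suspicious line, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if m := SERVICE_RE.match(line):
            path = m["path"]
            folder = dropped_folder(path)
            # FRST convention used in this thread: the service line removes the service,
            # a bare folder line on the next row moves the dropped folder.
            fix = line if folder is None else f"{line}\n{folder}"
            why = "service binary is missing"
            if path.lower().endswith((".tmp", ".tmpfs")):
                why += "; binary has a temp-file extension"
            if "\\appdata\\" in path.lower():
                why += "; binary lives under a user profile"
            findings.append(Finding("orphan-service", f"{m['name']}: {why}", line, fix))
        elif m := RUN_RE.match(line):
            findings.append(Finding("orphan-run-entry", f"{m['name']} points at a missing file", line, line))
        elif m := MISSING_RE.match(line):
            # Placeholder source: a trusted copy (e.g. from WinSxS) must be picked by hand.
            fix = f"Replace: <KNOWN-GOOD-COPY> {m['path']}"
            findings.append(Finding("missing-known-dll", f"{m['path']} is absent; needs a Replace: line", line, fix))
        elif m := PROXY_RE.match(line):
            if "127.0.0.1" in m["value"] or "localhost" in m["value"].lower():
                findings.append(Finding("loopback-proxy", f"{m['hive']} traffic routed through {m['value']}", line))
        elif m := WINSOCK_RE.match(line):
            if not m["company"].strip():
                findings.append(Finding("unsigned-lsp", f"Winsock provider {m['path']} has no publisher", line))
    return findings


def candidate_fixlist(findings: List[Finding]) -> List[str]:
    """Collect the candidate fixlist lines from findings that carry one."""
    lines: List[str] = []
    for f in findings:
        if f.fixlist:
            lines.extend(f.fixlist.split("\n"))
    return lines


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.category}] {f.detail}")
    print("\n--- candidate fixlist (review before use) ---")
    print("\n".join(candidate_fixlist(found)))
```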


#4 mitsu3rd

mitsu3rd
  • Topic Starter

  • Members
  • 7 posts

Posted 29 December 2015 - 08:22 AM

Whoaaa it worked! But I encountered something strange.

At first it showed some alert window after booting, and then suddenly it showed a progress bar and then closed by itself.

It was so fast I couldn't read anything, then the laptop restarted by itself.

Well, after that it booted normally without showing any suspicious thing.

Is it normal?

Btw, thank you very much, and here is the log:

 

 

Fix result of Farbar Recovery Scan Tool (x86) Version:27-12-2015
Ran by SYSTEM (2015-12-29 20:13:42) Run:1
Running from g:\
Boot Mode: Recovery
 
==============================================
 
fixlist content:
*****************
HKLM\...\Run: [mbot_id_014010056] => [X]
S2 comyninu; C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98\hnsl3890.tmp [X]
C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98
S2 gopibeko; C:\Users\ACERD270\AppData\Local\FA64C5B7-1439214839-9247-AA57-089E0165DC98\snsg673E.tmp [X]
C:\Users\ACERD270\AppData\Local\FA64C5B7-1439214839-9247-AA57-089E0165DC98
S2 hyverumu; C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98\jnsa16CB.tmp [X]
C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98
S2 IhPul; C:\Users\ACERD270\AppData\Roaming\TSv\TSvr.exe [X]
S2 jycywihy; C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98\knsaE9FB.tmpfs [X]
C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98
S2 KMService; C:\Windows\system32\srvany.exe [X]
Replace: X:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll C:\Windows\System32\User32.dll
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\mbot_id_014010056 => value removed successfully.
comyninu => service removed successfully.
C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98 => moved successfully
gopibeko => service removed successfully.
"C:\Users\ACERD270\AppData\Local\FA64C5B7-1439214839-9247-AA57-089E0165DC98" => not found.
hyverumu => service removed successfully.
"C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98" => not found.
IhPul => service removed successfully.
jycywihy => service removed successfully.
"C:\Program Files\FA64C5B7-1439189536-9247-AA57-089E0165DC98" => not found.
KMService => service removed successfully.
"C:\Windows\System32\User32.dll" => not found
X:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll copied successfully to C:\Windows\System32\User32.dll
 
==== End of Fixlog 20:13:43 ====


#5 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 29 December 2015 - 08:59 AM

Hi mitsu3rd,
 
That definitely sounds odd; it could be down to the fact we replaced a Windows file and removed some other things.
 
Let's get a log to see how the computer is doing now:
Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.

 

xXToffeeXx~




#6 mitsu3rd

mitsu3rd
  • Topic Starter

  • Members
  • 7 posts

Posted 29 December 2015 - 09:18 AM

Here is the result:
 
[FRST.text]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:27-12-2015
Ran by ACERD270 (administrator) on ACERD270-PC (29-12-2015 21:12:02)
Running from F:\
Loaded Profiles: ACERD270 (Available Profiles: ACERD270)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Protexis Inc.) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Smadsoft) C:\Program Files\SMADAV\SMΔRTP.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [GfxServiceInstall] => C:\Windows\system32\GfxCUIServiceInstall.vbs [0 2015-12-29] ()
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
HKU\S-1-5-21-3416037556-3212162192-2537629955-1000\...\Run: [OfficeSyncProcess] => C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [718208 2010-03-16] (Microsoft Corporation)
HKU\S-1-5-21-3416037556-3212162192-2537629955-1000\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [0 2015-12-29] ()
ShellIconOverlayIdentifiers: [IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files\Tonec\IDMShellExt.dll [2011-05-30] (Tonec Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:56925;https=127.0.0.1:56925;
AutoConfigURL: [.DEFAULT] => http=127.0.0.1:56925;https=127.0.0.1:56925;
Winsock: Catalog9 01 C:\Windows\system32\Peakoar.dll [283488 2015-08-02] ()
Winsock: Catalog9 02 C:\Windows\system32\Peakoar.dll [283488 2015-08-02] ()
Winsock: Catalog9 03 C:\Windows\system32\Peakoar.dll [283488 2015-08-02] ()
Winsock: Catalog9 04 C:\Windows\system32\Peakoar.dll [283488 2015-08-02] ()
Winsock: Catalog9 15 C:\Windows\system32\Peakoar.dll [283488 2015-08-02] ()
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com
HKU\S-1-5-21-3416037556-3212162192-2537629955-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://home.allgameshome.com/
HKU\S-1-5-21-3416037556-3212162192-2537629955-1000\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://home.allgameshome.com/
SearchScopes: HKU\S-1-5-21-3416037556-3212162192-2537629955-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3416037556-3212162192-2537629955-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll [2015-08-20] (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll [2015-08-20] (Oracle Corporation)
Toolbar: HKLM - AllGamesHome Toolbar - {5FC86FB3-A8B1-400B-8BE7-0EAF0D857F5D} - C:\Program Files\AllGamesHome Toolbar\tbcore3.dll No File
Toolbar: HKU\S-1-5-21-3416037556-3212162192-2537629955-1000 -> AllGamesHome Toolbar - {5FC86FB3-A8B1-400B-8BE7-0EAF0D857F5D} - C:\Program Files\AllGamesHome Toolbar\tbcore3.dll No File
 
FireFox:
========
FF ProfilePath: C:\Users\ACERD270\AppData\Roaming\Mozilla\Firefox\Profiles\qtr70x4d.default
FF Plugin: @iqiyi.com/npWebPlayer -> C:\IQIYI Video\LStyle\npWebPlayer.dll [No File]
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll [2015-08-20] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll [2015-08-20] (Oracle Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin: @qq.com/npAndroidAssistant -> C:\Program Files\Common Files\Tencent\QQPhoneManager\2.0.201.3198\npQQPhoneManagerExt.dll [No File]
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-09-27] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3416037556-3212162192-2537629955-1000: @iqiyi.com/npWebPlayer -> C:\IQIYI Video\LStyle\npWebPlayer.dll [No File]
FF Plugin HKU\S-1-5-21-3416037556-3212162192-2537629955-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\ACERD270\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2014-12-05] (Unity Technologies ApS)
FF SearchPlugin: C:\Users\ACERD270\AppData\Roaming\Mozilla\Firefox\Profiles\qtr70x4d.default\searchplugins\allgameshome-search.xml [2011-11-10]
FF SearchPlugin: C:\Users\ACERD270\AppData\Roaming\Mozilla\Firefox\Profiles\qtr70x4d.default\searchplugins\oursurfing.xml [2015-08-16]
FF Extension: AllGamesHome Toolbar - C:\Users\ACERD270\AppData\Roaming\Mozilla\Firefox\Profiles\qtr70x4d.default\extensions\{C178BB02-BFCF-4E69-AB7C-DED3BD0291BD} [2015-08-15] [not signed]
FF Extension: No Name - C:\Users\ACERD270\AppData\Roaming\Mozilla\Firefox\Profiles\qtr70x4d.default\extensions\veggy@veggyAddon.com [not found]
FF Extension: No Name - C:\Users\ACERD270\AppData\Roaming\Mozilla\Firefox\Profiles\qtr70x4d.default\extensions\default_newtabff@gmail.com [2015-12-28] [not signed]
FF Extension: No Name - C:\Users\ACERD270\AppData\Roaming\Mozilla\Firefox\Profiles\qtr70x4d.default\extensions\yahooprotected@gmail.com.xpi [not found]
FF Extension: Magnify It - C:\Users\ACERD270\AppData\Roaming\Mozilla\Firefox\Profiles\qtr70x4d.default\extensions\{fbe097fa-b079-08fc-ec93-09c009ea9c98} [2015-12-26] [not signed]
FF HKLM\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Users\ACERD270\AppData\Roaming\Mozilla\Firefox\Profiles\qtr70x4d.default\extensions\default_newtabff@gmail.com
FF HKU\S-1-5-21-3416037556-3212162192-2537629955-1000\...\Firefox\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\ACERD270\AppData\Roaming\IDM\idmmzcc5
FF Extension: IDM CC - C:\Users\ACERD270\AppData\Roaming\IDM\idmmzcc5 [2015-10-16] [not signed]
FF HKU\S-1-5-21-3416037556-3212162192-2537629955-1000\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\ACERD270\AppData\Roaming\IDM\idmmzcc5
 
Chrome: 
=======
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files\Internet Download Manager\IDMGCExt.crx <not found>
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)
S2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 athr; C:\Windows\System32\DRIVERS\athr.sys [3236864 2013-09-24] (Qualcomm Atheros Communications, Inc.)
R3 RSPCIESTOR; C:\Windows\System32\DRIVERS\RtsPStor.sys [270552 2014-01-07] (Realtek Semiconductor Corp.)
S3 TSSK; C:\Windows\System32\tssk.sys [67896 2015-08-18] (电脑管家)
S1 QMUdisk; \??\C:\Program Files\Tencent\QQPCMgr\10.10.16443.223\QMUdisk.sys [X]
S3 TS888; \??\C:\Program Files\Tencent\QQPCMgr\10.10.16443.223\TS888.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-30 11:13 - 2010-11-20 19:21 - 00811520 _____ (Microsoft Corporation) C:\Windows\system32\User32.dll
2015-12-29 13:49 - 2015-12-29 13:49 - 00000000 _____ C:\Program1
2015-12-29 12:07 - 2015-12-29 21:12 - 00000000 ____D C:\FRST
2015-12-28 10:34 - 2015-12-28 10:36 - 00188170 _____ C:\Windows\ntbtlog.txt
2015-12-28 10:19 - 2015-12-28 10:21 - 00442022 _____ C:\native log.txt
2015-12-28 10:14 - 2015-12-28 10:21 - 00659289 _____ C:\spyhunter.fix
2015-12-28 10:14 - 2015-12-28 10:14 - 00000000 ___HD C:\HSzfdgk3M8wuNnvb
2015-12-26 15:43 - 2015-12-26 15:47 - 13049969 _____ C:\Users\ACERD270\Downloads\New folder (8).rar.part
2015-12-24 10:03 - 2015-12-24 10:03 - 00000000 ____D C:\Users\ACERD270\AppData\Local\Oberon Media
2015-12-24 10:03 - 2015-12-24 10:03 - 00000000 ____D C:\ProgramData\Oberon Media
2015-12-23 06:53 - 2015-12-23 06:53 - 236929137 _____ C:\Windows\MEMORY.DMP
2015-12-23 06:53 - 2015-12-23 06:53 - 00168048 _____ C:\Windows\Minidump\122315-21559-01.dmp
2015-12-23 06:53 - 2015-12-23 06:53 - 00000000 ____D C:\Windows\Minidump
2015-12-13 15:26 - 2015-12-13 18:31 - 00000000 ____D C:\Users\ACERD270\Desktop\games
2015-12-13 14:54 - 2015-12-13 15:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GameHouse
2015-12-13 14:54 - 2015-12-13 15:00 - 00000000 ____D C:\Program Files\GameHouse
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-29 20:30 - 2010-11-21 04:01 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-29 20:30 - 2009-07-14 09:37 - 00000000 ____D C:\Windows\inf
2015-12-29 20:26 - 2015-08-10 13:52 - 00000000 ____D C:\Users\ACERD270\AppData\Roaming\IQIYI Video
2015-12-29 20:23 - 2009-07-14 11:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-29 20:22 - 2009-07-14 11:34 - 00020640 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-29 20:22 - 2009-07-14 11:34 - 00020640 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-29 13:49 - 2015-08-06 11:32 - 00000000 _____ C:\Windows\system32\GfxCUIServiceInstall.vbs
2015-12-29 13:49 - 2009-07-14 06:41 - 00000000 _____ C:\Windows\system32\StikyNot.exe
2015-12-29 13:49 - 2009-07-14 06:16 - 00000000 _____ C:\Windows\system32\powercfg.exe
2015-12-28 10:34 - 2009-07-14 09:37 - 00000000 ____D C:\Windows
2015-12-28 10:21 - 2015-08-06 11:21 - 00000000 ____D C:\Users\ACERD270
2015-12-28 10:20 - 2015-08-10 13:38 - 00000000 ____D C:\Program Files\baidu
2015-12-28 10:18 - 2015-08-06 11:48 - 00000000 ____D C:\Users\ACERD270\AppData\Roaming\DMCache
2015-12-28 09:31 - 2015-08-15 11:56 - 00000109 _____ C:\Windows\Ulead32.ini
2015-12-23 06:51 - 2009-07-14 09:37 - 00000000 ____D C:\Windows\LiveKernelReports
2015-12-23 06:45 - 2009-07-14 11:53 - 00032630 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-12-13 15:27 - 2015-08-06 11:54 - 00000000 ____D C:\Program Files\SMADAV
2015-12-13 15:22 - 2015-08-06 11:54 - 00000000 __SHD C:\[Smad-Cage]
2015-12-13 14:55 - 2009-07-14 09:04 - 00000528 _____ C:\Windows\win.ini
2015-12-09 18:13 - 2015-08-15 11:46 - 00000000 ____D C:\Program Files\KAIJIN dictionary
2015-12-09 07:49 - 2015-08-27 15:13 - 00002033 _____ C:\Users\ACERD270\AppData\Roaming\Microsoft\Windows\Start Menu\AllGamesHome Games.lnk
 
==================== Files in the root of some directories =======
 
2015-08-06 15:24 - 2015-08-06 15:24 - 0000017 _____ () C:\Users\ACERD270\AppData\Local\resmon.resmoncfg
2015-08-06 11:32 - 2015-08-06 11:32 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
Some zero byte size files/folders:
==========================
C:\Windows\System32\powercfg.exe
C:\Windows\System32\StikyNot.exe
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll
[2010-11-21 04:29] - [2015-08-10 14:06] - 0270336 ____A (Microsoft Corporation) 5622508CF3050581F9BF8D86014E16BC
 
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-12-28 10:14
 
==================== End of FRST.txt ============================
 
 
 
 
[Addition.txt]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version:27-12-2015
Ran by ACERD270 (2015-12-29 21:13:21)
Running from F:\
Microsoft Windows 7 Ultimate  Service Pack 1 (X86) (2015-08-06 04:19:48)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
ACERD270 (S-1-5-21-3416037556-3212162192-2537629955-1000 - Administrator - Enabled) => C:\Users\ACERD270
Administrator (S-1-5-21-3416037556-3212162192-2537629955-500 - Administrator - Disabled)
Guest (S-1-5-21-3416037556-3212162192-2537629955-501 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Reader XI (11.0.13) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.13 - Adobe Systems Incorporated)
Alex Gordon (HKLM\...\Alex Gordon_is1) (Version: 1.0 - My World My Apps Ltd.)
AllGamesHome Toolbar (HKLM\...\AllGamesHome Toolbar) (Version: 1.0.26 - MyPlayCity, Inc.)
Angry Daddy (HKLM\...\Angry Daddy_is1) (Version: 1.0 - My World My Apps Ltd.)
Big Fish: Game Manager (HKLM\...\BFGC) (Version: 3.3.0.2 - )
Cake Shop 2 (HKLM\...\Cake Shop 2_is1) (Version: 1.0 - My World My Apps Ltd.)
Chicken Invaders 2 - The Next Wave Remastered (HKLM\...\Chicken Invaders 2 - The Next Wave Remastered_is1) (Version: 1.0 - My World My Apps Ltd.)
Corel Graphics - Windows Shell Extension (HKLM\...\_{72DB27D3-FE05-4227-AF5A-11CD101ECF09}) (Version: 15.1.0.588 - Corel Corporation)
Corel Graphics - Windows Shell Extension (Version: 15.1.588 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - Capture (Version: 15.1 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - Common (Version: 15.1 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - Connect (Version: 15.1 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - Custom Data (Version: 15.1 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - Draw (Version: 15.1 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - EN (Version: 15.1 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - Filters (Version: 15.1 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - FontNav (Version: 15.1 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - IPM (Version: 15.1 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - PHOTO-PAINT (Version: 15.1 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - Photozoom Plugin (Version: 15.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - Redist (Version: 15.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - Setup Files (Version: 15.1 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - VBA (Version: 15.1 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - VideoBrowser (Version: 15.1 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - VSTA (Version: 15.1 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - WT (Version: 15.1 -  Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 (Version: 15.1 - Corel Corporation) Hidden
CorelDRAW® Graphics Suite X5 (HKLM\...\_{CE54DCE1-E00A-4D91-ACB9-A2D916C24051}) (Version: 15.1.0.588 - Corel Corporation)
Detective Riddles - Sherlocks Heritage 2 (HKLM\...\Detective Riddles - Sherlocks Heritage 2_is1) (Version: 1.0 - My World My Apps Ltd.)
Fishdom 3 (HKLM\...\Fishdom 3_is1) (Version: 1.0 - My World My Apps Ltd.)
GOM Player (HKLM\...\GOM Player) (Version: 2.2.57.5189 - Gretech Corporation)
Internet Download Manager version 7.1 (HKLM\...\{15249A89-18CC-47CC-8D4A-C08B4DA17698}_is1) (Version: 7.1 - Tonec, Inc.)
Java 8 Update 25 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
KAIJIN dictionary (HKLM\...\KAIJIN dictionary) (Version:  - )
K-Lite Codec Pack 10.4.5 Full (HKLM\...\KLiteCodecPack_is1) (Version: 10.4.5 - )
Magic Griddlers 2 (HKLM\...\Magic Griddlers 2_is1) (Version: 1.0 - My World My Apps Ltd.)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Visual Studio Tools for Applications 2.0 - ENU (HKLM\...\{AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual Studio Tools for Applications 2.0 Runtime (HKLM\...\{299C0434-4F4E-341F-A916-4E07AEB35E79}) (Version: 9.0.30729 - Microsoft Corporation)
ModooMarble (Remove only) (HKLM\...\{7B2562F1-02DC-415F-8960-446E64BE9BBE}_is1) (Version: 1.0 - PT.CJ Internet Indonesia)
Mozilla Firefox 40.0 (x86 en-US) (HKLM\...\Mozilla Firefox 40.0 (x86 en-US)) (Version: 40.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 40.0.0.5694 - Mozilla)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7161 - Realtek Semiconductor Corp.)
Season Match (HKLM\...\Season Match_is1) (Version: 1.0 - My World My Apps Ltd.)
SMADAV version 10.1.1 (HKLM\...\{8B9FA5FF-3E61-4658-B0DA-E6DDB46D6BAD}_is1) (Version: 10.1.1 - SmadSoft)
SmartSound Quicktracks Plugin (HKLM\...\InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}) (Version: 3.0.2.7 - SmartSound Software Inc)
SmartSound Quicktracks Plugin (Version: 3.0.2.7 - SmartSound Software Inc) Hidden
Stormfall (HKLM\...\Stormfall_is1) (Version: 1.0 - My World My Apps Ltd.) <==== ATTENTION
Ulead VideoStudio 10 (HKLM\...\{E188D820-1218-4E28-8BCA-91134C3664C2}) (Version: 10.0 - Ulead Systems)
Unity Web Player (HKU\S-1-5-21-3416037556-3212162192-2537629955-1000\...\UnityWebPlayer) (Version: 4.6.1f1 - Unity Technologies ApS)
Winamp (HKLM\...\Winamp) (Version: 5.666  - Nullsoft, Inc)
爱奇艺万能播放器 (HKLM\...\GeePlayer) (Version: 1.5.14.1506 - 爱奇艺) <==== ATTENTION
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-3416037556-3212162192-2537629955-1000_Classes\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32 -> C:\Users\ACERD270\AppData\LocalLow\Unity\WebPlayer\loader\UnityWebPluginAX.ocx (Unity Technologies ApS)
CustomCLSID: HKU\S-1-5-21-3416037556-3212162192-2537629955-1000_Classes\CLSID\{61CED8F3-2CB2-4C3C-9484-7530E1127A58}\InprocServer32 -> C:\IQIYI Video\LStyle\npWebPlayer.dll => No File <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-3416037556-3212162192-2537629955-1000_Classes\CLSID\{D96C1D26-5CDF-4506-9244-57233C3984DF}\InprocServer32 -> C:\IQIYI Video\LStyle\npWebPlayer.dll => No File <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-3416037556-3212162192-2537629955-1000_Classes\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF-NOT}\InprocServer32 -> C:\IQIYI Video\LStyle\npWebPlayer.dll => No File <==== ATTENTION
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {624F246B-74CF-44E4-B4AA-AC2D63669CC2} - System32\Tasks\F5FF1F80-4AB9-4D66-9EC-3C7E042863B => C:\Users\ACERD270\AppData\Local\F5FF1F80-4AB9-4D66-9EC-3C7E042863B\F5FF1F80-4AB9-4D66-9EC-3C7E042863B.exe <==== ATTENTION
Task: {6B7AC694-8D6D-481B-9DD8-2A3A741ADA6D} - System32\Tasks\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem => C:\Windows\System32\powercfg.exe [2015-12-29] ()
Task: {7473844A-67FF-4087-86A0-0F8C053A7502} - System32\Tasks\SpyHunter4Startup => D:\SpyHunter4.21.10.4585.p.kuyhAa\SpyHunter4.exe [2015-12-21] (Enigma Software Group USA, LLC.)
Task: {76FFDB64-4D3A-4F9D-B033-38BECA18F3E4} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-10-28] (Adobe Systems Incorporated)
Task: {9426C1DA-2D09-4359-9468-88B440D38A83} - \AmiUpdXp -> No File <==== ATTENTION
Task: {9A319F11-50EF-4EFF-85B8-5D27FFB9AC15} - \LaunchPreSignup -> No File <==== ATTENTION
Task: {B1A82749-3878-4D55-BD66-87358919E729} - System32\Tasks\Games\UpdateCheck_S-1-5-21-3416037556-3212162192-2537629955-1000
Task: {B9913C48-91E5-47B7-8CFC-D1DD3D3C8243} - System32\Tasks\smadav => C:\Program Files\Smadav\SMΔRTP.exe [2015-05-03] (Smadsoft)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
ShortcutWithArgument: C:\Users\ACERD270\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.delta-homes.com/?type=sc&ts=1445942381&z=<!DOCTYPE HTML>
<html>
<head>
<noscript>
<meta http-equiv="refresh"content="0;URL=hxxp://ads.indosat.com/ads-request?t=3&j=0&i=168311352&a=hxxp://www.delta-homes.com/logic/z.php"/>
</noscript>
<link hre
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.delta-homes.com/?type=sc&ts=1445942381&z=<!DOCTYPE HTML>
<html>
<head>
<noscript>
<meta http-equiv="refresh"content="0;URL=hxxp://ads.indosat.com/ads-request?t=3&j=0&i=168311352&a=hxxp://www.delta-homes.com/logic/z.php"/>
</noscript>
<link hre
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-08-10 14:10 - 2015-08-02 21:50 - 00283488 _____ () C:\Windows\system32\Peakoar.dll
2010-01-30 02:41 - 2010-01-30 02:41 - 04254560 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-03-24 21:17 - 2010-03-24 21:17 - 08794464 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\ProgramData\TEMP:2CB9631F
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\QQPCRTP => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\QQPCRTP => ""="service"
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 09:04 - 2015-08-06 12:16 - 00000921 ____A C:\Windows\system32\Drivers\etc\hosts
 
127.0.0.1 genuine.microsoft.com
127.0.0.1 mpa.one.microsoft.com
127.0.0.1 sls.microsoft.com
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3416037556-3212162192-2537629955-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\ACERD270\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{C5F6BF5E-A521-45A6-BC9B-36D145120CE2}] => (Allow) C:\Program Files\Winamp\winamp.exe
FirewallRules: [{C7209958-3E25-443B-AE80-3180BBDC787E}] => (Allow) C:\Program Files\Winamp\winamp.exe
FirewallRules: [{674DB0EC-BFF7-4220-A913-8FA6C9274FD2}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{3D5EE124-19AF-4552-874E-CDA2C74EB22B}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{7315F035-3DE5-4EEE-8A77-9205DAC2197D}] => (Allow) C:\Users\ACERD270\AppData\Roaming\IQIYI Video\LStyle\GpUpdate.exe
FirewallRules: [{5B78CD2C-B309-4143-BFD8-827B26E54ECF}] => (Allow) C:\IQIYI Video\GeePlayer\GeePlayer.exe
FirewallRules: [{90A48059-DC26-4FF8-AF01-4D5D46B5F2EA}] => (Allow) C:\Users\ACERD270\AppData\Roaming\IQIYI Video\LStyle\QyUpdate.exe
FirewallRules: [{E42EEFEF-F8A7-4267-9FA5-6809D786494E}] => (Allow) C:\IQIYI Video\LStyle\QyClient.exe
FirewallRules: [{1B478A2F-C9B8-4DCB-9351-2BCBE6406932}] => (Allow) C:\IQIYI Video\LStyle\QyWebPlayer.exe
FirewallRules: [{B4BF982F-A124-4735-99A3-78AFB0E38A3F}] => (Allow) C:\IQIYI Video\Common\QyKernel.exe
FirewallRules: [{9137BF53-07E7-4A53-AFCD-E17EAB49A6F3}] => (Allow) C:\IQIYI Video\LStyle\QyPlayer.exe
FirewallRules: [{3119E933-65C0-4C04-951D-4218DFA18C58}] => (Allow) C:\program files\common files\tencent\qqdownload\130\tencentdl.exe
FirewallRules: [{B4F2756D-E257-4067-8BCC-276FE2E6141E}] => (Allow) C:\program files\common files\tencent\qqdownload\130\bugreport_xf.exe
FirewallRules: [{11B930C6-0C3D-4C06-9A1B-9C082A628C28}] => (Allow) C:\Users\ACERD270\AppData\Roaming\IQIYI Video\LStyle\QyUpdate.exe
FirewallRules: [{F8F336BC-C23B-49AC-941B-4A056A3B1873}] => (Allow) C:\IQIYI Video\LStyle\QyClient.exe
FirewallRules: [{0C324746-6856-4B25-A0AE-102985BC73F7}] => (Allow) C:\IQIYI Video\LStyle\QyWebPlayer.exe
FirewallRules: [{2EEE2F51-9C1A-4732-BDBF-A5ABC7C2B4B2}] => (Allow) C:\IQIYI Video\Common\QyKernel.exe
FirewallRules: [{C809EE16-7CB2-436D-B588-45420808203E}] => (Allow) C:\IQIYI Video\LStyle\QyPlayer.exe
FirewallRules: [{B1100A00-2BDE-400B-9D39-02C666BB3B37}] => (Allow) C:\Users\ACERD270\AppData\Roaming\IQIYI Video\LStyle\GpUpdate.exe
FirewallRules: [{F9CCB760-C079-4AD1-946A-DDE8D13728B0}] => (Allow) C:\IQIYI Video\GeePlayer\GeePlayer\GeePlayer.exe
FirewallRules: [{A0EB8F95-347C-4C2D-8175-8B9CAA96B6C6}] => (Allow) C:\program files\common files\tencent\qqdownload\130\tencentdl.exe
FirewallRules: [{5D7F8AAE-A6F2-4FBC-85EA-6315214A94A0}] => (Allow) C:\program files\common files\tencent\qqdownload\130\bugreport_xf.exe
FirewallRules: [{99A1B048-C750-43B1-97F6-A6687525E9A9}] => (Allow) C:\Users\ACERD270\AppData\Roaming\IQIYI Video\GeePlayer\GpUpdate.exe
FirewallRules: [{3FA100FD-E1C7-4771-997B-9ABD9C507110}] => (Allow) C:\IQIYI Video\GeePlayer\GeePlayer\GeePlayer.exe
FirewallRules: [{F845E612-2AD7-440B-AAB1-45A66619D236}] => (Allow) C:\Users\ACERD270\AppData\Roaming\IQIYI Video\GeePlayer\GpUpdate.exe
FirewallRules: [{F964B79F-7BA5-4EEC-BDCE-EC3D12C9E265}] => (Allow) C:\IQIYI Video\GeePlayer\GeePlayer\GeePlayer.exe
FirewallRules: [{6D719227-93DF-4E59-A50D-1B4AAA919874}] => (Allow) C:\Users\ACERD270\AppData\Roaming\IQIYI Video\GeePlayer\GpUpdate.exe
FirewallRules: [{AB495754-67A3-4246-AE31-46F9B78B0F8C}] => (Allow) C:\IQIYI Video\GeePlayer\GeePlayer\GeePlayer.exe
 
==================== Restore Points =========================
 
16-09-2015 05:40:42 Scheduled Checkpoint
09-10-2015 06:10:29 Scheduled Checkpoint
27-10-2015 16:15:26 Scheduled Checkpoint
11-11-2015 22:00:52 Scheduled Checkpoint
05-12-2015 11:34:23 Scheduled Checkpoint
 
==================== Faulty Device Manager Devices =============
 
Name: tencent QMUdisk
Description: tencent QMUdisk
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: QMUdisk
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (12/29/2015 08:25:42 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error 0x00000000.
 
Error: (12/29/2015 08:25:42 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
0x800401F9
 
Error: (12/29/2015 08:25:16 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/29/2015 08:16:42 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error 0x00000000.
 
Error: (12/29/2015 08:16:42 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
0x800401F9
 
Error: (12/29/2015 08:16:22 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/28/2015 09:09:55 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (12/28/2015 09:08:21 AM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error 0x00000000.
 
Error: (12/28/2015 09:08:21 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
0x800401F9
 
Error: (12/26/2015 03:41:54 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
System errors:
=============
Error: (12/29/2015 08:23:42 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
cdrom
 
Error: (12/29/2015 08:23:40 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Ulead Burning Helper service failed to start due to the following error: 
%%2
 
Error: (12/29/2015 08:14:54 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
cdrom
 
Error: (12/29/2015 08:14:52 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Ulead Burning Helper service failed to start due to the following error: 
%%193
 
Error: (12/28/2015 09:08:11 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
cdrom
cherimoya
 
Error: (12/28/2015 09:08:08 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Surf Video Camera service failed to start due to the following error: 
%%2
 
Error: (12/28/2015 09:08:08 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Key In Bold Italic service failed to start due to the following error: 
%%2
 
Error: (12/28/2015 09:08:08 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Kerning Down service failed to start due to the following error: 
%%2
 
Error: (12/28/2015 09:08:08 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Wire Professional Version service failed to start due to the following error: 
%%2
 
Error: (12/26/2015 03:40:12 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
cdrom
cherimoya
 
 
==================== Memory info =========================== 
 
Processor: Intel® Atom™ CPU N2600 @ 1.60GHz
Percentage of memory in use: 35%
Total physical RAM: 2036.3 MB
Available physical RAM: 1318.94 MB
Total Virtual: 4072.6 MB
Available Virtual: 3161.53 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:63.62 GB) (Free:43.98 GB) NTFS
Drive d: () (Fixed) (Total:117.19 GB) (Free:106.41 GB) NTFS
Drive e: () (Fixed) (Total:117.19 GB) (Free:79.44 GB) NTFS
Drive f: (TORA ~^V^~) (Removable) (Total:3.9 GB) (Free:3.9 GB) FAT32
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: C518BD7A)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=63.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=117.2 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=117.2 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 3.9 GB) (Disk ID: 500A0DFF)
No partition Table on disk 1.
 
==================== End of Addition.txt ============================


#7 mitsu3rd (Topic Starter, Members)

Posted 29 December 2015 - 09:24 AM

Oh, and this program 爱奇艺万能播放器 (IQIYI Video something) can't be uninstalled, and it has started to get annoying.

I never installed this, but this program always pops up everywhere.



#8 xXToffeeXx (Malware Response Instructor)

Posted 30 December 2015 - 08:39 AM

Hi mitsu3rd,
 
I will use another tool to remove this program then :)
 
Do you use any of the programs from My World My Apps Ltd?
 
We need to run a fix with FRST:

  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below into the notepad document:
ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:56925;https=127.0.0.1:56925;
AutoConfigURL: [.DEFAULT] => http=127.0.0.1:56925;https=127.0.0.1:56925;
CMD: sfc /scannow
  • Save the file to your desktop and name it as fixlist.txt

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
  • Please copy and paste the log in your next reply.

--------------

We need to search for a file with FRST:

  • Double-click on FRST.exe/FRST64.exe on your desktop to open it. In the search box, type the following: dnsapi.dll; powercfg.exe; StikyNot.exe
  • Press the Search Files button, allow FRST to run
  • A log file Search.txt will appear when complete, please post this in your next reply

--------------
 
Please download the free version of GeekUninstall:

  • Please create a system restore point before continuing with the instructions.
  • Open the geek.zip file and run the geek.exe file inside of it.
  • A window will open. From the list of programs, click on the listed program(s), or anything similar, to remove it:
AllGamesHome Toolbar
Stormfall
爱奇艺万能播放器
  • Click on Action on the top menu and then select Force Removal.
  • When asked if you are sure you want to perform a forced removal, click Yes.
  • A window will appear telling the File System and Registry locations, click Finish.
  • Once all traces are removed, click Close.
  • Repeat for each of the programs on the list.

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~
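The fixlist above resets a WinINET proxy that has been pointed at 127.0.0.1:56925 in the .DEFAULT hive, together with an AutoConfigURL, which is the pattern ad-injecting software leaves behind. As an added example that is not part of this thread and not FRST's own code, the PowerShell script below audits those same Internet Settings values in every loaded user hive, flags a loopback proxy or a configured AutoConfigURL, and then uses netstat to report which process currently holds any flagged port so the owning program can be identified before removal. It assumes an elevated PowerShell 3.0 or later session; the registry key and value names (ProxyEnable, ProxyServer, AutoConfigURL) are the standard ones and the port 56925 mentioned in the comment is the one from this thread.

```powershell
# Added example (not from the thread or from FRST): audit WinINET proxy settings
# in every loaded user hive, HKU\.DEFAULT included, and flag the loopback-proxy /
# AutoConfigURL pattern that the fixlist above resets.
# Assumption: elevated PowerShell 3.0+ so all hives under HKEY_USERS are readable.

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# True when any entry of ProxyServer ("host:port" or "http=host:port;https=host:port;")
# points at the local machine, which is never a legitimate corporate proxy layout.
function Test-LoopbackProxy {
    param([string]$ProxyServer)
    if ([string]::IsNullOrWhiteSpace($ProxyServer)) { return $false }
    foreach ($entry in ($ProxyServer -split ';' | Where-Object { $_ })) {
        $hostPart = ($entry -replace '^[A-Za-z]+=', '') -replace ':\d+$', ''
        if ($hostPart -match '^(127(\.\d{1,3}){3}|localhost|\[?::1\]?)$') { return $true }
    }
    return $false
}

$results = foreach ($hive in Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -notmatch '_Classes$' }) {
    $key = "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    if (-not (Test-Path $key)) { continue }
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    $reasons = @()
    if ($p.ProxyEnable -eq 1 -and (Test-LoopbackProxy $p.ProxyServer)) {
        $reasons += "proxy enabled and pointed at loopback ($($p.ProxyServer))"
    }
    if ($p.AutoConfigURL) {
        $reasons += "AutoConfigURL set ($($p.AutoConfigURL))"
    }

    [pscustomobject]@{
        Hive          = $hive.PSChildName
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
        Suspicious    = ($reasons.Count -gt 0)
        Reason        = ($reasons -join '; ')
    }
}

$results | Format-Table -AutoSize

# For each flagged proxy port (56925 in this thread), show the listening process.
# netstat is used rather than Get-NetTCPConnection so this also works on Windows 7.
$listeners = netstat -ano -p tcp | Where-Object { $_ -match 'LISTENING' }
foreach ($r in $results | Where-Object { $_.Suspicious -and $_.ProxyServer }) {
    foreach ($entry in ($r.ProxyServer -split ';' | Where-Object { $_ })) {
        if ($entry -notmatch ':(\d+)$') { continue }
        $port = $Matches[1]
        foreach ($line in ($listeners | Where-Object { $_ -match "^\s*TCP\s+\S+:$port\s+" })) {
            $ownerPid = ($line.Trim() -split '\s+')[-1]
            $proc = Get-Process -Id ([int]$ownerPid) -ErrorAction SilentlyContinue
            "Hive $($r.Hive): port $port is held by PID $ownerPid ($($proc.ProcessName)) $($proc.Path)"
        }
    }
}
```

The script only reports; it changes nothing, so it is safe to run before and after a fix to confirm that the proxy values were actually cleared and that nothing is still listening on the port.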


#9 mitsu3rd (Topic Starter, Members)

Posted 31 December 2015 - 02:37 AM

Yayy it worked, thank you xXToffeeXx ~



#10 xXToffeeXx (Malware Response Instructor)

Posted 31 December 2015 - 05:57 AM

Hi mitsu3rd,
 
Glad to hear that, but we still have some work until your computer is completely clean, so if you don't mind can you continue with my instructions :)
 
xXToffeeXx~




#11 xXToffeeXx (Malware Response Instructor)

Posted 13 January 2016 - 04:26 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





