oziris and buy-targeted-traffic adware (Chrome)


This topic is locked
25 replies to this topic

#1 nonstopaz

  • Members
  • 13 posts
  • OFFLINE

Posted 08 February 2016 - 10:33 AM

Hello,

So I got the same virus as the people in these topics:

http://www.bleepingcomputer.com/forums/t/601196/reccuring-malwareadware-issue/?hl=%2Boziris

http://www.bleepingcomputer.com/forums/t/590266/really-annoying-adware-issue/?hl=%2Boziris

I got it after downloading the doulCi tool for bypassing iCloud, which is similar to one of these existing topics.

I'm not sure if I should follow the same instructions as he did, so I just made my own topic.

It was probably on February 3rd.

Tried a bunch of antimalware stuff (Malwarebytes, HitmanPro, RKill and others...); it didn't help. You are my last resort.

Addition.txt attached

Thanks!

Here is my FRST log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:07-02-2016
Ran by Edvinas (administrator) on EDVINAS-PC (08-02-2016 17:25:10)
Running from C:\Users\Edvinas\Desktop
Loaded Profiles: Edvinas (Available Profiles: Edvinas & DefaultAppPool)
Platform: Windows 10 Pro Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Innova Co S.a r.l.) C:\Program Files (x86)\4game\3.5.8.180\4game-service.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
(Skype Technologies) C:\Program Files (x86)\Skype\Updater\Updater.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(OCZ Storage Solutions Inc.) C:\Program Files (x86)\OCZ Storage Solutions\SSD Guru\SSDGuru.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_2.13.20000.0_x86__8wekyb3d8bbwe\SkypeHost.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(NVIDIA Corporation) C:\Users\Edvinas\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\NvOAWrapperCache.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Nota Inc.) C:\Program Files (x86)\Gyazo\GyStation.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(SteelSeries ApS) C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\ShadowPlay\nvspcaps64.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows\WER\wermgr.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8484056 2015-06-12] (Realtek Semiconductor)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2787264 2016-01-12] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM-x32\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] => C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe [707496 2014-08-15] (Cisco Systems, Inc.)
HKLM-x32\...\Run: [wermgr] => C:\ProgramData\Microsoft\Windows\WER\wermgr.exe [6786560 2015-01-09] (Microsoft Corporation)
HKU\S-1-5-21-1732074429-4140833615-1459944318-1000\...\Run: [Gyazo] => C:\Program Files (x86)\Gyazo\GyStation.exe [3586848 2016-01-19] (Nota Inc.)
HKU\S-1-5-21-1732074429-4140833615-1459944318-1000\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [465920 2015-10-30] (Microsoft Corporation)
HKU\S-1-5-21-1732074429-4140833615-1459944318-1000\...\Run: [SteelSeries Engine] => C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe [87040 2014-10-09] (SteelSeries ApS)
HKU\S-1-5-21-1732074429-4140833615-1459944318-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [50378880 2015-12-17] (Skype Technologies S.A.)
HKU\S-1-5-21-1732074429-4140833615-1459944318-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8619224 2016-01-15] (Piriform Ltd)
HKU\S-1-5-21-1732074429-4140833615-1459944318-1000\...\RunOnce: [Uninstall C:\Users\Edvinas\AppData\Local\Microsoft\OneDrive\17.3.6201.1019_1\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Edvinas\AppData\Local\Microsoft\OneDrive\17.3.6201.1019_1\amd64"
HKU\S-1-5-21-1732074429-4140833615-1459944318-1000\...\RunOnce: [Uninstall C:\Users\Edvinas\AppData\Local\Microsoft\OneDrive\17.3.6281.1202\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Edvinas\AppData\Local\Microsoft\OneDrive\17.3.6281.1202\amd64"
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SteelSeries Engine 3.lnk [2015-05-07]
ShortcutTarget: SteelSeries Engine 3.lnk -> C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe (SteelSeries ApS)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254 212.59.1.1
Tcpip\..\Interfaces\{2badca9e-056e-4aac-9c1a-8e89b9516e0c}: [DhcpNameServer] 192.168.1.254 212.59.1.1
 
Internet Explorer:
==================
HKU\S-1-5-21-1732074429-4140833615-1459944318-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://search.msn.com/spbasic.htm
HKU\S-1-5-21-1732074429-4140833615-1459944318-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=625119&clcid=0x419
SearchScopes: HKU\S-1-5-21-1732074429-4140833615-1459944318-1000 -> DefaultScope {8C3078A0-9AAB-4371-85D1-656CA8E46EE8} URL = 
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
 
Edge: 
======
Edge HomeButtonPage: HKU\S-1-5-21-1732074429-4140833615-1459944318-1000 -> hxxp://www.15min.lt/
 
FireFox:
========
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @4game.com/plugin -> C:\Program Files (x86)\4game\3.5.8.180\npplugin4game.dll [2015-12-25] (Innova Co S.a r.l.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.56 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2014-09-03] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2014-09-03] (Intel Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2016-01-23] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2016-01-23] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.2\npGoogleUpdate3.dll [2016-01-30] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.2\npGoogleUpdate3.dll [2016-01-30] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> D:\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.15min.lt/
CHR StartupUrls: Default -> "hxxp://www.google.com/ig"
CHR Profile: C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (BetterTTV) - C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajopnjidmegmdimjlfnijceegpefgped [2015-07-12]
CHR Extension: (Google Docs) - C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-05-07]
CHR Extension: (Google Drive) - C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (YouTube) - C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (Steam inventory helper) - C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmeakgjggjdlcpncigglobpjbkabhmjl [2016-02-03]
CHR Extension: (Google Search) - C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-29]
CHR Extension: (Multiple Account Checker for Gmail™) - C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\dnimhgelcnggigekhdjlifjpndgmnglm [2015-05-07]
CHR Extension: (Lounge Assistant) - C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\enjonnlehciedbcidabdglnnihcncbml [2015-12-07]
CHR Extension: (Google Sheets) - C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-05-07]
CHR Extension: (AdBlock) - C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-02-06]
CHR Extension: (Google Mail Checker) - C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\mihcahmgecmbnbcchbopgniflfhgnkff [2015-05-07]
CHR Extension: (Grass) - C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmiboiefncpfjihjdedpaoammipkilla [2016-02-06]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-25]
CHR Extension: (Gmail) - C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-05-07]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 4game-service; C:\Program Files (x86)\4game\3.5.8.180\4game-service.exe [1561312 2015-12-25] (Innova Co S.a r.l.)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1163200 2016-01-12] (NVIDIA Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887256 2014-05-13] (Intel® Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [154584 2014-09-03] (Intel Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1879488 2016-01-12] (NVIDIA Corporation)
R3 NvStreamNetworkSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [6308288 2016-01-12] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [4812736 2016-01-12] (NVIDIA Corporation)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 ikbevent; C:\Windows\System32\DRIVERS\ikbevent.sys [22216 2014-05-27] ()
R3 imsevent; C:\Windows\System32\DRIVERS\imsevent.sys [22728 2014-05-27] ()
R3 ISCT; C:\Windows\System32\drivers\ISCTD.sys [44744 2014-05-27] ()
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [126976 2014-09-03] (Intel Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [26560 2016-01-12] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [47760 2015-12-18] (NVIDIA Corporation)
R3 SAlphamHid; C:\Windows\System32\drivers\SAlpham64.sys [39168 2014-10-08] (SteelSeries Corporation)
S3 ssdevfactory; C:\Windows\System32\DRIVERS\ssdevfactory.sys [25088 2015-04-14] (SteelSeries ApS)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2015-06-17] (Apple, Inc.) [File not signed]
S3 vpnva; C:\Windows\System32\drivers\vpnva64-6.sys [52592 2014-08-15] (Cisco Systems, Inc.)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
R3 XtuAcpiDriver; C:\Windows\System32\drivers\XtuAcpiDriver.sys [63840 2015-06-06] (Intel Corporation)
U3 idsvc; no ImagePath
S3 vmci; \SystemRoot\System32\drivers\vmci.sys [X]
S3 VMnetAdapter; \SystemRoot\system32\DRIVERS\vmnetadapter.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-02-08 17:25 - 2016-02-08 17:25 - 00015201 _____ C:\Users\Edvinas\Desktop\FRST.txt
2016-02-08 17:24 - 2016-02-08 17:25 - 00000000 ____D C:\FRST
2016-02-08 17:24 - 2016-02-08 17:24 - 00000000 ___HD C:\OneDriveTemp
2016-02-08 17:22 - 2016-02-08 17:24 - 02370560 _____ (Farbar) C:\Users\Edvinas\Desktop\FRST64.exe
2016-02-06 19:18 - 2016-02-06 19:20 - 00000000 ____D C:\ProgramData\HitmanPro
2016-02-06 19:03 - 2016-02-06 19:17 - 00000000 ____D C:\ProgramData\RogueKiller
2016-02-06 19:03 - 2016-02-06 19:03 - 00028272 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2016-02-06 14:46 - 2016-02-06 14:46 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-02-06 11:41 - 2016-02-06 11:41 - 00261128 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-02-05 22:46 - 2016-02-05 22:46 - 00002864 _____ C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
2016-02-05 22:46 - 2016-02-05 22:46 - 00000863 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-02-05 22:46 - 2016-02-05 22:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2016-02-05 22:46 - 2016-02-05 22:46 - 00000000 ____D C:\Program Files\CCleaner
2016-01-30 11:53 - 2016-01-30 12:36 - 00000000 ____D C:\Users\Edvinas\AppData\Roaming\VMware
2016-01-30 11:53 - 2016-01-30 12:36 - 00000000 ____D C:\Users\Edvinas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Andy
2016-01-30 11:52 - 2016-01-30 12:37 - 00000000 ____D C:\ProgramData\VMware
2016-01-30 11:51 - 2016-01-30 11:51 - 00000000 ____D C:\Program Files\AndyOfflineInstaller46.2
2016-01-30 11:51 - 2016-01-30 11:51 - 00000000 ____D C:\Program Files (x86)\VMware
2016-01-30 11:50 - 2016-01-30 12:37 - 00000000 ____D C:\Users\Edvinas\AppData\Roaming\Andy
2016-01-29 16:34 - 2016-01-16 08:37 - 00202472 _____ (Microsoft Corporation) C:\WINDOWS\system32\wscapi.dll
2016-01-29 16:34 - 2016-01-16 08:36 - 01173344 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2016-01-29 16:34 - 2016-01-16 08:36 - 00713568 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2016-01-29 16:34 - 2016-01-16 08:34 - 00513888 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2016-01-29 16:34 - 2016-01-16 08:24 - 00538632 _____ (Microsoft Corporation) C:\WINDOWS\system32\WWanAPI.dll
2016-01-29 16:34 - 2016-01-16 08:23 - 08728920 _____ (Microsoft Corp.) C:\WINDOWS\system32\Windows.Media.Protection.PlayReady.dll
2016-01-29 16:34 - 2016-01-16 08:23 - 00848160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfsvr.dll
2016-01-29 16:34 - 2016-01-16 08:23 - 00785088 _____ (Microsoft Corporation) C:\WINDOWS\system32\evr.dll
2016-01-29 16:34 - 2016-01-16 08:23 - 00536256 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioSes.dll
2016-01-29 16:34 - 2016-01-16 08:23 - 00408120 _____ (Microsoft Corporation) C:\WINDOWS\system32\AUDIOKSE.dll
2016-01-29 16:34 - 2016-01-16 08:23 - 00369912 _____ (Microsoft Corporation) C:\WINDOWS\system32\audiodg.exe
2016-01-29 16:34 - 2016-01-16 08:21 - 22572624 _____ (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
2016-01-29 16:34 - 2016-01-16 08:21 - 01750440 _____ (Microsoft Corporation) C:\WINDOWS\system32\WpcMon.exe
2016-01-29 16:34 - 2016-01-16 08:20 - 06971752 _____ (Microsoft Corp.) C:\WINDOWS\SysWOW64\Windows.Media.Protection.PlayReady.dll
2016-01-29 16:34 - 2016-01-16 08:20 - 06600904 _____ (Microsoft Corporation) C:\WINDOWS\system32\windows.storage.dll
2016-01-29 16:34 - 2016-01-16 08:20 - 00652312 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\evr.dll
2016-01-29 16:34 - 2016-01-16 08:20 - 00431240 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WWanAPI.dll
2016-01-29 16:34 - 2016-01-16 08:20 - 00366224 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AUDIOKSE.dll
2016-01-29 16:34 - 2016-01-16 08:19 - 00709688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfsvr.dll
2016-01-29 16:34 - 2016-01-16 08:19 - 00405568 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AudioSes.dll
2016-01-29 16:34 - 2016-01-16 08:17 - 21125400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shell32.dll
2016-01-29 16:34 - 2016-01-16 08:16 - 05238360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\windows.storage.dll
2016-01-29 16:34 - 2016-01-16 08:13 - 01998168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgkrnl.sys
2016-01-29 16:34 - 2016-01-16 08:13 - 00576864 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms2.sys
2016-01-29 16:34 - 2016-01-16 08:12 - 01415200 _____ (Microsoft Corporation) C:\WINDOWS\system32\msctf.dll
2016-01-29 16:34 - 2016-01-16 08:09 - 01089880 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\http.sys
2016-01-29 16:34 - 2016-01-16 08:08 - 01174008 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msctf.dll
2016-01-29 16:34 - 2016-01-16 08:08 - 00440152 _____ (Microsoft Corporation) C:\WINDOWS\system32\services.exe
2016-01-29 16:34 - 2016-01-16 07:46 - 00067072 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\usbser.sys
2016-01-29 16:34 - 2016-01-16 07:45 - 16986112 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Xaml.dll
2016-01-29 16:34 - 2016-01-16 07:44 - 22394368 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2016-01-29 16:34 - 2016-01-16 07:44 - 00166400 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotification.exe
2016-01-29 16:34 - 2016-01-16 07:44 - 00017408 _____ (Microsoft Corporation) C:\WINDOWS\system32\rasadhlp.dll
2016-01-29 16:34 - 2016-01-16 07:44 - 00013824 _____ (Microsoft Corporation) C:\WINDOWS\system32\rastlsext.dll
2016-01-29 16:34 - 2016-01-16 07:43 - 00097280 _____ (Microsoft Corporation) C:\WINDOWS\system32\winhttpcom.dll
2016-01-29 16:34 - 2016-01-16 07:42 - 00120320 _____ (Microsoft Corporation) C:\WINDOWS\system32\MapsBtSvc.dll
2016-01-29 16:34 - 2016-01-16 07:42 - 00013824 _____ (Microsoft Corporation) C:\WINDOWS\system32\sscoreext.dll
2016-01-29 16:34 - 2016-01-16 07:41 - 00055296 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotificationUx.exe
2016-01-29 16:34 - 2016-01-16 07:40 - 11545088 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinui.dll
2016-01-29 16:34 - 2016-01-16 07:40 - 00106496 _____ (Microsoft Corporation) C:\WINDOWS\system32\rasauto.dll
2016-01-29 16:34 - 2016-01-16 07:40 - 00049152 _____ (Microsoft Corporation) C:\WINDOWS\system32\pcaui.exe
2016-01-29 16:34 - 2016-01-16 07:40 - 00019456 _____ (Microsoft Corporation) C:\WINDOWS\system32\rasautou.exe
2016-01-29 16:34 - 2016-01-16 07:39 - 00149504 _____ (Microsoft Corporation) C:\WINDOWS\system32\FilterDS.dll
2016-01-29 16:34 - 2016-01-16 07:38 - 07979008 _____ (Microsoft Corporation) C:\WINDOWS\system32\mos.dll
2016-01-29 16:34 - 2016-01-16 07:38 - 00406528 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusUpdateHandlers.dll
2016-01-29 16:34 - 2016-01-16 07:38 - 00193024 _____ (Microsoft Corporation) C:\WINDOWS\system32\SimCfg.dll
2016-01-29 16:34 - 2016-01-16 07:38 - 00130560 _____ (Microsoft Corporation) C:\WINDOWS\system32\winbio.dll
2016-01-29 16:34 - 2016-01-16 07:37 - 00617984 _____ (Microsoft Corporation) C:\WINDOWS\system32\StorSvc.dll
2016-01-29 16:34 - 2016-01-16 07:37 - 00274944 _____ (Microsoft Corporation) C:\WINDOWS\system32\DisplayManager.dll
2016-01-29 16:34 - 2016-01-16 07:37 - 00190464 _____ (Microsoft Corporation) C:\WINDOWS\system32\wscsvc.dll
2016-01-29 16:34 - 2016-01-16 07:37 - 00073728 _____ (Microsoft Corporation) C:\WINDOWS\system32\SMSRouter.dll
2016-01-29 16:34 - 2016-01-16 07:36 - 00638464 _____ (Microsoft Corporation) C:\WINDOWS\system32\enterprisecsps.dll
2016-01-29 16:34 - 2016-01-16 07:36 - 00475648 _____ (Microsoft Corporation) C:\WINDOWS\system32\DDDS.dll
2016-01-29 16:34 - 2016-01-16 07:36 - 00221696 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2016-01-29 16:34 - 2016-01-16 07:36 - 00160768 _____ (Microsoft Corporation) C:\WINDOWS\system32\SimAuth.dll
2016-01-29 16:34 - 2016-01-16 07:36 - 00011776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rastlsext.dll
2016-01-29 16:34 - 2016-01-16 07:35 - 13018624 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Xaml.dll
2016-01-29 16:34 - 2016-01-16 07:35 - 00383488 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2016-01-29 16:34 - 2016-01-16 07:35 - 00013312 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rasadhlp.dll
2016-01-29 16:34 - 2016-01-16 07:34 - 00610816 _____ (Microsoft Corporation) C:\WINDOWS\system32\rastls.dll
2016-01-29 16:34 - 2016-01-16 07:34 - 00590848 _____ (Microsoft Corporation) C:\WINDOWS\system32\SmsRouterSvc.dll
2016-01-29 16:34 - 2016-01-16 07:34 - 00477696 _____ (Microsoft Corporation) C:\WINDOWS\system32\srcore.dll
2016-01-29 16:34 - 2016-01-16 07:34 - 00275456 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioEndpointBuilder.dll
2016-01-29 16:34 - 2016-01-16 07:34 - 00079360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\winhttpcom.dll
2016-01-29 16:34 - 2016-01-16 07:33 - 00726528 _____ (Microsoft Corporation) C:\WINDOWS\system32\wlidcli.dll
2016-01-29 16:34 - 2016-01-16 07:33 - 00574976 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Networking.UX.EapRequestHandler.dll
2016-01-29 16:34 - 2016-01-16 07:33 - 00087040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MapsBtSvc.dll
2016-01-29 16:34 - 2016-01-16 07:32 - 24602624 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2016-01-29 16:34 - 2016-01-16 07:32 - 00621568 _____ (Microsoft Corporation) C:\WINDOWS\system32\wbiosrvc.dll
2016-01-29 16:34 - 2016-01-16 07:32 - 00041984 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\pcaui.exe
2016-01-29 16:34 - 2016-01-16 07:31 - 00851456 _____ (Microsoft Corporation) C:\WINDOWS\system32\MapsStore.dll
2016-01-29 16:34 - 2016-01-16 07:31 - 00794112 _____ (Microsoft Corporation) C:\WINDOWS\system32\winhttp.dll
2016-01-29 16:34 - 2016-01-16 07:31 - 00440320 _____ (Microsoft Corporation) C:\WINDOWS\system32\CredProvDataModel.dll
2016-01-29 16:34 - 2016-01-16 07:31 - 00343552 _____ (Microsoft Corporation) C:\WINDOWS\system32\SensorsApi.dll
2016-01-29 16:34 - 2016-01-16 07:31 - 00017408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rasautou.exe
2016-01-29 16:34 - 2016-01-16 07:30 - 13382656 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2016-01-29 16:34 - 2016-01-16 07:30 - 02127360 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2016-01-29 16:34 - 2016-01-16 07:30 - 01053696 _____ (Microsoft Corporation) C:\WINDOWS\system32\audiosrv.dll
2016-01-29 16:34 - 2016-01-16 07:30 - 00784384 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2016-01-29 16:34 - 2016-01-16 07:30 - 00157696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SimCfg.dll
2016-01-29 16:34 - 2016-01-16 07:30 - 00093696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\winbio.dll
2016-01-29 16:34 - 2016-01-16 07:29 - 01500672 _____ (Microsoft Corporation) C:\WINDOWS\system32\RecoveryDrive.exe
2016-01-29 16:34 - 2016-01-16 07:29 - 00200704 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\DisplayManager.dll
2016-01-29 16:34 - 2016-01-16 07:28 - 09918976 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\twinui.dll
2016-01-29 16:34 - 2016-01-16 07:28 - 02624512 _____ (Microsoft Corporation) C:\WINDOWS\system32\InputService.dll
2016-01-29 16:34 - 2016-01-16 07:28 - 01318912 _____ (Microsoft Corporation) C:\WINDOWS\system32\wifinetworkmanager.dll
2016-01-29 16:34 - 2016-01-16 07:28 - 00884736 _____ (Microsoft Corporation) C:\WINDOWS\system32\rasdlg.dll
2016-01-29 16:34 - 2016-01-16 07:28 - 00129024 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SimAuth.dll
2016-01-29 16:34 - 2016-01-16 07:27 - 00335872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2016-01-29 16:34 - 2016-01-16 07:26 - 19338752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2016-01-29 16:34 - 2016-01-16 07:26 - 00535040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rastls.dll
2016-01-29 16:34 - 2016-01-16 07:26 - 00345600 _____ (Microsoft Corporation) C:\WINDOWS\system32\TextInputFramework.dll
2016-01-29 16:34 - 2016-01-16 07:26 - 00260608 _____ C:\WINDOWS\system32\MTFServer.dll
2016-01-29 16:34 - 2016-01-16 07:26 - 00175616 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Core.TextInput.dll
2016-01-29 16:34 - 2016-01-16 07:25 - 00510976 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wlidcli.dll
2016-01-29 16:34 - 2016-01-16 07:25 - 00457728 _____ (Microsoft Corporation) C:\WINDOWS\system32\ipnathlp.dll
2016-01-29 16:34 - 2016-01-16 07:25 - 00235008 _____ C:\WINDOWS\system32\MTF.dll
2016-01-29 16:34 - 2016-01-16 07:24 - 18678272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2016-01-29 16:34 - 2016-01-16 07:24 - 02057216 _____ (Microsoft Corporation) C:\WINDOWS\system32\wlidsvc.dll
2016-01-29 16:34 - 2016-01-16 07:24 - 00613888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\winhttp.dll
2016-01-29 16:34 - 2016-01-16 07:24 - 00350720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\CredProvDataModel.dll
2016-01-29 16:34 - 2016-01-16 07:24 - 00273408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SensorsApi.dll
2016-01-29 16:34 - 2016-01-16 07:23 - 02050048 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2016-01-29 16:34 - 2016-01-16 07:23 - 00687616 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2016-01-29 16:34 - 2016-01-16 07:21 - 06297088 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mos.dll
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
 
==================== Files in the root of some directories =======
 
2015-10-03 07:11 - 2015-10-03 07:11 - 0000000 _____ () C:\Program Files\Microsoft Security Client
2015-12-06 16:22 - 2015-12-06 16:22 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
Some files in TEMP:
====================
C:\Users\Edvinas\AppData\Local\Temp\dllnt_dump.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-01-30 16:48
 
==================== End of FRST.txt ============================



Edited by nonstopaz, 08 February 2016 - 10:44 AM.



 


#2 olgun52

olgun52

  • Malware Response Team
  • 3,787 posts
  • Gender:Male

Posted 08 February 2016 - 04:51 PM

Hello nonstopaz and welcome to BleepingComputer.
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to get help here.

Thanks

 

Scan with Zemana AntiMalware Free:

  • Turn off the real-time scanner of any existing antivirus and firewall programs while performing the scan.
  • Please download and install Zemana AntiMalware Free.
  • Double-click the software shortcut on the desktop and follow the prompts to install the program.
  • If an update is available, click the Update now button.
  • At the end, click Settings > Advanced > ''I have read the warning and wish to proceed anyway''.
  • Auto Launch > untick the box next to it.
  • Include All Browser Extensions > tick the box next to it.
  • Change the Smart Scan setting to Deep Scan.
  • Close all open files, folders and browsers.
  • Click Scan Now and a threat scan will begin.
  • When the scan is complete, press Report and send me the report.

Note: I created this new guide. Hopefully there is no language mistake.

 


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 nonstopaz

nonstopaz
  • Topic Starter

  • Members
  • 13 posts

Posted 09 February 2016 - 11:28 AM

Accidentally cleaned the stuff it found for me. Basically it was all Chrome extensions and some Innova file, which I don't think is infected.
 
Zemana AntiMalware 2.19.2.852 (Installed)
 
-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2016.2.9
Operating System       : Windows 10 64-bit
Processor              : 4X Intel® Core™ i5-4570 CPU @ 3.20GHz
BIOS Mode              : Legacy
CUID                   : 00C0E1DB863807439FC2CE
Scan Type              : Deep Scan
Duration               : 4m 14s
Scanned Objects        : 161703
Detected Objects       : 16
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Yes
Include All Extensions : Yes
Scan Documents         : No
Domain Info            : WORKGROUP,0,2
 
Detected Objects
-------------------------------------------------------
 
Chrome Homepage
Status             : Scanned
Object             : http://www.15min.lt/
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Traces             :
                Browser Setting - Chrome Homepage
 
Gmail
Status             : Scanned
Object             : %localappdata%\google\chrome\user data\default\extensions\pjkljhegncpnkpknbcohdijeoejaedia
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Gmail
 
Chrome Web Store Payments
Status             : Scanned
Object             : %localappdata%\google\chrome\user data\default\extensions\nmmhkkegccagdldgiimedpiccmgmieda
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Chrome Web Store Payments
 
Grass
Status             : Scanned
Object             : %localappdata%\google\chrome\user data\default\extensions\mmiboiefncpfjihjdedpaoammipkilla
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Grass
 
Google Mail Checker
Status             : Scanned
Object             : %localappdata%\google\chrome\user data\default\extensions\mihcahmgecmbnbcchbopgniflfhgnkff
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Google Mail Checker
 
AdBlock
Status             : Scanned
Object             : %localappdata%\google\chrome\user data\default\extensions\gighmmpiobklfepjocnamgkkbiglidom
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - AdBlock
 
Google Sheets
Status             : Scanned
Object             : %localappdata%\google\chrome\user data\default\extensions\felcaaldnbdncclmgdcncolpebgiejap
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Google Sheets
 
Lounge Assistant
Status             : Scanned
Object             : %localappdata%\google\chrome\user data\default\extensions\enjonnlehciedbcidabdglnnihcncbml
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Lounge Assistant
 
Multiple Account Checker for Gmail™
Status             : Scanned
Object             : %localappdata%\google\chrome\user data\default\extensions\dnimhgelcnggigekhdjlifjpndgmnglm
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Multiple Account Checker for Gmail™
 
Google Search
Status             : Scanned
Object             : %localappdata%\google\chrome\user data\default\extensions\coobgpohoikkiipiblmjeljniedjpjpf
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Google Search
 
Steam inventory helper
Status             : Scanned
Object             : %localappdata%\google\chrome\user data\default\extensions\cmeakgjggjdlcpncigglobpjbkabhmjl
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Steam inventory helper
 
YouTube
Status             : Scanned
Object             : %localappdata%\google\chrome\user data\default\extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - YouTube
 
Google Drive
Status             : Scanned
Object             : %localappdata%\google\chrome\user data\default\extensions\apdfllckaahabafndbhieahigkjlhalf
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Google Drive
 
Google Docs
Status             : Scanned
Object             : %localappdata%\google\chrome\user data\default\extensions\aohghmighlieiainnegkcijnfilokake
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - Google Docs
 
BetterTTV
Status             : Scanned
Object             : %localappdata%\google\chrome\user data\default\extensions\ajopnjidmegmdimjlfnijceegpefgped
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Browser Extension
Cleaning Action    : Repair
Traces             :
                Browser Extension - BetterTTV
 
Innova Co S.A.R.L. HTTPS Signing Certification Authority
Status             : Scanned
Object             : HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8FBAC7D06B5024D354E01BFFE322036C126A39D4\Blob
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Root CA
Cleaning Action    : Delete
Traces             :
                Registry Entry - HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8FBAC7D06B5024D354E01BFFE322036C126A39D4\Blob
 
 
Cleaning Result
-------------------------------------------------------
Cleaned               : 16
Reported as safe      : 0
Failed                : 0


#4 olgun52

olgun52

  • Malware Response Team
  • 3,787 posts
  • Gender:Male

Posted 09 February 2016 - 03:03 PM

Hi nonstopaz,

After scanning, is there a problem?
==========================================

Please uninstall:

Awesomium
C:\Program Files (x86)\Gyazo

===================================================
Step 1:
FRST Script:
Please download the attached Fixlist.txt and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

Step 2:
 Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on DELETE
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 3:
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista / 7 / 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 4:
Scan with Malwarebytes Antimalware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply

Have a nice day.


Edited by olgun52, 09 February 2016 - 03:04 PM.

Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

#5 nonstopaz (Topic Starter)

  • Members
  • 13 posts

Posted 09 February 2016 - 03:29 PM
Hi,

Virus still opens tabs after Zemana scan.

I deleted Awesomium (not sure what this is) and Gyazo (trusted software for capturing and uploading pictures).

Step 1:

Here is my fixlog.txt:

Fix result of Farbar Recovery Scan Tool (x64) Version:07-02-2016
Ran by Edvinas (2016-02-09 22:20:16) Run:1
Running from C:\Users\Edvinas\Desktop
Loaded Profiles: Edvinas (Available Profiles: Edvinas & DefaultAppPool)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
Task: {05B69290-4EDC-46C7-854A-03AA6A879576} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {16605888-B5C6-43D6-8595-39922A32584D} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {1990F120-17D3-4B03-87B3-862C9C7E1FB3} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {58FD1A24-1058-4842-8EDF-5808DBC209E1} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {5F14570A-5D47-4196-A6F8-85C1E04CD3A3} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {7C283744-1769-4F20-B03C-6A17F0B798DA} - System32\Tasks\GyazoUpdateTaskMachineDaily => C:\Program Files (x86)\Gyazo\GyazoUpdate.exe [2016-01-19] ()
Task: {860D9BCD-BF10-4E20-8D0F-7434A96A28AC} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {8C838B91-981E-4A71-A859-372A2DCD8939} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {A5A8A51F-40C6-4C89-9581-A6F76B74247A} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {B570F042-0047-4081-8940-EAB4F4E0BC1C} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {D426F89F-7BE0-4076-9C4D-A1F4CD09F4B0} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {E5D50A76-8215-4883-94BE-6AD76AAEF61E} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
HKU\S-1-5-21-1732074429-4140833615-1459944318-1000\...\Run: [Gyazo] => C:\Program Files (x86)\Gyazo\GyStation.exe [3586848 2016-01-19] (Nota Inc.)
SearchScopes: HKU\S-1-5-21-1732074429-4140833615-1459944318-1000 -> DefaultScope {8C3078A0-9AAB-4371-85D1-656CA8E46EE8} URL = 
Edge HomeButtonPage: HKU\S-1-5-21-1732074429-4140833615-1459944318-1000 -> hxxp://www.15min.lt/
CHR HomePage: Default -> hxxp://www.15min.lt/
CHR Extension: (Multiple Account Checker for Gmail™) - C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\dnimhgelcnggigekhdjlifjpndgmnglm [2015-05-07]
CHR Extension: (Grass) - C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmiboiefncpfjihjdedpaoammipkilla [2016-02-06]
U3 idsvc; no ImagePath
2016-01-30 11:53 - 2016-01-30 12:36 - 00000000 ____D C:\Users\Edvinas\AppData\Roaming\VMware
2016-01-30 11:50 - 2016-01-30 12:37 - 00000000 ____D C:\Users\Edvinas\AppData\Roaming\Andy
2016-01-27 21:32 - 2016-02-06 18:52 - 00000000 ____D C:\Users\Edvinas\AppData\Local\CrashDumps
2016-02-08 17:25 - 2015-07-25 19:23 - 00000000 ____D C:\Users\Edvinas\AppData\Roaming\Skype
2016-02-07 22:31 - 2015-05-07 21:09 - 00000000 ____D C:\Users\Edvinas\AppData\Roaming\foobar2000
2016-02-05 22:48 - 2015-08-25 16:50 - 00000000 ____D C:\Users\Edvinas\AppData\Roaming\TS3Client
2016-02-05 22:48 - 2015-05-10 21:26 - 00000000 ____D C:\Users\Edvinas\AppData\Roaming\uTorrent
2016-02-03 20:50 - 2015-09-27 21:15 - 00000000 ____D C:\Users\Edvinas\AppData\Roaming\Apple Computer
2016-01-31 21:16 - 2015-05-07 20:54 - 00000000 ____D C:\Users\Edvinas\AppData\Roaming\vlc
2016-01-20 19:48 - 2015-10-09 19:53 - 00000000 ____D C:\Users\Edvinas\AppData\Roaming\Awesomium
2016-01-20 17:19 - 2015-07-12 19:56 - 00003532 _____ C:\WINDOWS\System32\Tasks\GyazoUpdateTaskMachineDaily
2016-01-20 17:19 - 2015-05-14 17:56 - 00003396 _____ C:\WINDOWS\System32\Tasks\GyazoUpdateTaskMachine
2016-01-20 17:19 - 2015-05-14 17:56 - 00000000 ____D C:\Program Files (x86)\Gyazo
2015-12-06 16:22 - 2015-12-06 16:22 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
C:\Users\Edvinas\AppData\Local\Temp\dllnt_dump.dll
EmptyTemp:
end
*****************
 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{05B69290-4EDC-46C7-854A-03AA6A879576}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{05B69290-4EDC-46C7-854A-03AA6A879576}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{16605888-B5C6-43D6-8595-39922A32584D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{16605888-B5C6-43D6-8595-39922A32584D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1990F120-17D3-4B03-87B3-862C9C7E1FB3}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1990F120-17D3-4B03-87B3-862C9C7E1FB3}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{58FD1A24-1058-4842-8EDF-5808DBC209E1}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{58FD1A24-1058-4842-8EDF-5808DBC209E1}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5F14570A-5D47-4196-A6F8-85C1E04CD3A3}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5F14570A-5D47-4196-A6F8-85C1E04CD3A3}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7C283744-1769-4F20-B03C-6A17F0B798DA} => key not found. 
C:\WINDOWS\System32\Tasks\GyazoUpdateTaskMachineDaily => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GyazoUpdateTaskMachineDaily => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{860D9BCD-BF10-4E20-8D0F-7434A96A28AC}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{860D9BCD-BF10-4E20-8D0F-7434A96A28AC}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8C838B91-981E-4A71-A859-372A2DCD8939}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8C838B91-981E-4A71-A859-372A2DCD8939}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A5A8A51F-40C6-4C89-9581-A6F76B74247A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A5A8A51F-40C6-4C89-9581-A6F76B74247A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{B570F042-0047-4081-8940-EAB4F4E0BC1C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B570F042-0047-4081-8940-EAB4F4E0BC1C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D426F89F-7BE0-4076-9C4D-A1F4CD09F4B0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D426F89F-7BE0-4076-9C4D-A1F4CD09F4B0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E5D50A76-8215-4883-94BE-6AD76AAEF61E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E5D50A76-8215-4883-94BE-6AD76AAEF61E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig" => key removed successfully
HKU\S-1-5-21-1732074429-4140833615-1459944318-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Gyazo => value not found.
HKU\S-1-5-21-1732074429-4140833615-1459944318-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-1732074429-4140833615-1459944318-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\\HomeButtonPage => value removed successfully
Chrome HomePage => removed successfully
C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\dnimhgelcnggigekhdjlifjpndgmnglm => moved successfully
C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmiboiefncpfjihjdedpaoammipkilla => moved successfully
idsvc => service removed successfully
C:\Users\Edvinas\AppData\Roaming\VMware => moved successfully
C:\Users\Edvinas\AppData\Roaming\Andy => moved successfully
C:\Users\Edvinas\AppData\Local\CrashDumps => moved successfully
 
"C:\Users\Edvinas\AppData\Roaming\Skype" folder move:
 
Could not move "C:\Users\Edvinas\AppData\Roaming\Skype" => Scheduled to move on reboot.
 
C:\Users\Edvinas\AppData\Roaming\foobar2000 => moved successfully
C:\Users\Edvinas\AppData\Roaming\TS3Client => moved successfully
C:\Users\Edvinas\AppData\Roaming\uTorrent => moved successfully
C:\Users\Edvinas\AppData\Roaming\Apple Computer => moved successfully
C:\Users\Edvinas\AppData\Roaming\vlc => moved successfully
"C:\Users\Edvinas\AppData\Roaming\Awesomium" => not found.
"C:\WINDOWS\System32\Tasks\GyazoUpdateTaskMachineDaily" => not found.
"C:\WINDOWS\System32\Tasks\GyazoUpdateTaskMachine" => not found.
"C:\Program Files (x86)\Gyazo" => not found.
C:\ProgramData\DP45977C.lfl => moved successfully
C:\Users\Edvinas\AppData\Local\Temp\dllnt_dump.dll => moved successfully
EmptyTemp: => 464.3 MB temporary data Removed.
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2016-02-09 22:21:25)
 
C:\Users\Edvinas\AppData\Roaming\Skype => Is moved successfully
 
==== End of Fixlog 22:21:25 ====
 
Step 2:
 
# AdwCleaner v5.033 - Logfile created 09/02/2016 at 22:29:30
# Updated 07/02/2016 by Xplode
# Database : 2016-02-07.2 [Server]
# Operating system : Windows 10 Pro  (x64)
# Username : Edvinas - EDVINAS-PC
# Running from : C:\Users\Edvinas\Desktop\adwcleaner_5.033.exe
# Option : Scan
 
***** [ Services ] *****
 
***** [ Folders ] *****
 
Folder Found : C:\_acestream_cache_
Folder Found : C:\Users\Edvinas\AppData\LocalLow\.acestream
Folder Found : C:\Users\Edvinas\AppData\Roaming\.acestream
Folder Found : C:\Users\Edvinas\AppData\Roaming\acestream
 
***** [ Files ] *****
 
 
***** [ DLL ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\Classes\acestream
Key Found : HKLM\SOFTWARE\Classes\AndyAPK
Key Found : HKLM\SOFTWARE\Classes\AndyApp
 
***** [ Web browsers ] *****
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [920 bytes] ##########
 
Step 3:
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.2 (01.06.2016)
Operating System: Windows 10 Pro x64 
Ran by Edvinas (Administrator) on 2016.02.09 at 22:32:45,10
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 4 
 
Successfully deleted: C:\Users\Edvinas\AppData\Local\crashrpt (Folder) 
Successfully deleted: C:\Users\Edvinas\Appdata\LocalLow\.acestream (Folder) 
Successfully deleted: C:\Users\Edvinas\AppData\Roaming\.acestream (Folder) 
Successfully deleted: C:\Users\Edvinas\AppData\Roaming\acestream (Folder) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 2016.02.09 at 22:33:19,54
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Step 4:
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 2016.02.09
Scan Time: 22:35
Logfile: 
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2016.02.09.04
Rootkit Database: v2016.02.08.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: Edvinas
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 403439
Time Elapsed: 2 min, 48 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

Edited by nonstopaz, 09 February 2016 - 03:40 PM.


#6 olgun52

  • Malware Response Team
  • 3,787 posts
  • Gender:Male

Posted 09 February 2016 - 04:05 PM

Are there still oziris and buy-targeted-traffic adware (Chrome)?

Best regards


#7 nonstopaz (Topic Starter)

  • Members
  • 13 posts

Posted 10 February 2016 - 11:41 AM

Quote (olgun52): Are there still oziris and buy-targeted-traffic adware (Chrome)?

Yes, still there :/


#8 olgun52

  • Malware Response Team
  • 3,787 posts
  • Gender:Male

Posted 10 February 2016 - 12:48 PM

I understand.

Step 1:

Please download ZHPCleaner to your desktop.

  • Double click on ZHPCleaner to run the tool.
  • If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click ZHPCleaner and select "Run as Administrator".
  • Please click the button shown in the screenshot.
  • Then press the "Repair" button.
  • Browsers will automatically shut down.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.

Step 2:

  • Temporarily disable your Antivirus protection - if you don't know how to do that, please consult the article below.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

  • Please download ZOEK and save it to your desktop (preferred version is the *.exe one - upper left corner).

http://hijackthis.nl/smeenk/

  • Attached to this message you will find a file called zoekscript (zoekscript.txt, 188 bytes).
  • Download it too and save it to your desktop; it needs to be in the same location as the ZOEK tool.
  • Drag the zoekscript file and drop it onto the ZOEK icon; this should launch the program.
  • The scan may take a while and may need a reboot.
  • Upon completion a file zoek-results should appear.
  • Attach it for my review.

Step 3:

Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

===================================================================================

If the problem still exists, please do the following:

Check for arguments added by oziris and buy-targeted-traffic adware in Chrome browser shortcuts or links to webpages:

oziris and buy-targeted-traffic adware might also hijack your web browser shortcuts to force-load its home page. This causes the adware's web page to open up when you launch a hijacked shortcut.

The argument that oziris and buy-targeted-traffic adware uses to hijack shortcuts should look like (or be similar to) the one below:

http://2080.hit.buy-targeted-traffic.com/?utm_source=b&utm_medium=mlv&from=mlv&uid=&ts=

You can remove it manually by editing the shortcut's target line.

Delete any folders or files related to oziris and buy-targeted-traffic adware by checking the following locations:

  • %ProgramFiles%
  • %AppData%
  • %ProgramData%
  • %LocalAppData%
==========================================

or

Please check all browsers for oziris and buy-targeted-traffic adware:

Right click on the browser's shortcut, then click Properties.

NOTE: We are showing Google Chrome, but the method is the same for Chrome, Firefox, Internet Explorer, Safari, and Microsoft Edge.

[screenshot: browser shortcut Properties dialog]

Once you've reached Properties -> Shortcut (on the band at the top), then in the Target field, remove everything after .exe.

[screenshot: shortcut Target field]

Then Apply > OK. Restart the browser.

Hold the Start key and R together. Type appwiz.cpl in the field, then click OK.

You are now in the Control Panel. Search around for oziris and buy-targeted-traffic adware and suspicious-looking programs. Uninstall it/them.

Best regards

If I don't reply within 24 hours please PM me!
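The shortcut check olgun52 describes above, done for every browser shortcut on the machine at once instead of one Properties dialog at a time. This is an added example, not part of the thread and not code from any of the tools used in it. It assumes PowerShell 3.0 or later on Windows and reads shortcuts through the WScript.Shell COM object; the list of shortcut folders, the browser executable names and the script name Check-BrowserShortcuts.ps1 are assumptions, so extend them for your setup. Without -Fix it only reports; with -Fix it blanks the Arguments field of each flagged shortcut, which is the same as deleting everything after .exe in the Target line.

```powershell
# Added example, not from the thread. Save as Check-BrowserShortcuts.ps1 and run
# it once without -Fix to see what it finds, then with -Fix to clean up.
param([switch]$Fix)

# Assumption: the folders where browser shortcuts normally live. Quick Launch
# also holds the taskbar pins under User Pinned\TaskBar.
$folders = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
) | Where-Object { Test-Path $_ }

# Assumption: browser executables to inspect; add any others you use.
$browsers = 'chrome\.exe|firefox\.exe|iexplore\.exe|opera\.exe|launcher\.exe|msedge\.exe'

$shell = New-Object -ComObject WScript.Shell
$findings = foreach ($lnk in Get-ChildItem -Path $folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
    $sc = $shell.CreateShortcut($lnk.FullName)
    if ($sc.TargetPath -notmatch $browsers) { continue }
    # A clean browser shortcut carries no URL in its arguments. Switches such as
    # --profile-directory are normal; a URL appended after the .exe is the hijack.
    if ($sc.Arguments -match 'https?://|www\.') {
        [pscustomobject]@{
            Shortcut  = $lnk.FullName
            Target    = $sc.TargetPath
            Arguments = $sc.Arguments
        }
        if ($Fix) {
            $sc.Arguments = ''   # same effect as deleting everything after .exe in Properties
            $sc.Save()
        }
    }
}

if ($findings) { $findings | Format-List } else { Write-Host 'No browser shortcuts with URL arguments found.' }

# Shortcuts are only one persistence spot. Chrome also honours policy keys, which
# can force a start page or an extension without touching any shortcut.
foreach ($key in 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKCU:\SOFTWARE\Policies\Google\Chrome') {
    if (Test-Path $key) {
        Write-Warning "Chrome policy key present: $key"
        Get-ItemProperty -Path $key
    }
}
```

If the script finds nothing and the tabs still open, the shortcuts are not the vector; chrome://policy in the browser shows any policy that is being applied, and a scheduled task or a service that re-launches the browser with the URL would show up in an FRST scan rather than here.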

 


 


#9 nonstopaz (Topic Starter)

  • Members
  • 13 posts

Posted 12 February 2016 - 10:34 AM

Hello

Step 1:

~ ZHPCleaner v2016.2.11.24 by Nicolas Coolman (2016/02/11)
~ Run by Edvinas (Administrator)  (12/02/2016 17:34:13)
~ State version : Version OK
~ Type : Repair
~ Report : C:\Users\Edvinas\Desktop\ZHPCleaner.txt
~ Quarantine : C:\Users\Edvinas\AppData\Roaming\ZHP\ZHPCleaner_Quarantine.txt
~ UAC : Activate
~ Boot Mode : Normal (Normal boot)
Windows 10 Pro, 64-bit  (Build 10586)
 
 
---\\  Services (0)
~ No malicious or unnecessary items found.
 
 
---\\  Browser internet (1)
DELETED data: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride [Bad : *.l]  =>Hijacker.Proxy
 
 
---\\  Hosts file (1)
~ The hosts file is legitimate (21)
 
 
---\\  Scheduled automatic tasks. (0)
~ No malicious or unnecessary items found.
 
 
---\\  Explorer ( File, Folder) (5)
MOVED folder: C:\ProgramData\Microsoft Toolkit  =>HackTool.AutoKMS
MOVED folder: C:\WINDOWS\Installer\MSI34EC.tmp-  =>Empty
MOVED folder: C:\WINDOWS\Installer\MSI373E.tmp-  =>Empty
MOVED folder: C:\WINDOWS\Installer\MSI575F.tmp-  =>Empty
MOVED folder: C:\WINDOWS\Installer\MSI582A.tmp-  =>Empty
 
 
---\\  Registry ( Key, Value, Data) (0)
~ No malicious or unnecessary items found.
 
 
---\\  Summary of the elements found (2)
 
 
---\\  Other deletions. (20)
~ Registry Keys Tracing deleted (20)
~ Remove the old reports ZHPCleaner. (0)
 
 
---\\ Result of repair
~ Repair carried out successfully
~ Browser not found (Mozilla Firefox)
~ Browser not found (Opera Software)
 
 
---\\ Statistics
~ Items scanned : 258
~ Items found : 0
~ Items cancelled : 0
~ Items repaired : 6
 
 
~ End of clean in 00h00mn02s
===================
ZHPCleaner-[R]-12022016-17_34_15.txt
ZHPCleaner-[S]-12022016-17_33_09.txt
 
 
Step 2 :
 

 
Zoek.exe v5.0.0.1 Updated 31-December-2015
Tool run by Edvinas on 2016.02.12 at 17:37:05,59.
Microsoft Windows 10 Pro 10.0.10586  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Edvinas\Desktop\zoek.exe
Script used: C:\Users\Edvinas\Desktop\zoekscript.txt
 
==== System Restore Info ======================
 
2016.02.12 17:37:23 Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\PROGRA~2\COMMON~1\Apple deleted successfully
C:\PROGRA~3\Comms deleted successfully
C:\PROGRA~3\SoftwareDistribution deleted successfully
C:\Users\DefaultAppPool\AppData\LocalLow deleted successfully
C:\Users\Edvinas\AppData\Local\ActiveSync deleted successfully
C:\Users\Edvinas\AppData\Local\EmieBrowserModeList deleted successfully
C:\Users\Edvinas\AppData\Local\EmieSiteList deleted successfully
C:\Users\Edvinas\AppData\Local\EmieUserList deleted successfully
C:\Users\Edvinas\AppData\Local\PeerDistRepub deleted successfully
C:\Users\Edvinas\AppData\Local\Rockstar Games deleted successfully
C:\Users\Edvinas\AppData\Local\Skype deleted successfully
C:\Users\Edvinas\AppData\Local\VirtualStore deleted successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\PeerDistPub deleted successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\PeerDistRepub deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
HKEY_USERS\S-1-5-21-1732074429-4140833615-1459944318-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BFF1FF83-D72B-46DC-AC26-DEE8D1BD8B3F} deleted successfully
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\Users\Edvinas\AppData\Roaming\discord deleted
C:\Users\Edvinas\.android deleted
C:\PROGRA~3\Package Cache deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\windows\SysNative\GroupPolicy\GPT.INI deleted
C:\WINDOWS\Syswow64\GroupPolicy\gpt.ini deleted
 
==== Chromium Look ======================
 
BTTV - Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajopnjidmegmdimjlfnijceegpefgped
SIH - Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmeakgjggjdlcpncigglobpjbkabhmjl
Dark Vibe - Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkckeanhmkjaechlhllmapjaaglgpcbj
Lounge Assistant - Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\enjonnlehciedbcidabdglnnihcncbml
AdBlock - Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
No DefaultScope Set For HKCU
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"
 
==== All HKLM and HKCU SearchScopes ======================
 
HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKCU\SearchScopes "DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02
 
==== Reset Google Chrome ======================
 
C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal was reset successfully
 
==== Deleting Registry Keys ======================
 
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISCT Tray deleted successfully
 
==== Empty IE Cache ======================
 
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Default.migrated\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Edvinas\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Edvinas\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Default\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Default User\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Edvinas\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Edvinas\AppData\Local\Microsoft\Windows\INetCache\IE\42X1FSRN will be deleted at reboot
C:\Users\Edvinas\AppData\Local\Microsoft\Windows\INetCache\IE\4ZYG0X3T will be deleted at reboot
C:\Users\Edvinas\AppData\Local\Microsoft\Windows\INetCache\IE\6WOHMQFD will be deleted at reboot
C:\Users\Edvinas\AppData\Local\Microsoft\Windows\INetCache\IE\CZGX3WD0 will be deleted at reboot
 
==== Empty FireFox Cache ======================
 
No FireFox Profiles found
 
==== Empty Chrome Cache ======================
 
C:\Users\Edvinas\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
No Flash Cache Found
 
==== Empty All Java Cache ======================
 
No Java Cache Found
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=366 folders=17 354161638 bytes)
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp successfully emptied
C:\Users\Edvinas\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== Deleting Files / Folders ======================
 
"C:\Users\Edvinas\AppData\Local\Microsoft\Windows\INetCache\IE\42X1FSRN" not found
"C:\Users\Edvinas\AppData\Local\Microsoft\Windows\INetCache\IE\4ZYG0X3T" not found
"C:\Users\Edvinas\AppData\Local\Microsoft\Windows\INetCache\IE\6WOHMQFD" not found
"C:\Users\Edvinas\AppData\Local\Microsoft\Windows\INetCache\IE\CZGX3WD0" not found
 
==== EOF on 2016.02.12 at 17:46:36,62 ======================
 
Step 3:
 
ESET found nothing, but I can't find the logfile.
 
Step 4:
 
There is nothing in shortcuts and Control Panel.
The virus still opens automatically in Chrome :(

Edited by nonstopaz, 12 February 2016 - 12:01 PM.


#10 olgun52

  • Malware Response Team
  • 3,787 posts
  • Gender:Male

Posted 12 February 2016 - 05:53 PM

ESET log file: C:\Program Files\ESET\EsetOnlineScanner\log.txt
============================================================
1- Please check ==>> Delete your cache, history, and other browser data. Here.
2- Reset Chrome browser settings. Here
 
Please try again now, and if it still exists:
 
Uninstall Chrome:

  • Delete your cache, history. Here.
  • If you have bookmarks, let's save them by exporting them - Export Bookmarks
  • Then I need you to go Google Sync and sign into your account
  • Scroll down until you see the "Stop and Clear" button and click on the button. At the prompt click on "Ok"
  • Now we need to uninstall Chrome.
  • Close all Chrome windows and tabs.
  • Go to the Start menu > Control Panel.
  • Click Uninstall a Program or Programmes and Features
  • Double-click Google Chrome.
  • Click Uninstall from the confirmation dialogue. Select the "Also delete your browsing data" tick box.
  • Restart the computer and reinstall Chrome. You can download the latest version from here - Google Chrome
  • Import your bookmarks back into Chrome
  • Sign back in to your Chrome browser so that your bookmarks sync with your online account.

How is it now?


Edited by olgun52, 12 February 2016 - 05:57 PM.

Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#11 nonstopaz

nonstopaz
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  

Posted 13 February 2016 - 03:55 AM

Resetting sync and reinstalling Chrome did not help :( it still pops up

Only a disk format will save me from this?

 

ESET: 

 

ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=2395359f76d1374d89ad03b96b801272
# end=init
# utc_time=2016-02-12 03:49:10
# local_time=2016-02-12 05:49:10 (+0200, FLE Standard Time)
# country="Lithuania"
# osver=6.2.9200 NT 
Update Init
Update Download
Update Finalize
Updated modules version: 28102
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=2395359f76d1374d89ad03b96b801272
# end=updated
# utc_time=2016-02-12 03:53:36
# local_time=2016-02-12 05:53:36 (+0200, FLE Standard Time)
# country="Lithuania"
# osver=6.2.9200 NT 
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7777
# api_version=3.1.1
# EOSSerial=2395359f76d1374d89ad03b96b801272
# engine=28102
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2016-02-12 04:44:42
# local_time=2016-02-12 06:44:42 (+0200, FLE Standard Time)
# country="Lithuania"
# lang=1033
# osver=6.2.9200 NT 
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 3482 9109625 0 0
# scanned=211443
# found=0
# cleaned=0
# scan_time=3065
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=2395359f76d1374d89ad03b96b801272
# end=init
# utc_time=2016-02-12 05:00:13
# local_time=2016-02-12 07:00:13 (+0200, FLE Standard Time)
# country="Lithuania"
# osver=6.2.9200 NT 
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=2395359f76d1374d89ad03b96b801272
# end=init
# utc_time=2016-02-12 05:09:38
# local_time=2016-02-12 07:09:38 (+0200, FLE Standard Time)
# country="Lithuania"
# osver=6.2.9200 NT 


#12 olgun52

olgun52

  • Malware Response Team
  • 3,787 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:57 PM

Posted 13 February 2016 - 10:39 AM

Resetting sync and reinstalling Chrome did not help :( it still pops up

Only a disk format will save me from this?

No, no. No need to worry, in my opinion.

 

Scan with ZOEK

 
Please download ZOEK by Smeenk and save it to your desktop (the preferred version is the *.exe one).
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
  • Right-click on the icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
ielook;
firefoxlook;
chromelook;
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)
 
Post its content into your next reply.

 



#13 nonstopaz

nonstopaz
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  

Posted 13 February 2016 - 12:04 PM

 
Zoek.exe v5.0.0.1 Updated 31-December-2015
Tool run by Edvinas on 2016.02.13 at 18:58:03,92.
Microsoft Windows 10 Pro 10.0.10586  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Edvinas\Desktop\zoek.exe [Scan all users] [Script inserted] 
 
==== Older Logs ======================
 
C:\zoek-results2016-02-12-154636.log 7500 bytes
 
==== Firefox Extensions Registry ======================
 
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [2016.02.13 14:23]
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [2016.02.13 14:23]
 
==== Chromium Look ======================
 
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[2016.02.13 14:23]
 
Google Slides - Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek
Google Docs - Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake
Google Drive - Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf
YouTube - Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo
Google Search - Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf
Google Sheets - Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap
Google Docs Offline - Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi
AdBlock - Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom
Avast Online Security - Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki
Chrome Web Store Payments - Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Checker Plus for Gmail™ - Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\oeopbcgkkoapgobdbedcemjljbihmemj
Gmail - Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia
Abstract-Blue - Edvinas\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnacehkknmafkjgkikclamogikoiaaa
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=366 folders=17 354161638 bytes)
 
==== EOF on 2016.02.13 at 18:58:56,46 ======================
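Zoek's "Chromium Look" section above lists every profile extension by display name and ID folder. The following is an added example, not from the thread or from the zoek tool, that reads the same `User Data\Default\Extensions` tree directly: it resolves the `__MSG_…__` localized names from each extension's `_locales` folder the way Chrome does, and flags any manifest that asks for a broad host pattern, which is the kind of extension to remove first when testing them one by one as suggested in the thread. The directory tree it scans is constructed in a temp folder; "Sample Docs", "Hypothetical Helper" and the all-`a`/all-`b` IDs are made up.

```python
import json
import os
import tempfile

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # access to every site

def _load(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)

def _localized(name, ext_dir, locale):
    """Resolve a __MSG_key__ name from _locales/<locale>/messages.json, as Chrome does."""
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    try:
        return _load(os.path.join(ext_dir, "_locales", locale, "messages.json"))[name[6:-2]]["message"]
    except (OSError, KeyError, ValueError):
        return name  # an unresolvable placeholder is itself worth a second look

def inventory(extensions_root):
    """Map each 32-char id under <profile>\\Extensions to name, version and a broad-host flag."""
    found = {}
    for ext_id in sorted(os.listdir(extensions_root)):
        id_dir = os.path.join(extensions_root, ext_id)
        if len(ext_id) != 32 or not os.path.isdir(id_dir):
            continue  # skips Chrome's own 'Temp' folder and stray files
        for version in sorted(os.listdir(id_dir)):  # one folder per installed version
            ext_dir = os.path.join(id_dir, version)
            if not os.path.isfile(os.path.join(ext_dir, "manifest.json")):
                continue
            m = _load(os.path.join(ext_dir, "manifest.json"))
            hosts = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
            found[ext_id] = {"name": _localized(m.get("name", ""), ext_dir, m.get("default_locale", "en")),
                             "version": m.get("version", version), "broad_hosts": bool(hosts & BROAD_HOSTS)}
    return found

def _write(path, obj):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        json.dump(obj, f)

def build_sample():
    """Constructed profile tree (not from the thread): a localized store-style extension and a hypothetical one wanting <all_urls>."""
    root = tempfile.mkdtemp()
    a = os.path.join(root, "a" * 32, "1.2_0")
    _write(os.path.join(a, "manifest.json"), {"name": "__MSG_appName__", "default_locale": "en", "version": "1.2"})
    _write(os.path.join(a, "_locales", "en", "messages.json"), {"appName": {"message": "Sample Docs"}})
    b = os.path.join(root, "b" * 32, "0.9_0")
    _write(os.path.join(b, "manifest.json"), {"name": "Hypothetical Helper", "version": "0.9", "permissions": ["tabs", "<all_urls>"]})
    return root
```

To run it against a real profile, call `inventory()` with the full path to the `Extensions` folder shown in the zoek output instead of `build_sample()`.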


#14 olgun52

olgun52

  • Malware Response Team
  • 3,787 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:57 PM

Posted 14 February 2016 - 10:12 PM

It looks clean. :o I still see some extensions. Please remove them one by one and test.

 

Run HitmanPro:

Please download HitmanPro 32-Bit version // 64-Bit version.

  • Launch the program by double-clicking on the HitmanPro icon. (Windows Vista/7 users right-click on the HitmanPro icon and select Run as administrator.)
  • Click on the next button. You must agree with the terms of EULA.
  • Check the box beside "No, I only want to perform a one-time scan to check this computer".
  • Click on the next button.
  • The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.
  • When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!
  • Click on the next button.
  • Click on the "Export scan results to XML file".
  • Save that file to your desktop and zip and attach it in your next reply.


#15 nonstopaz

nonstopaz
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  

Posted 15 February 2016 - 12:47 AM

I will do the scan in the evening when I get home.

I redownloaded all extensions because I like them and they never caused any problem.

The virus came with DoulCi Activator, which I downloaded on February 3rd.

I have tried HitmanPro the first day I saw the adware, but it had found nothing.