Unknown Infection - involves remote access, recorded tv, spybot and porn


This topic is locked. 44 replies to this topic.

#1 bleedle
Posted 31 March 2016 - 04:13 PM

Hi BC - thanks for your help. For several weeks I've been in a losing battle with something enabling remote access to my laptop (which I bought refurbished from Newegg back in Sept 2015). A few folders have gone empty and a couple of files have been saved over as blank, relevant to a topic I've been covering for 2 years as an indie journalist. Lately I get a lot of "access denied" messages on my own folders. A couple of weeks ago I enabled "store and display recently opened items" in my Start menu and watched a series of programs turn up one after the next, without my help, that enabled remote access to my laptop. There's notable activity that I can't explain with display switch properties, IIS, new folders, PnP, audio services, etc. I also see unexplained activity in my "scanner" and "recorded tv" folders, which are being updated and accessed every day/several times a day but are always empty when I go to check them. Dates always seem suspect: "modified" and "accessed" dates are often found prior to "creation" dates.

While searching for the .rdp being used to access my files, I found Windows PowerShell entries in my Event Viewer from 11/18/15 11:21:31 AM and 3/16/16 11:01:08 PM. I suspect these occurred the same day. All begin with provider name "WSMAN", then switch to alias, environment, filesystem, function, etc., through about 9 sequence numbers.

First set, 11/18/15: host is "console host". Host ID is the same throughout each set. 2nd set, 3/16/16: host name changes from "console host" to "ADMUX", 11:01:08 PM. Again, host ID is the same throughout.

I also found rdpbus.inf, created "7/13/2009 at 4:45:34 pm", C:\Windows\system32\DriverStore\FileRepository\rdpbus.inf_amd64_neutral_3b741ca76444b9c3 [SourceDisksNames], 3426=windows cd, [SourceDisksFiles], rdpbus.sys = 3426, "copy files" and "redirect"... and a bunch of porn in a folder that seems to have been put there through use of my Spybot S&D. This is a personal laptop; I do connect to the house PC via HomeGroup sometimes but do not have or want any network connecting to my laptop. It's just me, and I want to secure this machine.

One other thing: in Event Viewer I've always noticed my machine isn't able to "obtain an IP address", and I often see timeouts to "isatap.belkin" and other variations turn up as warnings - we have a Verizon modem and a Belkin router.

This is what I've found trying to figure this out on my own over many weeks; sorry it's piecey and screwy and doesn't make a lot of sense. My data is saved and I AM ready to wipe my whole system clean and reinstall Windows from a trusted CD if that helps. Thanks again.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016 01
Ran by Lee (administrator) on LEE-PC (31-03-2016 16:28:41)
Running from C:\Users\Lee\Desktop
Loaded Profiles: Lee (Available Profiles: Lee & Lee3 & Administrator)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Microsoft Corporation) C:\Windows\System32\snmp.exe
(Microsoft Corporation) C:\Windows\System32\mqtgsvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MsmqIntCert] => regsvr32 /s mqrt.dll
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7139256 2016-03-24] (AVAST Software)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-19\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-20\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-788557106-799132904-411562618-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-788557106-799132904-411562618-1000\...\MountPoints2: {c1187f71-686d-11e5-b8ff-a0b3cc238db0} - E:\TL-Bootstrap.exe
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE ->
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-02-15] (AVAST Software)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop (2).ini [2010-11-20] ()
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop (2).ini [2010-11-20] ()
Startup: C:\Users\Lee3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop (2).ini [2010-11-20] ()
BootExecute: autocheck autochk * sdnclean64.exe
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [S-1-5-21-788557106-799132904-411562618-1000] => Proxy is enabled.
ProxyServer: [S-1-5-21-788557106-799132904-411562618-1000] => localhost:21320
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{0F187158-005D-405E-8A18-55C3979BAFDB}: [DhcpNameServer] 192.168.5.2
Tcpip\..\Interfaces\{41ABFA6A-5609-470E-BC86-A5A5977B6BD8}: [DhcpNameServer] 192.168.2.1
ManualProxies: 1localhost:21320

Internet Explorer:
==================
HKU\S-1-5-21-788557106-799132904-411562618-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-02-15] (AVAST Software)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-02-15] (AVAST Software)
DPF: HKLM-x32 {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} hxxp://quickscan.bitdefender.com/qsax/qsax.cab

FireFox:
========
FF ProfilePath: C:\Users\Lee\AppData\Roaming\Mozilla\Firefox\Profiles\kt8m2jtg.default
FF DefaultSearchEngine.US: Google
FF Homepage: hxxps://encrypted.google.com/
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Extension: QuickJS - C:\Users\Lee\AppData\Roaming\Mozilla\Firefox\Profiles\kt8m2jtg.default\extensions\{bb65e674-b194-4b6e-8033-5fa0afe3a198}.xpi [2015-10-21]
FF Extension: Lightbeam - C:\Users\Lee\AppData\Roaming\Mozilla\Firefox\Profiles\kt8m2jtg.default\Extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi [2016-03-29]
FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi [2016-03-26] [not signed]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-03-17]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-03-17]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF

Chrome:
=======
CHR DefaultSearchURL: Default -> hxxps://encrypted.google.com/search?hl=en&source=hp&q={searchTerms}
CHR Profile: C:\Users\Lee\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Lee\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-12-09]
CHR Extension: (Google Docs) - C:\Users\Lee\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-12-09]
CHR Extension: (Google Drive) - C:\Users\Lee\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-22]
CHR Extension: (YouTube) - C:\Users\Lee\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-24]
CHR Extension: (Google Search) - C:\Users\Lee\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (Google Sheets) - C:\Users\Lee\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-12-09]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Lee\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-12-09]
CHR Extension: (Gmail) - C:\Users\Lee\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-09-24]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2016-02-15]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AESTFilters; C:\Program Files\IDT\WDM\AESTSr64.exe [89600 2009-03-03] (Andrea Electronics Corporation) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [237096 2016-02-15] (AVAST Software)
R2 iprip; C:\Windows\System32\iprip.dll [35328 2009-07-13] (Microsoft Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 MSMQTriggers; C:\Windows\system32\mqtgsvc.exe [189440 2010-11-20] (Microsoft Corporation)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 SNMP; C:\Windows\System32\snmp.exe [49664 2010-11-20] (Microsoft Corporation)
R2 SNMP; C:\Windows\SysWOW64\snmp.exe [47616 2010-11-20] (Microsoft Corporation)
R2 STacSV; C:\Program Files\IDT\WDM\STacSV64.exe [327680 2012-10-25] (IDT, Inc.) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-02-15] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-03-23] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [107792 2016-03-09] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-02-15] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-02-15] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1070904 2016-03-09] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [463744 2016-02-23] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [165344 2016-02-15] (AVAST Software)
S3 aswTap; C:\Windows\System32\DRIVERS\aswTap.sys [44640 2015-12-28] (The OpenVPN Project)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [287016 2016-02-15] (AVAST Software)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S4 IObitUnlocker; C:\Program Files (x86)\IObit\IObit Unlocker\IObitUnlocker.sys [36568 2013-09-30] (IObit)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\drivers\TeeDriverx64.sys [99288 2013-11-13] (Intel Corporation)
S2 Par1284; C:\Program Files\FlexiSIGN-PRO 8.1v1\Program\Par1284.sys [53344 2006-10-16] (Warp Nine Engineering) [File not signed]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-31 16:28 - 2016-03-31 16:28 - 00011646 _____ C:\Users\Lee\Desktop\FRST.txt
2016-03-31 16:24 - 2016-03-31 16:28 - 00000000 ____D C:\FRST
2016-03-31 16:24 - 2016-03-31 16:24 - 02374144 _____ (Farbar) C:\Users\Lee\Desktop\FRST64.exe
2016-03-30 20:15 - 2016-03-30 20:15 - 00008609 _____ C:\Users\Lee\AppData\Local\recently-used.xbel
2016-03-29 22:51 - 2016-03-29 22:51 - 00001183 _____ C:\Users\Public\Desktop\IObit Unlocker.lnk
2016-03-29 22:51 - 2016-03-29 22:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Unlocker
2016-03-29 22:51 - 2016-03-29 22:51 - 00000000 ____D C:\ProgramData\IObit
2016-03-29 22:51 - 2016-03-29 22:51 - 00000000 ____D C:\Program Files (x86)\IObit
2016-03-28 20:38 - 2016-03-28 20:44 - 00000000 ____D C:\Users\Lee3\AppData\Local\Mozilla
2016-03-28 20:38 - 2016-03-28 20:38 - 00000000 ____D C:\Users\Lee3\AppData\Roaming\Mozilla
2016-03-28 20:32 - 2016-03-28 20:32 - 00122120 _____ C:\Users\Lee3\AppData\Local\GDIPFONTCACHEV1.DAT
2016-03-28 17:48 - 2016-03-28 17:48 - 00001462 _____ C:\Users\Lee\Desktop\forthedrive - Shortcut.lnk
2016-03-28 14:08 - 2016-03-28 14:08 - 00000000 ____H C:\Users\Lee3\Documents\Default.rdp
2016-03-28 13:58 - 2016-03-28 13:58 - 00000000 ____D C:\Users\Lee3\AppData\Roaming\AVAST Software
2016-03-28 13:57 - 2016-03-28 22:56 - 00000000 ____D C:\Users\Lee3\AppData\Local\Google
2016-03-28 13:57 - 2016-03-28 13:57 - 00002258 _____ C:\Users\Lee3\Desktop\Google Chrome.lnk
2016-03-28 13:57 - 2016-03-28 13:57 - 00001416 _____ C:\Users\Lee3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-03-28 13:57 - 2016-03-28 13:57 - 00000000 _SHDL C:\Users\Lee3\My Documents
2016-03-28 13:57 - 2016-03-28 13:57 - 00000000 _SHDL C:\Users\Lee3\Documents\My Videos
2016-03-28 13:57 - 2016-03-28 13:57 - 00000000 _SHDL C:\Users\Lee3\Documents\My Pictures
2016-03-28 13:57 - 2016-03-28 13:57 - 00000000 _SHDL C:\Users\Lee3\Documents\My Music
2016-03-28 13:57 - 2016-03-28 13:57 - 00000000 ____D C:\Users\Lee3\AppData\Roaming\Adobe
2016-03-28 13:57 - 2016-03-28 13:57 - 00000000 ____D C:\Users\Lee3\AppData\Local\VirtualStore
2016-03-28 13:57 - 2016-03-28 13:57 - 00000000 ____D C:\Users\Lee3
2016-03-28 13:57 - 2015-10-01 14:56 - 00000000 ____D C:\Users\Lee3\AppData\Roaming\TuneUp Software
2016-03-28 13:57 - 2010-11-20 23:40 - 00000476 ___SH C:\Users\Lee3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop (2).ini
2016-03-28 13:57 - 2010-11-20 23:40 - 00000402 ___SH C:\Users\Lee3\Documents\desktop (2).ini
2016-03-28 13:57 - 2010-11-20 23:40 - 00000282 ___SH C:\Users\Lee3\Downloads\desktop (2).ini
2016-03-28 13:57 - 2010-11-20 23:40 - 00000282 ___SH C:\Users\Lee3\Desktop\desktop (2).ini
2016-03-28 13:57 - 2010-11-20 23:40 - 00000174 ___SH C:\Users\Lee3\AppData\Roaming\Microsoft\Windows\Start Menu\desktop (2).ini
2016-03-28 13:57 - 2010-11-20 22:51 - 00001449 _____ C:\Users\Lee3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (2).lnk
2016-03-28 13:57 - 2010-11-20 22:51 - 00001415 _____ C:\Users\Lee3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit) (2).lnk
2016-03-28 13:57 - 2010-11-20 22:50 - 00000020 ___SH C:\Users\Lee3\ntuser.ini
2016-03-23 12:13 - 2016-03-23 12:17 - 00003044 _____ C:\Windows\System32\Tasks\SafeZone scheduled Autoupdate 1458749635
2016-03-23 12:13 - 2016-03-23 12:13 - 00037144 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
2016-03-23 12:13 - 2016-03-23 12:13 - 00001044 _____ C:\Users\Public\Desktop\Avast SafeZone Browser.lnk
2016-03-23 12:13 - 2016-03-23 12:13 - 00001044 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2016-03-20 15:25 - 2016-03-20 15:25 - 00000000 ____D C:\Users\Public\Recorded TV
2016-03-20 14:45 - 2016-03-20 14:45 - 04889088 _____ (Microsoft Corporation) C:\Windows\system32\gppref.dll
2016-03-20 14:45 - 2016-03-20 14:45 - 04342784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gppref.dll
2016-03-20 14:45 - 2016-03-20 14:45 - 03787776 _____ (Microsoft Corporation) C:\Windows\system32\propshts.dll
2016-03-20 14:45 - 2016-03-20 14:45 - 02548736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\propshts.dll
2016-03-20 14:45 - 2016-03-20 14:45 - 00901632 _____ (Microsoft Corporation) C:\Windows\system32\gpprefbr.dll
2016-03-20 14:45 - 2016-03-20 14:45 - 00627712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gpprefbr.dll
2016-03-20 14:45 - 2016-03-20 14:45 - 00302080 _____ (Microsoft Corporation) C:\Windows\system32\gpregistrybrowser.dll
2016-03-20 14:45 - 2016-03-20 14:45 - 00236032 _____ (Microsoft Corporation) C:\Windows\system32\gpprefcn.dll
2016-03-20 14:45 - 2016-03-20 14:45 - 00225280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gpregistrybrowser.dll
2016-03-20 14:45 - 2016-03-20 14:45 - 00166400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gpprefcn.dll
2016-03-20 14:45 - 2016-03-20 14:45 - 00000000 ____D C:\Windows\system32\zh-CHT
2016-03-20 14:45 - 2016-03-20 14:45 - 00000000 ____D C:\Windows\system32\zh-CHS
2016-03-20 14:45 - 2016-03-20 14:45 - 00000000 ____D C:\Windows\system32\tr
2016-03-20 14:45 - 2016-03-20 14:45 - 00000000 ____D C:\Windows\system32\sv
2016-03-20 14:45 - 2016-03-20 14:45 - 00000000 ____D C:\Windows\system32\ru
2016-03-20 14:45 - 2016-03-20 14:45 - 00000000 ____D C:\Windows\system32\pt
2016-03-20 14:45 - 2016-03-20 14:45 - 00000000 ____D C:\Windows\system32\pl
2016-03-20 14:45 - 2016-03-20 14:45 - 00000000 ____D C:\Windows\system32\nl
2016-03-20 14:45 - 2016-03-20 14:45 - 00000000 ____D C:\Windows\system32\ko
2016-03-20 14:45 - 2016-03-20 14:45 - 00000000 ____D C:\Windows\system32\ja
2016-03-20 14:45 - 2016-03-20 14:45 - 00000000 ____D C:\Windows\system32\it
2016-03-20 14:45 - 2016-03-20 14:45 - 00000000 ____D C:\Windows\system32\hu
2016-03-20 14:45 - 2016-03-20 14:45 - 00000000 ____D C:\Windows\system32\fr
2016-03-20 14:45 - 2016-03-20 14:45 - 00000000 ____D C:\Windows\system32\es
2016-03-20 14:45 - 2016-03-20 14:45 - 00000000 ____D C:\Windows\system32\de
2016-03-20 14:45 - 2016-03-20 14:45 - 00000000 ____D C:\Windows\system32\cs
2016-03-17 12:46 - 2016-03-29 00:46 - 00000000 __RHD C:\Users\Public\Libraries
2016-03-17 12:29 - 2016-03-17 12:44 - 00234514 _____ C:\Windows\ntbtlog.txt
2016-03-17 09:24 - 2012-06-01 01:39 - 00014848 _____ (Microsoft Corporation) C:\Windows\system32\wamregps.dll
2016-03-17 09:24 - 2012-06-01 01:36 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\iisRtl.dll
2016-03-17 09:24 - 2012-06-01 01:36 - 00011264 _____ (Microsoft Corporation) C:\Windows\system32\iisrstap.dll
2016-03-17 09:24 - 2012-06-01 01:35 - 00060928 _____ (Microsoft Corporation) C:\Windows\system32\ahadmin.dll
2016-03-17 09:24 - 2012-06-01 01:34 - 00055296 _____ (Microsoft Corporation) C:\Windows\system32\admwprox.dll
2016-03-17 09:24 - 2012-06-01 01:33 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\iisreset.exe
2016-03-17 09:24 - 2012-06-01 00:40 - 00010752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wamregps.dll
2016-03-17 09:24 - 2012-06-01 00:37 - 00154624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iisRtl.dll
2016-03-17 09:24 - 2012-06-01 00:37 - 00008192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iisrstap.dll
2016-03-17 09:24 - 2012-06-01 00:35 - 00050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\admwprox.dll
2016-03-17 09:24 - 2012-06-01 00:35 - 00026624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ahadmin.dll
2016-03-17 09:24 - 2012-06-01 00:34 - 00015360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iisreset.exe
2016-03-17 08:35 - 2010-11-20 08:26 - 01076736 _____ (Microsoft Corporation) C:\Windows\system32\GPOAdminCustom.dll
2016-03-17 08:35 - 2010-11-20 08:26 - 00479232 _____ (Microsoft Corporation) C:\Windows\system32\GPRSoP.dll
2016-03-17 08:35 - 2010-11-20 08:26 - 00105984 _____ (Microsoft Corporation) C:\Windows\system32\FCMgrDLL.dll
2016-03-17 08:35 - 2010-11-20 08:26 - 00096256 _____ (Microsoft Corporation) C:\Windows\system32\GPOAdminCommon.dll
2016-03-17 08:35 - 2010-11-20 08:26 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\iSNSMgrDLL.dll
2016-03-17 08:35 - 2010-11-20 08:26 - 00070656 _____ (Microsoft Corporation) C:\Windows\system32\iSCSIMgrDLL.dll
2016-03-17 08:35 - 2010-11-20 07:19 - 00743424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\GPOAdminCustom.dll
2016-03-17 08:35 - 2010-11-20 07:19 - 00453120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\GPRSoP.dll
2016-03-17 08:35 - 2010-11-20 07:19 - 00073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\GPOAdminCommon.dll
2016-03-17 08:35 - 2010-11-04 21:11 - 00115778 _____ C:\Windows\system32\WSRM.msc
2016-03-17 08:35 - 2010-11-04 21:01 - 00033652 _____ C:\Windows\system32\StorExpl.msc
2016-03-17 08:35 - 2009-07-13 21:52 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\mtedit.exe
2016-03-17 08:35 - 2009-07-13 21:41 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\BdeAducExt.dll
2016-03-17 08:35 - 2009-06-10 17:28 - 00146080 _____ C:\Windows\SysWOW64\gptedit.msc
2016-03-17 08:35 - 2009-06-10 16:46 - 00146080 _____ C:\Windows\system32\gptedit.msc
2016-03-17 08:34 - 2010-11-20 08:44 - 00593920 _____ (Microsoft Corporation) C:\Windows\system32\StorExpl.dll
2016-03-17 08:34 - 2010-11-20 08:26 - 02300416 _____ (Microsoft Corporation) C:\Windows\system32\gpmgmt.dll
2016-03-17 08:34 - 2010-11-20 08:26 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\GPOAdmin.dll
2016-03-17 08:34 - 2010-11-20 08:26 - 00774656 _____ (Microsoft Corporation) C:\Windows\system32\gpme.dll
2016-03-17 08:34 - 2010-11-20 07:19 - 01664512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gpmgmt.dll
2016-03-17 08:34 - 2010-11-20 07:19 - 01292800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\GPOAdmin.dll
2016-03-17 08:34 - 2010-11-20 07:19 - 00728576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gpme.dll
2016-03-17 08:34 - 2010-11-04 21:02 - 00146446 _____ C:\Windows\SysWOW64\gpmc.msc
2016-03-17 08:34 - 2010-11-04 21:02 - 00146446 _____ C:\Windows\system32\gpmc.msc
2016-03-17 08:34 - 2009-07-13 21:41 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\rsatclient.dll
2016-03-17 08:34 - 2009-06-10 17:28 - 00146712 _____ C:\Windows\SysWOW64\gpme.msc
2016-03-17 08:34 - 2009-06-10 16:46 - 00146712 _____ C:\Windows\system32\gpme.msc
2016-03-17 08:21 - 2016-03-17 08:50 - 00000000 ____D C:\Users\Lee\Desktop\New folder
2016-03-17 07:54 - 2016-03-17 07:54 - 00000000 ____D C:\Windows\system32\msmq
2016-03-17 07:35 - 2016-03-17 07:35 - 00003072 _____ C:\Windows\System32\Tasks\{E36EB39D-ECE4-4006-AE90-3BFD45D8A808}
2016-03-17 05:08 - 2016-02-15 18:45 - 00398152 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2016-03-16 23:01 - 2016-03-16 23:01 - 00000000 ____D C:\Users\Lee\AppData\Roaming\IsolatedStorage
2016-03-16 21:54 - 2016-03-20 14:45 - 00000000 ____D C:\Windows\system32\Windows System Resource Manager
2016-03-16 21:54 - 2016-03-20 14:45 - 00000000 ____D C:\inetpub
2016-03-16 21:54 - 2016-03-17 04:07 - 00000000 ____D C:\Windows\Cluster
2016-03-16 20:09 - 2016-03-16 20:33 - 251170997 _____ C:\Windows\system32\Windows6.1-KB958830-x64-RefreshPkg.msu
2016-03-15 11:13 - 2016-03-17 07:21 - 00000000 ____D C:\Users\Lee\Documents\Security
2016-03-14 22:48 - 2016-03-14 22:48 - 00630375 _____ C:\Users\My-LT\Documents\FallaciesPoster16x24.pdf
2016-03-14 04:30 - 2016-03-14 04:30 - 00003356 _____ C:\Users\My-LT\AppData\Local\recently-used.xbel
2016-03-14 01:15 - 2016-03-14 01:15 - 00000000 ____D C:\Users\My-LT\AppData\Local\webkit
2016-03-14 01:03 - 2016-03-14 01:03 - 00000000 ____D C:\Users\My-LT\.thumbnails
2016-03-14 01:01 - 2016-03-14 04:30 - 00000000 ____D C:\Users\My-LT\.gimp-2.8
2016-03-14 01:01 - 2016-03-14 01:01 - 00000000 ____D C:\Users\My-LT\AppData\Local\gegl-0.2
2016-03-14 01:01 - 2016-03-14 01:01 - 00000000 ____D C:\Users\My-LT\AppData\Local\fontconfig
2016-03-14 00:35 - 2016-03-14 00:35 - 00000000 ____D C:\Users\My-LT\AppData\Roaming\IDT
2016-03-13 20:00 - 2016-03-13 20:00 - 00000000 ____D C:\Users\My-LT\AppData\Roaming\Macromedia
2016-03-13 20:00 - 2016-03-13 20:00 - 00000000 ____D C:\Users\My-LT\AppData\Local\Macromedia
2016-03-13 17:35 - 2016-03-13 17:42 - 00000000 ____D C:\Users\My-LT\AppData\Local\Mozilla
2016-03-13 17:35 - 2016-03-13 17:36 - 00000000 ____D C:\Users\My-LT\AppData\Roaming\Mozilla
2016-03-13 16:09 - 2016-03-13 16:09 - 00122120 _____ C:\Users\My-LT\AppData\Local\GDIPFONTCACHEV1.DAT
2016-03-13 16:05 - 2016-03-15 03:23 - 00000000 ____D C:\Users\My-LT
2016-03-13 16:05 - 2016-03-13 16:05 - 00000000 ____D C:\Users\My-LT\AppData\Roaming\Adobe
2016-03-13 16:05 - 2016-03-13 16:05 - 00000000 ____D C:\Users\My-LT\AppData\Local\VirtualStore
2016-03-13 16:05 - 2016-03-13 16:05 - 00000000 ____D C:\Users\My-LT\AppData\Local\Google
2016-03-13 16:05 - 2015-10-01 14:56 - 00000000 ____D C:\Users\My-LT\AppData\Roaming\TuneUp Software
2016-03-09 16:17 - 2016-03-17 05:39 - 00000000 ___DC C:\Users\Lee\AppData\Local\MigWiz
2016-03-09 15:56 - 2016-03-09 15:56 - 00512201 _____ C:\Windows\system32\eventvw0309r.msc
2016-03-09 10:19 - 2016-02-12 14:52 - 03169792 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2016-03-09 10:19 - 2016-02-12 14:52 - 00192512 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2016-03-09 10:19 - 2016-02-12 14:52 - 00098816 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2016-03-09 10:19 - 2016-02-12 14:44 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2016-03-09 10:19 - 2016-02-12 14:39 - 00174080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2016-03-09 10:19 - 2016-02-12 14:22 - 02610688 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2016-03-09 10:19 - 2016-02-12 14:19 - 00709120 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2016-03-09 10:19 - 2016-02-12 14:18 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2016-03-09 10:19 - 2016-02-12 14:18 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2016-03-09 10:19 - 2016-02-12 14:18 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2016-03-09 10:19 - 2016-02-12 14:18 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2016-03-09 10:19 - 2016-02-12 14:18 - 00012288 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2016-03-09 10:19 - 2016-02-12 14:06 - 00573440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2016-03-09 10:19 - 2016-02-12 14:05 - 00093696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2016-03-09 10:19 - 2016-02-12 14:05 - 00035328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2016-03-09 10:19 - 2016-02-12 14:05 - 00030208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2016-03-09 10:19 - 2016-02-09 02:53 - 00387792 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2016-03-09 10:19 - 2016-02-09 02:10 - 00341200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2016-03-09 10:19 - 2016-02-08 17:05 - 20352512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-03-09 10:19 - 2016-02-08 16:51 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2016-03-09 10:19 - 2016-02-08 16:39 - 00496640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-03-09 10:19 - 2016-02-08 16:39 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2016-03-09 10:19 - 2016-02-08 16:38 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2016-03-09 10:19 - 2016-02-08 16:38 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2016-03-09 10:19 - 2016-02-08 16:37 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2016-03-09 10:19 - 2016-02-08 16:34 - 02280448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-03-09 10:19 - 2016-02-08 16:32 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2016-03-09 10:19 - 2016-02-08 16:31 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2016-03-09 10:19 - 2016-02-08 16:30 - 00476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2016-03-09 10:19 - 2016-02-08 16:28 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2016-03-09 10:19 - 2016-02-08 16:28 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2016-03-09 10:19 - 2016-02-08 16:28 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2016-03-09 10:19 - 2016-02-08 16:20 - 00416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2016-03-09 10:19 - 2016-02-08 16:16 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2016-03-09 10:19 - 2016-02-08 16:15 - 00091136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2016-03-09 10:19 - 2016-02-08 16:13 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2016-03-09 10:19 - 2016-02-08 16:12 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2016-03-09 10:19 - 2016-02-08 16:11 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2016-03-09 10:19 - 2016-02-08 16:10 - 04611072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-03-09 10:19 - 2016-02-08 16:10 - 00130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2016-03-09 10:19 - 2016-02-08 16:05 - 25816576 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-03-09 10:19 - 2016-02-08 16:03 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2016-03-09 10:19 - 2016-02-08 16:02 - 13012480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-03-09 10:19 - 2016-02-08 16:02 - 00687104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-03-09 10:19 - 2016-02-08 16:01 - 02050560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2016-03-09 10:19 - 2016-02-08 16:01 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2016-03-09 10:19 - 2016-02-08 15:43 - 02121216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-03-09 10:19 - 2016-02-08 15:39 - 01311744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-03-09 10:19 - 2016-02-08 15:38 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2016-03-09 10:19 - 2016-02-08 14:41 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-03-09 10:19 - 2016-02-08 14:41 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2016-03-09 10:19 - 2016-02-08 14:27 - 02887680 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-03-09 10:19 - 2016-02-08 14:27 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2016-03-09 10:19 - 2016-02-08 14:26 - 00571904 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-03-09 10:19 - 2016-02-08 14:26 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-03-09 10:19 - 2016-02-08 14:26 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2016-03-09 10:19 - 2016-02-08 14:26 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2016-03-09 10:19 - 2016-02-08 14:19 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-03-09 10:19 - 2016-02-08 14:18 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2016-03-09 10:19 - 2016-02-08 14:16 - 06052352 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-03-09 10:19 - 2016-02-08 14:15 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-03-09 10:19 - 2016-02-08 14:14 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-03-09 10:19 - 2016-02-08 14:14 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2016-03-09 10:19 - 2016-02-08 14:13 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-03-09 10:19 - 2016-02-08 14:13 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2016-03-09 10:19 - 2016-02-08 14:06 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2016-03-09 10:19 - 2016-02-08 14:03 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-03-09 10:19 - 2016-02-08 13:55 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2016-03-09 10:19 - 2016-02-08 13:54 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2016-03-09 10:19 - 2016-02-08 13:52 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2016-03-09 10:19 - 2016-02-08 13:51 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-03-09 10:19 - 2016-02-08 13:49 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-03-09 10:19 - 2016-02-08 13:47 - 00152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2016-03-09 10:19 - 2016-02-08 13:37 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2016-03-09 10:19 - 2016-02-08 13:35 - 00718336 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2016-03-09 10:19 - 2016-02-08 13:34 - 00798720 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-03-09 10:19 - 2016-02-08 13:33 - 14613504 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-03-09 10:19 - 2016-02-08 13:33 - 02123264 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-03-09 10:19 - 2016-02-08 13:33 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2016-03-09 10:19 - 2016-02-08 13:19 - 02597376 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-03-09 10:19 - 2016-02-08 13:07 - 01546752 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-03-09 10:19 - 2016-02-08 12:55 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-03-09 10:19 - 2016-02-04 13:52 - 03211264 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-03-09 10:19 - 2016-02-03 14:58 - 00862208 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2016-03-09 10:19 - 2016-02-03 14:52 - 00084992 _____ (Microsoft Corporation) C:\Windows\system32\asycfilt.dll
2016-03-09 10:19 - 2016-02-03 14:49 - 00572416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2016-03-09 10:19 - 2016-02-03 14:43 - 00067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\asycfilt.dll
2016-03-09 10:19 - 2016-02-03 14:07 - 00091648 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\USBSTOR.SYS
2016-03-09 10:15 - 2016-02-11 14:56 - 05572032 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-03-09 10:15 - 2016-02-11 14:56 - 00154560 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2016-03-09 10:15 - 2016-02-11 14:56 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2016-03-09 10:15 - 2016-02-11 14:52 - 01733592 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2016-03-09 10:15 - 2016-02-11 14:49 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2016-03-09 10:15 - 2016-02-11 14:49 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2016-03-09 10:15 - 2016-02-11 14:49 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2016-03-09 10:15 - 2016-02-11 14:49 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2016-03-09 10:15 - 2016-02-11 14:49 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2016-03-09 10:15 - 2016-02-11 14:49 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2016-03-09 10:15 - 2016-02-11 14:49 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2016-03-09 10:15 - 2016-02-11 14:49 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2016-03-09 10:15 - 2016-02-11 14:48 - 01214464 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2016-03-09 10:15 - 2016-02-11 14:48 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2016-03-09 10:15 - 2016-02-11 14:48 - 00344064 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2016-03-09 10:15 - 2016-02-11 14:48 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2016-03-09 10:15 - 2016-02-11 14:48 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2016-03-09 10:15 - 2016-02-11 14:47 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2016-03-09 10:15 - 2016-02-11 14:45 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2016-03-09 10:15 - 2016-02-11 14:45 - 00312320 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2016-03-09 10:15 - 2016-02-11 14:45 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2016-03-09 10:15 - 2016-02-11 14:45 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2016-03-09 10:15 - 2016-02-11 14:44 - 03994560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2016-03-09 10:15 - 2016-02-11 14:44 - 03938240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2016-03-09 10:15 - 2016-02-11 14:44 - 01461248 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-03-09 10:15 - 2016-02-11 14:44 - 01163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2016-03-09 10:15 - 2016-02-11 14:44 - 00730112 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2016-03-09 10:15 - 2016-02-11 14:44 - 00422400 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2016-03-09 10:15 - 2016-02-11 14:42 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2016-03-09 10:15 - 2016-02-11 14:42 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2016-03-09 10:15 - 2016-02-11 14:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 01314328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00880128 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:41 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:38 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2016-03-09 10:15 - 2016-02-11 14:38 - 00665088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2016-03-09 10:15 - 2016-02-11 14:38 - 00275456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2016-03-09 10:15 - 2016-02-11 14:38 - 00171520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2016-03-09 10:15 - 2016-02-11 14:38 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2016-03-09 10:15 - 2016-02-11 14:38 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2016-03-09 10:15 - 2016-02-11 14:38 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2016-03-09 10:15 - 2016-02-11 14:37 - 00251392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2016-03-09 10:15 - 2016-02-11 14:37 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2016-03-09 10:15 - 2016-02-11 14:37 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2016-03-09 10:15 - 2016-02-11 14:35 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2016-03-09 10:15 - 2016-02-11 14:35 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2016-03-09 10:15 - 2016-02-11 14:35 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2016-03-09 10:15 - 2016-02-11 14:34 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2016-03-09 10:15 - 2016-02-11 14:33 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2016-03-09 10:15 - 2016-02-11 14:31 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00642560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 14:30 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 13:48 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2016-03-09 10:15 - 2016-02-11 13:43 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2016-03-09 10:15 - 2016-02-11 13:41 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2016-03-09 10:15 - 2016-02-11 13:40 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2016-03-09 10:15 - 2016-02-11 13:34 - 00290816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2016-03-09 10:15 - 2016-02-11 13:34 - 00159232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2016-03-09 10:15 - 2016-02-11 13:33 - 00129024 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2016-03-09 10:15 - 2016-02-11 13:32 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2016-03-09 10:15 - 2016-02-11 13:32 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2016-03-09 10:15 - 2016-02-11 13:32 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2016-03-09 10:15 - 2016-02-11 13:32 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2016-03-09 10:15 - 2016-02-11 13:32 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2016-03-09 10:15 - 2016-02-11 13:32 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2016-03-09 10:15 - 2016-02-11 13:31 - 00036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2016-03-09 10:15 - 2016-02-11 13:30 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 13:30 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 13:30 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2016-03-09 10:15 - 2016-02-11 13:30 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2016-03-09 10:15 - 2016-02-09 05:57 - 14634496 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2016-03-09 10:15 - 2016-02-09 05:57 - 12625920 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL
2016-03-09 10:15 - 2016-02-09 05:56 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\msdxm.ocx
2016-03-09 10:15 - 2016-02-09 05:56 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\dxmasf.dll
2016-03-09 10:15 - 2016-02-09 05:55 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\seclogon.dll
2016-03-09 10:15 - 2016-02-09 05:54 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\spwmp.dll
2016-03-09 10:15 - 2016-02-09 05:51 - 12625408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmploc.DLL
2016-03-09 10:15 - 2016-02-09 05:51 - 11411456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmp.dll
2016-03-09 10:15 - 2016-02-09 05:13 - 00008192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\spwmp.dll
2016-03-09 10:15 - 2016-02-09 05:13 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msdxm.ocx
2016-03-09 10:15 - 2016-02-09 05:13 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxmasf.dll
2016-03-09 10:15 - 2016-02-05 14:54 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2016-03-09 10:15 - 2016-02-05 14:54 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2016-03-09 10:15 - 2016-02-05 14:53 - 00046080 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2016-03-09 10:15 - 2016-02-05 14:53 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2016-03-09 10:15 - 2016-02-05 14:50 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll
2016-03-09 10:15 - 2016-02-05 14:44 - 00070656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll
2016-03-09 10:15 - 2016-02-05 14:42 - 00010240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dciman32.dll
2016-03-09 10:15 - 2016-02-05 13:48 - 00372736 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2016-03-09 10:15 - 2016-02-05 13:43 - 00299520 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2016-03-09 10:15 - 2016-02-05 13:43 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2016-03-09 10:15 - 2016-02-04 21:19 - 00381440 _____ (Microsoft Corporation) C:\Windows\system32\mfds.dll
2016-03-09 10:15 - 2016-02-04 14:41 - 00296448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfds.dll
2016-03-08 23:36 - 2016-03-26 10:44 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-03-07 10:58 - 2016-03-07 10:58 - 00000000 ____D C:\Users\Lee\Documents\ProcAlyzer Dumps
2016-03-05 23:58 - 2009-06-10 17:00 - 00000824 _____ C:\Windows\system32\Drivers\etc\hosts.20160305-225809.backup
2016-03-05 22:21 - 2016-03-05 22:21 - 00001394 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2016-03-05 22:21 - 2016-03-05 22:21 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2016-03-05 22:21 - 2016-03-05 22:21 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2016-03-05 22:20 - 2016-03-17 04:07 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2016-03-05 22:20 - 2016-03-05 22:40 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2016-03-05 22:20 - 2013-09-20 11:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-31 16:27 - 2009-07-14 00:45 - 00021904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-03-31 16:27 - 2009-07-14 00:45 - 00021904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-03-31 15:56 - 2015-09-24 20:04 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-03-31 15:24 - 2009-07-14 01:13 - 00920724 _____ C:\Windows\system32\PerfStringBackup.INI
2016-03-31 15:24 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
2016-03-31 14:25 - 2015-09-24 20:04 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-03-31 14:25 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-03-30 22:08 - 2015-09-25 20:06 - 00000000 ____D C:\Users\Lee\.gimp-2.8
2016-03-30 20:15 - 2015-09-25 20:07 - 00000000 ____D C:\Users\Lee\AppData\Local\gtk-2.0
2016-03-30 20:02 - 2015-09-24 20:07 - 00002202 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-03-29 23:17 - 2016-01-05 00:32 - 00000000 ____D C:\Users\Lee\webdownloads
2016-03-29 05:57 - 2015-11-29 20:05 - 00007623 _____ C:\Users\Lee\AppData\Local\Resmon.ResmonCfg
2016-03-28 14:18 - 2015-09-24 20:01 - 00000000 ____D C:\Users\Lee\AppData\Local\VirtualStore
2016-03-27 02:20 - 2015-12-10 23:48 - 00000000 ____D C:\Users\Lee\AppData\Local\ElevatedDiagnostics
2016-03-26 19:20 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\rescache
2016-03-26 17:34 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\inetsrv
2016-03-26 13:43 - 2010-11-21 03:06 - 00000000 ____D C:\Windows\system32\0409
2016-03-26 13:43 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\SysWOW64\inetsrv
2016-03-26 11:28 - 2015-10-21 10:57 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2016-03-26 11:28 - 2015-10-21 10:57 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2016-03-25 13:12 - 2015-12-28 01:50 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-03-23 12:13 - 2015-12-28 00:58 - 00000000 ____D C:\Program Files\AVAST Software
2016-03-23 12:13 - 2015-12-28 00:43 - 00000000 ____D C:\ProgramData\AVAST Software
2016-03-21 11:21 - 2015-09-24 20:01 - 00000000 ____D C:\Users\Lee
2016-03-19 12:52 - 2009-07-13 23:20 - 00000000 ___HD C:\Windows\system32\GroupPolicyUsers
2016-03-19 05:15 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files\Windows Sidebar
2016-03-19 05:15 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2016-03-19 02:10 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\NDF
2016-03-18 09:06 - 2015-10-23 23:40 - 00000000 ____D C:\Users\Administrator
2016-03-17 07:57 - 2016-01-21 12:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
2016-03-17 07:55 - 2015-10-21 11:52 - 00843552 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2016-03-17 07:26 - 2015-09-24 21:01 - 00000000 ____D C:\Users\Lee\AppData\Roaming\Skype
2016-03-17 07:21 - 2015-12-04 21:56 - 00000000 ____D C:\Users\Lee\Documents\Scanned Documents
2016-03-17 06:34 - 2014-11-25 12:56 - 00000000 ___HD C:\RPKTools
2016-03-17 06:14 - 2015-12-27 15:32 - 00000000 ___RD C:\Users\Lee\Documents\Notes
2016-03-17 06:13 - 2015-12-08 17:51 - 00000000 ____D C:\Users\Emma
2016-03-17 06:13 - 2015-12-06 14:29 - 00000000 ____D C:\Users\Guest
2016-03-17 06:13 - 2015-11-28 20:48 - 00000000 ____D C:\Temp
2016-03-17 06:12 - 2016-02-07 07:20 - 00000000 ____D C:\Users\Lee\Desktop\mommypics
2016-03-17 06:12 - 2016-02-07 00:06 - 00000000 ____D C:\Users\Lee\Desktop\funnypics
2016-03-17 06:12 - 2016-02-07 00:01 - 00000000 ____D C:\Users\Lee\Desktop\Gloria's 1st
2016-03-17 06:12 - 2016-02-06 23:52 - 00000000 ____D C:\Users\Lee\Desktop\mlmconnections
2016-03-17 06:12 - 2016-02-06 23:48 - 00000000 ____D C:\Users\Lee\Desktop\ncdfundraiser
2016-03-17 04:07 - 2016-01-21 12:58 - 00000000 ____D C:\Program Files (x86)\ERUNT
2016-03-17 04:07 - 2015-12-28 01:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2016-03-17 04:07 - 2015-12-28 01:50 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2016-03-17 04:07 - 2015-12-24 15:47 - 00000000 ____D C:\Windows\system32\Macromed
2016-03-17 04:07 - 2015-09-24 21:01 - 00000000 ____D C:\ProgramData\Skype
2016-03-17 04:07 - 2009-07-13 23:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2016-03-17 04:07 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\Setup
2016-03-17 04:07 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\Msdtc
2016-03-17 04:07 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\security
2016-03-17 04:07 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\registration
2016-03-17 04:06 - 2015-12-08 04:44 - 00000000 ___RD C:\1data
2016-03-17 04:06 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\Help
2016-03-15 02:23 - 2016-02-11 07:29 - 00000000 ____D C:\Windows\System32\Tasks\Event Viewer Tasks
2016-03-09 15:01 - 2009-07-14 00:45 - 00415856 _____ C:\Windows\system32\FNTCACHE.DAT
2016-03-09 15:00 - 2015-10-19 22:43 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-03-09 12:18 - 2015-09-27 15:33 - 00000000 ____D C:\Windows\system32\MRT
2016-03-09 12:15 - 2015-09-27 15:33 - 143659408 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-03-09 12:05 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\LiveKernelReports
2016-03-09 10:01 - 2015-12-28 01:50 - 01070904 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2016-03-09 10:01 - 2015-12-28 01:50 - 00107792 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2016-03-05 22:40 - 2015-12-28 01:50 - 00000000 ____D C:\Program Files\Common Files\AV
2016-03-03 09:41 - 2016-01-21 20:29 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

==================== Files in the root of some directories =======

2015-10-21 11:55 - 2015-10-21 20:08 - 0006144 _____ () C:\Users\Lee\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-03-30 20:15 - 2016-03-30 20:15 - 0008609 _____ () C:\Users\Lee\AppData\Local\recently-used.xbel
2015-11-29 20:05 - 2016-03-29 05:57 - 0007623 _____ () C:\Users\Lee\AppData\Local\Resmon.ResmonCfg

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-03-29 07:12

==================== End of FRST.txt ============================
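Two notes on reading the log above, followed by an added example that is not part of the original post and is not FRST's own code. First, FRST's "One Month Created" listing prints the creation time, then the last-write time; the "One Month Modified" listing prints them the other way round. Every Microsoft file above whose second timestamp is a February build date while its first is the 9 March install time is therefore the normal footprint of a Windows Update run, in which a freshly created file keeps the older modification time carried inside the update package. Second, the "Bamital & volsnap" block is an Authenticode check on a fixed set of system binaries that file-patching malware (Bamital among them) has historically modified. The script below re-runs that check on the same sixteen files and then applies it to every executable image under System32 and SysWOW64 created or written in the last 30 days, printing both NTFS timestamps next to the verdict so the update pattern is visible. The 30-day window is an assumption chosen to match FRST's one-month listings; run it from an elevated 64-bit PowerShell 3.0 or later prompt on the machine being examined.

```powershell
# Added example (not from the original post, not FRST's code).
# Re-runs FRST's "Bamital & volsnap" Authenticode check and extends it to
# recently created/modified images in the system directories.
# Assumptions: elevated 64-bit PowerShell 3.0+, 30-day window.

$critical = @(
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\SysWOW64\wininit.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\SysWOW64\explorer.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\User32.dll",
    "$env:SystemRoot\SysWOW64\User32.dll",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\SysWOW64\userinit.exe",
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:SystemRoot\System32\dnsapi.dll",
    "$env:SystemRoot\SysWOW64\dnsapi.dll",
    "$env:SystemRoot\System32\Drivers\volsnap.sys"
)

function Test-ImageSignature {
    # One record per existing file: Authenticode verdict, signer subject,
    # and the two NTFS timestamps FRST prints (creation and last write).
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $item   = Get-Item -LiteralPath $p
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Created  = $item.CreationTime
            Modified = $item.LastWriteTime
            Status   = $sig.Status        # Valid, NotSigned, HashMismatch, ...
            Signer   = $signer
            Path     = $p
        }
    }
}

'== Files FRST verifies under "Bamital & volsnap" =='
Test-ImageSignature -Path $critical | Format-Table -AutoSize

'== Images created or written in the last 30 days that do not verify =='
$since  = (Get-Date).AddDays(-30)
$recent = Get-ChildItem -Path "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64" `
              -Recurse -Include *.exe, *.dll, *.sys, *.cpl, *.ocx -ErrorAction SilentlyContinue |
          Where-Object { -not $_.PSIsContainer -and
                         ($_.CreationTime -ge $since -or $_.LastWriteTime -ge $since) }

Test-ImageSignature -Path ($recent | ForEach-Object { $_.FullName }) |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Modified -Descending |
    Format-Table -AutoSize
```

Read the second table with one caveat: on Windows 7, Get-AuthenticodeSignature does not consult the system catalogs, so Windows binaries that are catalog-signed rather than embedded-signed come back as NotSigned. A HashMismatch is the result to act on; a NotSigned verdict on a Microsoft file should be cross-checked with Sysinternals `sigcheck -s -u -e` over the same directories, which does verify against catalogs, before concluding that the file was replaced.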




#2 bleedle

bleedle
  • Topic Starter

  • Members
  • 66 posts
  • Gender:Female

Posted 31 March 2016 - 04:18 PM

...and while trying to post this I got a "the connection was reset" error.

Though visiting the forum here it seems to have posted just fine. I'll let that be that for now and patiently await your response.

Thanks again.



#3 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective
  • Local time:01:10 PM

Posted 31 March 2016 - 04:54 PM

Hello bleedle, and welcome to the Virus/Trojan/Spyware/Malware Removal forum.

I am oneof4, and I am here to help you!

  • I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received and do not proceed if you need clarification.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.
  • At the top right-center of the topic you will see a button called Follow this topic. If you click on this, another page will open. Please choose Instantly for notification and then click on Follow this topic; you will then be advised when we respond to your topic, which facilitates the cleaning of your machine.
  • If after 5 days you have not replied to this topic, I will assume it has been abandoned, and I will close it.
  • I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

When you ran FRST, there should have been two files created: FRST.txt & Addition.txt. Could you copy and paste the Addition.txt file here for me to look over?


Best Regards,
oneof4.


#4 bleedle

bleedle
  • Topic Starter

  • Members
  • 66 posts
  • Gender:Female
  • Local time:02:10 PM

Posted 01 April 2016 - 07:21 AM

Additional scan result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by Lee (2016-03-31 16:29:01)
Running from C:\Users\Lee\Desktop
Windows 7 Professional Service Pack 1 (X64) (2015-09-25 00:01:14)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-788557106-799132904-411562618-500 - Administrator - Disabled) => C:\Users\Administrator
Guest (S-1-5-21-788557106-799132904-411562618-501 - Limited - Disabled)
Lee (S-1-5-21-788557106-799132904-411562618-1000 - Administrator - Enabled) => C:\Users\Lee
Lee3 (S-1-5-21-788557106-799132904-411562618-1007 - Limited - Enabled) => C:\Users\Lee3

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Out of date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 11.1.2253 - AVAST Software)
ERUNT 1.1j (HKLM-x32\...\ERUNT_is1) (Version:  - Lars Hederer)
FlexiSIGN-PRO 8.1v1 (HKLM-x32\...\{DE904758-4539-4EE7-8F09-6EC07F6AC383}) (Version: 1.00.0000 - Scanvec Amiable)
GIMP 2.8.14 (HKLM\...\GIMP-2_is1) (Version: 2.8.14 - The GIMP Team)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 49.0.2623.110 - Google Inc.)
Google Update Helper (x32 Version: 1.3.29.5 - Google Inc.) Hidden
IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6433.0 - IDT)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 18.1 - Intel)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.3347 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
IObit Unlocker (HKLM-x32\...\IObit Unlocker_is1) (Version: 1.1 - IObit)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Mozilla Firefox 45.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 45.0.1 (x86 en-US)) (Version: 45.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 45.0.0.5906 - Mozilla)
SafeZone Stable 1.48.2066.95 (x32 Version: 1.48.2066.95 - Avast Software) Hidden
Skype™ 7.18 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.18.112 - Skype Technologies S.A.)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {1CC025E7-A941-4B12-A044-357F3E21020F} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2016-03-06] (AVAST Software)
Task: {45BAED64-50A3-4E83-B581-A4E6D9D0B949} - System32\Tasks\0615piUpdateInfo => C:\ProgramData\Avg_Update_0615pi\0615pi_AVG-Secure-Search-Update.exe [2015-09-17] ()
Task: {69F72DA9-3A05-45F0-8448-63AD1E9EA2E7} - System32\Tasks\{E36EB39D-ECE4-4006-AE90-3BFD45D8A808} => pcalua.exe -a "C:\Program Files (x86)\ERUNT\unins000.exe"
Task: {75D11CA0-EAF2-4D15-844F-2E98A0ABAC2C} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-09-24] (Google Inc.)
Task: {7B071D89-AB97-421E-9042-BE7B8ECAB2C3} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {CED4184B-3DD7-419F-874D-93D0034FE1C6} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-09-24] (Google Inc.)
Task: {D31F201D-F302-489B-9A04-73F1ADEAE886} - System32\Tasks\SafeZone scheduled Autoupdate 1458749635 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe [2016-03-08] (Avast Software)
Task: {E2364DB2-5961-4A5F-B8FC-FB1FEC80D262} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2016-02-15] (AVAST Software)
Task: {EA2B76F1-33B2-4272-8B97-F6D22EC5DE48} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {F86222C9-3421-4A16-9101-DFD942EEEB16} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\0615piUpdateInfo.job => C:\ProgramData\Avg_Update_0615pi\0615pi_AVG-Secure-Search-Update.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-02-15 18:45 - 2016-02-15 18:45 - 00113496 _____ () C:\Program Files\AVAST Software\Avast\log.dll
2016-02-15 18:45 - 2016-02-15 18:45 - 00133768 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2016-03-30 14:24 - 2016-03-30 14:24 - 02846208 _____ () C:\Program Files\AVAST Software\Avast\defs\16033003\algo.dll
2016-02-15 18:45 - 2016-02-15 18:45 - 00480760 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2016-03-31 14:26 - 2016-03-31 14:26 - 02846208 _____ () C:\Program Files\AVAST Software\Avast\defs\16033101\algo.dll
2016-02-15 18:45 - 2016-02-15 18:45 - 00307808 _____ () C:\Program Files\AVAST Software\Avast\browser_pass.dll
2016-03-05 22:20 - 2014-05-13 13:04 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2016-03-05 22:20 - 2014-05-13 13:04 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
2016-03-05 22:20 - 2014-05-13 13:04 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2016-03-05 22:20 - 2012-08-23 11:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
2016-03-05 22:20 - 2012-04-03 18:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2015-12-28 01:50 - 2015-12-28 01:50 - 40539648 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com
IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com
IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com

There are 7872 more sites.

IE restricted site: HKU\S-1-5-21-788557106-799132904-411562618-1000\...\007guard.com -> install.007guard.com
IE restricted site: HKU\S-1-5-21-788557106-799132904-411562618-1000\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-788557106-799132904-411562618-1000\...\008k.com -> www.008k.com
IE restricted site: HKU\S-1-5-21-788557106-799132904-411562618-1000\...\00hq.com -> www.00hq.com
IE restricted site: HKU\S-1-5-21-788557106-799132904-411562618-1000\...\010402.com -> 010402.com
IE restricted site: HKU\S-1-5-21-788557106-799132904-411562618-1000\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\S-1-5-21-788557106-799132904-411562618-1000\...\0scan.com -> www.0scan.com
IE restricted site: HKU\S-1-5-21-788557106-799132904-411562618-1000\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\S-1-5-21-788557106-799132904-411562618-1000\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-788557106-799132904-411562618-1000\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\S-1-5-21-788557106-799132904-411562618-1000\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\S-1-5-21-788557106-799132904-411562618-1000\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\S-1-5-21-788557106-799132904-411562618-1000\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\S-1-5-21-788557106-799132904-411562618-1000\...\10sek.com -> www.10sek.com
IE restricted site: HKU\S-1-5-21-788557106-799132904-411562618-1000\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\S-1-5-21-788557106-799132904-411562618-1000\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\S-1-5-21-788557106-799132904-411562618-1000\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\S-1-5-21-788557106-799132904-411562618-1000\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\S-1-5-21-788557106-799132904-411562618-1000\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\S-1-5-21-788557106-799132904-411562618-1000\...\123simsen.com -> www.123simsen.com

There are 7872 more sites.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2016-03-05 23:58 - 00451004 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.008k.com
127.0.0.1    008k.com
127.0.0.1    www.00hq.com
127.0.0.1    00hq.com
127.0.0.1    010402.com
127.0.0.1    www.032439.com
127.0.0.1    032439.com
127.0.0.1    www.0scan.com
127.0.0.1    0scan.com
127.0.0.1    1000gratisproben.com
127.0.0.1    www.1000gratisproben.com
127.0.0.1    1001namen.com
127.0.0.1    www.1001namen.com
127.0.0.1    100888290cs.com
127.0.0.1    www.100888290cs.com
127.0.0.1    www.100sexlinks.com
127.0.0.1    100sexlinks.com
127.0.0.1    10sek.com
127.0.0.1    www.10sek.com
127.0.0.1    www.1-2005-search.com
127.0.0.1    1-2005-search.com
127.0.0.1    123fporn.info
127.0.0.1    www.123fporn.info
127.0.0.1    123haustiereundmehr.com
127.0.0.1    www.123haustiereundmehr.com
127.0.0.1    123moviedownload.com
127.0.0.1    www.123moviedownload.com

There are 15472 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-788557106-799132904-411562618-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Lee\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
DNS Servers: 192.168.2.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: HotKeysCmds => "C:\Windows\system32\hkcmd.exe"
MSCONFIG\startupreg: IgfxTray => "C:\Windows\system32\igfxtray.exe"
MSCONFIG\startupreg: Persistence => "C:\Windows\system32\igfxpers.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{E4A82FB1-47CC-4637-9639-404D39990E4E}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{CD145B7E-DDBF-4731-843A-87BFC1E05AFD}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{44259BBC-58ED-4F69-856E-4D3F14B069A0}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{C1EA8FFF-E8FE-4E44-8CCF-287B038233EC}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{3F79B3F7-B496-4F39-BC6A-D02BF5AFCE49}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{2985504F-CE04-4ADC-9A67-CF27456B9FF5}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{83CBE9DE-6C3B-4198-96E2-2EA9ECFE0804}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
FirewallRules: [{C574B1EB-98F7-4178-BD42-83B3B909BBD2}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
FirewallRules: [{29F6A264-C9EE-432B-AF84-AFDF8819EB80}] => (Allow) C:\Program Files (x86)\AVG\Av\avgdiagex.exe
FirewallRules: [{F8667606-282F-44CE-BF1A-4FAC16DF80E6}] => (Allow) C:\Program Files (x86)\AVG\Av\avgdiagex.exe
FirewallRules: [{6C8CB25C-3F9D-46A3-BBE8-052229800853}] => (Allow) C:\Program Files (x86)\AVG\Av\avgemca.exe
FirewallRules: [{65CF42D6-8AD2-47AE-94AE-A072B803337A}] => (Allow) C:\Program Files (x86)\AVG\Av\avgemca.exe
FirewallRules: [{0F46E996-896E-4BF1-A8FA-8C0E57888B88}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [TCP Query User{3502D4F1-69A3-47BD-9268-FEFA1F5C950E}C:\windows\system32\mmc.exe] => (Block) C:\windows\system32\mmc.exe
FirewallRules: [UDP Query User{BFEC1A68-FB12-48E4-84D1-A26953652B5B}C:\windows\system32\mmc.exe] => (Block) C:\windows\system32\mmc.exe
FirewallRules: [MSMQ-In-TCP] => (Allow) %systemroot%\system32\mqsvc.exe
FirewallRules: [MSMQ-Out-TCP] => (Allow) %systemroot%\system32\mqsvc.exe
FirewallRules: [MSMQ-In-UDP] => (Allow) %systemroot%\system32\mqsvc.exe
FirewallRules: [MSMQ-Out-UDP] => (Allow) %systemroot%\system32\mqsvc.exe
FirewallRules: [SNMP-In-UDP] => (Allow) %SystemRoot%\system32\snmp.exe
FirewallRules: [SNMP-Out-UDP] => (Allow) %SystemRoot%\system32\snmp.exe
FirewallRules: [SNMP-In-UDP-NoScope] => (Allow) %SystemRoot%\system32\snmp.exe
FirewallRules: [SNMP-Out-UDP-NoScope] => (Allow) %SystemRoot%\system32\snmp.exe
FirewallRules: [{B990C82D-90CE-4985-89B5-E1D82D31CB85}] => (Block) LPort=139
FirewallRules: [{CAA56584-47EE-40CF-B9F1-E8950C758FF1}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

==================== Restore Points =========================

19-03-2016 17:55:37 Windows Modules Installer
20-03-2016 14:45:20 Windows Modules Installer
22-03-2016 10:53:18 Windows Update
25-03-2016 13:30:07 Windows Update
26-03-2016 11:27:33 Removed Microsoft Silverlight
26-03-2016 12:21:22 Windows Modules Installer
28-03-2016 13:48:38 freshstndoldwindows
29-03-2016 07:11:07 Windows Update

==================== Faulty Device Manager Devices =============

Name: avast! SecureLine TAP Adapter v3
Description: avast! SecureLine TAP Adapter v3
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: TAP-Windows Provider V9
Service: aswTap
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (03/31/2016 02:25:39 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/30/2016 01:47:51 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/29/2016 03:28:45 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SDFSSvc.exe, version: 2.4.40.217, time stamp: 0x535a5114
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0x00000000
Fault offset: 0x00000000
Faulting process id: 0x9f8
Faulting application start time: 0xSDFSSvc.exe0
Faulting application path: SDFSSvc.exe1
Faulting module path: SDFSSvc.exe2
Report Id: SDFSSvc.exe3

Error: (03/28/2016 08:21:15 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/28/2016 01:57:58 PM) (Source: ESENT) (EventID: 215) (User: )
Description: WinMail (3372) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

Error: (03/28/2016 01:57:49 PM) (Source: ESENT) (EventID: 215) (User: )
Description: WinMail (3708) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

Error: (03/28/2016 01:57:46 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/28/2016 11:59:41 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/28/2016 04:38:48 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/26/2016 05:34:41 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (03/31/2016 02:25:43 PM) (Source: WMPNetworkSvc) (EventID: 14349) (User: )
Description: 0x800700b7

Error: (03/31/2016 02:25:43 PM) (Source: WMPNetworkSvc) (EventID: 14353) (User: )
Description: 00x800700b7http://+:10243/WMPNSSv4/2811996591/

Error: (03/31/2016 02:25:43 PM) (Source: WMPNetworkSvc) (EventID: 14349) (User: )
Description: 0x800700b7

Error: (03/31/2016 02:25:43 PM) (Source: WMPNetworkSvc) (EventID: 14353) (User: )
Description: 00x800700b7http://+:10243/WMPNSSv4/2811996591/

Error: (03/31/2016 02:25:39 PM) (Source: SNMP) (EventID: 1500) (User: )
Description: The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents.

Error: (03/31/2016 02:25:39 PM) (Source: SNMP) (EventID: 1500) (User: )
Description: The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents.

Error: (03/31/2016 02:25:39 PM) (Source: SNMP) (EventID: 1500) (User: )
Description: The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.

Error: (03/31/2016 02:25:30 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Par1284 service failed to start due to the following error:
%%1275

Error: (03/31/2016 02:25:30 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Program Files\FlexiSIGN-PRO 8.1v1\Program\Par1284.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (03/30/2016 01:48:49 AM) (Source: WMPNetworkSvc) (EventID: 14349) (User: )
Description: 0x800700b7


CodeIntegrity:
===================================
  Date: 2016-03-31 16:28:37.223
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-31 16:27:05.632
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-31 16:26:44.880
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-31 16:26:41.138
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-31 16:26:40.001
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-31 16:26:39.282
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-31 16:24:41.216
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-31 16:24:40.080
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-31 16:22:48.139
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-31 16:21:46.489
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel® Core™ i5-2520M CPU @ 2.50GHz
Percentage of memory in use: 34%
Total physical RAM: 6078.36 MB
Available physical RAM: 3964.45 MB
Total Virtual: 12154.92 MB
Available Virtual: 9875.93 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:234.45 GB) (Free:180.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 238.5 GB) (Disk ID: 5B9A9805)
Partition 1: (Active) - (Size=4 GB) - (Type=27)
Partition 2: (Not Active) - (Size=234.5 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================



#5 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective
  • Local time:01:10 PM

Posted 01 April 2016 - 08:19 AM

Looking at this statement:

"and a bunch of porn in a folder that seems to have been put there through use of my spybot s&d"

Was this quarantined by Spybot?


Best Regards,
oneof4.


#6 bleedle

bleedle
  • Topic Starter

  • Members
  • 66 posts
  • Gender:Female
  • Local time:02:10 PM

Posted 01 April 2016 - 08:40 AM

I really don't know...

I installed Spybot after I started having problems. Ran the scans a couple of times and used the "immunize" option which affected like 30,000 files.

Spybot found a few threats each time but nothing major. I believe the porn was found in a driver related folder... I went looking at things that were turning up warnings in my event viewer to try to figure out what was going on, but I really didn't know what I was looking at. I'm not a big fan of porn so all of the porn on my computer is unintentional - I've never looked for porn on this machine myself.

Spybot never directly mentioned porn files to me, if that's what you're asking. Nothing it showed me as a threat to take action on was in regards to porn so far as I can remember.


Edited by bleedle, 01 April 2016 - 09:06 AM.


#7 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective
  • Local time:01:10 PM

Posted 01 April 2016 - 12:18 PM

Hey, :)

Download attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


Best Regards,
oneof4.


#8 bleedle

bleedle
  • Topic Starter

  • Members
  • 66 posts
  • Gender:Female
  • Local time:02:10 PM

Posted 01 April 2016 - 12:44 PM

**I did reboot the system as instructed at the end. I'm trying to stay calm and only give you what you ask for but I'm really excited and thankful for all your help. I'll pour the kudos on at the end.**

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by Lee (2016-04-01 13:37:32) Run:1
Running from C:\Users\Lee\Desktop
Loaded Profiles: Lee (Available Profiles: Lee & Lee3 & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:

CloseProcesses:




GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
Task: {45BAED64-50A3-4E83-B581-A4E6D9D0B949} - System32\Tasks\0615piUpdateInfo => C:\ProgramData\Avg_Update_0615pi\0615pi_AVG-Secure-Search-Update.exe [2015-09-17] ()
Task: C:\Windows\Tasks\0615piUpdateInfo.job => C:\ProgramData\Avg_Update_0615pi\0615pi_AVG-Secure-Search-Update.exe

*****************

Restore point was successfully created.
Processes closed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\system32\GroupPolicy\User => moved successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{45BAED64-50A3-4E83-B581-A4E6D9D0B949}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{45BAED64-50A3-4E83-B581-A4E6D9D0B949}" => key removed successfully
C:\Windows\System32\Tasks\0615piUpdateInfo => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\0615piUpdateInfo" => key removed successfully
C:\Windows\Tasks\0615piUpdateInfo.job => moved successfully


The system needed a reboot.

==== End of Fixlog 13:37:42 ====



#9 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:01:10 PM

Posted 01 April 2016 - 02:34 PM

Okay, let's get a look at some other things:

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

==========

Please download MiniToolBox, save it to your desktop and run it. Checkmark the following checkboxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
  • List Restore Points

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.


Best Regards,
oneof4.


#10 bleedle

bleedle
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  • Gender:Female
  • Local time:02:10 PM

Posted 01 April 2016 - 03:08 PM

**Results from MiniToolBox were saved as "mtb.txt", not "result.txt"; I'll assume you want mtb.txt:**

Farbar Service Scanner Version: 27-01-2016
Ran by Lee (administrator) on 01-04-2016 at 15:59:26
Running from "C:\Users\Lee\Desktop"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
IE proxy is enabled.
ProxyServer: localhost:21320


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****

MiniToolBox by Farbar  Version: 07-02-2016 01
Ran by Lee (administrator) on 01-04-2016 at 16:03:18
Running from "C:\Users\Lee\Desktop"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Model: HP ProBook 6460b Manufacturer: Hewlett-Packard
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is enabled.
ProxyServer: localhost:21320

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================
127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.008k.com
127.0.0.1    008k.com
127.0.0.1    www.00hq.com
127.0.0.1    00hq.com
127.0.0.1    010402.com
127.0.0.1    www.032439.com
127.0.0.1    032439.com
127.0.0.1    www.0scan.com
127.0.0.1    0scan.com
127.0.0.1    1000gratisproben.com
127.0.0.1    www.1000gratisproben.com
127.0.0.1    1001namen.com
127.0.0.1    www.1001namen.com
127.0.0.1    100888290cs.com
127.0.0.1    www.100888290cs.com
127.0.0.1    www.100sexlinks.com
127.0.0.1    100sexlinks.com
127.0.0.1    10sek.com
127.0.0.1    www.10sek.com
127.0.0.1    www.1-2005-search.com
127.0.0.1    1-2005-search.com
127.0.0.1    123fporn.info
127.0.0.1    www.123fporn.info
127.0.0.1    123haustiereundmehr.com
127.0.0.1    www.123haustiereundmehr.com
127.0.0.1    123moviedownload.com
127.0.0.1    www.123moviedownload.com

There are 15472 entries.

========================= IP Configuration: ================================

Intel® Centrino® Advanced-N 6205 = Wireless Network Connection 2 (Connected)
avast! SecureLine TAP Adapter v3 = Local Area Connection 2 (Hardware not present)
Intel® 82579V Gigabit Network Connection = Local Area Connection (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : Lee-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Belkin

Wireless LAN adapter Wireless Network Connection 2:

   Connection-specific DNS Suffix  . : Belkin
   Description . . . . . . . . . . . : Intel® Centrino® Advanced-N 6205
   Physical Address. . . . . . . . . : 8C-70-5A-D4-30-38
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e5c1:8226:75cf:1b07%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.2.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, April 01, 2016 1:39:40 PM
   Lease Expires . . . . . . . . . . : Monday, May 08, 2152 10:31:40 PM
   Default Gateway . . . . . . . . . : 192.168.2.1
   DHCP Server . . . . . . . . . . . : 192.168.2.1
   DHCPv6 IAID . . . . . . . . . . . : 227307610
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-92-51-3C-A0-B3-CC-23-8D-B0
   DNS Servers . . . . . . . . . . . : 192.168.2.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
   Physical Address. . . . . . . . . : 8C-70-5A-D4-30-39
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : MAR02.pri
   Description . . . . . . . . . . . : Intel® 82579V Gigabit Network Connection
   Physical Address. . . . . . . . . : A0-B3-CC-23-8D-B0
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.Belkin:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : Belkin
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.MAR02.pri:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{37BC6EB9-4B24-4F4F-B7FB-2DA7AF404D3B}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:5cf2:8c15:84a:2a53:3f57:fdfc(Preferred)
   Link-local IPv6 Address . . . . . : fe80::84a:2a53:3f57:fdfc%12(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
Server:  UnKnown
Address:  192.168.2.1

Name:    google.com
Addresses:  2607:f8b0:4004:809::200e
      172.217.1.206


Pinging google.com [172.217.1.206] with 32 bytes of data:
Reply from 172.217.1.206: bytes=32 time=24ms TTL=57
Reply from 172.217.1.206: bytes=32 time=25ms TTL=57

Ping statistics for 172.217.1.206:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 24ms, Maximum = 25ms, Average = 24ms
Server:  UnKnown
Address:  192.168.2.1

Name:    yahoo.com
Addresses:  2001:4998:c:a06::2:4008
      2001:4998:58:c02::a9
      2001:4998:44:204::a7
      206.190.36.45
      98.138.253.109
      98.139.183.24


Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=91ms TTL=53
Reply from 206.190.36.45: bytes=32 time=256ms TTL=53

Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 91ms, Maximum = 256ms, Average = 173ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 13...8c 70 5a d4 30 38 ......Intel® Centrino® Advanced-N 6205
 14...8c 70 5a d4 30 39 ......Microsoft Virtual WiFi Miniport Adapter
 11...a0 b3 cc 23 8d b0 ......Intel® 82579V Gigabit Network Connection
  1...........................Software Loopback Interface 1
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1      192.168.2.3     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.2.0    255.255.255.0         On-link       192.168.2.3    281
      192.168.2.3  255.255.255.255         On-link       192.168.2.3    281
    192.168.2.255  255.255.255.255         On-link       192.168.2.3    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.2.3    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.2.3    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 12     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 12     58 2001::/32                On-link
 12    306 2001:0:5cf2:8c15:84a:2a53:3f57:fdfc/128
                                    On-link
 13    281 fe80::/64                On-link
 12    306 fe80::/64                On-link
 12    306 fe80::84a:2a53:3f57:fdfc/128
                                    On-link
 13    281 fe80::e5c1:8226:75cf:1b07/128
                                    On-link
  1    306 ff00::/8                 On-link
 12    306 ff00::/8                 On-link
 13    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Windows\SysWOW64\wshbth.dll [36352] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 11 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 12 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 13 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [47104] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 12 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 13 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (04/01/2016 01:39:44 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/31/2016 02:25:39 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/30/2016 01:47:51 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/29/2016 03:28:45 AM) (Source: Application Error) (User: )
Description: Faulting application name: SDFSSvc.exe, version: 2.4.40.217, time stamp: 0x535a5114
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0x00000000
Fault offset: 0x00000000
Faulting process id: 0x9f8
Faulting application start time: 0xSDFSSvc.exe0
Faulting application path: SDFSSvc.exe1
Faulting module path: SDFSSvc.exe2
Report Id: SDFSSvc.exe3

Error: (03/28/2016 08:21:15 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/28/2016 01:57:58 PM) (Source: ESENT) (User: )
Description: WinMail (3372) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

Error: (03/28/2016 01:57:49 PM) (Source: ESENT) (User: )
Description: WinMail (3708) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

Error: (03/28/2016 01:57:46 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/28/2016 11:59:41 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/28/2016 04:38:48 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (04/01/2016 02:55:15 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IPBusEnum service.

Error: (04/01/2016 01:40:29 PM) (Source: WMPNetworkSvc) (User: )
Description: 0x800700b7

Error: (04/01/2016 01:40:29 PM) (Source: WMPNetworkSvc) (User: )
Description: 00x800700b7http://+:10243/WMPNSSv4/2811996591/

Error: (04/01/2016 01:40:29 PM) (Source: WMPNetworkSvc) (User: )
Description: 0x800700b7

Error: (04/01/2016 01:40:29 PM) (Source: WMPNetworkSvc) (User: )
Description: 00x800700b7http://+:10243/WMPNSSv4/2811996591/

Error: (04/01/2016 01:39:46 PM) (Source: SNMP) (User: )
Description: The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents.

Error: (04/01/2016 01:39:46 PM) (Source: SNMP) (User: )
Description: The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents.

Error: (04/01/2016 01:39:46 PM) (Source: SNMP) (User: )
Description: The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.

Error: (04/01/2016 01:39:40 PM) (Source: Service Control Manager) (User: )
Description: The Par1284 service failed to start due to the following error:
%%1275

Error: (04/01/2016 01:39:40 PM) (Source: Application Popup) (User: )
Description: \??\C:\Program Files\FlexiSIGN-PRO 8.1v1\Program\Par1284.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.


Microsoft Office Sessions:
=========================
Error: (04/01/2016 01:39:44 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/31/2016 02:25:39 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/30/2016 01:47:51 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/29/2016 03:28:45 AM) (Source: Application Error)(User: )
Description: SDFSSvc.exe2.4.40.217535a5114unknown0.0.0.00000000000000000000000009f801d18950e58330caC:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exeunknownde9a2c46-f57f-11e5-baed-a0b3cc238db0

Error: (03/28/2016 08:21:15 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/28/2016 01:57:58 PM) (Source: ESENT)(User: )
Description: WinMail3372WindowsMail0:

Error: (03/28/2016 01:57:49 PM) (Source: ESENT)(User: )
Description: WinMail3708WindowsMail0:

Error: (03/28/2016 01:57:46 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/28/2016 11:59:41 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/28/2016 04:38:48 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


CodeIntegrity Errors:
===================================
  Date: 2016-04-01 16:02:26.895
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-01 16:02:26.084
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-01 15:58:46.884
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-01 15:58:43.215
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-01 15:57:43.369
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-01 15:52:36.376
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-01 15:47:57.055
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-01 15:47:52.337
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-01 15:47:51.285
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-01 15:44:35.257
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.


=========================== Installed Programs ============================

Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 11.1.2253 - AVAST Software)
ERUNT 1.1j (HKLM-x32\...\ERUNT_is1) (Version:  - Lars Hederer)
FlexiSIGN-PRO 8.1v1 (HKLM-x32\...\{DE904758-4539-4EE7-8F09-6EC07F6AC383}) (Version: 1.00.0000 - Scanvec Amiable)
GIMP 2.8.14 (HKLM\...\GIMP-2_is1) (Version: 2.8.14 - The GIMP Team)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 49.0.2623.110 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.29.5 - Google Inc.) Hidden
IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6433.0 - IDT)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 18.1 - Intel)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.3347 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
IObit Unlocker (HKLM-x32\...\IObit Unlocker_is1) (Version: 1.1 - IObit)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Mozilla Firefox 45.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 45.0.1 (x86 en-US)) (Version: 45.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 45.0.0.5906 - Mozilla)
SafeZone Stable 1.48.2066.95 (HKLM-x32\...\SafeZone 1.48.2066.95) (Version: 1.48.2066.95 - Avast Software) Hidden
Skype™ 7.18 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.18.112 - Skype Technologies S.A.)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)

========================= Devices: ================================

Name: avast! SecureLine TAP Adapter v3
Description: avast! SecureLine TAP Adapter v3
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: TAP-Windows Provider V9
Service: aswTap
Device ID: ROOT\NET\0000
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


========================= Memory info: ===================================

Percentage of memory in use: 27%
Total physical RAM: 6078.36 MB
Available physical RAM: 4414.76 MB
Total Virtual: 12154.92 MB
Available Virtual: 10344.87 MB

========================= Partitions: =====================================

1 Drive c: (Windows) (Fixed) (Total:234.45 GB) (Free:179.54 GB) NTFS

========================= Users: ========================================

User accounts for \\LEE-PC

Administrator            Guest                    Lee                      
Lee3                     

========================= Minidump Files ==================================

No minidump file found

========================= Restore Points ==================================

20-03-2016 18:45:20 Windows Modules Installer
22-03-2016 14:53:18 Windows Update
25-03-2016 17:30:07 Windows Update
26-03-2016 15:27:33 Removed Microsoft Silverlight
26-03-2016 16:21:22 Windows Modules Installer
28-03-2016 17:48:38 freshstndoldwindows
29-03-2016 11:11:07 Windows Update
01-04-2016 13:38:22 Windows Update
01-04-2016 17:37:33 Restore Point Created by FRST

**** End of log ****
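The two logs above surface the findings that matter most in a remote-access case: a browser proxy pointed at the loopback interface, the size and shape of the hosts file, the Winsock provider chain and the signature check on core networking binaries. The Python script below is an added example for this thread, not part of the Farbar tools, of RogueKiller or of the original posts; it reads Farbar Service Scanner / MiniToolBox plain-text output and returns findings ordered by severity. The sample lines embedded in it are constructed from the log above; the redirecting hosts entry, the non-Microsoft Winsock provider and the unsigned-file wording are placeholders, because the page only shows the clean cases and the exact negative wording of FSS's File Check is not shown here.

```python
"""Triage FSS / MiniToolBox output for proxy, hosts, Winsock and signature findings.

Added example for this thread (not a Farbar or BleepingComputer script).
Returns (severity, category, detail) tuples, highest severity first.
"""
import re

# Line shapes taken from the logs above; the File Check negative wording is assumed.
PROXY_RE = re.compile(r"^ProxyServer:\s*(?P<host>[^:\s]+):(?P<port>\d{1,5})$")
HOSTS_RE = re.compile(r"^(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>[\w.-]+)$")
HOSTS_COUNT_RE = re.compile(r"^There are (?P<n>\d+) entries\.$")
WINSOCK_RE = re.compile(
    r"^(?P<catalog>(?:x64-)?Catalog[59]) (?P<idx>\d+) (?P<path>.+?) "
    r"\[(?P<size>\d+)\] \((?P<vendor>[^)]*)\)$"
)
FILECHECK_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<status>.+)$")

SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0"}        # what a blocklist points names at
LOOPBACK_PROXY_HOSTS = {"localhost", "127.0.0.1"}
SIGNED_OK = "File is digitally signed"
TRUSTED_WINSOCK_VENDOR = "Microsoft Corporation"

# Constructed sample modelled on the FSS and MiniToolBox logs in this thread.
# The unsigned DLL, the 203.0.113.7 redirect and the "Example Vendor" LSP are
# placeholders added for illustration; the page shows only clean entries.
SAMPLE_LOG = r"""
Connection Status:
==============
Localhost is accessible.
LAN connected.
IE proxy is enabled.
ProxyServer: localhost:21320

File Check:
========
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\example-unsigned.dll => File is not signed (constructed)

**** End of log ****

========================= Hosts content: =================================
127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
203.0.113.7    update.example.com

There are 15472 entries.

========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 14 C:\Example\lsp-example.dll [4096] (Example Vendor)
"""


def triage(log_text):
    """Parse one or more concatenated FSS/MiniToolBox logs into ranked findings."""
    findings = []
    proxy_enabled = False
    in_filecheck = False
    hosts_total = None
    hosts_seen = 0

    for raw in log_text.splitlines():
        line = raw.strip()

        if line in ("IE proxy is enabled.", "Proxy is enabled."):
            proxy_enabled = True
            continue
        if line.startswith("ProxyServer:"):
            # A loopback proxy means a local process sits between the browser and
            # the network. Identify the listener on that port before judging it.
            m = PROXY_RE.match(line)
            loopback = bool(m) and m["host"] in LOOPBACK_PROXY_HOSTS
            sev = "high" if (proxy_enabled and loopback) else "medium"
            value = line.split(":", 1)[1].strip()
            state = "enabled" if proxy_enabled else "configured"
            findings.append((sev, "proxy", f"browser proxy {value} ({state})"))
            continue

        if line == "File Check:":
            in_filecheck = True
            continue
        if line.startswith("**** End of log"):
            in_filecheck = False
            continue
        if in_filecheck:
            m = FILECHECK_RE.match(line)
            if m and m["status"] != SIGNED_OK:
                # Anything other than the signed-OK wording on a core networking
                # binary is worth a look (the negative wording is assumed here).
                findings.append(("high", "filecheck", f"{m['path']}: {m['status']}"))
            continue

        m = HOSTS_RE.match(line)
        if m:
            hosts_seen += 1
            if m["addr"] not in SINKHOLE_ADDRS:
                # Blocklists sinkhole names; a real address means a redirect.
                findings.append(("high", "hosts", f"{m['name']} redirected to {m['addr']}"))
            continue
        m = HOSTS_COUNT_RE.match(line)
        if m:
            hosts_total = int(m["n"])
            continue

        m = WINSOCK_RE.match(line)
        if m and m["vendor"] != TRUSTED_WINSOCK_VENDOR:
            # A third-party LSP / namespace provider sees every socket call.
            vendor = m["vendor"] or "unknown"
            findings.append(("high", "winsock",
                             f"{m['catalog']} {m['idx']} {m['path']} by {vendor}"))

    if hosts_total is not None and hosts_total > 100:
        # Thousands of sinkhole entries are consistent with host-blocklist
        # immunization (Spybot is in the Installed Programs list above), so this
        # is informational unless redirect entries were also found.
        findings.append(("info", "hosts", f"{hosts_total} hosts entries ({hosts_seen} shown)"))

    order = {"high": 0, "medium": 1, "info": 2}
    findings.sort(key=lambda f: order[f[0]])
    return findings


if __name__ == "__main__":
    for sev, cat, detail in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {cat:9} {detail}")
```

Run against the real logs in this thread, the script would rank the enabled localhost:21320 proxy as high and report the 15472 hosts entries as informational. A loopback proxy is not malicious by itself, so the useful next step is to find out which local process listens on that port rather than only resetting the setting (MiniToolBox did reset it here); if no known tool owns the listener, the proxy setting is the symptom, not the cause.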



#11 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:01:10 PM

Posted 01 April 2016 - 03:30 PM

Download RogueKiller from one of the following links and save it to your desktop:

  • Link 1
  • Link 2

  • Close all programs and disconnect any USB or external drives before running the tool.
  • Double-click RogueKiller.exe to run the tool (Vista or 7 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", click the "Report" button to show the log, and then close the program. <--Don't fix anything!
  • Copy and paste the report that opens into your next reply.
    • The log can also be found in the following location: C:\ProgramData\RogueKiller\Logs\RKreport_SCN_mmddyyyy_hhmmss.log
    • For XP users, you must first show hidden files/folders, then the log location is here: C:\Documents and Settings\All Users\Application data\RogueKiller\Logs\RKreport_SCN_mmddyyyy_hhmmss.log

Best Regards,
oneof4.


#12 bleedle

bleedle
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:02:10 PM

Posted 01 April 2016 - 05:52 PM

RogueKiller V12.1.0.0 [Mar 29 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Lee [Administrator]
Started from : C:\Users\Lee\Desktop\RogueKiller.exe
Mode : Scan -- Date : 04/01/2016 18:45:01

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 7 ¤¤¤
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) : 1localhost:21320  -> Found
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) : 1localhost:21320  -> Found
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) : 1localhost:21320  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-788557106-799132904-411562618-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-788557106-799132904-411562618-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 2  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-788557106-799132904-411562618-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-788557106-799132904-411562618-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 2  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] kt8m2jtg.default : user_pref("browser.startup.homepage", "https://encrypted.google.com/"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SanDisk SD8SBAT256G1122 ATA Device +++++
--- User ---
[MBR] 6b593950765609898b7a36caaa8ee459
[BSP] b41f3a4532acdb750023ead1e8a35f96 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 4119 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 8437760 | Size: 240077 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 



#13 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:01:10 PM

Posted 01 April 2016 - 09:31 PM

Okay, let's allow RogueKiller to remove what it found:

==============================

  • Close all programs and disconnect any USB or external drives before running the tool.
  • Double-click RogueKiller.exe to run the tool again (Vista or 7 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", this time click the Delete button.
  • When the Status box shows "Deleting Finished", click the "Report" button to show the log.
  • Copy and paste the report that opens into your next reply.
    • The log can also be found in the following location: C:\ProgramData\RogueKiller\Logs\RKreport_DEL_mmddyyyy_hhmmss.log
    • >>For XP users, you must first show hidden files/folders, then the log location is here: C:\Documents and Settings\All Users\Application data\RogueKiller\Logs\RKreport_DEL_mmddyyyy_hhmmss.log



Best Regards,
oneof4.


#14 bleedle

bleedle
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:02:10 PM

Posted 02 April 2016 - 12:40 AM

***fyi I will be out of town for most of the day tomorrow. I'll check this early morning, then when I return late evening. Thanks again!***


RogueKiller V12.1.0.0 [Mar 29 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Lee [Administrator]
Started from : C:\Users\Lee\Desktop\RogueKiller.exe
Mode : Delete -- Date : 04/02/2016 01:38:17

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 7 ¤¤¤
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) : 1localhost:21320  -> Deleted
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) : 1localhost:21320  -> ERROR [2]
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) : 1localhost:21320  -> Deleted
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-788557106-799132904-411562618-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Replaced (1)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-788557106-799132904-411562618-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 2  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-788557106-799132904-411562618-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-788557106-799132904-411562618-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 2  -> Replaced (1)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] kt8m2jtg.default : user_pref("browser.startup.homepage", "https://encrypted.google.com/"); -> Replaced (about:home)

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SanDisk SD8SBAT256G1122 ATA Device +++++
--- User ---
[MBR] 6b593950765609898b7a36caaa8ee459
[BSP] b41f3a4532acdb750023ead1e8a35f96 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 4119 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 8437760 | Size: 240077 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
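As an added example (not code from this thread, from Adlice, or from the BleepingComputer helper), here is a small Python parser for the RKreport format pasted above. It flags any finding whose action is not "Deleted" or "Replaced", such as the ERROR [2] on the ControlSet001 ManualProxies key in this Delete run, and cross-checks each section's header count against the lines actually listed. The embedded report is constructed from the log above with a shortened placeholder SID.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the RKreport_DEL log in this thread (placeholder SID, not a real file).
SAMPLE_REPORT = """\
Mode : Delete -- Date : 04/02/2016 01:38:17

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 3 ¤¤¤
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NlaSvc\\Parameters\\Internet\\ManualProxies | (default) : 1localhost:21320  -> Deleted
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\NlaSvc\\Parameters\\Internet\\ManualProxies | (default) : 1localhost:21320  -> ERROR [2]
[PUM.StartMenu] (X64) HKEY_USERS\\S-1-5-21-0-0-0-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced | Start_ShowMyGames : 0  -> Replaced (1)

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] kt8m2jtg.default : user_pref("browser.startup.homepage", "https://encrypted.google.com/"); -> Replaced (about:home)
"""

# Section headers look like "¤¤¤ Registry : 7 ¤¤¤"; "MBR Check" has no count, so the count is optional.
SECTION_RE = re.compile(r"^¤¤¤\s+(?P<name>.+?)\s*:\s*(?P<count>\d+)?")
# Finding lines start with a bracketed category and end with "-> <action>".
FINDING_RE = re.compile(r"^\[(?P<category>[^\]]+)\](?P<detail>.*?)\s*->\s*(?P<action>.+?)\s*$")

@dataclass
class Finding:
    section: str
    category: str
    detail: str
    action: str

    @property
    def remediated(self) -> bool:
        # In a Delete run RogueKiller reports success as "Deleted" or "Replaced (...)";
        # anything else ("Found", "ERROR [n]") still needs attention.
        return self.action.startswith(("Deleted", "Replaced"))

def parse_report(text: str):
    """Return (findings, header_counts) for one RKreport."""
    findings, counts, section = [], {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            if m.group("count") is not None:
                counts[section] = int(m.group("count"))
            continue
        m = FINDING_RE.match(line)
        if m and section:
            findings.append(Finding(section, m.group("category"), m.group("detail").strip(), m.group("action")))
    return findings, counts

def unremediated(findings):
    return [f for f in findings if not f.remediated]

def count_mismatches(findings, counts):
    """Sections whose header count differs from the number of finding lines parsed."""
    seen = {}
    for f in findings:
        seen[f.section] = seen.get(f.section, 0) + 1
    return {s: (n, seen.get(s, 0)) for s, n in counts.items() if seen.get(s, 0) != n}
```

On the real log above the ControlSet001 proxy entry is the one line left unremediated; the CurrentControlSet and ControlSet002 copies were deleted, so re-running the Delete scan or checking that key by hand is the follow-up a practitioner would want.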
 



#15 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:01:10 PM

Posted 03 April 2016 - 02:14 PM

Give me an update on how your system is behaving at this point.


Best Regards,
oneof4.




