
WerFault.exe mass pop-up error


  • This topic is locked
53 replies to this topic

#1 rookierook

  • Members
  • 38 posts

Posted 30 April 2016 - 02:07 PM

Hello. I am unsure if this issue of mine is either virus or OS related, so I apologize if I post in the wrong section. For the past three days, I've been getting an error message saying that WerFault.exe crashed. The error message keeps repeating itself and adding more and more within Task Manager, effectively freezing my laptop. I've included a photo of the error message taken with my smartphone (sorry for the size).

 

[attached photo: NbBNt76.jpg]

Having read numerous articles on this and other places, I've tried the following:

- Ran Malwarebytes, ComboFix and ADWCleaner and removed all detected threats

- Ran CCleaner and Glary Utilities to remove all history and registry issues

- Disabled Windows Error Reporting (Services > Windows Error Reporting > Startup Type to Disabled)

- Uninstalled all versions of Flash and Java (I noticed later on that the error appears whenever I attempt to open a Youtube video in Palemoon)

For a time, I did not receive any more errors, but the same message popped up again today when I attempted to open the Opera browser, with the same message as above. I tried opening it again in Safe Mode and it works. I so far do not see the error whenever I open Google Chrome or Internet Explorer and managed to watch Youtube on those two browsers just fine. I've tried to use Windows Update, but for some reason it freezes my laptop.

Below is my HiJackThis log. Hopefully there's a clue on what's causing this and how it can be fixed. Again, I am unsure if this is virus/malware related or it's simply an issue with my OS (Windows 7). Any help is appreciated.

 

Additional note that may or may not be relevant: I actually purchased my laptop, used by another owner, around January of this year. However, I was unaware that the laptop came from China and thus it uses the Chinese version of Windows 7. Also, I am unable to determine the model of the laptop, though it has an Asus logo on it.

 

-------

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:27:14 PM, on 4/30/2016
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16561)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Internet Download Manager\IDMan.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
C:\Program Files (x86)\Pale Moon\palemoon.exe
E:\Programs\Glary Utilities 5\Integrator.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Gapen] regsvr32.exe "C:\Users\Daniel\AppData\Roaming\Kabiy\UetImxa.dll"
O4 - HKCU\..\Run: [WinResSync] C:\Windows\system32\regsvr32.exe /s "C:\Users\Daniel\AppData\Roaming\Microsoft\Protect\42bf2d42fbfebecc03de.rs"
O4 - HKUS\S-1-5-18\..\Run: [WinResSync] C:\Windows\system32\regsvr32.exe /s "C:\Users\Daniel\AppData\Roaming\Microsoft\Protect\65553_65553_3744_0_3a57c.rs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WinResSync] C:\Windows\system32\regsvr32.exe /s "C:\Users\Daniel\AppData\Roaming\Microsoft\Protect\65553_65553_3744_0_3a57c.rs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinResSync] C:\Windows\system32\regsvr32.exe /s "C:\Users\Daniel\AppData\Roaming\Microsoft\Protect\65553_65553_3744_0_3a57c.rs" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [WinResSync] C:\Windows\system32\regsvr32.exe /s "C:\Users\Daniel\AppData\Roaming\Microsoft\Protect\65553_65553_3744_0_3a57c.rs" (User 'Default user')
O8 - Extra context menu item: Download all links with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files (x86)\Internet Download Manager\IEExt.htm
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://site.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {1086BE51-00F5-4371-A449-9A2DECE1B138} (Store Class) - https://easyabc.95599.cn/b2c/netBank/zh_CN/NotCheckStatus/InfoSec/ABCCECom.cab
O16 - DPF: {1E525898-EE12-4002-9374-82D15147F762} (UpdateInstaller Class) - http://player.cntv.cn/flashplayer/config/plugins/wCNTVLive202.dll
O16 - DPF: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714} (Submit Class) - https://pbank.95559.com.cn/personbank/ocx/safe_bankcomm.cab
O16 - DPF: {B3D433B8-F0D2-4D58-9DC0-09C62B7B8EAD} (AxAssistComm Class) - https://pbank.95559.com.cn/personbank/cab/BocomAssistComm.cab
O16 - DPF: {C391E12A-EAF1-45F1-8425-6E513C0D553C} (BOCOM AxSubmitCtrl Class) - https://pbank.95559.com.cn/personbank/ocx/x6432.cab
O16 - DPF: {ECCBA953-80E5-11D3-9285-0080ADB811C5} (safeInput Class) - https://pay.95559.com.cn/netpay/ocx/safe.cab
O20 - AppInit_DLLs: C:\Windows\SysWOW64\nvinit.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - G:\HWCard7.0\firebird\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - G:\HWCard7.0\firebird\bin\fbserver.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - E:\Programs\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 7159 bytes
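The O4 Run/RunOnce entries in the HijackThis log above (and the equivalent `Run:` lines FRST prints) are where a malware responder looks first. The Python script below is an added example, not a BleepingComputer or Farbar tool: it parses both line formats, works out which file each entry actually loads, and flags the patterns that make the Gapen and WinResSync entries stand out (regsvr32.exe used as a loader, a payload under AppData, a non-DLL extension handed to regsvr32, and a SYSTEM Run key pointing into a user's profile). The sample lines are constructed from the entries in this log.

```python
"""Triage Run/RunOnce autostart entries from HijackThis (O4) and FRST logs."""
import re
from dataclasses import dataclass, field

# HijackThis:  O4 - HKCU\..\Run: [Name] command (User 'SYSTEM')
HJT_O4 = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
# FRST:  HKU\<sid>\...\Run: [Name] => command [size date] (Signer)
FRST_RUN = re.compile(
    r"^(?P<hive>\S+?)\\\.\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] => "
    r"(?P<cmd>.*?)(?: \[\d+ \d{4}-\d{2}-\d{2}\])?(?: \([^()]*\))?$"
)
ARG = re.compile(r'"([^"]+)"|(\S+)')
IMAGE = re.compile(r"(.*?\.(?:exe|com|bat|cmd|scr))(?:\s|$)", re.IGNORECASE)

# Signed Windows binaries that run or load whatever they are pointed at.
PROXY_LOADERS = {"regsvr32.exe", "rundll32.exe", "mshta.exe",
                 "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
# Folders any standard user can write to; legitimate autostarts rarely live here.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
REGSVR32_EXTENSIONS = {".dll", ".ocx", ".ax"}   # what regsvr32 should register
MACHINE_HIVES = ("S-1-5-18", ".DEFAULT")         # SYSTEM / default-profile hives

# Constructed sample, modelled on the entries posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
O4 - HKCU\..\Run: [ctfmon] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gapen] regsvr32.exe "C:\Users\Daniel\AppData\Roaming\Kabiy\UetImxa.dll"
O4 - HKUS\S-1-5-18\..\RunOnce: [WinResSync] C:\Windows\system32\regsvr32.exe /s "C:\Users\Daniel\AppData\Roaming\Microsoft\Protect\65553_65553_3744_0_3a57c.rs" (User 'SYSTEM')
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596504 2016-04-01] (Oracle Corporation)
HKU\S-1-5-21-3083351398-712559288-1648508647-1000\...\Run: [WinResSync] => C:\Windows\system32\regsvr32.exe /s "C:\Users\Daniel\AppData\Roaming\Microsoft\Protect\42bf2d42fbfebecc03de.rs"
"""


@dataclass
class Finding:
    name: str
    hive: str
    key: str
    launcher: str
    payload: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _split_cmd(cmd: str):
    """Split 'image [args]' honouring quotes and unquoted paths with spaces."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        end = len(cmd) if end < 0 else end
        image, rest = cmd[1:end], cmd[end + 1:]
    else:
        m = IMAGE.match(cmd)
        if m:
            image, rest = m.group(1), cmd[m.end():]
        else:
            parts = cmd.split(None, 1)
            image, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    return image, [q or u for q, u in ARG.findall(rest)]


def parse_entry(line: str):
    """Return a Finding for an O4/Run line, or None if the line is not one."""
    m = HJT_O4.match(line) or FRST_RUN.match(line)
    if not m or not m["cmd"].strip():
        return None
    image, args = _split_cmd(m["cmd"].strip())
    launcher = _basename(image)
    # For a proxy loader the file it is told to load is what matters;
    # otherwise the autostarted image is the payload itself.
    payload = image
    if launcher in PROXY_LOADERS:
        payload = next((a for a in args if "\\" in a), image)
    f = Finding(m["name"], m["hive"], m["key"], launcher, payload)
    low = payload.lower()
    if launcher in PROXY_LOADERS:
        f.reasons.append(f"{launcher} used as a loader from a Run key")
    if any(p in low for p in USER_WRITABLE):
        f.reasons.append("payload lives in a user-writable folder")
    if launcher == "regsvr32.exe":
        base = _basename(low)
        ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
        if ext not in REGSVR32_EXTENSIONS:
            f.reasons.append(f"regsvr32 given a non-DLL extension ({ext or 'none'})")
    if any(h in f.hive for h in MACHINE_HIVES) and "\\users\\" in low \
            and "\\users\\public\\" not in low:
        f.reasons.append("SYSTEM/.DEFAULT Run key points into a user profile")
    return f


def triage(log_text: str) -> list:
    """Parse every Run/RunOnce line in a log and return the suspicious ones."""
    return [f for f in map(parse_entry, (l.strip() for l in log_text.splitlines()))
            if f and f.suspicious]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.key}] {f.name}: {f.payload}\n    " + "\n    ".join(f.reasons))
```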

#2 Aura

  • Bleepin' Special Ops
  • Malware Response Team
  • 19,683 posts

Posted 30 April 2016 - 02:12 PM

Hi rookierook :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
  • Since I'm still a trainee, all my posts have to be reviewed by an instructor prior to being posted to make sure that you receive the best assistance possible. Sorry for the inconvenience. This being said, I have a full time job, and I also have night classes on Mondays and Wednesdays, which means that if you reply during these two days, it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean up some malware, so let's get started, shall we? :)

In order to get started, I'll need you to follow the instructions in the preparation guide below, and provide me the copy/pasted content of the FRST.txt and Addition.txt logs please.

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 rookierook

  • Topic Starter
  • Members
  • 38 posts

Posted 30 April 2016 - 09:59 PM

Thank you for your response. As noted in the instructions here, I have the FRST list below and the Addition.txt file as an attachment (NOTE: Some of the folder/file names on both lists are in Chinese. Again, this is because the laptop I bought was originally from China. You may want to open an appropriate tool to see the Chinese characters):

 

---------

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:30-04-2016
Ran by Daniel (administrator) on DANIEL-PC (30-04-2016 22:47:33)
Running from E:\Downloads
Loaded Profiles: Daniel (Available Profiles: Daniel & UpdatusUser)
Platform: Windows 7 Ultimate (X64) Language: Chinese (Simplified, PRC)
Internet Explorer Version 9 (Default browser: "C:\Program Files (x86)\Pale Moon\palemoon.exe" -osint -url "%1")
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\alg.exe
(Tonec Inc.) C:\Program Files (x86)\Internet Download Manager\IDMan.exe
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Tonec Inc.) C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
(Glarysoft Ltd) E:\Programs\Glary Utilities 5\Integrator.exe
(Moonchild Productions) C:\Program Files (x86)\Pale Moon\palemoon.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Jasc Software, Inc.) E:\Programs\Jasc Software Inc\Paint Shop Pro 9\Paint Shop Pro 9.exe
(Gretech Corp.) E:\Programs\GomPlayer\GOM.EXE
(Online Media Technologies Ltd.) E:\Programs\AVS4YOU\AVSVideoEditor\AVSVideoEditor.exe
(For Intel powered by System Requirements Lab) E:\Downloads\Intel Detection_2.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [115048 2011-09-16] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596504 2016-04-01] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3083351398-712559288-1648508647-1000\...\Run: [ctfmon] => C:\Windows\system32\ctfmon.exe [9728 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-3083351398-712559288-1648508647-1000\...\Run: [IDMan] => C:\Program Files (x86)\Internet Download Manager\IDMan.exe [3907152 2016-01-20] (Tonec Inc.)
HKU\S-1-5-21-3083351398-712559288-1648508647-1000\...\Run: [Gapen] => regsvr32.exe "C:\Users\Daniel\AppData\Roaming\Kabiy\UetImxa.dll"
HKU\S-1-5-21-3083351398-712559288-1648508647-1000\...\Run: [WinResSync] => C:\Windows\system32\regsvr32.exe /s "C:\Users\Daniel\AppData\Roaming\Microsoft\Protect\42bf2d42fbfebecc03de.rs"
HKU\S-1-5-21-3083351398-712559288-1648508647-1000\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-18\...\Run: [WinResSync] => C:\Windows\system32\regsvr32.exe /s "C:\Users\Daniel\AppData\Roaming\Microsoft\Protect\65553_65553_3744_0_3a57c.rs"
HKU\S-1-5-18\...\RunOnce: [WinResSync] => C:\Windows\system32\regsvr32.exe /s "C:\Users\Daniel\AppData\Roaming\Microsoft\Protect\65553_65553_3744_0_3a57c.rs"
AppInit_DLLs: C:\Windows\System32\nvinitx.dll => C:\Windows\System32\nvinitx.dll [247144 2012-10-07] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [202600 2012-10-07] (NVIDIA Corporation)
ShellIconOverlayIdentifiers: [   IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll [2015-08-14] (Tonec Inc.)
BootExecute: autocheck autochk *  

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{8426E4D9-5CB7-42BB-8CF8-82BEE13A7532}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{8EDEA753-F199-4896-92E8-4C57F88B1F21}: [DhcpNameServer] 172.20.10.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3083351398-712559288-1648508647-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3083351398-712559288-1648508647-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-21-3083351398-712559288-1648508647-1000 -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = hxxp://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=20041099_oem_dg&ch=33
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll [2015-08-28] (Internet Download Manager, Tonec Inc.)
BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll [2015-08-28] (Internet Download Manager, Tonec Inc.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-04-25] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-04-25] (Oracle Corporation)
DPF: HKLM-x32 {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} hxxps://site.cmbchina.com/download/CMBEdit.cab
DPF: HKLM-x32 {1086BE51-00F5-4371-A449-9A2DECE1B138} hxxps://easyabc.95599.cn/b2c/netBank/zh_CN/NotCheckStatus/InfoSec/ABCCECom.cab
DPF: HKLM-x32 {1E525898-EE12-4002-9374-82D15147F762} hxxp://player.cntv.cn/flashplayer/config/plugins/wCNTVLive202.dll
DPF: HKLM-x32 {A3CD7F74-93C9-4BC4-B892-CCDF1514F714} hxxps://pbank.95559.com.cn/personbank/ocx/safe_bankcomm.cab
DPF: HKLM-x32 {B3D433B8-F0D2-4D58-9DC0-09C62B7B8EAD} hxxps://pbank.95559.com.cn/personbank/cab/BocomAssistComm.cab
DPF: HKLM-x32 {C391E12A-EAF1-45F1-8425-6E513C0D553C} hxxps://pbank.95559.com.cn/personbank/ocx/x6432.cab
DPF: HKLM-x32 {ECCBA953-80E5-11D3-9285-0080ADB811C5} hxxps://pay.95559.com.cn/netpay/ocx/safe.cab

FireFox:
========
FF Plugin: @videolan.org/vlc,version=2.2.1 -> E:\Programs\VideoLAN\VLC\npvlc.dll [2015-04-16] (VideoLAN)
FF Plugin-x32: @alibaba.com/npwangwang;version=1.0 -> G:\软件安装\AliWangWang\8.00.34C\npwangwang.dll [No File]
FF Plugin-x32: @alipay.com/NPComBrg701,version=1.0.2011.701 -> C:\Windows\system32\itruscert\NPComBrg701.dll [No File]
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-14] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-04-25] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-04-25] (Oracle Corporation)
FF Plugin-x32: @qq.com/QQPhotoDrawEx -> C:\Program Files (x86)\Tencent\Qzone\Ver_247.312\npQQPhotoDrawEx.dll [No File]
FF Plugin-x32: @qq.com/QzoneMusic -> C:\Program Files (x86)\Tencent\QZoneMusic\2014.1.21.12.49.33\npQzoneMusic.dll [No File]
FF Plugin-x32: @tencent.com/npQQMailWebKit,version=1.0.0.1 -> C:\Program Files (x86)\QQMailPlugin\npQQMailWebKit.dll [No File]
FF Plugin-x32: @tencent.com/nptxftnWebKit,version=1.0.0.1 -> C:\Program Files (x86)\QQMailPlugin\nptxftnWebKit.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin-x32: @xunlei.com/npaplayer -> C:\Users\Public\Thunder Network\APlayer\codecs\npaplayer.dll [2013-01-17] (ShenZhen Thunder Networking Technologies, LTD)
FF Plugin-x32: @xunlei.com/npxunlei;version=1.0.0.2 -> G:\软件安装\Thunder\Data\npxunlei1.0.0.2.dll [No File]
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3083351398-712559288-1648508647-1000: @alibaba.com/npAliSSOLogin;version=1.0 -> G:\软件安装\AliWangWang\8.00.41C\npAliSSOLogin.dll [No File]
FF Plugin HKU\S-1-5-21-3083351398-712559288-1648508647-1000: @alibaba.com/npwangwang;version=1.0 -> G:\软件安装\AliWangWang\8.00.41C\npwangwang.dll [No File]
FF Plugin HKU\S-1-5-21-3083351398-712559288-1648508647-1000: @talk.google.com/GoogleTalkPlugin -> C:\Users\Daniel\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-3083351398-712559288-1648508647-1000: @talk.google.com/O1DPlugin -> C:\Users\Daniel\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-3083351398-712559288-1648508647-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Daniel\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin HKU\S-1-5-21-3083351398-712559288-1648508647-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Daniel\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin HKU\S-1-5-21-3083351398-712559288-1648508647-1000: @xunlei.com/npxunlei;version=1.0.0.2 -> G:\软件安装\Thunder\Data\npxunlei1.0.0.2.dll [No File]
FF Plugin HKU\S-1-5-21-3083351398-712559288-1648508647-1000: youku.com/YoukuAgent -> C:\Program Files (x86)\YouKu\YoukuClient\npYoukuAgent.dll [No File]
FF Plugin HKU\S-1-5-21-3083351398-712559288-1648508647-1000: youku.com/YoukuAgent_x86_64 -> C:\Program Files (x86)\YouKu\YoukuClient\npYoukuAgent_x64.dll [No File]
FF Plugin ProgramFiles/Appdata: C:\Users\Daniel\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Daniel\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF HKU\S-1-5-21-3083351398-712559288-1648508647-1000\...\Firefox\Extensions: [dict@www.youdao.com] - G:\软件安装\Youdao\Dict\stable\extensions\firefox => not found
FF HKU\S-1-5-21-3083351398-712559288-1648508647-1000\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - E:\Programs\Internet Download Manager\idmmzcc2.xpi => not found
FF HKU\S-1-5-21-3083351398-712559288-1648508647-1000\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\Daniel\AppData\Roaming\IDM\idmmzcc5
FF Extension: IDM CC - C:\Users\Daniel\AppData\Roaming\IDM\idmmzcc5 [2016-04-30] [not signed]

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://mysearch.avg.com?cid={DE8DB755-B8AA-4144-9495-13494FB61234}&mid=d303dc84ef5747d2bfe0d15f8893a7de-334cfd06ae2e133a9149e1973a155e37cb23a507&lang=en&ds=gm011&coid=avgtbdisgm&cmpid=&pr=sa&d=2014-03-31 22:22:16&v=18.0.5.292&pid=safeguard&sg=&sap=hp"
CHR Profile: C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-01-10]
CHR Extension: (Google Docs) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-01-10]
CHR Extension: (Google Drive) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-01-10]
CHR Extension: (YouTube) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-01-10]
CHR Extension: (Google Search) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-01-10]
CHR Extension: (Google Sheets) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-01-10]
CHR Extension: (Google Docs Offline) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-21]
CHR Extension: (AdBlock) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-04-16]
CHR Extension: (KingsRoad) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbcbablgmkkdnioiekpgjfacejkfomlg [2016-01-10]
CHR Extension: (IDM Integration Module) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngpampappnmepgilojfohadhhmbhlaek [2016-04-23]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-16]
CHR Extension: (Gmail) - C:\Users\Daniel\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-01-10]
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2015-08-28]
CHR HKLM-x32\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2015-08-28]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-07] (Apple Inc.)
S2 FirebirdGuardianDefaultInstance; G:\HWCard7.0\firebird\bin\fbguard.exe [81920 2008-04-22] (FirebirdSQL Project) [File not signed]
S3 FirebirdServerDefaultInstance; G:\HWCard7.0\firebird\bin\fbserver.exe [2015232 2008-04-22] (FirebirdSQL Project) [File not signed]
S3 FirebirdServerMAGIXInstance; E:\Programs\MAGIX\Common\Database\bin\fbserver.exe [1527900 2005-11-17] (MAGIX®) [File not signed]
S4 TBSecSvc; C:\Program Files (x86)\TaobaoProtect\TBSecSvc.exe [227296 2015-12-05] (Alibaba (China) Co., LTD. All rights reserved.)
S4 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [6942480 2016-03-02] (TeamViewer GmbH)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
S3 ljzc; C:\Program Files (x86)\BaiduSd3.0\BaiduSd\3.0.0.4605\mwaehk.dll [X]
S3 mma; C:\Program Files (x86)\BaiduAn3.0\BaiduAn\3.0.0.3971\sotfr.dll [X]
S3 XLServicePlatform; C:\Program Files (x86)\Common Files\Thunder Network\ServicePlatform\XLSP.dll [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 BocomKeyFlt; C:\Windows\BocomKeyFlt.sys [47128 2013-08-26] (BANK OF COMMUNICATIONS)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 GUBootStartup; C:\Windows\System32\drivers\GUBootStartup.sys [20160 2015-12-28] (Glarysoft Ltd)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [24688 2016-04-28] ()
S1 BdSandBox; system32\DRIVERS\BdSandBox.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S1 eamonm; system32\DRIVERS\eamonm.sys [X]
S1 ehdrv; system32\DRIVERS\ehdrv.sys [X]
S2 IRNPF; \??\C:\Program Files (x86)\YouKu\YoukuClient\youkuCache\npf.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-30 22:39 - 2016-04-30 22:47 - 00000000 ____D C:\FRST
2016-04-30 20:43 - 2016-04-30 21:06 - 00114176 _____ C:\Users\Daniel\Documents\coupondraft3a.pub
2016-04-30 20:26 - 2016-04-30 20:33 - 00105984 _____ C:\Users\Daniel\Documents\coupondraft3.pub
2016-04-30 20:17 - 2016-04-30 20:17 - 00106496 _____ C:\Users\Daniel\Documents\coupondraft2.pub
2016-04-30 19:17 - 2016-04-30 19:17 - 00233472 _____ C:\Users\Daniel\Documents\coupondraft1.pub
2016-04-30 17:40 - 2016-04-30 19:44 - 00089600 _____ C:\Users\Daniel\Documents\couponbase.pub
2016-04-30 17:10 - 2016-04-30 17:10 - 01158950 _____ C:\Users\Daniel\Documents\vikungfu.ogg
2016-04-30 16:45 - 2016-04-30 16:48 - 00000551 _____ C:\Users\Daniel\Desktop\temp2.txt
2016-04-30 16:21 - 2016-04-30 16:29 - 00000000 ____D C:\Windows\system32\MRT
2016-04-30 16:19 - 2016-04-30 16:19 - 00000000 ____D C:\Program Files (x86)\MSXML 4.0
2016-04-30 14:44 - 2016-04-30 15:13 - 00001508 _____ C:\Users\Daniel\Desktop\werfault.txt
2016-04-30 12:50 - 2016-04-30 12:50 - 00000000 ____D C:\Windows\system32\SPReview
2016-04-30 12:49 - 2016-04-30 12:49 - 00000000 ____D C:\Windows\system32\EventProviders
2016-04-30 12:48 - 2016-04-30 12:48 - 00419980 _____ C:\Windows\system32\perfh011.dat
2016-04-30 12:48 - 2016-04-30 12:48 - 00123270 _____ C:\Windows\system32\perfc011.dat
2016-04-30 12:48 - 2016-04-30 12:45 - 00141988 _____ C:\Windows\system32\perfi011.dat
2016-04-30 12:48 - 2016-04-30 12:45 - 00031548 _____ C:\Windows\system32\perfd011.dat
2016-04-30 12:46 - 2016-04-30 18:59 - 00001584 _____ C:\Users\Daniel\Desktop\MG.txt
2016-04-30 12:46 - 2016-04-30 12:46 - 00000000 ____D C:\Windows\SysWOW64\ja
2016-04-30 12:46 - 2016-04-30 12:46 - 00000000 ____D C:\Windows\SysWOW64\0411
2016-04-30 12:46 - 2016-04-30 12:46 - 00000000 ____D C:\Windows\system32\ja
2016-04-30 12:39 - 2009-07-13 18:41 - 00287744 _____ (Microsoft Corporation) C:\Windows\system32\lzhfldr2.dll
2016-04-30 12:39 - 2009-07-13 18:16 - 00266240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\lzhfldr2.dll
2016-04-30 12:15 - 2016-04-02 13:48 - 00038120 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2016-04-30 12:15 - 2016-04-02 13:45 - 01387008 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2016-04-30 12:15 - 2016-04-02 13:45 - 00698368 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2016-04-30 12:15 - 2016-04-02 13:45 - 00499712 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2016-04-30 12:15 - 2016-04-02 13:45 - 00279552 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2016-04-30 12:15 - 2016-04-02 13:45 - 00076800 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2016-04-30 12:15 - 2016-04-02 13:37 - 01169408 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2016-04-30 12:15 - 2016-03-23 10:03 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2016-04-30 12:01 - 2016-04-30 12:05 - 00292532 _____ C:\Windows\ntbtlog.txt
2016-04-29 14:01 - 2016-04-29 23:03 - 00000000 ____D C:\Users\Daniel\AppData\Local\CrashDumps
2016-04-29 12:03 - 2016-04-29 13:24 - 00963915 _____ C:\Users\Daniel\Documents\gumballgerman.vep
2016-04-28 22:11 - 2016-04-28 22:11 - 00000000 __SHD C:\found.000
2016-04-28 19:55 - 2016-04-28 19:55 - 00118048 _____ C:\Windows\system32\BootDefrag.exe
2016-04-28 14:57 - 2016-04-28 15:18 - 00000000 ____D C:\ProgramData\RogueKiller
2016-04-28 14:57 - 2016-04-28 14:57 - 00024688 _____ C:\Windows\system32\Drivers\TrueSight.sys
2016-04-28 13:47 - 2016-04-28 13:48 - 03134544 _____ C:\Windows\system32\FNTCACHE.DAT
2016-04-28 11:53 - 2016-04-28 11:53 - 00155216 _____ C:\Users\Daniel\AppData\Local\GDIPFONTCACHEV1.DAT
2016-04-28 10:10 - 2016-04-28 10:10 - 00026016 _____ C:\ComboFix.txt
2016-04-28 09:55 - 2011-06-26 02:45 - 00256000 _____ C:\Windows\PEV.exe
2016-04-28 09:55 - 2010-11-07 13:20 - 00208896 _____ C:\Windows\MBR.exe
2016-04-28 09:55 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-04-28 09:55 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-04-28 09:55 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-04-28 09:55 - 2000-08-30 20:00 - 00098816 _____ C:\Windows\sed.exe
2016-04-28 09:55 - 2000-08-30 20:00 - 00080412 _____ C:\Windows\grep.exe
2016-04-28 09:55 - 2000-08-30 20:00 - 00068096 _____ C:\Windows\zip.exe
2016-04-28 02:24 - 2016-04-28 10:10 - 00000000 ____D C:\Qoobox
2016-04-28 02:23 - 2016-04-28 10:08 - 00000000 ____D C:\Windows\erdnt
2016-04-27 23:53 - 2016-04-27 23:53 - 00000000 ____D C:\Users\Daniel\AppData\Local\ESET
2016-04-27 23:31 - 2016-04-27 23:33 - 00000000 ____D C:\AdwCleaner
2016-04-27 22:17 - 2016-04-28 09:55 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Kabiy
2016-04-27 15:30 - 2016-04-27 15:31 - 04610719 _____ C:\Users\Daniel\Documents\fnt.ogg
2016-04-27 13:09 - 2016-04-27 15:30 - 00006158 _____ C:\Users\Daniel\Desktop\fnt.txt
2016-04-26 19:02 - 2016-04-26 19:02 - 00198948 _____ C:\Users\Daniel\Documents\audacity3.ogg
2016-04-26 18:58 - 2016-04-26 18:58 - 00751196 _____ C:\Users\Daniel\Documents\audacity2.ogg
2016-04-26 17:36 - 2016-04-26 17:36 - 02133628 _____ C:\Users\Daniel\Documents\record1.ogg
2016-04-26 17:33 - 2016-04-26 17:33 - 00015686 _____ C:\Users\Daniel\Documents\record.aup
2016-04-26 17:33 - 2016-04-26 17:33 - 00000000 ____D C:\Users\Daniel\Documents\record_data
2016-04-26 17:15 - 2016-04-26 17:15 - 00325566 _____ C:\Users\Daniel\Documents\audacity1.ogg
2016-04-26 13:25 - 2016-04-26 18:21 - 00004509 _____ C:\Users\Daniel\AppData\Roaming\CamStudio.cfg
2016-04-26 13:25 - 2016-04-26 18:21 - 00000408 _____ C:\Users\Daniel\AppData\Roaming\CamShapes.ini
2016-04-26 13:25 - 2016-04-26 18:21 - 00000408 _____ C:\Users\Daniel\AppData\Roaming\CamLayout.ini
2016-04-26 13:25 - 2016-04-26 18:21 - 00000096 _____ C:\Users\Daniel\AppData\Roaming\Camdata.ini
2016-04-26 13:23 - 2016-04-26 13:23 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CamStudio 2.7
2016-04-26 13:23 - 2016-04-26 13:23 - 00000000 ____D C:\Program Files\CamStudio 2.7
2016-04-26 12:09 - 2016-04-26 19:02 - 00003203 _____ C:\Users\Daniel\Desktop\record.txt
2016-04-25 18:56 - 2016-04-25 18:56 - 03409896 _____ C:\Users\Daniel\Documents\sleep.ogg
2016-04-25 13:53 - 2016-04-25 13:53 - 00001077 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BrainWave Generator.lnk
2016-04-25 13:53 - 2016-04-25 13:53 - 00000000 ____D C:\Program Files (x86)\BrainWave Generator
2016-04-25 13:53 - 1997-11-19 15:49 - 00303616 _____ (InstallShield Software Corporation) C:\Windows\IsUninst.exe
2016-04-25 12:37 - 2016-04-25 18:40 - 00003284 _____ C:\Users\Daniel\Desktop\Ajin.txt
2016-04-25 02:09 - 2016-04-29 11:16 - 00000000 ____D C:\Users\Daniel\AppData\LocalLow\uTorrent
2016-04-24 12:21 - 2016-04-24 12:21 - 00406300 _____ C:\Users\Daniel\Documents\gates of hell chrish haigh.ogg
2016-04-22 15:08 - 2016-04-22 15:08 - 05201711 _____ C:\Users\Daniel\Documents\test player_2.ogg
2016-04-22 14:11 - 2016-04-22 14:11 - 00004617 _____ C:\Users\Daniel\Documents\nick.aup
2016-04-22 14:11 - 2016-04-22 14:11 - 00000000 ____D C:\Users\Daniel\Documents\nick_data
2016-04-22 10:59 - 2016-04-22 10:59 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\baidu
2016-04-21 22:14 - 2016-04-21 22:14 - 00003840 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1461291285
2016-04-21 22:14 - 2016-04-21 22:14 - 00001135 _____ C:\Users\Public\Desktop\Opera.lnk
2016-04-21 22:14 - 2016-04-21 22:14 - 00001135 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
2016-04-21 22:14 - 2016-04-21 22:14 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Opera Software
2016-04-21 22:14 - 2016-04-21 22:14 - 00000000 ____D C:\Users\Daniel\AppData\Local\Opera Software
2016-04-21 22:13 - 2016-04-28 13:53 - 00000000 ____D C:\Program Files (x86)\Opera
2016-04-21 21:31 - 2016-04-22 19:49 - 00000289 _____ C:\Users\Daniel\Desktop\temp111.txt
2016-04-21 20:09 - 2016-04-21 20:09 - 00000530 _____ C:\Users\Daniel\Desktop\TRAFON.txt
2016-04-21 18:31 - 2016-04-21 18:31 - 00390853 _____ C:\Users\Daniel\Documents\TRAFON.ogg
2016-04-21 16:19 - 2016-04-21 16:19 - 02681718 _____ C:\Users\Daniel\Documents\kingdom.ogg
2016-04-21 15:47 - 2016-04-22 02:00 - 00003587 _____ C:\Users\Daniel\Desktop\kingdom.txt
2016-04-20 21:57 - 2016-04-21 16:41 - 00004197 _____ C:\Users\Daniel\Desktop\gemsaegi.txt
2016-04-19 22:59 - 2016-04-19 22:59 - 00180513 _____ C:\Users\Daniel\Desktop\HMFoMT Gifts.txt
2016-04-19 17:07 - 2016-04-19 17:07 - 21107200 _____ C:\Users\Daniel\Documents\1292236640658-dumpfm-years-explode1.avi
2016-04-19 17:07 - 2016-04-19 17:07 - 00003864 _____ C:\Users\Daniel\Documents\1292236640658-dumpfm-years-explode1_avi.AVD
2016-04-19 16:16 - 2016-04-19 16:16 - 02513144 _____ C:\Users\Daniel\Documents\kabaneri.ogg
2016-04-19 14:11 - 2016-04-19 20:21 - 00003421 _____ C:\Users\Daniel\Desktop\kabaneri.txt
2016-04-16 23:52 - 2016-04-16 23:52 - 00000342 _____ C:\Users\Daniel\Desktop\temp1.txt
2016-04-16 20:32 - 2016-04-16 20:32 - 00286052 _____ C:\Users\Daniel\Documents\op_pokemon.ogg
2016-04-16 20:13 - 2016-04-16 20:13 - 00915110 _____ C:\Users\Daniel\Documents\op_scoob.ogg
2016-04-16 20:06 - 2016-04-16 20:06 - 00543248 _____ C:\Users\Daniel\Documents\op_bamanpiderman.ogg
2016-04-16 20:00 - 2016-04-16 20:00 - 00879240 _____ C:\Users\Daniel\Documents\op_batgirl.ogg
2016-04-16 19:56 - 2016-04-16 19:56 - 00810835 _____ C:\Users\Daniel\Documents\op_gits.ogg
2016-04-16 19:49 - 2016-04-16 19:49 - 01000224 _____ C:\Users\Daniel\Documents\op_godzilla.ogg
2016-04-16 19:40 - 2016-04-16 19:40 - 00131862 _____ C:\Users\Daniel\Documents\op1.ogg
2016-04-15 18:50 - 2016-04-15 18:51 - 00000000 ____D C:\ProgramData\COMODO
2016-04-15 18:50 - 2016-04-15 18:50 - 00000000 ____D C:\Program Files\COMODO
2016-04-15 18:49 - 2016-04-15 18:52 - 00000000 ____D C:\Program Files (x86)\Kingo ROOT
2016-04-15 18:49 - 2016-04-15 18:49 - 00001031 _____ C:\Users\Public\Desktop\Kingo ROOT.lnk
2016-04-15 18:49 - 2016-04-15 18:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kingo ROOT
2016-04-14 17:01 - 2016-04-14 17:01 - 00001203 _____ C:\Users\Daniel\Desktop\StepMania.lnk
2016-04-12 22:53 - 2016-04-13 09:30 - 00000000 ____D C:\Program Files (x86)\Pale Moon
2016-04-12 17:10 - 2016-04-12 17:10 - 00016559 _____ C:\Users\Daniel\Documents\gacha2.aup
2016-04-12 17:10 - 2016-04-12 17:10 - 00000000 ____D C:\Users\Daniel\Documents\gacha2_data
2016-04-12 02:06 - 2016-04-12 02:06 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_WinUsb_01007.Wdf
2016-04-12 02:02 - 2013-05-02 00:23 - 01490656 _____ (Microsoft Corporation) C:\Windows\system32\WdfCoInstaller01007.dll
2016-04-12 02:02 - 2013-05-02 00:23 - 00708168 _____ (Microsoft Corporation) C:\Windows\system32\WinUSBCoInstaller.dll
2016-04-12 02:02 - 2013-05-02 00:23 - 00203672 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\system32\Drivers\ssudmdm.sys
2016-04-12 02:02 - 2013-05-02 00:23 - 00103064 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\system32\Drivers\ssudbus.sys
2016-04-12 02:01 - 2016-04-12 02:01 - 00000000 ____D C:\Program Files\SAMSUNG
2016-04-12 02:00 - 2016-04-12 02:00 - 00000000 ____D C:\ProgramData\Samsung
2016-04-12 01:59 - 2016-04-12 01:59 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Kingosoft
2016-04-12 01:59 - 2016-04-12 01:59 - 00000000 ____D C:\Users\Daniel\AppData\Local\Kingosoft
2016-04-09 19:22 - 2016-04-09 19:22 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\StepMania 5
2016-04-09 19:20 - 2016-04-09 19:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StepMania 5.0.10
2016-04-08 20:43 - 2016-04-08 20:43 - 00037907 _____ C:\Users\Daniel\Documents\sugar.aup
2016-04-08 20:43 - 2016-04-08 20:43 - 00000000 ____D C:\Users\Daniel\Documents\sugar_data
2016-04-06 12:13 - 2016-04-06 12:13 - 00000794 _____ C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Start Tor Browser.lnk
2016-04-06 12:13 - 2016-04-06 12:13 - 00000746 _____ C:\Users\Daniel\Desktop\Start Tor Browser.lnk
2016-04-06 12:10 - 2016-04-06 12:10 - 00000000 ____D C:\Users\Daniel\Desktop\Tor Browser
2016-04-01 20:07 - 2016-04-30 22:13 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3083351398-712559288-1648508647-1000UA.job
2016-04-01 20:07 - 2016-04-30 20:12 - 00000860 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3083351398-712559288-1648508647-1000Core.job
2016-04-01 20:07 - 2016-04-01 20:07 - 00003888 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3083351398-712559288-1648508647-1000UA
2016-04-01 20:07 - 2016-04-01 20:07 - 00003492 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3083351398-712559288-1648508647-1000Core

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-30 22:48 - 2016-01-10 19:37 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-04-30 22:43 - 2009-07-14 00:45 - 00014016 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-04-30 22:43 - 2009-07-14 00:45 - 00014016 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-04-30 20:07 - 2016-01-04 21:44 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\TeamViewer
2016-04-30 17:25 - 2015-12-25 23:13 - 00000000 ____D C:\Users\Daniel\Documents\My PSP Files
2016-04-30 17:10 - 2015-12-28 18:06 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Audacity
2016-04-30 16:39 - 2015-12-28 18:27 - 00000312 _____ C:\Windows\Tasks\GlaryInitialize 5.job
2016-04-30 16:38 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-30 16:37 - 2015-12-25 23:17 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\DMCache
2016-04-30 16:37 - 2015-12-24 15:22 - 00000000 ___SD C:\Windows\system32\CompatTel
2016-04-30 16:37 - 2015-12-24 15:22 - 00000000 ____D C:\Windows\system32\appraiser
2016-04-30 16:21 - 2013-11-15 10:03 - 135176864 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-04-30 16:20 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
2016-04-30 12:48 - 2009-07-14 06:32 - 00387152 _____ C:\Windows\system32\prfh0804.dat
2016-04-30 12:48 - 2009-07-14 06:32 - 00120762 _____ C:\Windows\system32\prfc0804.dat
2016-04-30 12:46 - 2009-07-14 06:44 - 00000000 ____D C:\Program Files\Windows Journal
2016-04-30 12:46 - 2009-07-14 06:32 - 00000000 ____D C:\Windows\SysWOW64\XPSViewer
2016-04-30 12:46 - 2009-07-14 06:32 - 00000000 ____D C:\Windows\SysWOW64\winrm
2016-04-30 12:46 - 2009-07-14 06:32 - 00000000 ____D C:\Windows\SysWOW64\sysprep
2016-04-30 12:46 - 2009-07-14 06:32 - 00000000 ____D C:\Windows\SysWOW64\slmgr
2016-04-30 12:46 - 2009-07-14 06:31 - 00000000 ____D C:\Windows\SysWOW64\WCN
2016-04-30 12:46 - 2009-07-14 06:31 - 00000000 ____D C:\Windows\SysWOW64\Printing_Admin_Scripts
2016-04-30 12:46 - 2009-07-14 06:31 - 00000000 ____D C:\Windows\system32\winrm
2016-04-30 12:46 - 2009-07-14 06:31 - 00000000 ____D C:\Windows\system32\WCN
2016-04-30 12:46 - 2009-07-14 06:31 - 00000000 ____D C:\Windows\system32\slmgr
2016-04-30 12:46 - 2009-07-14 01:37 - 00000000 ____D C:\Windows\DigitalLocker
2016-04-30 12:46 - 2009-07-14 01:32 - 00000000 ____D C:\Windows\system32\WinBioPlugIns
2016-04-30 12:46 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files\Windows Sidebar
2016-04-30 12:46 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2016-04-30 12:46 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files\Windows Defender
2016-04-30 12:46 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files\DVD Maker
2016-04-30 12:46 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar
2016-04-30 12:46 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2016-04-30 12:46 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2016-04-30 12:46 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\SysWOW64\Setup
2016-04-30 12:46 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\SysWOW64\oobe
2016-04-30 12:46 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\SysWOW64\MUI
2016-04-30 12:46 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\SysWOW64\migwiz
2016-04-30 12:46 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\SysWOW64\Dism
2016-04-30 12:46 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\SysWOW64\com
2016-04-30 12:46 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\sysprep
2016-04-30 12:46 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\Setup
2016-04-30 12:46 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\oobe
2016-04-30 12:46 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\MUI
2016-04-30 12:46 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\migwiz
2016-04-30 12:46 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\Dism
2016-04-30 12:46 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\servicing
2016-04-30 12:46 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2016-04-30 12:46 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\IME
2016-04-30 12:46 - 2009-07-13 23:20 - 00000000 ____D C:\Program Files\Common Files\System
2016-04-30 12:45 - 2009-07-14 06:31 - 00000000 ____D C:\Windows\system32\Printing_Admin_Scripts
2016-04-30 12:45 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\com
2016-04-30 02:27 - 2015-12-27 13:14 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\uTorrent
2016-04-29 18:30 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\rescache
2016-04-29 13:02 - 2016-02-10 00:42 - 00000000 ___SD C:\Users\Daniel\AppData\LocalLow\Temp
2016-04-28 21:03 - 2009-07-14 01:13 - 01285724 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-28 20:56 - 2016-01-20 19:52 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\IDM
2016-04-28 15:51 - 2016-01-10 19:40 - 00002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-04-28 15:51 - 2016-01-10 19:40 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-04-28 15:22 - 2015-04-21 00:24 - 00000000 ____D C:\Users\Daniel\AppData\Local\Adobe
2016-04-28 10:07 - 2009-07-13 22:34 - 00000260 _____ C:\Windows\system.ini
2016-04-28 02:53 - 2015-12-28 18:46 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-04-27 23:35 - 2013-08-23 00:56 - 00000000 ____D C:\Windows\Minidump
2016-04-27 01:26 - 2016-03-13 01:09 - 00000000 ____D C:\video_output
2016-04-26 18:22 - 2016-03-13 01:08 - 00005632 _____ C:\Users\Daniel\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-04-26 00:09 - 2016-02-22 19:17 - 00000088 _____ C:\Windows\SysWOW64\ada5a0709b157f49c2ee0e36fc3c42bb-x86.cache-2
2016-04-25 17:21 - 2015-12-29 00:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-04-25 17:21 - 2015-12-29 00:26 - 00000000 ____D C:\ProgramData\Oracle
2016-04-25 17:21 - 2015-12-29 00:26 - 00000000 ____D C:\Program Files (x86)\Java
2016-04-25 17:20 - 2015-12-29 00:27 - 00097856 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2016-04-25 17:20 - 2015-12-29 00:27 - 00000000 ____D C:\Users\Daniel\.oracle_jre_usage
2016-04-25 16:01 - 2016-01-01 02:39 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Skype
2016-04-21 21:41 - 2015-12-27 19:03 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\vlc
2016-04-21 15:05 - 2013-08-22 23:28 - 00453288 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2016-04-18 12:32 - 2016-03-27 11:23 - 00000148 _____ C:\Users\Daniel\Desktop\cc.txt
2016-04-16 20:35 - 2016-03-08 18:31 - 00352651 _____ C:\Users\Daniel\Documents\mpxclose.ogg
2016-04-16 18:35 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\NDF
2016-04-15 19:21 - 2015-04-21 00:26 - 00000000 ____D C:\Program Files (x86)\Adobe
2016-04-15 19:20 - 2015-04-21 00:26 - 00000000 ____D C:\ProgramData\Adobe
2016-04-15 19:20 - 2013-08-24 23:54 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\Adobe
2016-04-12 01:59 - 2013-09-22 09:25 - 00000000 ____D C:\Users\Daniel\.android
2016-04-05 16:32 - 2016-01-01 02:42 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2016-04-01 20:08 - 2015-12-29 01:12 - 00000000 ____D C:\Users\Daniel\AppData\Local\Google
2016-04-01 15:36 - 2016-03-13 19:46 - 00000000 ____D C:\Users\Daniel\AppData\Local\Teeching Feeling
2016-03-31 16:47 - 2015-12-28 18:45 - 00000744 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-03-31 16:47 - 2015-12-28 18:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-03-31 16:31 - 2016-01-07 22:52 - 00000000 ____D C:\Users\Daniel\AppData\Roaming\MPC-HC

==================== Files in the root of some directories =======

2015-12-29 01:11 - 2015-12-29 01:11 - 50063360 _____ () C:\Program Files (x86)\GUTE8CB.tmp
2016-04-26 13:25 - 2016-04-26 18:21 - 0000096 _____ () C:\Users\Daniel\AppData\Roaming\Camdata.ini
2016-04-26 13:25 - 2016-04-26 18:21 - 0000408 _____ () C:\Users\Daniel\AppData\Roaming\CamLayout.ini
2016-04-26 13:25 - 2016-04-26 18:21 - 0000408 _____ () C:\Users\Daniel\AppData\Roaming\CamShapes.ini
2016-04-26 13:25 - 2016-04-26 18:21 - 0004509 _____ () C:\Users\Daniel\AppData\Roaming\CamStudio.cfg
2010-06-21 03:00 - 2014-12-04 07:41 - 0000915 _____ () C:\Users\Daniel\AppData\Roaming\coreavc.ini
2014-10-12 13:25 - 2014-10-12 13:25 - 0012962 _____ () C:\Users\Daniel\AppData\Roaming\Microsoft Excel 97-2003.CAL
2014-09-18 08:10 - 2014-11-26 21:31 - 0000622 _____ () C:\Users\Daniel\AppData\Roaming\Word2Pdf_temp.html
2014-10-12 13:30 - 2014-10-12 13:30 - 0012952 _____ () C:\Users\Daniel\AppData\Roaming\逗号分隔的值(Windows).CAL
2016-03-13 01:08 - 2016-04-26 18:22 - 0005632 _____ () C:\Users\Daniel\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-03-14 20:40 - 2016-03-14 20:40 - 0000839 _____ () C:\Users\Daniel\AppData\Local\recently-used.xbel
2016-01-03 20:32 - 2016-01-03 20:32 - 0007609 _____ () C:\Users\Daniel\AppData\Local\Resmon.ResmonCfg
2015-12-27 14:40 - 2015-12-27 14:40 - 0000078 _____ () C:\ProgramData\lmab.log

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-04-29 18:21

==================== End of FRST.txt ============================


Edited by rookierook, 30 April 2016 - 10:03 PM.
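
An added triage helper for the FRST.txt above (example code written for this page, not FRST's own code and not anything posted in the thread): it parses the driver and created-file line formats shown in the log and flags entries an analyst would verify first. The rules and their "check this" labels are the example's own assumptions, and the sample lines are copied from the log above.

```python
"""Triage helper for FRST logs: added example, not FRST's code nor anything
posted in this thread. It parses the driver/service lines and the "One Month
Created files and folders" lines in the format of the FRST.txt above and
flags entries worth verifying first. The rules are this example's own
assumptions, not FRST output; a flag means "check this", not "malware"."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Driver/service line, e.g.
#   R1 BocomKeyFlt; C:\Windows\BocomKeyFlt.sys [47128 2013-08-26] (BANK OF COMMUNICATIONS)
#   S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
# R = running, S = stopped (U also occurs); the digit is the Windows start type
# (0 boot .. 4 disabled); "[X]" means the file is not on disk.
DRIVER_RE = re.compile(
    r"^(?P<state>[RSU])(?P<start>\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<meta>X|\d+\s+\d{4}-\d{2}-\d{2})\](?:\s+\((?P<company>.*)\))?\s*$"
)

# Created-file line: "created - modified - size attrs [(company)] path".
# attrs is five characters such as ____D or __SHD, padded with underscores;
# only the letters that are set matter (D directory, H hidden, S system).
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>.*?)\) )?(?P<path>[A-Za-z]:\\.*?)\s*$"
)

EXECUTABLE_SUFFIXES = (".exe", ".sys", ".dll")

@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)

def triage_driver(line: str) -> Optional[Finding]:
    """Flag a driver/service line, or return None if it looks ordinary."""
    m = DRIVER_RE.match(line)
    if not m:
        return None
    path = m["path"]
    if path.startswith("\\??\\"):  # NT object-manager prefix FRST prints for some drivers
        path = path[4:]
    reasons = []
    if m["meta"] == "X":
        # Registry still names a file that is gone (often an uninstall leftover): a stale load point.
        reasons.append("file missing")
    else:
        if not (m["company"] or "").strip():
            # No publisher in the version info: verify the Authenticode signature.
            reasons.append("no publisher")
        if "\\system32\\drivers\\" not in path.lower():
            reasons.append("outside system drivers directory")
    return Finding(path, reasons) if reasons else None

def triage_created(line: str) -> Optional[Finding]:
    """Flag a recently created file/folder line, or return None."""
    m = CREATED_RE.match(line)
    if not m:
        return None
    path, lower = m["path"], m["path"].lower()
    attrs = set(m["attrs"].replace("_", ""))
    reasons = []
    if lower.endswith(EXECUTABLE_SUFFIXES):
        if not (m["company"] or "").strip():
            reasons.append("executable with no publisher")
        if re.fullmatch(r"[a-z]:\\windows\\[^\\]+", lower):
            # Binaries in the Windows root are unusual for regular software; confirm the source.
            reasons.append("executable in Windows root")
    if {"S", "H"} <= attrs:
        reasons.append("system+hidden object")
    return Finding(path, reasons) if reasons else None

def triage_log(text: str) -> List[Finding]:
    """Run both parsers over every line; lines from other sections are ignored."""
    findings = []
    for line in text.splitlines():
        finding = triage_driver(line) or triage_created(line)
        if finding:
            findings.append(finding)
    return findings

# Sample lines copied from the FRST.txt posted above.
SAMPLE_LOG = r"""
R1 BocomKeyFlt; C:\Windows\BocomKeyFlt.sys [47128 2013-08-26] (BANK OF COMMUNICATIONS)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [24688 2016-04-28] ()
S1 eamonm; system32\DRIVERS\eamonm.sys [X]
S2 IRNPF; \??\C:\Program Files (x86)\YouKu\YoukuClient\youkuCache\npf.sys [X]
2016-04-28 22:11 - 2016-04-28 22:11 - 00000000 __SHD C:\found.000
2016-04-28 09:55 - 2011-06-26 02:45 - 00256000 _____ C:\Windows\PEV.exe
2016-04-28 09:55 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-04-30 12:15 - 2016-04-02 13:48 - 00038120 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
"""
if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{'; '.join(f.reasons):50} {f.path}")
```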


#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts

Posted 30 April 2016 - 10:12 PM

I do not see the Addition.txt attached. You can copy/paste directly in the thread if you wish.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 rookierook


Posted 30 April 2016 - 11:20 PM

For some reason, whenever I try to post the list from Addition.txt, I get the message "You do not have permission for that action". Am I doing something wrong?



#6 rookierook


Posted 30 April 2016 - 11:24 PM

I've attached the Addition.txt file again so it should work this time. Otherwise, I've also uploaded the file to my Google Drive account with the link below.

https://drive.google.com/open?id=0B26yWeynXuFGMWp2TFJPaWlOSGM

Attached Files



#7 Aura


Posted 01 May 2016 - 11:10 AM

Thank you for waiting :)

Before I start the clean-up, I would like to address the following point:

Additional Note that may or may not be relevant - I actually purchased my laptop just around January of this year used by another owner. However, I was unaware that the laptop came from China and thus it uses the Chinese version of Windows 7. Also, I am unable to determine the model of the laptop though it had an Asus logo in it.


When you bought the laptop, did you Factory Reset it, or did the previous owner Factory Reset it before handing it over to you? I'm asking that because there seems to be a lot of remnants from past installations on the system, and I'm not sure you were the one that installed these programs. Whenever you buy a used laptop and/or computer, your first step should be to reset it to its default settings. I don't mind going ahead with the clean-up, however, I would like you to give this solution some thought. Since we'll never know what this laptop was used for in the past (what was installed as well), it's impossible to guarantee that it'll be totally safe to use, even after the clean-up.



#8 rookierook


Posted 01 May 2016 - 01:04 PM

No, I did not reset it to the factory settings for the simple reason that the OS is in Chinese, therefore much of the interface, files, and folders are also in Chinese. It actually took me days of trial and error to find the language settings and set some (but not all) of the interface to English. So yes, there are remnants of files and other things from the previous owner, but because I don't read Chinese, I am unsure if any of them are critical to Windows, so I simply leave them alone.



#9 Aura


Posted 02 May 2016 - 08:56 AM

Alright, in that case, we'll continue with the clean-up. What we're going to do is clean your system as much as possible, and from there, we'll tackle your language issue (by installing the English language pack). Once done, you'll be free to continue using your system as it is, or Factory Reset it. This being said, let's get started :)

P2P Program Warning!
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

Potentially Unwanted Programs Warning!

I noticed that you have Potentially Unwanted Programs (PUPs) installed on your system. I'll ask you to uninstall them since uninstalling such programs before running malware removal tools will ensure a better clean-up.
  • AVS Registry Cleaner 3.0.2.271;
If you have an issue when uninstalling a program, please let me know.

Outdated Programs Warning!

I noticed that you have outdated vulnerable programs installed on your system. I'll ask you to uninstall them since keeping outdated software installed on a system puts it more at risk of being infected. Otherwise, you can update them right now, and make sure that their outdated version is uninstalled after. We will reinstall these programs at the end of the clean-up if you decide to uninstall them now, and need them after.
  • Adobe AIR
  • Java 8 Update 91
  • HijackThis
If you have an issue when uninstalling a program, please let me know.

Now, you said that you ran Malwarebytes, ComboFix and AdwCleaner on your system, is that right? Do you still have the logs they created? If so, can you copy/paste them here? If you don't know where they are, let me know and I'll guide you.

We'll also run a first fix with FRST. Follow the instructions below please.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Attach that log in your next reply;


Your next reply(ies) should include:
  • Copy/pasted content of the Malwarebytes, AdwCleaner and ComboFix logs (if you have them);
  • Attached FRST fixlog;



#10 rookierook


Posted 02 May 2016 - 06:10 PM

I have uninstalled the following (with the exception of uTorrent):

- AVS Registry Cleaner
- Adobe AIR
- HiJackThis
- Java 8 Update 91

I've also attached the log files for ComboFix and two for ADWCleaner (labeled 'C1' and 'S1') prior to starting this thread. Unfortunately, there are no logs at all for Malwarebytes despite me using only the default settings. If you like, I will do another scan to create a new log, though the scan process takes about 4-6 hours. So likely I won't be able to put it up until the next day or two. Otherwise, I will go ahead and do the instructions for FRST and upload the result in my next post.

Attached Files



#11 rookierook


Posted 03 May 2016 - 03:50 PM

I've chosen to go ahead and follow the instructions for the FRST program and attached the fixlog.



#12 Aura


Posted 03 May 2016 - 04:19 PM

I do not see a fixlog attached in your previous post (or in the one before that). Can you try to attach it again please? :)



#13 rookierook


Posted 04 May 2016 - 12:43 AM

Here is the file again. And just in case, here is the link on Google Drive as well:

https://drive.google.com/open?id=0B26yWeynXuFGY3pVQTdTN2xuYms

Attached Files



#14 Aura


Posted 04 May 2016 - 07:31 AM

Thank you for the logs :)

The second time worked (the fixlog.txt is indeed attached). The trick is to reply to a thread using the full editor (by clicking on the More Reply Options), and from there, when you attach a file, click on the Preview Post button (just on the right of Add Reply). This will show you your post as if you were posting it, and you'll see if the file is attached or not :)

Now I would like to verify a few folders on your system to see if they are indeed present or not. Follow the instructions below please.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste that log in your next reply;


Your next reply should include:
  • Copy/pasted content of the FRST fixlog;



#15 rookierook


Posted 04 May 2016 - 02:38 PM

Here is the latest fixlog file as requested.

Attached Files





