Cleaned Infection, Now SFC fails due to corrupt system files


28 replies to this topic

#1 Sezneg


Posted 01 May 2016 - 09:01 PM

Hello,

 

I have been working to clean a computer, and seemed to have gotten it tamped down using the normal tools.  However, afterwards I decided to check the file system for any nasty bits left over and found several corrupt system files that cannot be automatically cleaned via the DISM tool.

 

Because the issue was definitely caused by an infection, I wanted to post here rather than the Windows 10 support section. I will be happy to run fresh logs using any tools you would recommend.

 

I have used a log generating tool to nail down which 3 files are at issue:

 

SFCFix version 3.0.0.0 by niemiro.
Start time: 2016-05-01 21:36:44.875
Microsoft Windows 10 Build 10586 - amd64
Not using a script file.
 
 
 
 
AutoAnalysis::
WARNING: Failed to get store name from identity name with return code 2 for component Microsoft-Windows-iSCSI_Initiator_UI and file iSCSI Initiator.lnk. File is reported as corrupt by SFC.
CORRUPT: iSCSI Initiator.lnk of component Microsoft-Windows-iSCSI_Initiator_UI.
 
WARNING: Failed to get store name from identity name with return code 2 for component Microsoft-Windows-Microsoft-Data-Access-Components-(MDAC)-ODBC-Administrator and file ODBC Data Sources (64-bit).lnk. File is reported as corrupt by SFC.
CORRUPT: ODBC Data Sources (64-bit).lnk of component Microsoft-Windows-Microsoft-Data-Access-Components-(MDAC)-ODBC-Administrator.
 
WARNING: Failed to get store name from identity name with return code 2 for component Microsoft-Windows-Microsoft-Data-Access-Components-(MDAC)-ODBC-Administrator and file ODBC Data Sources (32-bit).lnk. File is reported as corrupt by SFC.
CORRUPT: ODBC Data Sources (32-bit).lnk of component Microsoft-Windows-Microsoft-Data-Access-Components-(MDAC)-ODBC-Administrator.
 
 
 
 
SUMMARY: Some corruptions could not be fixed automatically. Seek advice from helper or sysnative.com.
   CBS & SFC total detected corruption count:     3
   CBS & SFC total unimportant corruption count:  0
   CBS & SFC total fixed corruption count:        0
   SURT total detected corruption count:          0
   SURT total unimportant corruption count:       0
   SURT total fixed corruption count:             0
AutoAnalysis:: directive completed successfully.
 
 
 
 
Successfully processed all directives.
SFCFix version 3.0.0.0 by niemiro has completed.
Currently storing 0 datablocks.
Finish time: 2016-05-01 21:42:23.685
----------------------EOF-----------------------



 


#2 Aura


Posted 02 May 2016 - 08:02 AM

Hi Sezneg :)

If you need assistance using SFCFix, I suggest you get help in the Windows Update section of Sysnative. Reason being that Sysnative is the home forum of SFCFix and its developer (niemiro), and the helpers there are trained in reading, analyzing and creating fixes from the logs it outputs. If you wish, feel free to post the URL of the thread you'll create on Sysnative here so I can go take a look at it.

Thank you!

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Sezneg


Posted 02 May 2016 - 09:06 AM

Hello Aura,

 

I may end up needing to go that route, but I'd like to be 100% sure this thing is clean of infection beforehand. Another symptom is that Microsoft Edge does not function. The app loads, but it does not actually load or render any web pages. I suspect there may be a few more bits of the infection floating around. Should we do some checking on that first?



#4 Aura


Posted 02 May 2016 - 09:08 AM

We can, yes :) Let's get a basic overview of your system first.

MiniToolBox
  • Download MiniToolBox and move the file to your Desktop;
  • Right-click on MiniToolBox.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Check the following options:
    • Flush DNS;
    • Report IE Proxy Settings;
    • Reset IE Proxy Settings;
    • Report FF Proxy Settings;
    • Reset FF Proxy Settings;
    • List content of Hosts;
    • List IP Configuration;
    • List Winsock Entries;
    • List Last 10 Event Viewer Errors;
    • List Installed Programs;
    • List Devices - Only Problems;
    • List Users, Partitions and Memory size;
  • Once this is done, click on Go and wait for the scan to complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;



#5 Sezneg


Posted 02 May 2016 - 09:26 PM

Here's the log:
 
MiniToolBox by Farbar  Version: 07-02-2016 01
Ran by Matthew (administrator) on 02-05-2016 at 22:23:31
Running from "C:\Users\Matthew\Desktop"
Microsoft Windows 10 Pro  (X64)
Model: All Series Manufacturer: ASUS
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
127.0.0.1       localhost
========================= IP Configuration: ================================
 
Realtek PCIe GBE Family Controller = Ethernet (Connected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global defaultcurhoplimit=64 icmpredirects=enabled taskoffload=disabled
set interface interface="Ethernet" forwarding=disabled advertise=disabled metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled ecncapability=ecndisabled
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : Sezneg
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Belkin
 
Ethernet adapter Ethernet:
 
   Connection-specific DNS Suffix  . : Belkin
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : BC-EE-7B-8D-AE-1E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::6194:dd39:87d7:e7dc%2(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.2.7(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, May 2, 2016 9:48:28 AM
   Lease Expires . . . . . . . . . . : Friday, June 9, 2152 4:51:47 AM
   Default Gateway . . . . . . . . . : 192.168.2.1
   DHCP Server . . . . . . . . . . . : 192.168.2.1
   DHCPv6 IAID . . . . . . . . . . . : 264040059
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-A3-FE-18-BC-EE-7B-8D-AE-1E
   DNS Servers . . . . . . . . . . . : 192.168.2.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
Server:  
Address:  192.168.2.1
 
Name:    google.com
Addresses:  2607:f8b0:4002:c0c::64
 74.125.138.139
 74.125.138.113
 74.125.138.138
 74.125.138.101
 74.125.138.102
 74.125.138.100
 
 
Pinging google.com [173.194.219.101] with 32 bytes of data:
Reply from 173.194.219.101: bytes=32 time=20ms TTL=42
Reply from 173.194.219.101: bytes=32 time=29ms TTL=42
 
Ping statistics for 173.194.219.101:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 20ms, Maximum = 29ms, Average = 24ms
Server:  
Address:  192.168.2.1
 
Name:    yahoo.com
Addresses:  2001:4998:c:a06::2:4008
 2001:4998:44:204::a7
 2001:4998:58:c02::a9
 206.190.36.45
 98.138.253.109
 98.139.183.24
 
 
Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=51ms TTL=43
Reply from 98.139.183.24: bytes=32 time=52ms TTL=43
 
Ping statistics for 98.139.183.24:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 51ms, Maximum = 52ms, Average = 51ms
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
  2...bc ee 7b 8d ae 1e ......Realtek PCIe GBE Family Controller
  1...........................Software Loopback Interface 1
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1      192.168.2.7     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.2.0    255.255.255.0         On-link       192.168.2.7    276
      192.168.2.7  255.255.255.255         On-link       192.168.2.7    276
    192.168.2.255  255.255.255.255         On-link       192.168.2.7    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.2.7    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.2.7    276
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  2    276 fe80::/64                On-link
  2    276 fe80::6194:dd39:87d7:e7dc/128
                                    On-link
  1    306 ff00::/8                 On-link
  2    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\WINDOWS\SysWOW64\napinsp.dll [55808] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 04 C:\WINDOWS\SysWOW64\NLAapi.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog5 06 C:\WINDOWS\SysWOW64\winrnr.dll [23552] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\pnrpnsp.dll [87040] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [87040] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\NLAapi.dll [80896] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [31744] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (05/02/2016 10:07:11 AM) (Source: Application Error) (User: )
Description: Faulting application name: MicrosoftEdge.exe, version: 11.0.10586.218, time stamp: 0x56ff3b2e
Faulting module name: MicrosoftEdge.exe, version: 11.0.10586.218, time stamp: 0x56ff3b2e
Exception code: 0xc0000005
Fault offset: 0x00000000000cf1f3
Faulting process id: 0xe30
Faulting application start time: 0xMicrosoftEdge.exe0
Faulting application path: MicrosoftEdge.exe1
Faulting module path: MicrosoftEdge.exe2
Report Id: MicrosoftEdge.exe3
Faulting package full name: MicrosoftEdge.exe4
Faulting package-relative application ID: MicrosoftEdge.exe5
 
Error: (05/01/2016 09:42:01 PM) (Source: Perflib) (User: )
Description: .NETFrameworkC:\WINDOWS\system32\mscoree.dll8
 
Error: (05/01/2016 07:13:17 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: SEZNEG)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (05/01/2016 07:09:27 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: SEZNEG)
Description: Activation of app Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (05/01/2016 07:09:10 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: SEZNEG)
Description: Activation of app Microsoft.WindowsStore_8wekyb3d8bbwe!App failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (05/01/2016 07:09:10 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: SEZNEG)
Description: Activation of app Microsoft.WindowsStore_8wekyb3d8bbwe!App failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (05/01/2016 07:09:10 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: SEZNEG)
Description: Activation of app Microsoft.WindowsStore_8wekyb3d8bbwe!App failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (05/01/2016 07:09:10 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: SEZNEG)
Description: Activation of app Microsoft.WindowsStore_8wekyb3d8bbwe!App failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (05/01/2016 07:09:10 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: SEZNEG)
Description: Activation of app microsoft.windowscommunicationsapps_8wekyb3d8bbwe!ppleae38af2e007f4358a809ac99a64a67c1 failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (05/01/2016 07:09:10 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: SEZNEG)
Description: Activation of app Microsoft.WindowsStore_8wekyb3d8bbwe!App failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
 
System errors:
=============
Error: (05/02/2016 10:23:22 PM) (Source: DCOM) (User: SEZNEG)
Description: machine-defaultLocalActivation{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}SeznegMatthewS-1-5-21-1814717882-3326078079-3800742243-1001LocalHost (Using LRPC)Microsoft.Windows.FeatureOnDemand.InsiderHub_10.0.10586.0_neutral_neutral_cw5n1h2txyewyS-1-15-2-4016783169-893401051-2237370320-274899566-412088533-2398988950-2155762795
 
Error: (05/02/2016 10:12:45 AM) (Source: DCOM) (User: SEZNEG)
Description: {0002DF02-0000-0000-C000-000000000046}
 
Error: (05/02/2016 10:12:40 AM) (Source: Service Control Manager) (User: )
Description: The User Data Access_256be5 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.
 
Error: (05/02/2016 10:12:40 AM) (Source: Service Control Manager) (User: )
Description: The User Data Storage_256be5 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.
 
Error: (05/02/2016 10:12:40 AM) (Source: Service Control Manager) (User: )
Description: The Contact Data_256be5 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.
 
Error: (05/02/2016 10:12:40 AM) (Source: Service Control Manager) (User: )
Description: The Sync Host_256be5 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.
 
Error: (05/02/2016 10:12:40 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)UnavailableUnavailable
 
Error: (05/02/2016 10:08:28 AM) (Source: DCOM) (User: SEZNEG)
Description: application-specificLocalActivation{9E175B6D-F52A-11D8-B9A5-505054503030}{9E175B9C-F52A-11D8-B9A5-505054503030}SeznegMatthewS-1-5-21-1814717882-3326078079-3800742243-1001LocalHost (Using LRPC)Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbweS-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194
 
Error: (05/02/2016 10:08:27 AM) (Source: DCOM) (User: SEZNEG)
Description: application-specificLocalActivation{9E175B6D-F52A-11D8-B9A5-505054503030}{9E175B9C-F52A-11D8-B9A5-505054503030}SeznegMatthewS-1-5-21-1814717882-3326078079-3800742243-1001LocalHost (Using LRPC)Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbweS-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-4256926629-1688279915-2739229046-3928706915
 
Error: (05/02/2016 09:48:29 AM) (Source: Service Control Manager) (User: )
Description: The Niidla service failed to start due to the following error: 
%%2
 
 
Microsoft Office Sessions:
=========================
Error: (05/02/2016 10:07:11 AM) (Source: Application Error)(User: )
Description: MicrosoftEdge.exe11.0.10586.21856ff3b2eMicrosoftEdge.exe11.0.10586.21856ff3b2ec000000500000000000cf1f3e3001d1a47b6959d453C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exeC:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe82555947-3859-4508-96a8-5d3b55fe29a9Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbweMicrosoftEdge
 
Error: (05/01/2016 09:42:01 PM) (Source: Perflib)(User: )
Description: .NETFrameworkC:\WINDOWS\system32\mscoree.dll8
 
Error: (05/01/2016 07:13:17 PM) (Source: Microsoft-Windows-Immersive-Shell)(User: SEZNEG)
Description: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI-2144927149
 
Error: (05/01/2016 07:09:27 PM) (Source: Microsoft-Windows-Immersive-Shell)(User: SEZNEG)
Description: Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge-2144927149
 
Error: (05/01/2016 07:09:10 PM) (Source: Microsoft-Windows-Immersive-Shell)(User: SEZNEG)
Description: Microsoft.WindowsStore_8wekyb3d8bbwe!App-2144927149
 
Error: (05/01/2016 07:09:10 PM) (Source: Microsoft-Windows-Immersive-Shell)(User: SEZNEG)
Description: Microsoft.WindowsStore_8wekyb3d8bbwe!App-2144927149
 
Error: (05/01/2016 07:09:10 PM) (Source: Microsoft-Windows-Immersive-Shell)(User: SEZNEG)
Description: Microsoft.WindowsStore_8wekyb3d8bbwe!App-2144927149
 
Error: (05/01/2016 07:09:10 PM) (Source: Microsoft-Windows-Immersive-Shell)(User: SEZNEG)
Description: Microsoft.WindowsStore_8wekyb3d8bbwe!App-2144927149
 
Error: (05/01/2016 07:09:10 PM) (Source: Microsoft-Windows-Immersive-Shell)(User: SEZNEG)
Description: microsoft.windowscommunicationsapps_8wekyb3d8bbwe!ppleae38af2e007f4358a809ac99a64a67c1-2144927149
 
Error: (05/01/2016 07:09:10 PM) (Source: Microsoft-Windows-Immersive-Shell)(User: SEZNEG)
Description: Microsoft.WindowsStore_8wekyb3d8bbwe!App-2144927149
 
 
CodeIntegrity Errors:
===================================
  Date: 2016-05-02 10:08:27.682
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume1\Program Files\TortoiseSVN\bin\TortoiseStub.dll that did not meet the Store signing level requirements.
 
  Date: 2016-05-01 22:57:13.103
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-05-01 22:57:13.040
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\winhttp.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-05-01 22:57:13.035
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\winhttp.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-05-01 22:57:13.012
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\winhttp.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-05-01 22:57:13.005
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\winhttp.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-05-01 22:57:12.998
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\winhttp.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-05-01 22:56:13.086
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-05-01 22:56:13.021
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\winhttp.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-05-01 22:56:13.016
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\winhttp.dll because the set of per-page image hashes could not be found on the system.
 
 
=========================== Installed Programs ============================
 
7-Zip 9.20 (HKLM-x32\...\{23170F69-40C1-2701-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Akamai NetSession Interface (HKCU\...\Akamai) (Version:  - Akamai Technologies, Inc)
Arc (HKLM-x32\...\{CED8E25B-122A-4E80-B612-7F99B93284B3}) (Version: 1.0.0.9668 - Perfect World Entertainment)
Bandicam (HKLM-x32\...\Bandicam) (Version: 2.2.2.790 - Bandisoft.com)
Bandisoft MPEG-1 Decoder (HKLM-x32\...\BandiMPEG1) (Version:  - Bandisoft.com)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
Bethesda.net Launcher (HKLM-x32\...\{3448917E-E4FE-4E30-9502-9FD52EABB6F5}_is1) (Version: 1.0 - Bethesda Softworks)
BitRaider Streaming Client (HKLM-x32\...\BitRaider Streaming Client) (Version: 1.3.3.4098 - BitRaider, LLC)
BitRaider Web Client (HKLM-x32\...\BitRaider Web Client) (Version: 1.1.9.9 - BitRaider, LLC)
BOSS (HKLM-x32\...\BOSS) (Version: 2.1.1 - BOSS Development Team)
BOSS Userlist Manager (HKLM-x32\...\{BCBC36F3-B413-4E0E-9EC4-CA8A5584808B}) (Version: 6.7 - Surazal)
Canon MX340 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX340_series) (Version:  - )
Counter-Strike: Global Offensive (HKLM-x32\...\Steam App 730) (Version:  - Valve)
Counter-Strike: Source (HKLM-x32\...\Steam App 240) (Version:  - Valve)
Creation Kit (HKLM-x32\...\Steam App 202480) (Version:  - bgs.bethsoft.com)
Deus Ex: Human Revolution - Director's Cut (HKLM-x32\...\Steam App 238010) (Version:  - Eidos Montreal)
Diablo III (HKLM-x32\...\Diablo III) (Version:  - Blizzard Entertainment)
Dungeons & Dragons Online (HKLM-x32\...\Dungeons & Dragons Online) (Version:  - Turbine, Inc)
Endless Legend (HKLM-x32\...\Steam App 289130) (Version:  - AMPLITUDE Studios)
Endless Space (HKLM-x32\...\Steam App 208140) (Version:  - AMPLITUDE Studios)
EVGA Precision X 4.2.1 (HKLM-x32\...\PrecisionX) (Version: 4.2.1 - EVGA Corporation)
Fallout: New Vegas (HKLM-x32\...\Steam App 22380) (Version:  - Obsidian Entertainment)
Fallout4Checklist (HKLM-x32\...\{35E79C06-F6CE-4385-B4B7-508D20DB286A}) (Version: 1.0.0 - Fallout4Checklist)
GIMP 2.8.16 (HKLM\...\GIMP-2_is1) (Version: 2.8.16 - The GIMP Team)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 50.0.2661.94 - Google Inc.)
Google Drive (HKLM-x32\...\{D7269C20-B3CE-4CD0-8E88-3D307D3BD41A}) (Version: 1.29.2074.1528 - Google, Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.29.5 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
Guild Wars 2 (HKLM-x32\...\Guild Wars 2) (Version:  - NCsoft Corporation, Ltd.)
Happy Cloud Client (HKCU\...\HappyCloud) (Version: 4.28 - Happy Cloud, Inc.)
HiAlgo BOOST 5.0 (HKCU\...\HiAlgoBOOST) (Version: 5.0 - HiAlgo Inc.)
Intel® Driver Update Utility 2.0 (HKLM-x32\...\{59DB38EB-F864-4E10-841D-38CFBCF864B0}) (Version: 2.0.0.29 - Intel) Hidden
Intel® Driver Update Utility (HKLM-x32\...\{8409c4f7-2340-4933-a304-5d37db4fb48b}) (Version: 2.0.0.29 - Intel)
Java 8 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
LOOT version 0.8.1 (HKLM-x32\...\{BF634210-A0D4-443F-A657-0DCE38040374}_is1) (Version: 0.8.1 - LOOT Team)
Magister Modmod for FfH2 April 16 2016 (HKLM-x32\...\{71C68BFF-4F7F-4A95-927D-C32B6A4EDE07}_is1) (Version:  - )
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Master of Mana 2.11 (HKLM-x32\...\{CB5CB8BF-D93F-4CCD-9D87-29368010DB2A}_is1) (Version:  - )
MechWarrior Online (HKLM-x32\...\{1A14AC87-9585-4AC5-BA5D-0A3A4C6AF7D4}) (Version: 1.6.1.0 - Piranha Games Inc.) Hidden
MechWarrior Online (HKLM-x32\...\{9f17023b-d04f-432b-b08a-3bb4c3a7ed3c}) (Version: 1.6.0.0 - Piranha Games Inc.)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
mIRC (HKLM-x32\...\mIRC) (Version: 7.44 - mIRC Co. Ltd.)
MWO Public Test (HKLM-x32\...\{292A297A-CF39-497C-B5EE-48A2B1C8C483}) (Version: 1.5.0.0 - Piranha Games Inc.) Hidden
MWO Public Test (HKLM-x32\...\{4ee8dd3b-b1b6-4974-a271-d9423b69af3c}) (Version: 1.5.0.0 - Piranha Games Inc.)
Nexus Mod Manager (HKLM\...\6af12c54-643b-4752-87d0-8335503010de_is1) (Version: 0.60.14 - Black Tree Gaming)
NVIDIA 3D Vision Controller Driver 352.65 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 352.65 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 362.00 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 362.00 - NVIDIA Corporation)
NVIDIA GeForce Experience 2.11.2.55 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.11.2.55 - NVIDIA Corporation)
NVIDIA Graphics Driver 362.00 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 362.00 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.34.4 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.34.4 - NVIDIA Corporation)
NVIDIA Miracast Virtual Audio 347.88 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Miracast.VirtualAudio) (Version: 347.88 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.15.0428 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.15.0428 - NVIDIA Corporation)
Origin (HKLM-x32\...\Origin) (Version: 9.4.22.2815 - Electronic Arts, Inc.)
Path of Exile - The Awakening Closed Beta (HKLM-x32\...\{08614ECB-C254-422C-AB67-C51E98CD1F78}) (Version: 2.0.0.41339 - Grinding Gear Games)
Path of Exile (HKLM-x32\...\{90A4562F-D4A1-4B65-906D-41F236CF6902}) (Version: 1.3.0.38761 - Grinding Gear Games)
Razer Synapse (HKLM-x32\...\{0D78BEE2-F8FF-4498-AF1A-3FF81CED8AC6}) (Version: 1.18.21.28549 - Razer Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7535 - Realtek Semiconductor Corp.)
Shadowrun: Hong Kong (HKLM-x32\...\Steam App 346940) (Version:  - Harebrained Schemes)
SHIELD Streaming (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_GFExperience.NvStreamSrv) (Version: 7.1.0280 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_ShieldWirelessController) (Version: 2.11.2.55 - NVIDIA Corporation) Hidden
Sid Meier's Civilization 4 - Beyond the Sword (HKLM-x32\...\{32E4F0D2-C135-475E-A841-1D59A0D22989}) (Version: 3.19 - Firaxis Games)
Sid Meier's Civilization 4 Complete (HKLM-x32\...\{30D1F3D2-54CF-481D-A005-F94B0E98FEEC}) (Version: 1.74 - Firaxis Games)
Sid Meier's Civilization IV Colonization (HKLM-x32\...\{EF36A836-BF89-4A4F-B079-057B0C68C1E0}) (Version: 1.00 - Firaxis Games)
Sid Meier's Civilization V (HKLM-x32\...\Steam App 8930) (Version:  - 2K Games, Inc.)
Skype™ 6.20 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.20.104 - Skype Technologies S.A.)
Smart Technology Programming Software 7.0.27.13 (HKLM\...\{BD90BC1C-115D-47E1-B85C-07AE182C3AB8}) (Version: 7.0.27.13 - Mad Catz)
Star Wars The Old Republic (HKLM-x32\...\swtor_swtor) (Version: 8.0.0.17 - Bioware/EA)
Star Wars: The Old Republic (HKLM-x32\...\{3B11D799-48E0-48ED-BFD7-EA655676D8BB}) (Version: 1.00 - Electronic Arts, Inc.)
STO Combat Meter (HKCU\...\e540e1f6294bec51) (Version: 1.0.0.105 - STO Combat Meter)
STO Keybinds (HKCU\...\73217bad652635ca) (Version: 1.0.0.120 - Federation Emergency Services)
TeamSpeak 3 Client (HKLM\...\TeamSpeak 3 Client) (Version: 3.0.18.2 - TeamSpeak Systems GmbH)
The Elder Scrolls Online (HKLM-x32\...\The Elder Scrolls Online) (Version: 1.0.0.0 - Zenimax Online Studios)
The Lord of the Rings Online™ v1301.0055.0535.4025 (HKLM-x32\...\12bbe590-c890-11d9-9669-0800200c9a66_is1) (Version: 1301.0055.0535.4025 - Turbine, Inc.)
The Lord of the Rings Online™: Bullroarer v1400.0055.1429.1379 (HKLM-x32\...\e01f4d10-f2d0-11dd-ba2f-0800200c9a66_is1) (Version: 1400.0055.1429.1379 - Turbine, Inc.)
TortoiseSVN 1.9.4.27285 (64 bit) (HKLM\...\{62C19AB2-8485-4E18-A9D3-EFA612B8AE74}) (Version: 1.9.27285 - TortoiseSVN)
Tweaking.com - Windows Repair (HKLM-x32\...\Tweaking.com - Windows Repair) (Version: 3.8.7 - Tweaking.com)
Ultima Online: Mondain's Legacy (HKLM-x32\...\{DF7B213D-2065-41ED-BB51-7A3EED31EA7B}) (Version: 1.00.0000 - EA Games)
Vampire: The Masquerade - Bloodlines (HKLM-x32\...\Steam App 2600) (Version:  - Troika Games)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
WhoCrashed 5.00 (HKLM\...\WhoCrashed_is1) (Version:  - Resplendence Software Projects Sp.)
WinRAR 5.31 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.31.0 - win.rar GmbH)
Wise Registry Cleaner 8.12 (HKLM-x32\...\Wise Registry Cleaner_is1) (Version: 8.12 - WiseCleaner.com, Inc.)
Wrye Bash (HKLM-x32\...\Wrye Bash) (Version: 0.3.0.6 - Wrye & Wrye Bash Development Team)
XCom Long War EW Mod version Beta 15d2 (HKLM-x32\...\{860C3266-65B9-4BF2-937A-1778483046B5}_is1) (Version: Beta 15d2 - JohnnyLump)
XCOM: Enemy Unknown (HKLM-x32\...\Steam App 200510) (Version:  - Firaxis Games)
 
========================= Devices: ================================
 
 
========================= Memory info: ===================================
 
Percentage of memory in use: 13%
Total physical RAM: 16322.39 MB
Available physical RAM: 14086.9 MB
Total Virtual: 18754.39 MB
Available Virtual: 16337.44 MB
 
========================= Partitions: =====================================
 
1 Drive a: (Storage) (Fixed) (Total:698.51 GB) (Free:377.97 GB) NTFS
2 Drive c: (New Volume) (Fixed) (Total:223.13 GB) (Free:33.08 GB) NTFS
3 Drive d: (ESD-ISO) (CDROM) (Total:3.37 GB) (Free:0 GB) UDF
 
========================= Users: ========================================
 
User accounts for \\SEZNEG
 
Administrator            DefaultAccount           Guest                    
Matthew                  
 
 
**** End of log ****


#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,480 posts

Posted 03 May 2016 - 05:18 AM

Registry Cleaners Warning!
Registry Cleaners are known to be harmful to the system and should not be used for any reason. It's a known fact that using these programs can easily break a Windows installation, to the point where a complete reinstallation might be needed. Here are a few myths about using these programs, and why they are just plainly false.
  • "Using a Registry Cleaner will improve a system's performance" - False. The Windows Registry is a big database which contains information on everything present on the system, from the boot settings to how your programs look when you open them. There are so many entries in it that cleaning even thousands of them isn't enough to boost a system's performance. Also, there are no studies, tests, benchmarks, etc. which show that using Registry Cleaners actually improves a system's speed;
  • "Using a Registry Cleaner will fix all your errors" - False. Using a Registry Cleaner won't fix any problems at all. In fact, it has more chances to create them if anything. There's no program that can fix every problem in a simple click, and there probably never will be. If you have an error, it's better to troubleshoot that error in particular by finding what's causing it and fixing it than using a software that might give you more errors;
  • "If you don't use a Registry Cleaner, you'll leave a door open for malware" - False. It is rare that malware will actually hijack orphaned keys and keypairs in the Registry to create persistence or install themselves. They'll usually create their own keys/keypairs since they have been instructed (coded) to do so, and the creator cannot expect every system he'll infect to have leftover keys. Also, pretty much only Reg Loading Points in the Registry would be of any interest for a malware to hijack, and these are usually occupied already, or quickly deleted when empty;
  • Registry Cleaners aren't Registry Defraggers - These are two different kinds of software which have two distinct functions;
  • On a last note, there are a lot of Registry Cleaners out there that won't create a back-up of your Registry before applying the changes they make. Which means that if you use them and clean entries that prevent Windows from rebooting after, locking you out of your computer, you won't be able to restore a previous Registry back-up via the Recovery PE. This means that if you can't fix the boot issue after that, you'll most likely be forced to reinstall Windows;
Registry Cleaners were used back in the days by developers who were using an OLE-schema for their applications. They used these to clean the Registry after uninstalling their programs, just in case there were traces of it left behind that could affect a reinstallation. These were back in the Windows 95 and Windows 98 days and this practice isn't in effect anymore. Therefore, there's no reason for you to use such programs and quite a few to avoid them instead.

Here are more articles on Registry Cleaners that are worth a read if you want to learn more about them and why you shouldn't use them. This being said, I would uninstall Wise Registry Cleaner.

Now, let's do a quick sweep using JRT, AdwCleaner and Malwarebytes to see if they detect anything.

Junkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press on any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;
AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;
Malwarebytes Anti-Malware - Clean Mode
  • Download and install the free version of Malwarebytes Anti-Malware
    Note: It's your choice if you want to enable the free trial of Malwarebytes Premium or not. Enabling it will give you real-time protection from the program, as well as access to all the Premium features.
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the Update Now button;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run, the time required to complete the scan depends on your system and computer specs;
  • Once the scan is complete, make sure that the checkbox by Threat is checked (it means that every item detected is checked), then click on the Remove Selected button;
  • Click on Save Results after the deletion (in the bottom-right corner) and select Copy to clipboard. Paste the content in your next reply;
Your next reply(ies) should therefore contain:
  • Copy/pasted JRT log;
  • Copy/pasted AdwCleaner clean log;
  • Copy/pasted Malwarebytes clean log;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#7 Sezneg

Sezneg
  • Topic Starter

  • Members
  • 43 posts

Posted 03 May 2016 - 09:51 PM

Here are the logs.  It does look like some part of the problem is hanging about.  The MWB scan as of 2 days ago was clean, so something is still unloading payload.

 

JRT:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows 10 Pro x64 
Ran by Matthew (Administrator) on Tue 05/03/2016 at 22:21:03.64
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 10 
 
Successfully deleted: C:\ProgramData\19a87fa1ec024bbcbb41931263354405 (Folder) 
Successfully deleted: C:\ProgramData\28341ff220e0446c9fff27c4493d622e (Folder) 
Successfully deleted: C:\ProgramData\thunder network (Folder) 
Successfully deleted: C:\Users\Matthew\AppData\Local\crashrpt (Folder) 
Successfully deleted: C:\Users\Matthew\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_services.hearstmags.com_0.localstorage-journal (File) 
Successfully deleted: C:\Users\Matthew\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_services.hearstmags.com_0.localstorage (File) 
Successfully deleted: C:\Users\Matthew\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage-journal (File) 
Successfully deleted: C:\Users\Matthew\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage (File) 
Successfully deleted: C:\Users\Matthew\Appdata\LocalLow\company (Folder) 
Successfully deleted: C:\Users\Public\thunder network (Folder) 
 
 
 
Registry: 2 
 
Successfully deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3DFF5417-DD34-4574-9543-B39C282D0DAF} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3DFF5417-DD34-4574-9543-B39C282D0DAF} (Registry Key)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 05/03/2016 at 22:22:14.33
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
ADW:
 
# AdwCleaner v5.115 - Logfile created 03/05/2016 at 22:26:16
# Updated 01/05/2016 by Xplode
# Database : 2016-05-01.2 [Server]
# Operating system : Windows 10 Pro  (X64)
# Username : Matthew - SEZNEG
# Running from : C:\Users\Matthew\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
 
***** [ Files ] *****
 
 
***** [ DLLs ] *****
 
 
***** [ WMI ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
[-] Key Deleted : HKLM\SYSTEM\CurrentControlSet\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}
[-] Key Deleted : HKLM\SYSTEM\CurrentControlSet\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}
 
***** [ Web browsers ] *****
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C1].txt - [8179 bytes] - [01/05/2016 17:48:11]
C:\AdwCleaner\AdwCleaner[C2].txt - [984 bytes] - [03/05/2016 22:26:16]
C:\AdwCleaner\AdwCleaner[S1].txt - [8213 bytes] - [01/05/2016 17:47:42]
C:\AdwCleaner\AdwCleaner[S2].txt - [1107 bytes] - [03/05/2016 22:24:37]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [1202 bytes] ##########
 
MWB:
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 5/3/2016
Scan Time: 10:33 PM
Logfile: 
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.05.04.01
Rootkit Database: v2016.04.17.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: Matthew
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 348050
Time Elapsed: 5 min, 17 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 2
PUP.Optional.Tuto4PC, HKLM\SOFTWARE\MICROSOFT\TRACING\otutnetwork_RASAPI32, Quarantined, [9d44e7eab8e178be69ff3c8155af6a96], 
PUP.Optional.Tuto4PC, HKLM\SOFTWARE\MICROSOFT\TRACING\otutnetwork_RASMANCS, Quarantined, [09d8e8e999004ceaacbc3d802cd8fd03], 
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,480 posts

Posted 04 May 2016 - 05:19 AM

Thanks for the logs :) Let's see if EEK detects anything.

Emsisoft Emergency Kit
Follow the instructions below to run a scan using the Emsisoft Emergency Kit.
  • Download the Emsisoft Emergency Kit and execute it. From there, click on the Extract button to extract the program in the EEK folder;
  • Once the extraction is complete, Emsisoft Emergency Kit will open, and suggest you to run an online update before using the program. Click on Yes to launch it.
  • After the update, click on Malware Scan under 2. Scan and accept to let Emsisoft Emergency Kit detect PUPs (click on Yes).
  • Once the scan is complete, make sure that every item in the list is checked, and click on Quarantine selected;
  • If it asks you for a reboot to delete some items, click on Ok to reboot automatically;
  • After the restart, click on the Start Emsisoft Emergency Kit icon again on your desktop to open it;
  • This time, click on Logs;
  • From there, go under the Quarantine Log tab, and click on the Export button;
  • Save the log on your desktop, then open it, and copy/paste its content in your next reply;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#9 Sezneg

Sezneg
  • Topic Starter

  • Members
  • 43 posts

Posted 04 May 2016 - 09:09 AM

Here's the log:

 

Emsisoft Emergency Kit - Version 11.0
Quarantine log
 
Date Source Event Detection
5/4/2016 10:06:10 AM Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4} Moved to quarantine Application.AdInstall (A)
5/4/2016 10:06:10 AM C:\Program Files\Gifbuqmhymall\Gogmaopp.dll Moved to quarantine Gen:Variant.Razy.45753 (B
5/4/2016 10:06:10 AM C:\Program Files\Gifbuqmhymall\Pubfeg.dll Moved to quarantine Gen:Variant.Symmi.63169 (B
5/4/2016 10:06:10 AM C:\Program Files\Gifbuqmhymall\Rulco.dll Moved to quarantine Gen:Variant.Razy.44449 (B
5/4/2016 10:06:10 AM C:\Program Files\Gifbuqmhymall\Upydega.dll Moved to quarantine Gen:Variant.Symmi.63231 (B
5/4/2016 10:06:10 AM C:\Program Files\Gifbuqmhymall\Xedcawk.exe Moved to quarantine Gen:Variant.Graftor.282297 (B
5/4/2016 10:06:10 AM C:\Users\Matthew\AppData\Roaming\Bildiil\Seags.dll Moved to quarantine Trojan.GenericKD.3195544 (B
5/4/2016 10:06:09 AM C:\Users\Matthew\AppData\Roaming\Bildiil\Yekisl.dll Moved to quarantine Gen:Variant.Razy.36212 (B
5/4/2016 10:06:09 AM C:\Users\Matthew\AppData\Roaming\Bildiil\Seags.exe Moved to quarantine Trojan.GenericKD.3195553 (B
5/4/2016 10:06:09 AM C:\Users\Matthew\AppData\Roaming\Bildiil\Yekisl.exe Moved to quarantine Gen:Variant.Razy.29941 (B
5/4/2016 10:06:09 AM C:\Users\Matthew\AppData\Roaming\Josuwusmih\Coswetfyai.exe Moved to quarantine Gen:Variant.Razy.43389 (B
5/4/2016 10:06:09 AM C:\Users\Matthew\AppData\Roaming\Josuwusmih\Coswetfyai.dll Moved to quarantine Gen:Variant.Razy.36212 (B


#10 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,480 posts

Posted 04 May 2016 - 08:03 PM

Good :) Let's run a last scan with ESET Online Scanner to make sure that there isn't any remnants.

ESET Online Scanner
Note : If you use Internet Explorer to get the ESET Online Scanner, you won't have to download, nor install the tool, as everything will be run in a contextual (pop-up) window of Internet Explorer. However, for every other browser, you will have to download and install ESET Online Scanner. In this set of instructions, I'll use Google Chrome to download it and run it (since a lot of people will do it), however, except for the download and installation procedure, the same instructions apply if you use Internet Explorer. Please note that two or three prompts will appear if you use Internet Explorer asking you to reload the page, authorize the application, execute it, etc. Accept all of them in order to run ESET Online Scanner.
  • Download and execute ESET Online Scanner (on this window, click on ESET Smart Installer to trigger the download). People accessing this URL via Internet Explorer will start the integration process of ESET Online Scanner in their browser;
  • Once the installation is done (it requires Admin Rights), check the following settings (two of them are under Advanced Settings, click on it to display them) :
    • Enable detection of potentially unwanted applications;
    • Scan archives;
    • Scan for potentially unsafe applications;
    • Optional : If you want to scan more drives, click on Change... and select the drives you want to include in the scan;
  • After you're done checking these options, click on "Start" and ESET Online Scanner will download its virus signature database before starting the scan;
  • Once done, the scan will start automatically. Detections will appear at the bottom of the window. ESET Online Scanner can have an extremely long scan time that can last between 2 or 3 hours. So if you start the scan, do not interrupt it, let it complete until the end;
  • After the scan is finished, a summary window will appear to give you the information about the scan. Then you'll have the option to see what threats were found and to manage the threats that were quarantined;
  • Click on List of found threats, it'll display every threat identified during that scan, their type and what action was taken against them. Click on Copy to clipboard to copy these results to your clipboard and post them in your next reply;
  • Once you're done, click on the Back button, then click on the Finish button;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#11 Sezneg

Sezneg
  • Topic Starter

  • Members
  • 43 posts

Posted 05 May 2016 - 01:47 AM

I should note that Windows Defender had a few "threat detected" moments during this scan.

 

C:\Program Files\Gifbuqmhymall\Gogmaopp64.dll a variant of Win64/Toolbar.Perion.H potentially unwanted application cleaned by deleting
C:\Program Files\Gifbuqmhymall\Upydega64.dll a variant of Win64/Toolbar.Perion.L potentially unwanted application cleaned by deleting
C:\Users\Matthew\AppData\Roaming\Josuwusmih\Kabogaigr.dll a variant of Win64/TrojanDropper.Addrop.B trojan cleaned by deleting
C:\Users\Matthew\AppData\Roaming\Josuwusmih\Kabogaigr.exe a variant of Win64/TrojanDropper.Addrop.B trojan cleaned by deleting
C:\Users\Matthew\AppData\Roaming\uTorrent\updates\3.4.0_30635.exe a variant of Win32/AdkDLLWrapper.A potentially unwanted application cleaned by deleting
C:\Windows.old\Users\Matthew\AppData\Local\Microsoft\Windows\INetCache\IE\321YV50Y\Setup-102744125-102744125[1].exe a variant of Win32/DownloadAdmin.Q potentially unwanted application cleaned by deleting
C:\Windows.old\Users\Matthew\AppData\Local\Microsoft\Windows\INetCache\IE\321YV50Y\smp2[1].exe a variant of Win32/SpeedBit.AI potentially unwanted application cleaned by deleting
C:\Windows.old\Users\Matthew\AppData\Local\Microsoft\Windows\INetCache\IE\H759P6C1\YmMmf[1] multiple threats cleaned by deleting
C:\Windows.old\Users\Matthew\AppData\Local\Microsoft\Windows\INetCache\IE\VI032UH1\62793.WindApp.MON001.no[1].exe Win32/BubbleDock.C potentially unwanted application deleted
C:\Windows.old\Users\Matthew\AppData\Local\Microsoft\Windows\INetCache\IE\VI032UH1\63100.Bubble_Dock.BBD023.no[1].exe Win32/BubbleDock.C potentially unwanted application deleted
C:\Windows.old\Users\Matthew\AppData\Local\Microsoft\Windows\INetCache\IE\YCYW61SG\64999.Selection_Tools.ALT001[1].exe Win32/BubbleDock.C potentially unwanted application deleted
C:\Windows.old\Users\Matthew\AppData\Local\Microsoft\Windows\INetCache\IE\YCYW61SG\e8zDF[1] multiple threats cleaned by deleting
C:\Windows.old\Users\Matthew\AppData\Local\Temp\91E0.tmp.exe a variant of Win32/InstallCore.AGX potentially unwanted application cleaned by deleting
C:\Windows.old\Users\Matthew\AppData\Local\Temp\A294.tmp.exe a variant of Win32/InstallCore.AGX potentially unwanted application cleaned by deleting
C:\Windows.old\Users\Matthew\AppData\Local\Temp\BD2.tmp.exe a variant of Win32/InstallCore.AGX potentially unwanted application cleaned by deleting
C:\Windows.old\Users\Matthew\AppData\Local\Temp\compete.exe a variant of Win32/Compete.C potentially unwanted application deleted
C:\Windows.old\Users\Matthew\AppData\Local\Temp\D8ED.tmp.exe a variant of Win32/InstallCore.AGX potentially unwanted application cleaned by deleting
C:\Windows.old\Users\Matthew\AppData\Local\Temp\nsfE4F2.tmp a variant of Win32/Adware.ConvertAd.ADW application cleaned by deleting
C:\Windows.old\Users\Matthew\AppData\Local\Temp\nsp545B.tmp multiple threats cleaned by deleting
C:\Windows.old\Users\Matthew\AppData\Local\Temp\nsq681E.tmp multiple threats cleaned by deleting
C:\Windows.old\Users\Matthew\AppData\Local\Temp\nsr129B.tmp multiple threats cleaned by deleting
C:\Windows.old\Users\Matthew\AppData\Local\Temp\per320C.tmp Win32/SpeedBit.AK potentially unwanted application cleaned by deleting
C:\Windows.old\Users\Matthew\AppData\Local\Temp\San3209.tmp a variant of Win32/SpeedBit.AI potentially unwanted application cleaned by deleting
C:\Windows.old\Users\Matthew\AppData\Local\Temp\V8TEIKD49S.exe a variant of Win64/BubbleSound.A potentially unwanted application deleted
C:\Windows.old\Users\Matthew\AppData\Local\Temp\44649703\ic-0.6ed06668ea89a8.exe Win32/BubbleDock.A potentially unwanted application deleted
C:\Windows.old\Users\Matthew\AppData\Local\Temp\44649703\ic-0.a50edcc1e4e32.exe Win32/Adware.ConvertAd.AHN application cleaned by deleting
C:\Windows.old\Users\Matthew\AppData\Local\Temp\44649703\ic-0.ebf4496b9a8bb8.exe a variant of Win32/MPCCleaner.A potentially unwanted application cleaned by deleting
C:\Windows.old\Users\Matthew\AppData\Local\Temp\f9626892-7a78-3199-abd2-97bbce96297b\Extracted\adv_35.exe Win32/Toolbar.Conduit.R potentially unwanted application cleaned by deleting
C:\Windows.old\WINDOWS\Temp\bobca\Eobaeg.din a variant of Win32/Adware.PennyBee.AH application cleaned by deleting
C:\Windows.old\Users\Matthew\AppData\Local\Temp\nsi19E9.tmp a variant of Win32/Compete.A potentially unwanted application deleted
 


#12 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,480 posts

Posted 05 May 2016 - 05:21 AM

Do you see the following folders? You might have to enable Show hidden files, folders and drives and uncheck Hide protected operating system files (recommended) in the Folder Options in order to see them.
C:\Program Files\Gifbuqmhymall
C:\Users\Matthew\AppData\Roaming\Bildiil
C:\Users\Matthew\AppData\Roaming\Josuwusmih
If so, delete them. After that, please run TFC.

Temp File Cleaner (TFC)
  • Download Temp File Cleaner (TFC) and move it to your Desktop;
  • Right-click on TFC.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Simply click on Start to launch the clean-up and wait until it completes;
  • Depending on which processes are running, all your programs will be closed and explorer.exe (your Windows shell) will be killed, it will however be relaunched shortly after so do not panic;
  • There's no log to give for this tool;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
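
The three folders named in the post above are the parent directories of the files in the Emsisoft quarantine log posted earlier in the thread. As an added example (not part of the original posts or of any tool mentioned), this Python script parses that log format and groups file detections by parent folder so whole directories can be reviewed; the regular expression assumes the event text is always "Moved to quarantine", as in the posted log, and the function names are hypothetical.

```python
import os
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Lines copied from the Emsisoft quarantine log posted in this thread; the
# detection names are cut off after "(B" on the page and are left that way.
SAMPLE_LOG = r"""Date Source Event Detection
5/4/2016 10:06:10 AM Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4} Moved to quarantine Application.AdInstall (A)
5/4/2016 10:06:10 AM C:\Program Files\Gifbuqmhymall\Gogmaopp.dll Moved to quarantine Gen:Variant.Razy.45753 (B
5/4/2016 10:06:10 AM C:\Program Files\Gifbuqmhymall\Pubfeg.dll Moved to quarantine Gen:Variant.Symmi.63169 (B
5/4/2016 10:06:10 AM C:\Program Files\Gifbuqmhymall\Rulco.dll Moved to quarantine Gen:Variant.Razy.44449 (B
5/4/2016 10:06:10 AM C:\Program Files\Gifbuqmhymall\Upydega.dll Moved to quarantine Gen:Variant.Symmi.63231 (B
5/4/2016 10:06:10 AM C:\Program Files\Gifbuqmhymall\Xedcawk.exe Moved to quarantine Gen:Variant.Graftor.282297 (B
5/4/2016 10:06:10 AM C:\Users\Matthew\AppData\Roaming\Bildiil\Seags.dll Moved to quarantine Trojan.GenericKD.3195544 (B
5/4/2016 10:06:09 AM C:\Users\Matthew\AppData\Roaming\Bildiil\Yekisl.dll Moved to quarantine Gen:Variant.Razy.36212 (B
5/4/2016 10:06:09 AM C:\Users\Matthew\AppData\Roaming\Bildiil\Seags.exe Moved to quarantine Trojan.GenericKD.3195553 (B
5/4/2016 10:06:09 AM C:\Users\Matthew\AppData\Roaming\Bildiil\Yekisl.exe Moved to quarantine Gen:Variant.Razy.29941 (B
5/4/2016 10:06:09 AM C:\Users\Matthew\AppData\Roaming\Josuwusmih\Coswetfyai.exe Moved to quarantine Gen:Variant.Razy.43389 (B
5/4/2016 10:06:09 AM C:\Users\Matthew\AppData\Roaming\Josuwusmih\Coswetfyai.dll Moved to quarantine Gen:Variant.Razy.36212 (B
"""

# timestamp, then the source (paths may contain spaces), then the event text,
# then the detection name. Assumption: the event is "Moved to quarantine".
LINE_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<source>.+?) Moved to quarantine (?P<detection>.+)$"
)


def parse_quarantine_log(text):
    """Return one dict per quarantine event; the header and unparsable lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue
        source = m.group("source")
        is_key = source.startswith("Key: ")
        entries.append({
            "when": m.group("when"),
            "kind": "registry" if is_key else "file",
            "source": source[len("Key: "):] if is_key else source,
            "detection": m.group("detection"),
        })
    return entries


def folders_to_review(entries, min_hits=2):
    """Map each parent folder holding >= min_hits quarantined files to their names.

    Windows paths are case-insensitive, so folders are grouped on the
    lower-cased path and reported with the first spelling seen.
    """
    names_by_folder = defaultdict(list)
    display = {}
    for entry in entries:
        if entry["kind"] != "file":
            continue
        path = PureWindowsPath(entry["source"])
        key = str(path.parent).lower()
        display.setdefault(key, str(path.parent))
        names_by_folder[key].append(path.name)
    return {
        display[key]: sorted(names)
        for key, names in sorted(names_by_folder.items())
        if len(names) >= min_hits
    }


def still_on_disk(folders):
    """Return the folders that still exist (meaningful only on the affected machine)."""
    return [folder for folder in folders if os.path.isdir(folder)]


if __name__ == "__main__":
    found = folders_to_review(parse_quarantine_log(SAMPLE_LOG))
    for folder, names in found.items():
        print(f"{folder}: {len(names)} quarantined file(s): {', '.join(names)}")
    print("Still present:", still_on_disk(found) or "none")
```

Reviewing at folder level matters here because the later ESET scan in this thread reported further files (for example Gogmaopp64.dll) inside the same directories after the quarantine.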


#13 Sezneg

Sezneg
  • Topic Starter

  • Members
  • 43 posts

Posted 05 May 2016 - 09:31 AM

I have successfully run this tool.

 

Upon startup, the machine is loading a blank text file named "Error.txt" and also what appears to be a fake windows update alert that is full screen windowed with no taskbar icon, "windows update cannot continue because your software is expired or corrupt" in a really poorly mocked up low res window.



#14 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,480 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:10 AM

Posted 05 May 2016 - 09:33 AM

Let's see what is launching this window. Follow the instructions below please.

Autoruns - Start-up Entries
Follow the instructions below to give me an Autoruns log containing your start-up entries:
  • Download Autoruns.zip from the Sysinternals Suite webpage;
  • Extract the content of the Autoruns.zip folder where you want, then go in the folder, right-click on Autoruns.exe and select Run as Administrator;
  • Accept the EULA on opening, then wait for all the entries to load;
  • Click on File then Save and save the file to a location easily accessible as a .arn (Autoruns) file;
  • Upload the file on Dropbox, Google Drive or OneDrive and post the download URL for it here;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#15 Sezneg

Sezneg
  • Topic Starter

  • Members
  • 43 posts

Posted 05 May 2016 - 08:34 PM

Here you go:

 

https://drive.google.com/file/d/0BymIBLEuwDYudkpNSC1iWmhGNWc/view?usp=sharing





