ArmUI.ini


This topic is locked
11 replies to this topic

#1 how_word

  • Members
  • 33 posts

Posted 13 May 2016 - 02:14 PM

I am worried because lately I have had serious problems with high CPU usage, which suddenly cured itself, as posted in another topic:
100% CPU

I ran AdwCleaner and Junkware Removal Tool and Malwarebytes. MBAM found PUP.Optional.xRocketToolbar and I clicked to have it removed.

When I restarted my computer, I found several odd items in my Temp folder.

AdobeARM
ArmUI.ini
libeay32.dll
sqlite3.dll
Several icons
Msvcr120.dll
/WPDNSE
/jrt (junkware removal tool)
/acro_rd_dir

I was alarmed when I googled "ArmUI" and found TDSSKiller, which I ran (it found nothing).

Upon restarting my computer I again had the ArmUI file in my Temp folder along with:
wmsetup.log
acro_rd_dir.

I deleted these.

Recently my computer was idle for some time and it again produced the ArmUI.ini file. Does this mean that my computer is infected?



#2 nasdaq

  • Malware Response Team
  • 40,227 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 May 2016 - 07:01 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.
===

Wait for further instructions.

#3 how_word
  • Topic Starter
  • Members
  • 33 posts

Posted 14 May 2016 - 11:39 AM

Thank you nasdaq,

I have the requested file and attachment. I changed personal titles (AAA for instance) and the SID unique identifiers.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:14-05-2016
Ran by JJJ (administrator) on MMM (14-05-2016 10:08:00)
Running from C:\Users\JJJ\Desktop\Cleaners
Loaded Profiles: JJJ & UpdatusUser (Available Profiles: JJJ & UpdatusUser)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Acer Incorporated) C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\22.6.0.142\n360.exe
(SupportSoft, Inc.) C:\Program Files (x86)\Comcast\Desktop Doctor\bin\sprtsvc.exe
() C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\22.6.0.142\n360.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKU\S-1-5-21-527237640-484763769-1060284398-1000\...\Run: [DAEMON Tools Lite] => "C:\Users\JJJ\Desktop\DDD\DAEMON Tools Lite\DTLite.exe" -autorun
HKU\S-1-5-21-527237640-484763769-1060284398-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8418584 2015-07-17] (Piriform Ltd)
HKU\S-1-5-21-527237640-484763769-1060284398-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-527237640-484763769-1060284398-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-527237640-484763769-1060284398-1000\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-527237640-484763769-1060284398-1000\...\MountPoints2: {52320d86-afb7-11df-a8d9-00262d20fabc} - G:\StormF1.exe
HKU\S-1-5-21-527237640-484763769-1060284398-1000\...\MountPoints2: {ac515b5f-2030-11e5-92e1-da3612ac58ba} - H:\Windows\AutoRun.exe
HKU\S-1-5-21-527237640-484763769-1060284398-1003\...\RunOnce: [ScrSav] => C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe [162336 2009-07-21] ()
HKU\S-1-5-21-527237640-484763769-1060284398-1003\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\eMachines.scr [425984 2009-08-05] ()
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton Security Suite\Engine64\22.6.0.142\buShell.dll [2016-02-18] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton Security Suite\Engine64\22.6.0.142\buShell.dll [2016-02-18] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security Suite\Engine64\22.6.0.142\buShell.dll [2016-02-18] (Symantec Corporation)
GroupPolicyUsers\S-1-5-21-527237640-484763769-1060284398-1003\User: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75
Tcpip\..\Interfaces\{76C09F17-3DAB-4FF0-8A0B-AE83015E5F44}: [DhcpNameServer] 75.75.76.76 75.75.75.75

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com
SearchScopes: HKLM-x32 -> {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-527237640-484763769-1060284398-1000 -> Comcast URL = hxxp://search.comcast.net/?cat=web&con=net&q={searchTerms}
SearchScopes: HKU\S-1-5-21-527237640-484763769-1060284398-1000 -> {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-527237640-484763769-1060284398-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW_enUS394
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security Suite\Engine64\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll [2015-05-28] (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-05-28] (Oracle Corporation)
BHO-x32: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2009-05-21] (Hewlett-Packard Co.)
BHO-x32: RealPlayer Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll [2012-05-27] (RealPlayer)
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security Suite\Engine\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Security Suite\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO-x32: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2009-05-21] (Hewlett-Packard Co.)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine64\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)
Toolbar: HKU\S-1-5-21-527237640-484763769-1060284398-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File

FireFox:
========
FF ProfilePath: C:\Users\JJJ\AppData\Roaming\Mozilla\Firefox\Profiles\tb2isrrv.default-1394367927409
FF NewTab: file:///C:/Users/JJJ/Desktop/BBB/HHH/FFF/HHH.html
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Google
FF SearchEngineOrder.1: Google
FF SelectedSearchEngine: Google
FF Homepage: file:///C:/Users/JJJ/Desktop/Desktop/BBB/HHH/FFF/HHH.html
FF Keyword.URL: hxxp://www.google.com/search?q=
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_21_0_0_182.dll [2016-03-10] ()
FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-05-28] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-05-28] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_182.dll [2016-03-10] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [No File]
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\np-mswmp.dll [2007-04-10] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\JJJ\AppData\Roaming\Mozilla\Firefox\Profiles\tb2isrrv.default-1394367927409\searchplugins\google-.xml [2015-08-03]
FF Extension: New Tab Override (browser.newtab.url replacement) - C:\Users\JJJ\AppData\Roaming\Mozilla\Firefox\Profiles\tb2isrrv.default-1394367927409\Extensions\newtaboverride@agenedia.com.xpi [2015-12-21]
FF Extension: New Tab Homepage - C:\Users\JJJ\AppData\Roaming\Mozilla\Firefox\Profiles\tb2isrrv.default-1394367927409\Extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}.xpi [2015-12-21]
FF Extension: gtranslate - C:\Users\JJJ\AppData\Roaming\Mozilla\Firefox\Profiles\tb2isrrv.default-1394367927409\Extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}.xpi [2016-05-02]
FF Extension: Adblock Plus - C:\Users\JJJ\AppData\Roaming\Mozilla\Firefox\Profiles\tb2isrrv.default-1394367927409\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-12-15]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2016-05-03] [not signed]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2016-05-03] [not signed]
FF HKLM\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFAddon
FF Extension: Norton Identity Safe - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFAddon [2016-04-01]
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010-10-14] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF Extension: No Name - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2013-03-18] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF HKLM-x32\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFAddon
FF HKU\S-1-5-21-527237640-484763769-1060284398-1000\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

Chrome:
=======
CHR Profile: C:\Users\JJJ\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (RealPlayer HTML5Video Downloader Extension) - C:\Users\JJJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk [2011-03-10]
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.6.0.142\Exts\Chrome.crx [2016-03-16]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.6.0.142\Exts\Chrome.crx [2016-03-16]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx <not found>

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe [625184 2009-04-19] ()
R2 Greg_Service; C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [1150496 2009-08-28] (Acer Incorporated)
R3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [248832 2009-05-22] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll [133120 2009-05-22] (Hewlett-Packard Co.) [File not signed]
R2 HPSLPSVC; C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL [1039360 2010-10-22] (Hewlett-Packard Co.) [File not signed]
R2 N360; C:\Program Files (x86)\Norton Security Suite\Engine\22.6.0.142\N360.exe [289080 2016-02-26] (Symantec Corporation)
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
R2 nSvcIp; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe [207904 2009-04-19] ()
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
R2 sprtsvc_ddoctorv2; C:\Program Files (x86)\Comcast\Desktop Doctor\bin\sprtsvc.exe [202560 2008-04-24] (SupportSoft, Inc.)
S2 Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [240160 2009-07-03] (Acer)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 BHDrvx64; C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\BASHDefs\20160502.001\BHDrvx64.sys [1766640 2016-03-09] (Symantec Corporation)
R1 ccSet_N360; C:\Windows\system32\drivers\N360x64\1606000.08E\ccSetx64.sys [173808 2015-07-10] (Symantec Corporation)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-10-31] (DT Soft Ltd)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [497392 2016-05-04] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [156912 2016-05-04] (Symantec Corporation)
R1 IDSVia64; C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\IPSDefs\20160510.005\IDSvia64.sys [876248 2016-05-12] (Symantec Corporation)
S3 massfilter_hs; C:\windows\system32\drivers\massfilter_hs.sys [20232 2012-06-20] (HandSet Incorporated)
R3 NAVENG; C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\VirusDefs\20160513.036\ENG64.SYS [138488 2016-04-14] (Symantec Corporation)
R3 NAVEX15; C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\VirusDefs\20160513.036\EX64.SYS [2148080 2016-04-14] (Symantec Corporation)
R3 SRTSP; C:\Windows\System32\Drivers\N360x64\1606000.08E\SRTSP64.SYS [928504 2016-02-23] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\N360x64\1606000.08E\SRTSPX64.SYS [50936 2015-07-10] (Symantec Corporation)
R0 SymEFASI; C:\Windows\System32\drivers\N360x64\1606000.08E\SYMEFASI64.SYS [1621232 2016-02-23] (Symantec Corporation)
R3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [111344 2015-08-02] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\N360x64\1606000.08E\Ironx64.SYS [295664 2016-02-23] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\N360x64\1606000.08E\SYMNETS.SYS [577768 2016-02-23] (Symantec Corporation)
S3 wanatw; system32\DRIVERS\wanatw64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-14 10:06 - 2016-05-14 10:08 - 00000000 ____D C:\FRST
2016-05-13 04:05 - 2016-05-13 04:05 - 00000020 ___SH C:\Users\TEMP.MMM.002\ntuser.ini
2016-05-13 04:05 - 2016-05-13 04:05 - 00000000 _SHDL C:\Users\TEMP.MMM.002\My Documents
2016-05-13 04:05 - 2016-05-13 04:05 - 00000000 _SHDL C:\Users\TEMP.MMM.002\Documents\My Videos
2016-05-13 04:05 - 2016-05-13 04:05 - 00000000 _SHDL C:\Users\TEMP.MMM.002\Documents\My Pictures
2016-05-13 04:05 - 2016-05-13 04:05 - 00000000 _SHDL C:\Users\TEMP.MMM.002\Documents\My Music
2016-05-13 04:05 - 2016-05-13 04:05 - 00000000 ____D C:\Users\TEMP.MMM.002
2016-05-13 04:05 - 2010-08-25 05:04 - 00000000 ____D C:\Users\TEMP.MMM.002\AppData\Local\Microsoft Help
2016-05-13 04:05 - 2009-07-14 02:44 - 00000000 ____D C:\Users\TEMP.MMM.002\AppData\Roaming\Media Center Programs
2016-05-12 11:04 - 2016-04-09 01:57 - 00405504 _____ (Microsoft Corporation) C:\windows\system32\gdi32.dll
2016-05-12 11:04 - 2016-04-09 01:54 - 00312832 _____ (Microsoft Corporation) C:\windows\SysWOW64\gdi32.dll
2016-05-12 11:03 - 2016-04-23 12:08 - 00394960 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2016-05-12 11:03 - 2016-04-23 11:24 - 00346312 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2016-05-12 11:03 - 2016-04-23 00:25 - 25816064 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2016-05-12 11:03 - 2016-04-23 00:16 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2016-05-12 11:03 - 2016-04-23 00:16 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2016-05-12 11:03 - 2016-04-23 00:01 - 00066560 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2016-05-12 11:03 - 2016-04-23 00:00 - 02893312 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2016-05-12 11:03 - 2016-04-23 00:00 - 00571904 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2016-05-12 11:03 - 2016-04-23 00:00 - 00417792 _____ (Microsoft Corporation) C:\windows\system32\html.iec
2016-05-12 11:03 - 2016-04-23 00:00 - 00088064 _____ (Microsoft Corporation) C:\windows\system32\MshtmlDac.dll
2016-05-12 11:03 - 2016-04-23 00:00 - 00048640 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2016-05-12 11:03 - 2016-04-22 23:52 - 00054784 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2016-05-12 11:03 - 2016-04-22 23:51 - 00034304 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2016-05-12 11:03 - 2016-04-22 23:48 - 00615936 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2016-05-12 11:03 - 2016-04-22 23:47 - 00817664 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2016-05-12 11:03 - 2016-04-22 23:47 - 00814080 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2016-05-12 11:03 - 2016-04-22 23:47 - 00144384 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2016-05-12 11:03 - 2016-04-22 23:47 - 00114688 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2016-05-12 11:03 - 2016-04-22 23:46 - 06052352 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2016-05-12 11:03 - 2016-04-22 23:40 - 00968704 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2016-05-12 11:03 - 2016-04-22 23:36 - 00489984 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2016-05-12 11:03 - 2016-04-22 23:29 - 00077824 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2016-05-12 11:03 - 2016-04-22 23:27 - 00107520 _____ (Microsoft Corporation) C:\windows\system32\inseng.dll
2016-05-12 11:03 - 2016-04-22 23:25 - 00199680 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2016-05-12 11:03 - 2016-04-22 23:24 - 00092160 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2016-05-12 11:03 - 2016-04-22 23:21 - 00315392 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2016-05-12 11:03 - 2016-04-22 23:20 - 02724864 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2016-05-12 11:03 - 2016-04-22 23:20 - 00152064 _____ (Microsoft Corporation) C:\windows\system32\occache.dll
2016-05-12 11:03 - 2016-04-22 23:11 - 20350464 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2016-05-12 11:03 - 2016-04-22 23:09 - 00262144 _____ (Microsoft Corporation) C:\windows\system32\webcheck.dll
2016-05-12 11:03 - 2016-04-22 23:08 - 00497152 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2016-05-12 11:03 - 2016-04-22 23:08 - 00062464 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2016-05-12 11:03 - 2016-04-22 23:08 - 00047616 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieetwproxystub.dll
2016-05-12 11:03 - 2016-04-22 23:07 - 00725504 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2016-05-12 11:03 - 2016-04-22 23:07 - 00341504 _____ (Microsoft Corporation) C:\windows\SysWOW64\html.iec
2016-05-12 11:03 - 2016-04-22 23:07 - 00064000 _____ (Microsoft Corporation) C:\windows\SysWOW64\MshtmlDac.dll
2016-05-12 11:03 - 2016-04-22 23:06 - 01359360 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2016-05-12 11:03 - 2016-04-22 23:06 - 00806400 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2016-05-12 11:03 - 2016-04-22 23:05 - 02131968 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2016-05-12 11:03 - 2016-04-22 23:04 - 02285568 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2016-05-12 11:03 - 2016-04-22 23:02 - 00047104 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2016-05-12 11:03 - 2016-04-22 23:01 - 00030720 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2016-05-12 11:03 - 2016-04-22 23:00 - 15415808 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2016-05-12 11:03 - 2016-04-22 22:59 - 00476160 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2016-05-12 11:03 - 2016-04-22 22:58 - 00663552 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2016-05-12 11:03 - 2016-04-22 22:58 - 00620032 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2016-05-12 11:03 - 2016-04-22 22:58 - 00115712 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2016-05-12 11:03 - 2016-04-22 22:51 - 02596864 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2016-05-12 11:03 - 2016-04-22 22:50 - 00416256 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2016-05-12 11:03 - 2016-04-22 22:45 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\JavaScriptCollectionAgent.dll
2016-05-12 11:03 - 2016-04-22 22:44 - 00091136 _____ (Microsoft Corporation) C:\windows\SysWOW64\inseng.dll
2016-05-12 11:03 - 2016-04-22 22:43 - 00168960 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2016-05-12 11:03 - 2016-04-22 22:41 - 00076288 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2016-05-12 11:03 - 2016-04-22 22:40 - 00279040 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2016-05-12 11:03 - 2016-04-22 22:39 - 01547776 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2016-05-12 11:03 - 2016-04-22 22:39 - 00130048 _____ (Microsoft Corporation) C:\windows\SysWOW64\occache.dll
2016-05-12 11:03 - 2016-04-22 22:36 - 04611072 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2016-05-12 11:03 - 2016-04-22 22:33 - 00230400 _____ (Microsoft Corporation) C:\windows\SysWOW64\webcheck.dll
2016-05-12 11:03 - 2016-04-22 22:31 - 00693248 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2016-05-12 11:03 - 2016-04-22 22:30 - 02056192 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2016-05-12 11:03 - 2016-04-22 22:30 - 01155072 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmlmedia.dll
2016-05-12 11:03 - 2016-04-22 22:28 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2016-05-12 11:03 - 2016-04-22 22:26 - 13811200 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2016-05-12 11:03 - 2016-04-22 22:12 - 02121216 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2016-05-12 11:03 - 2016-04-22 22:09 - 01312256 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2016-05-12 11:03 - 2016-04-22 22:07 - 00710144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2016-05-12 11:03 - 2016-03-09 13:54 - 00275456 _____ (Microsoft Corporation) C:\windows\system32\InkEd.dll
2016-05-12 11:03 - 2016-03-09 13:34 - 00216064 _____ (Microsoft Corporation) C:\windows\SysWOW64\InkEd.dll
2016-05-12 11:02 - 2016-04-14 08:49 - 00603648 _____ (Microsoft Corporation) C:\windows\SysWOW64\d3d10level9.dll
2016-05-12 11:02 - 2016-04-14 08:21 - 00647680 _____ (Microsoft Corporation) C:\windows\system32\d3d10level9.dll
2016-05-12 11:02 - 2016-04-09 02:01 - 00986344 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dxgkrnl.sys
2016-05-12 11:02 - 2016-04-09 02:01 - 00264936 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dxgmms1.sys
2016-05-12 11:02 - 2016-04-09 01:58 - 00002048 _____ (Microsoft Corporation) C:\windows\system32\tzres.dll
2016-05-12 11:02 - 2016-04-09 01:57 - 00144384 _____ (Microsoft Corporation) C:\windows\system32\cdd.dll
2016-05-12 11:02 - 2016-04-09 01:54 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\tzres.dll
2016-05-12 11:02 - 2016-04-09 00:49 - 03217408 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2016-05-12 11:02 - 2016-04-06 10:27 - 00024576 _____ (Microsoft Corporation) C:\windows\system32\jnwmon.dll
2016-05-12 11:00 - 2016-04-09 02:02 - 00631176 _____ (Microsoft Corporation) C:\windows\system32\winresume.efi
2016-05-12 11:00 - 2016-04-09 02:01 - 05546216 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2016-05-12 11:00 - 2016-04-09 02:01 - 00706280 _____ (Microsoft Corporation) C:\windows\system32\winload.efi
2016-05-12 11:00 - 2016-04-09 02:01 - 00154344 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecpkg.sys
2016-05-12 11:00 - 2016-04-09 02:01 - 00095464 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecdd.sys
2016-05-12 11:00 - 2016-04-09 01:59 - 03998952 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntkrnlpa.exe
2016-05-12 11:00 - 2016-04-09 01:59 - 03943144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntoskrnl.exe
2016-05-12 11:00 - 2016-04-09 01:59 - 01732864 _____ (Microsoft Corporation) C:\windows\system32\ntdll.dll
2016-05-12 11:00 - 2016-04-09 01:58 - 01212928 _____ (Microsoft Corporation) C:\windows\system32\rpcrt4.dll
2016-05-12 11:00 - 2016-04-09 01:58 - 00503808 _____ (Microsoft Corporation) C:\windows\system32\srcore.dll
2016-05-12 11:00 - 2016-04-09 01:58 - 00362496 _____ (Microsoft Corporation) C:\windows\system32\wow64win.dll
2016-05-12 11:00 - 2016-04-09 01:58 - 00344064 _____ (Microsoft Corporation) C:\windows\system32\schannel.dll
2016-05-12 11:00 - 2016-04-09 01:58 - 00243712 _____ (Microsoft Corporation) C:\windows\system32\wow64.dll
2016-05-12 11:00 - 2016-04-09 01:58 - 00215552 _____ (Microsoft Corporation) C:\windows\system32\winsrv.dll
2016-05-12 11:00 - 2016-04-09 01:58 - 00210432 _____ (Microsoft Corporation) C:\windows\system32\wdigest.dll
2016-05-12 11:00 - 2016-04-09 01:58 - 00190464 _____ (Microsoft Corporation) C:\windows\system32\rpchttp.dll
2016-05-12 11:00 - 2016-04-09 01:58 - 00135680 _____ (Microsoft Corporation) C:\windows\system32\sspicli.dll
2016-05-12 11:00 - 2016-04-09 01:58 - 00086528 _____ (Microsoft Corporation) C:\windows\system32\TSpkg.dll
2016-05-12 11:00 - 2016-04-09 01:58 - 00063488 _____ (Microsoft Corporation) C:\windows\system32\setbcdlocale.dll
2016-05-12 11:00 - 2016-04-09 01:58 - 00050176 _____ (Microsoft Corporation) C:\windows\system32\srclient.dll
2016-05-12 11:00 - 2016-04-09 01:58 - 00028672 _____ (Microsoft Corporation) C:\windows\system32\sspisrv.dll
2016-05-12 11:00 - 2016-04-09 01:58 - 00028160 _____ (Microsoft Corporation) C:\windows\system32\secur32.dll
2016-05-12 11:00 - 2016-04-09 01:58 - 00013312 _____ (Microsoft Corporation) C:\windows\system32\wow64cpu.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 01464320 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 01314112 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntdll.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 01163264 _____ (Microsoft Corporation) C:\windows\system32\kernel32.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00880640 _____ (Microsoft Corporation) C:\windows\system32\advapi32.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00730624 _____ (Microsoft Corporation) C:\windows\system32\kerberos.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00690688 _____ (Microsoft Corporation) C:\windows\system32\adtschema.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00463872 _____ (Microsoft Corporation) C:\windows\system32\certcli.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00419840 _____ (Microsoft Corporation) C:\windows\system32\KernelBase.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00316416 _____ (Microsoft Corporation) C:\windows\system32\msv1_0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00312320 _____ (Microsoft Corporation) C:\windows\system32\ncrypt.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00146432 _____ (Microsoft Corporation) C:\windows\system32\msaudite.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00060416 _____ (Microsoft Corporation) C:\windows\system32\msobjs.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00059904 _____ (Microsoft Corporation) C:\windows\system32\appidapi.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00043520 _____ (Microsoft Corporation) C:\windows\system32\csrsrv.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00043520 _____ (Microsoft Corporation) C:\windows\system32\cryptbase.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00034816 _____ (Microsoft Corporation) C:\windows\system32\appidsvc.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00022016 _____ (Microsoft Corporation) C:\windows\system32\credssp.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00016384 _____ (Microsoft Corporation) C:\windows\system32\ntvdm64.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00006656 _____ (Microsoft Corporation) C:\windows\system32\apisetschema.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00006144 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00005120 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00004608 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00004608 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:57 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 01114112 _____ (Microsoft Corporation) C:\windows\SysWOW64\kernel32.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00690688 _____ (Microsoft Corporation) C:\windows\SysWOW64\adtschema.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00666112 _____ (Microsoft Corporation) C:\windows\SysWOW64\rpcrt4.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00644096 _____ (Microsoft Corporation) C:\windows\SysWOW64\advapi32.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00553472 _____ (Microsoft Corporation) C:\windows\SysWOW64\kerberos.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00342528 _____ (Microsoft Corporation) C:\windows\SysWOW64\certcli.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00275456 _____ (Microsoft Corporation) C:\windows\SysWOW64\KernelBase.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00260608 _____ (Microsoft Corporation) C:\windows\SysWOW64\msv1_0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00251392 _____ (Microsoft Corporation) C:\windows\SysWOW64\schannel.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00223232 _____ (Microsoft Corporation) C:\windows\SysWOW64\ncrypt.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00171520 _____ (Microsoft Corporation) C:\windows\SysWOW64\wdigest.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00146432 _____ (Microsoft Corporation) C:\windows\SysWOW64\msaudite.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00141312 _____ (Microsoft Corporation) C:\windows\SysWOW64\rpchttp.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00096768 _____ (Microsoft Corporation) C:\windows\SysWOW64\sspicli.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00065536 _____ (Microsoft Corporation) C:\windows\SysWOW64\TSpkg.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\msobjs.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00050688 _____ (Microsoft Corporation) C:\windows\SysWOW64\appidapi.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00043008 _____ (Microsoft Corporation) C:\windows\SysWOW64\srclient.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00022016 _____ (Microsoft Corporation) C:\windows\SysWOW64\secur32.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00017408 _____ (Microsoft Corporation) C:\windows\SysWOW64\credssp.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00006656 _____ (Microsoft Corporation) C:\windows\SysWOW64\apisetschema.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00005120 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00005120 _____ (Microsoft Corporation) C:\windows\SysWOW64\wow32.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00004608 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 01:54 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 00:52 - 00148480 _____ (Microsoft Corporation) C:\windows\system32\appidpolicyconverter.exe
2016-05-12 11:00 - 2016-04-09 00:52 - 00062464 _____ (Microsoft Corporation) C:\windows\system32\Drivers\appid.sys
2016-05-12 11:00 - 2016-04-09 00:52 - 00017920 _____ (Microsoft Corporation) C:\windows\system32\appidcertstorecheck.exe
2016-05-12 11:00 - 2016-04-09 00:51 - 00064000 _____ (Microsoft Corporation) C:\windows\system32\auditpol.exe
2016-05-12 11:00 - 2016-04-09 00:48 - 00338432 _____ (Microsoft Corporation) C:\windows\system32\conhost.exe
2016-05-12 11:00 - 2016-04-09 00:47 - 00296960 _____ (Microsoft Corporation) C:\windows\system32\rstrui.exe
2016-05-12 11:00 - 2016-04-09 00:44 - 00291328 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb10.sys
2016-05-12 11:00 - 2016-04-09 00:44 - 00159744 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb.sys
2016-05-12 11:00 - 2016-04-09 00:44 - 00129536 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb20.sys
2016-05-12 11:00 - 2016-04-09 00:43 - 00112640 _____ (Microsoft Corporation) C:\windows\system32\smss.exe
2016-05-12 11:00 - 2016-04-09 00:43 - 00030720 _____ (Microsoft Corporation) C:\windows\system32\lsass.exe
2016-05-12 11:00 - 2016-04-09 00:42 - 00050176 _____ (Microsoft Corporation) C:\windows\SysWOW64\auditpol.exe
2016-05-12 11:00 - 2016-04-09 00:38 - 00025600 _____ (Microsoft Corporation) C:\windows\SysWOW64\setup16.exe
2016-05-12 11:00 - 2016-04-09 00:38 - 00014336 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntvdm64.dll
2016-05-12 11:00 - 2016-04-09 00:38 - 00007680 _____ (Microsoft Corporation) C:\windows\SysWOW64\instnm.exe
2016-05-12 11:00 - 2016-04-09 00:38 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\user.exe
2016-05-12 11:00 - 2016-04-09 00:37 - 00036352 _____ (Microsoft Corporation) C:\windows\SysWOW64\cryptbase.dll
2016-05-12 11:00 - 2016-04-09 00:37 - 00006144 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 00:37 - 00004608 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 00:37 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2016-05-12 11:00 - 2016-04-09 00:37 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2016-05-12 10:58 - 2016-04-08 23:20 - 01230848 _____ (Microsoft Corporation) C:\windows\SysWOW64\WindowsCodecs.dll
2016-05-12 10:58 - 2016-04-08 22:52 - 01424896 _____ (Microsoft Corporation) C:\windows\system32\WindowsCodecs.dll
2016-05-11 13:35 - 2016-05-11 13:39 - 00195308 _____ C:\TDSSKiller.3.1.0.9_11.05.2016_13.35.04_log.txt
2016-05-10 18:06 - 2016-05-10 18:45 - 00000000 ____D C:\Users\JJJ\Desktop\DDD
2016-05-03 18:10 - 2016-05-05 09:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-04-14 01:06 - 2016-03-06 13:53 - 01885696 _____ (Microsoft Corporation) C:\windows\system32\msxml3.dll
2016-04-14 01:06 - 2016-03-06 13:53 - 00002048 _____ (Microsoft Corporation) C:\windows\system32\msxml3r.dll
2016-04-14 01:06 - 2016-03-06 13:38 - 01240576 _____ (Microsoft Corporation) C:\windows\SysWOW64\msxml3.dll
2016-04-14 01:06 - 2016-03-06 13:38 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\msxml3r.dll
2016-04-14 01:05 - 2016-04-04 13:14 - 00038120 _____ (Microsoft Corporation) C:\windows\system32\CompatTelRunner.exe
2016-04-14 01:05 - 2016-04-04 13:02 - 01169408 _____ (Microsoft Corporation) C:\windows\system32\aeinv.dll
2016-04-14 01:05 - 2016-04-02 08:08 - 01386496 _____ (Microsoft Corporation) C:\windows\system32\appraiser.dll
2016-04-14 01:05 - 2016-03-23 09:02 - 00215040 _____ (Microsoft Corporation) C:\windows\system32\aepic.dll
2016-04-14 01:05 - 2016-03-17 13:04 - 00698368 _____ (Microsoft Corporation) C:\windows\system32\generaltel.dll
2016-04-14 01:05 - 2016-03-17 13:04 - 00499200 _____ (Microsoft Corporation) C:\windows\system32\devinv.dll
2016-04-14 01:05 - 2016-03-17 13:04 - 00279040 _____ (Microsoft Corporation) C:\windows\system32\invagent.dll
2016-04-14 01:05 - 2016-03-17 13:04 - 00076800 _____ (Microsoft Corporation) C:\windows\system32\acmigration.dll
2016-04-14 01:05 - 2016-03-16 13:50 - 00156672 _____ (Microsoft Corporation) C:\windows\system32\mtxoci.dll
2016-04-14 01:05 - 2016-03-16 13:28 - 00176128 _____ (Microsoft Corporation) C:\windows\SysWOW64\msorcl32.dll
2016-04-14 01:05 - 2016-03-16 13:28 - 00111616 _____ (Microsoft Corporation) C:\windows\SysWOW64\mtxoci.dll
2016-04-14 01:05 - 2016-02-05 13:56 - 00020480 _____ (Microsoft Corporation) C:\windows\system32\tbs.dll
2016-04-14 01:05 - 2016-02-05 13:54 - 00109568 _____ (Microsoft Corporation) C:\windows\system32\fveapibase.dll
2016-04-14 01:05 - 2016-02-05 12:33 - 00015360 _____ (Microsoft Corporation) C:\windows\SysWOW64\tbs.dll
2016-04-14 01:05 - 2015-06-03 15:21 - 00451080 _____ (Microsoft Corporation) C:\windows\system32\fveapi.dll
2016-04-14 01:04 - 2016-03-17 17:56 - 02084864 _____ (Microsoft Corporation) C:\windows\system32\ole32.dll
2016-04-14 01:04 - 2016-03-17 17:28 - 01414144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ole32.dll
2016-04-14 01:04 - 2016-02-02 13:57 - 00511488 _____ (Microsoft Corporation) C:\windows\system32\rpcss.dll
2016-04-14 01:03 - 2016-03-15 19:16 - 00760320 _____ (Microsoft Corporation) C:\windows\system32\samsrv.dll
2016-04-14 01:03 - 2016-03-15 19:16 - 00106496 _____ (Microsoft Corporation) C:\windows\system32\samlib.dll
2016-04-14 01:03 - 2016-03-15 18:53 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\samlib.dll
2016-04-14 01:03 - 2016-01-20 19:51 - 00073664 _____ (Microsoft Corporation) C:\windows\system32\Drivers\disk.sys

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-14 10:08 - 2015-06-13 11:42 - 00000000 ____D C:\Users\JJJ\Desktop\CCC
2016-05-13 17:06 - 2010-10-19 23:44 - 00000000 ____D C:\Users\JJJ\Documents\SSS
2016-05-13 16:03 - 2010-08-24 23:09 - 00000193 _____ C:\windows\WORDPAD.INI
2016-05-13 14:16 - 2009-07-13 23:45 - 00018736 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-05-13 14:16 - 2009-07-13 23:45 - 00018736 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-05-13 04:12 - 2009-07-14 00:13 - 00781790 _____ C:\windows\system32\PerfStringBackup.INI
2016-05-13 04:12 - 2009-07-13 22:20 - 00000000 ____D C:\windows\inf
2016-05-13 04:02 - 2009-07-14 00:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2016-05-13 04:02 - 2009-07-13 23:45 - 00335312 _____ C:\windows\system32\FNTCACHE.DAT
2016-05-13 03:57 - 2014-12-11 07:24 - 00000000 ____D C:\windows\system32\appraiser
2016-05-13 03:57 - 2009-07-14 02:45 - 00000000 ____D C:\Program Files\Windows Journal
2016-05-13 03:25 - 2013-08-16 03:01 - 00000000 ____D C:\windows\system32\MRT
2016-05-13 03:08 - 2010-09-01 11:47 - 139319312 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2016-05-12 15:02 - 2011-02-08 23:26 - 00000000 ____D C:\Users\JJJ\Desktop\DDD
2016-05-11 13:51 - 2015-06-11 21:32 - 00192216 _____ (Malwarebytes) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2016-05-11 13:48 - 2015-06-11 21:32 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-05-11 13:00 - 2010-08-24 02:55 - 00000000 ____D C:\Users\JJJ
2016-05-11 12:57 - 2013-04-13 03:10 - 00000000 ____D C:\Users\UpdatusUser
2016-05-11 12:57 - 2009-11-20 15:47 - 00000000 ____D C:\ProgramData\Norton
2016-05-11 12:57 - 2009-07-13 22:20 - 00000000 ____D C:\windows\registration
2016-05-11 10:03 - 2016-03-09 22:07 - 00000556 _____ C:\Users\JJJ\Desktop\JRT.txt
2016-05-11 08:32 - 2015-08-02 15:49 - 00000000 ____D C:\windows\System32\Tasks\Remediation
2016-05-11 08:28 - 2009-07-14 00:08 - 00032630 _____ C:\windows\Tasks\SCHEDLGU.TXT
2016-05-11 07:45 - 2015-06-11 12:05 - 00000000 ____D C:\AdwCleaner
2016-05-10 17:48 - 2016-03-15 17:25 - 01479876 _____ C:\windows\ntbtlog.txt
2016-05-06 17:29 - 2013-01-24 17:15 - 00000000 ____D C:\Users\JJJ\Desktop\DDDDVD
2016-05-06 15:54 - 2015-03-04 06:58 - 00000000 ____D C:\Users\JJJ\Desktop\DTJ
2016-05-06 03:02 - 2015-08-03 03:47 - 00000000 ___SD C:\windows\SysWOW64\GWX
2016-05-06 03:02 - 2015-08-03 03:47 - 00000000 ___SD C:\windows\system32\GWX
2016-05-04 21:56 - 2011-02-19 06:44 - 00000000 ____D C:\Users\JJJ\AppData\Local\CrashDumps
2016-05-03 18:37 - 2016-03-20 07:04 - 00000342 _____ C:\windows\wininit.ini
2016-05-03 18:37 - 2012-05-02 15:27 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-04-26 17:06 - 2016-03-15 17:26 - 00260096 ___SH C:\Users\JJJ\Desktop\Thumbs.db
2016-04-20 17:42 - 2010-08-24 20:04 - 00000000 ____D C:\Users\JJJ\Desktop\bbb
2016-04-14 17:12 - 2010-09-23 18:00 - 00000000 ___RD C:\Users\JJJ\Desktop\SSS

==================== Files in the root of some directories =======

2012-04-27 12:23 - 2015-05-15 06:44 - 0000070 _____ () C:\Users\JJJ\AppData\Roaming\wklnhst.dat
2011-05-12 14:01 - 2011-07-18 15:54 - 0001940 _____ () C:\Users\JJJ\AppData\Local\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
2010-10-14 10:59 - 2010-10-14 11:25 - 0000777 _____ () C:\ProgramData\hpzinstall.log

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\SysWOW64\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-05-12 21:04

==================== End of FRST.txt ============================
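The FRST listing above is raw tool output. As an added example, not code from this thread or from the Farbar tool, the following Python script parses the `created - modified - size attrs (company) path` line format seen in the "One Month Created", "One Month Modified" and "Files in the root of some directories" sections, and runs a simple triage pass that flags executables which carry no vendor name or sit in user-writable locations (Temp, AppData, ProgramData). The Microsoft, `DDD` and `wklnhst.dat` sample lines are copied from the log above; the two `example_*` entries are constructed to exercise the flags. The triage rules are an assumption about what deserves a manual look, not a verdict on any file, and a flagged entry still has to be checked (for instance against its Authenticode signature, as the "Bamital & volsnap" section does) before anything is acted on.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One FRST listing line: <created> - <modified> - <size> <attrs> [(<company>)] <path>
# The "(company)" field is absent on some lines and "()" on others.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+?)\s*$"
)

# Extensions treated as executable content for triage purposes (assumption).
EXEC_EXTS = (".exe", ".dll", ".sys", ".scr", ".com", ".cpl", ".ocx")
# Path fragments for user-writable locations where an unsigned binary is unusual (assumption).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed sample listing: the first four lines are copied from the FRST log in
# this thread, the two "example_*" lines are invented to trigger the triage rules.
SAMPLE_LISTING = r"""
==================== One Month Created files and folders ========
2016-05-12 11:00 - 2016-04-09 02:01 - 05546216 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2016-05-12 11:00 - 2016-04-09 01:57 - 00006144 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2016-05-10 18:06 - 2016-05-10 18:45 - 00000000 ____D C:\Users\JJJ\Desktop\DDD
2012-04-27 12:23 - 2015-05-15 06:44 - 0000070 _____ () C:\Users\JJJ\AppData\Roaming\wklnhst.dat
2016-05-14 09:30 - 2016-05-14 09:30 - 00123456 _____ () C:\Users\JJJ\AppData\Local\Temp\example_unknown.exe
2016-05-14 09:31 - 2016-05-14 09:31 - 00045678 _____ C:\ProgramData\example_novendor.dll
"""


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str
    company: Optional[str]  # None when the line has no "(...)" field, "" for "()"
    path: str

    @property
    def is_dir(self) -> bool:
        # FRST marks directories with a "D" in the five-character attribute field.
        return "D" in self.attrs

    @property
    def is_executable(self) -> bool:
        return (not self.is_dir) and self.path.lower().endswith(EXEC_EXTS)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line; return None for headers, blanks and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["created"], m["modified"], int(m["size"]),
                 m["attrs"], m["company"], m["path"])


def parse_listing(text: str) -> List[Entry]:
    """Parse every recognisable listing line in a block of FRST output."""
    return [e for e in (parse_line(raw) for raw in text.splitlines()) if e]


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for executables that warrant a manual look."""
    findings = []
    for e in entries:
        if not e.is_executable:
            continue
        low = e.path.lower()
        reasons = []
        if not e.company:
            reasons.append("no vendor name")
        if any(fragment in low for fragment in USER_WRITABLE):
            reasons.append("executable in user-writable location")
        if reasons:
            findings.append((e.path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    print(f"parsed {len(parsed)} entries")
    for path, reason in triage(parsed):
        print(f"REVIEW  {path}  [{reason}]")
```

Feeding the full FRST.txt through `parse_listing` and `triage` gives a short review list instead of several hundred lines; on the real log above every executable carries "(Microsoft Corporation)" or "(Malwarebytes)" and lives under `C:\windows`, so nothing would be flagged, which matches the thread's conclusion that no malware is present.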




#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:05 PM

Posted 14 May 2016 - 01:26 PM

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicyUsers\S-1-5-21-527237640-484763769-1060284398-1003\User: Restriction <======= ATTENTION
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Security Suite\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
Toolbar: HKU\S-1-5-21-527237640-484763769-1060284398-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [No File]
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.6.0.142\Exts\Chrome.crx [2016-03-16]
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.6.0.142\Exts\Chrome.crx [2016-03-16]
CHR HKLM-x32\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx <not found>
S3 wanatw; system32\DRIVERS\wanatw64.sys [X]


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.

---

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

p.s.
Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Use Firefox to update it.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features applet.
Java 8 Update 45 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418045F0}) (Version: 8.0.450 - Oracle Corporation)

Please post the logs for my review.

#5 how_word

how_word
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:07:05 PM

Posted 15 May 2016 - 04:02 PM

Thank you for the detailed instructions.

I ran FRST and the computer restarted automatically, with a warning that it did not recognize FRST64.exe. I proceeded. The fixlist.txt was removed. I restarted the computer.

When I checked at
java.com/en/download/installed.jsp
I was informed that "Java is disabled or not installed"
Do I need to install Java?
I then found and clicked to remove/Uninstall Java 8 Update 45 (64-bit)
I got the window prompt: "Do you want to allow the following program to update software on the computer" "Java SE Environment 8 Update 45". I pressed yes.

I also updated Adobe Flash

I tried to DL RogueKiller from the bleeping computer link (bleepingcomputer.com/download/roguekiller/dl/121/) but it wouldn't respond, so I clicked the related link on that page (.sur-la-toile.com/RogueKiller/RogueKiller.exe) and tried to run it; a warning window explained it was the 32 bit, and wanted me to 'for better results' run the 64 bit instead. I ran the 32 bit as instructed, and I clicked Start Scan to Execute the scan.

2 threats detected
Suspicious.Path | Scheduled Task
   \{6B3FB174-905A-4E27-A5AF-99E9895150A5}, C:\Program Files (x86)\Norton Security Suite\Engine64\21.6.0.32\uistub.exe
PUM.HomePage | Firefox: Config
   FIREFX@tb2isrrv.default-1394367927409, browser.startup.homepage
not firefOx@...;
In orange and green respectively.

adlice.com/pum-removal/ opened in FireFox.

 I checked to Remove Selected above and a second report was generated.

The PUM was either my homepage as entered or an app that allows me to choose the new tab homepage in Firefox (for some reason FF thinks I want to open new tabs in a Google chaser page where Google tracks my movements and makes suggestions as to where I may want to go next in a new tab (thanks FF)).
The Norton uistub was the Norton shortcut in my taskbar.

Either were easy enough to replace.


I hope you don't mind but I attached both reports in one document.



Edited by how_word, 15 May 2016 - 04:02 PM.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:05 PM

Posted 16 May 2016 - 07:37 AM

The PUM was either my homepage as entered or an app that allows me to choose the new tab homepage in Firefox (for some reason FF thinks I want to open new tabs in a Google chaser page where Google tracks my movements and makes suggestions as to where I may want to go next in a new tab (thanks FF)).

This activity may be caused by this FF Extension installed recently.
FF Extension: gtranslate - C:\Users\JJJ\AppData\Roaming\Mozilla\Firefox\Profiles\tb2isrrv.default-1394367927409\Extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}.xpi [2016-05-02]
Read about it.
http://www.systemlookup.com/FF_Extensions/52.html

Just disable it for now.

Let me know if the problem persists.

#7 how_word

how_word
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:07:05 PM

Posted 18 May 2016 - 01:35 PM

I would still like to find out about the ArmUI.ini file appearing in my Temp folder.

This continues to occur. It may be related to AdobeARM.exe *32 (Adobe Reader and Acrobat Manager)?

 I am not sure why Adobe Reader and Acrobat Manager constantly starts while I am online, it continues to run even after I close Firefox. I habitually End Process for it in Task Manager. When I find that it has started up, there is the acro_rd_dir folder in my Temp folder, and AdobeArm.log with the ArmUI.ini and a randomly named LOG file.

The most recent example, MSIa7b41.LOG
contains the data in the attached txt file:
 




#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:05 PM

Posted 19 May 2016 - 07:21 AM



Open the ArmUI.ini file with Notepad and post the content for my review.

===

You may do this now or wait until I review the content on the ArmUI.ini file.

The start of the 16-5-18-LOG.txt
=== Verbose logging started: 5/18/2016 13:18:16 Build type: SHIP UNICODE 5.00.7601.00 Calling process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe ===

You will find many failed processes in the log.

At the end.

This installation is forbidden by system policy. Contact your system administrator.
C:\windows\Installer\a308d7d.msi


I suggest you remove this program via the Control Panel > Programs > Programs and Features applet.

Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.5.0.7220 - Adobe Systems Inc.)

Restart the computer normally.

===

#9 how_word

how_word
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:07:05 PM

Posted 20 May 2016 - 09:09 AM

Thank you for checking that file.

 

You instructed "I suggest you remove this program via the Control Panel > Programs > Programs and Features applet."

I am unsure which program/s you mean: AdobeARM.exe, a308d7d.msi, or Adobe AIR

 

I keep trashing/recycling the ArmUI.ini files, but I will keep and post the next one.



#10 nasdaq

  • Malware Response Team

Posted 20 May 2016 - 10:04 AM

Remove Adobe AIR and the a308d7d.msi if present.

#11 how_word

  • Topic Starter

Posted 20 May 2016 - 11:02 AM

After writing the above, I googled and found that Adobe AIR has been unsupported since 2011, and I would never have used it anyway, so I deleted it and restarted my computer.

I was waiting for the ArmUI.ini file to appear before returning here; it was then created after I visited YouTube. An AdobeARM.log and a randomly named file (MSIe54a4.log) were also added to the TEMP folder. I will include all of those in the attached txt file, with search cues at the top to jump to whichever section (I hope that makes sense?).

The ArmUI.ini file is written in several languages (ENU english), which I believe is different than I have seen in the previous ones.

I didn't read your last message before I deleted Adobe AIR, and restarted the computer, etc.

I was unable to find this subfolder: C:\windows\Installer\
but a search of my computer for a308d7d.msi, did bring me there.

Windows configured Adobe Acrobat Reader DC to uninstall it.

This created a TEMP file: MSIbad8e.LOG, which I will also add to the .txt.
 


#12 nasdaq

  • Malware Response Team

Posted 21 May 2016 - 07:30 AM

The ArmUi.ini file is not what I had expected.

This problem with Adobe should now be transferred to Adobe.
You can check their forum or start a new topic here:
https://forums.adobe.com/community/acrobat

This is not caused by malware and not my forte.

p.s.

The ArmUI.ini file is written in several languages (ENU english), which I believe is different than I have seen in the previous ones.


The various languages are for reporting a message while the installation is in progress.
It will report in the language of the operating system that is installed.

Edited by nasdaq, 27 May 2016 - 07:11 AM.




