
Navsmart and possibly more infections - dnsapi.dll compromised


This topic is locked
13 replies to this topic

#1 indiagenie

Posted 16 August 2016 - 10:05 AM

Hi, I am posting here as per the second round of troubleshooting instructions from an earlier post in the "Am I infected?" sub-section.

The link for that original post and the steps already performed is - http://www.bleepingcomputer.com/forums/t/623508/trotux-and-navsmart-possibly-impacting-dnsapi/

In summary, the problem is that both Chrome and IE were redirecting to Navsmart.info as home page. I suspected other infections on the computer too without any apparent visual clue, which was confirmed by the multiple items found by the couple of tools used in the post quoted above. In addition to the symptom mentioned above, I also wanted to add that Chrome keeps saying via popup on launch that another application added MSN Bing as search engine and I could disable it. I do choose to disable it but it does come back every now and then on Chrome launch. It doesn't happen every time though.

The output of the FRST scan is as follows.

FRST.txt


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-08-2016 01

Ran by User (administrator) on GP (16-08-2016 20:09:23)
Running from C:\Users\User\Downloads
Loaded Profiles: User (Available Profiles: User)
Platform: Windows 10 Pro Version 1511 (X64) Language: English (United Kingdom)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Lenovo.) C:\Windows\System32\ibmpmsvc.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\micmute.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tphkload.exe
(Synaptics Incorporated) C:\Windows\System32\valWBFPolicyService.exe
(Synaptics Incorporated) C:\Windows\System32\valWbioSyncSvc.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynFP\Shared\SensorDBSynch.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tpnumlkd.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tposd.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\shtctky.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
(Synaptics) C:\Program Files\Synaptics\SynTP\SynLenovoHelper.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\extapsup.exe
(Lenovo.) C:\Windows\System32\TpShocks.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(© 2015 Microsoft Corporation) C:\Users\User\AppData\Local\Microsoft\BingSvc\BingSvc.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe
(Nico Mak Computing) C:\Program Files\WinZip\FAH\FAHWindow64.exe
(WinZip Computing, S.L.) C:\Program Files\WinZip\WzPreloader.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
() C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1605.1582.0_x64__8wekyb3d8bbwe\Calculator.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.WindowsStore_11602.1.26.0_x64__8wekyb3d8bbwe\WinStore.Mobile.exe
() C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.722.10060.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Desktop.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Deskjet 3510 series\Bin\HPNetworkCommunicator.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [LenovoOptMouseUpdate] => C:\Program Files\Lenovo\HOTKEY\extapsup.exe [255480 2013-06-21] (Lenovo Group Limited)
HKLM\...\Run: [TpShocks] => C:\WINDOWS\system32\TpShocks.exe [384344 2014-02-18] (Lenovo.)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [13924080 2016-08-11] (Zemana Ltd.)
HKLM-x32\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157992 2015-07-11] (Apple Inc.)
HKU\S-1-5-21-907560198-880740586-4193796491-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7943072 2016-08-13] (SUPERAntiSpyware)
HKU\S-1-5-21-907560198-880740586-4193796491-1001\...\Run: [Google Update] => C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-08-31] (Google Inc.)
HKU\S-1-5-21-907560198-880740586-4193796491-1001\...\Run: [BingSvc] => C:\Users\User\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2016-02-15] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-907560198-880740586-4193796491-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [29494400 2016-07-13] (Skype Technologies S.A.)
HKU\S-1-5-21-907560198-880740586-4193796491-1001\...\Run: [HP Deskjet 3510 series (NET)] => C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe [2573416 2012-10-17] (Hewlett-Packard Co.)
HKU\S-1-5-21-907560198-880740586-4193796491-1001\...\Run: [Mojorojo] => C:\Users\User\AppData\Local\Mojorojo\Mojorojo.exe [53248 2016-08-06] ()
ShellIconOverlayIdentifiers: [JzShlobj] -> {7B286609-DA97-47E1-AC6B-33B8B4732C95} =>  No File
ShellIconOverlayIdentifiers: [KzShlobj2] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F3} =>  No File
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\FAH.lnk [2016-08-15]
ShortcutTarget: FAH.lnk -> C:\Program Files\WinZip\FAH\FAHConsole.exe (Nico Mak Computing)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Preloader.lnk [2016-08-15]
ShortcutTarget: WinZip Preloader.lnk -> C:\Program Files\WinZip\WzPreloader.exe (WinZip Computing, S.L.)
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 3510 series (Network).lnk [2016-08-15]
ShortcutTarget: Monitor Ink Alerts - HP Deskjet 3510 series (Network).lnk -> C:\Program Files\HP\HP Deskjet 3510 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 3510 series.lnk [2016-08-15]
ShortcutTarget: Monitor Ink Alerts - HP Deskjet 3510 series.lnk -> C:\Program Files\HP\HP Deskjet 3510 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: Hosts file not detected in the default directory
Tcpip\Parameters: [DhcpNameServer] 31.3.252.70 31.3.252.76
Tcpip\..\Interfaces\{319a0ecb-7467-4519-838d-ce37fcdbb2cd}: [DhcpNameServer] 31.3.252.70 31.3.252.76
ManualProxies: 
 
Internet Explorer:
==================
SearchScopes: HKU\S-1-5-21-907560198-880740586-4193796491-1001 -> DefaultScope {AD8FC1B9-88E2-4126-A0AD-B1D1490C343E} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\S-1-5-21-907560198-880740586-4193796491-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-907560198-880740586-4193796491-1001 -> {AD8FC1B9-88E2-4126-A0AD-B1D1490C343E} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2016-07-19] (Microsoft Corporation)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-05-25] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2016-06-14] (Microsoft Corporation)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2016-07-19] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll [2015-02-16] (Oracle Corporation)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-05-25] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2016-06-14] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-02-16] (Oracle Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2016-05-17] (Microsoft Corporation)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-05-25] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-05-25] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-07-14] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-14] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-01-06] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-07-17] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-07-17] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-02-16] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-02-16] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-07-19] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office15\NPSPWRAP.DLL [2014-01-22] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-30] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-30] (Google Inc.)
FF Plugin HKU\S-1-5-21-907560198-880740586-4193796491-1001: @talk.google.com/GoogleTalkPlugin -> C:\Users\User\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-907560198-880740586-4193796491-1001: @talk.google.com/O1DPlugin -> C:\Users\User\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-907560198-880740586-4193796491-1001: @tools.google.com/Google Update;version=3 -> C:\Users\User\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-30] (Google Inc.)
FF Plugin HKU\S-1-5-21-907560198-880740586-4193796491-1001: @tools.google.com/Google Update;version=9 -> C:\Users\User\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-30] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2016-07-19] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Users\User\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\User\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-12-08] (Google)
 
Chrome: 
=======
CHR HomePage: Default -> msn.com/?pc=__PARAM__&ocid=__PARAM__DHP&osmkt=en-us
CHR DefaultSearchURL: Default -> hxxp://www.bing.com/search?FORM=__PARAM__DF&PC=__PARAM__&q={searchTerms}
CHR DefaultSearchKeyword: Default -> bing.com
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default
CHR Extension: (Google Slides) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-08-15]
CHR Extension: (Google Docs) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-08-15]
CHR Extension: (Google Drive) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-08-15]
CHR Extension: (YouTube) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-08-15]
CHR Extension: (Adblock Plus) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-08-15]
CHR Extension: (Bing) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2016-08-15]
CHR Extension: (Google Sheets) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-08-15]
CHR Extension: (Chrome Remote Desktop) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp [2016-08-15]
CHR Extension: (Google Docs Offline) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-08-15]
CHR Extension: (Unlimited Free VPN - Hola) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2016-08-15]
CHR Extension: (Skype) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2016-08-15]
CHR Extension: (Ghostery) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2016-08-15]
CHR Extension: (Chrome Web Store Payments) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-15]
CHR Extension: (Gmail) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-08-15]
CHR Extension: (Chrome Media Router) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-15]
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-08-15]
CHR Extension: (Google Docs) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-08-15]
CHR Extension: (Google Drive) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-08-15]
CHR Extension: (YouTube) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-08-15]
CHR Extension: (Adblock Plus) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-08-15]
CHR Extension: (Google Sheets) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-08-15]
CHR Extension: (Chrome Remote Desktop) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp [2016-08-15]
CHR Extension: (Google Docs Offline) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-08-15]
CHR Extension: (Ghostery) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2016-08-15]
CHR Extension: (Chrome Web Store Payments) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-15]
CHR Extension: (Gmail) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-08-15]
CHR Extension: (Chrome Media Router) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-15]
CHR HKU\S-1-5-21-907560198-880740586-4193796491-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2016-05-25]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-23] (SUPERAntiSpyware.com)
S2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1364096 2016-05-25] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1687680 2016-05-25] (Microsoft Corporation)
S2 chromoting; C:\Program Files (x86)\Google\Chrome Remote Desktop\52.0.2743.48\remoting_host.exe [76616 2016-06-20] (Google Inc.)
R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [374360 2016-05-27] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-12] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-12] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-07-17] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-07-17] (Intel Corporation)
R2 Lenovo.VIRTSCRLSVC; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [136288 2012-08-11] (Lenovo Group Limited)
S3 SUService; C:\Program Files (x86)\Lenovo\System Update\SUService.exe [24560 2014-06-18] ()
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [255096 2015-10-25] (Synaptics Incorporated)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [7248144 2016-08-09] (TeamViewer GmbH)
R2 valWBFPolicyService; C:\Windows\system32\valWBFPolicyService.exe [86544 2016-07-13] (Synaptics Incorporated)
R2 valWbioSyncSvc; C:\Windows\system32\valWbioSyncSvc.exe [56848 2016-07-13] (Synaptics Incorporated)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2016-07-01] (Microsoft Corporation)
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [13924080 2016-08-11] (Zemana Ltd.)
S2 Edervu; "C:\Users\User\AppData\Roaming\IkahaTom\Hutkaya.exe" -cms [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [129152 2016-04-25] (Samsung Electronics Co., Ltd.)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-08-11] ()
R0 IntelHSWPcc; C:\Windows\System32\drivers\IntelPcc.sys [101976 2013-04-25] (Intel Corporation)
R3 ISCT; C:\Windows\System32\drivers\ISCTD64.sys [47008 2013-07-30] ()
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
R3 RtkBtFilter; C:\Windows\system32\DRIVERS\RtkBtfilter.sys [615728 2015-06-04] (Realtek Semiconductor Corporation)
R3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [761600 2015-06-15] (Realsil Semiconductor Corporation)
R3 RTWlanE; C:\Windows\System32\drivers\rtwlane.sys [3445248 2015-10-30] (Realtek Semiconductor Corporation                           )
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [51320 2015-10-25] (Synaptics Incorporated)
R1 SMIDriver; C:\Windows\system32\DRIVERS\smi.sys [39488 2016-07-13] (Synaptics Incorporated)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
R1 ZAM; C:\WINDOWS\System32\drivers\zam64.sys [203680 2016-08-16] (Zemana Ltd.)
R1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard64.sys [203680 2016-08-16] (Zemana Ltd.)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-08-16 20:09 - 2016-08-16 20:10 - 00023892 _____ C:\Users\User\Downloads\FRST.txt
2016-08-16 20:08 - 2016-08-16 20:09 - 00000000 ____D C:\FRST
2016-08-16 20:06 - 2016-08-16 20:07 - 02394624 _____ (Farbar) C:\Users\User\Downloads\FRST64.exe
2016-08-16 10:19 - 2016-08-16 10:19 - 06761600 _____ (ESET spol. s r.o.) C:\Users\User\Downloads\esetonlinescanner_enu.exe
2016-08-16 10:19 - 2016-08-16 10:19 - 00000000 ____D C:\Users\User\AppData\Local\ESET
2016-08-16 09:18 - 2016-08-16 09:18 - 00012872 _____ (SurfRight B.V.) C:\WINDOWS\system32\bootdelete.exe
2016-08-16 08:59 - 2016-08-16 09:18 - 00000000 ____D C:\ProgramData\HitmanPro
2016-08-16 08:58 - 2016-08-16 09:00 - 11438608 _____ (SurfRight B.V.) C:\Users\User\Downloads\HitmanPro_x64.exe
2016-08-16 08:53 - 2016-08-16 09:58 - 00001830 _____ C:\Users\User\Desktop\sc-cleaner.txt
2016-08-16 08:15 - 2016-08-16 20:09 - 01765026 _____ C:\WINDOWS\ZAM.krnl.trace
2016-08-16 08:15 - 2016-08-16 20:09 - 00255071 _____ C:\WINDOWS\ZAM_Guard.krnl.trace
2016-08-16 08:15 - 2016-08-16 08:42 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2016-08-16 08:15 - 2016-08-16 08:15 - 00203680 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zamguard64.sys
2016-08-16 08:15 - 2016-08-16 08:15 - 00203680 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zam64.sys
2016-08-16 08:15 - 2016-08-16 08:15 - 00001145 _____ C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2016-08-16 08:15 - 2016-08-16 08:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2016-08-16 08:13 - 2016-08-16 08:13 - 00000000 ____D C:\Users\User\AppData\Local\Zemana
2016-08-16 08:11 - 2016-08-16 08:12 - 05603048 _____ ( ) C:\Users\User\Downloads\Zemana.AntiMalware.Setup.exe
2016-08-16 08:07 - 2016-08-16 08:09 - 00000000 ____D C:\Users\User\Downloads\rkill
2016-08-16 08:00 - 2016-08-16 08:00 - 00000000 ___HD C:\OneDriveTemp
2016-08-15 14:08 - 2016-08-15 14:08 - 00001321 _____ C:\Users\User\Downloads\setup.zip
2016-08-15 13:31 - 2016-08-15 13:31 - 00001064 _____ C:\Users\User\Desktop\AdwCleaner.exe - Shortcut.lnk
2016-08-15 11:59 - 2016-08-15 11:59 - 00000000 ____D C:\Users\User\AppData\Local\BlueStacks
2016-08-15 11:50 - 2016-08-15 11:50 - 00000000 ____D C:\Users\User\AppData\Local\TeamViewer
2016-08-15 11:47 - 2016-08-16 11:33 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2016-08-15 11:47 - 2016-08-15 11:47 - 00001112 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 11.lnk
2016-08-15 11:47 - 2016-08-15 11:47 - 00001100 _____ C:\Users\Public\Desktop\TeamViewer 11.lnk
2016-08-15 11:47 - 2016-08-15 11:47 - 00000000 ____D C:\Users\User\AppData\Roaming\TeamViewer
2016-08-15 11:46 - 2016-08-15 11:47 - 09814472 _____ (TeamViewer GmbH) C:\Users\User\Downloads\TeamViewer_Setup_en.exe
2016-08-15 11:16 - 2016-08-15 11:17 - 00034667 _____ C:\Users\User\Downloads\MTB.txt
2016-08-15 11:16 - 2016-08-15 11:16 - 00892416 _____ (Farbar) C:\Users\User\Downloads\MiniToolBox.exe
2016-08-15 10:46 - 2016-08-16 18:11 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-08-15 10:45 - 2016-08-15 11:01 - 00000670 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-08-15 10:45 - 2016-08-15 10:45 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-08-15 10:45 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2016-08-15 10:45 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-08-15 10:45 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-08-15 10:42 - 2016-08-15 10:43 - 22851472 _____ (Malwarebytes ) C:\Users\User\Downloads\mbam-setup-2.2.1.1043.exe
2016-08-15 10:23 - 2016-08-15 10:23 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\User\Desktop\rkill.exe
2016-08-15 10:23 - 2016-08-15 10:23 - 01106888 _____ (Bleeping Computer, LLC) C:\Users\User\Desktop\rkill64.exe
2016-08-15 10:13 - 2016-08-15 10:13 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2016-08-15 10:12 - 2016-08-15 10:17 - 00249260 _____ C:\WINDOWS\ntbtlog.txt
2016-08-15 09:19 - 2016-08-15 10:20 - 00477600 _____ (Bleeping Computer, LLC) C:\Users\User\Downloads\sc-cleaner.exe
2016-08-15 09:12 - 2016-08-16 09:57 - 00000000 ____D C:\AdwCleaner
2016-08-15 09:08 - 2016-08-16 08:09 - 00004724 _____ C:\Users\User\Desktop\Rkill.txt
2016-08-15 09:06 - 2016-08-15 09:06 - 00912452 _____ C:\Users\User\Downloads\rkill.zip
2016-08-15 09:04 - 2016-08-15 10:21 - 02915320 _____ (Google) C:\Users\User\Downloads\chrome_cleanup_tool.exe
2016-08-15 09:02 - 2016-08-15 09:12 - 03784256 _____ C:\Users\User\Downloads\AdwCleaner.exe
2016-08-15 09:00 - 2016-08-15 09:00 - 00081928 _____ C:\Users\User\Downloads\download.htm
2016-08-15 08:19 - 2016-08-15 08:19 - 00000000 ____D C:\Users\User\AppData\Local\join.me
2016-08-15 08:07 - 2016-08-15 08:07 - 00000000 ____D C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
2016-08-15 08:04 - 2016-08-16 08:36 - 00001237 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-08-15 08:04 - 2016-08-16 08:36 - 00001237 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-08-14 15:28 - 2008-05-05 15:19 - 00000000 ____D C:\Users\User\Desktop\Elemental Dragon series
2016-08-13 19:34 - 2016-08-13 19:34 - 00000000 ____D C:\SUPERDelete
2016-08-13 19:13 - 2016-08-13 19:13 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-08-13 15:42 - 2016-08-03 16:44 - 01505984 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2016-08-13 15:42 - 2016-08-03 16:44 - 00092352 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2016-08-13 15:42 - 2016-08-03 16:44 - 00050368 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2016-08-13 15:42 - 2016-08-03 16:06 - 07469408 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2016-08-13 15:42 - 2016-08-03 16:06 - 00099680 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\pdc.sys
2016-08-13 15:42 - 2016-08-03 16:06 - 00037744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wldp.dll
2016-08-13 15:42 - 2016-08-03 16:00 - 00026408 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2016-08-13 15:42 - 2016-08-03 15:53 - 00693600 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupEngine.dll
2016-08-13 15:42 - 2016-08-03 15:53 - 00115040 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupApi.dll
2016-08-13 15:42 - 2016-08-03 15:52 - 01322760 _____ (Microsoft Corporation) C:\WINDOWS\system32\ole32.dll
2016-08-13 15:42 - 2016-08-03 15:52 - 00808288 _____ (Microsoft Corporation) C:\WINDOWS\system32\WWAHost.exe
2016-08-13 15:42 - 2016-08-03 15:52 - 00465248 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\storport.sys
2016-08-13 15:42 - 2016-08-03 15:52 - 00331616 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\pci.sys
2016-08-13 15:42 - 2016-08-03 15:52 - 00058408 _____ (Microsoft Corporation) C:\WINDOWS\system32\SensorsNativeApi.dll
2016-08-13 15:42 - 2016-08-03 15:51 - 22561256 _____ (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
2016-08-13 15:42 - 2016-08-03 15:51 - 03675512 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2016-08-13 15:42 - 2016-08-03 15:51 - 00566112 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingSyncHost.exe
2016-08-13 15:42 - 2016-08-03 15:51 - 00303216 _____ (Microsoft Corporation) C:\WINDOWS\system32\LockAppHost.exe
2016-08-13 15:42 - 2016-08-03 15:50 - 01540224 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppobjs.dll
2016-08-13 15:42 - 2016-08-03 15:50 - 00692136 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppwinob.dll
2016-08-13 15:42 - 2016-08-03 15:49 - 00604928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2016-08-13 15:42 - 2016-08-03 15:49 - 00161632 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys
2016-08-13 15:42 - 2016-08-03 15:43 - 01988448 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgkrnl.sys
2016-08-13 15:42 - 2016-08-03 15:43 - 00576864 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms2.sys
2016-08-13 15:42 - 2016-08-03 15:43 - 00393056 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms1.sys
2016-08-13 15:42 - 2016-08-03 15:41 - 00422744 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\rdbss.sys
2016-08-13 15:42 - 2016-08-03 15:21 - 00123392 _____ (Microsoft Corporation) C:\WINDOWS\system32\tdlrecover.exe
2016-08-13 15:42 - 2016-08-03 15:21 - 00084480 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdpudd.dll
2016-08-13 15:42 - 2016-08-03 15:16 - 22384128 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2016-08-13 15:42 - 2016-08-03 15:14 - 00189952 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotification.exe
2016-08-13 15:42 - 2016-08-03 15:14 - 00063488 _____ (Microsoft Corporation) C:\WINDOWS\system32\wshbth.dll
2016-08-13 15:42 - 2016-08-03 15:14 - 00044544 _____ (Microsoft Corporation) C:\WINDOWS\system32\musdialoghandlers.dll
2016-08-13 15:42 - 2016-08-03 15:13 - 16985088 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Xaml.dll
2016-08-13 15:42 - 2016-08-03 15:11 - 00128512 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\bthpan.sys
2016-08-13 15:42 - 2016-08-03 15:11 - 00112640 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\bthenum.sys
2016-08-13 15:42 - 2016-08-03 15:11 - 00064000 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.StateRepositoryClient.dll
2016-08-13 15:42 - 2016-08-03 15:11 - 00059904 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.StateRepositoryBroker.dll
2016-08-13 15:42 - 2016-08-03 15:10 - 00181248 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\rfcomm.sys
2016-08-13 15:42 - 2016-08-03 15:10 - 00127488 _____ (Microsoft Corporation) C:\WINDOWS\system32\VEDataLayerHelpers.dll
2016-08-13 15:42 - 2016-08-03 15:10 - 00091136 _____ (Microsoft Corporation) C:\WINDOWS\system32\bthserv.dll
2016-08-13 15:42 - 2016-08-03 15:10 - 00058880 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotificationUx.exe
2016-08-13 15:42 - 2016-08-03 15:10 - 00047616 _____ (Microsoft Corporation) C:\WINDOWS\system32\TpmTasks.dll
2016-08-13 15:42 - 2016-08-03 15:09 - 00218624 _____ (Microsoft Corporation) C:\WINDOWS\system32\cdd.dll
2016-08-13 15:42 - 2016-08-03 15:09 - 00104448 _____ (Microsoft Corporation) C:\WINDOWS\system32\BluetoothApis.dll
2016-08-13 15:42 - 2016-08-03 15:08 - 00412160 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusUpdateHandlers.dll
2016-08-13 15:42 - 2016-08-03 15:08 - 00379392 _____ (Microsoft Corporation) C:\WINDOWS\system32\usocore.dll
2016-08-13 15:42 - 2016-08-03 15:07 - 00110080 _____ (Microsoft Corporation) C:\WINDOWS\system32\IdCtrls.dll
2016-08-13 15:42 - 2016-08-03 15:06 - 00221696 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2016-08-13 15:42 - 2016-08-03 15:06 - 00211456 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupSvc.dll
2016-08-13 15:42 - 2016-08-03 15:06 - 00198144 _____ (Microsoft Corporation) C:\WINDOWS\system32\winsrv.dll
2016-08-13 15:42 - 2016-08-03 15:05 - 00764928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakradiag.dll
2016-08-13 15:42 - 2016-08-03 15:05 - 00200192 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUDFPlatform.dll
2016-08-13 15:42 - 2016-08-03 15:04 - 00383488 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2016-08-13 15:42 - 2016-08-03 15:03 - 00339968 _____ (Microsoft Corporation) C:\WINDOWS\system32\SensorService.dll
2016-08-13 15:42 - 2016-08-03 15:03 - 00285184 _____ (Microsoft Corporation) C:\WINDOWS\system32\VEEventDispatcher.dll
2016-08-13 15:42 - 2016-08-03 15:01 - 00506880 _____ (Microsoft Corporation) C:\WINDOWS\system32\tileobjserver.dll
2016-08-13 15:42 - 2016-08-03 15:01 - 00359936 _____ (Microsoft Corporation) C:\WINDOWS\system32\SensorsApi.dll
2016-08-13 15:42 - 2016-08-03 15:01 - 00247296 _____ (Microsoft Corporation) C:\WINDOWS\system32\wevtutil.exe
2016-08-13 15:42 - 2016-08-03 15:00 - 24613888 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2016-08-13 15:42 - 2016-08-03 15:00 - 00970752 _____ (Microsoft Corporation) C:\WINDOWS\system32\kerberos.dll
2016-08-13 15:42 - 2016-08-03 15:00 - 00515072 _____ (Microsoft Corporation) C:\WINDOWS\system32\OneDriveSettingSyncProvider.dll
2016-08-13 15:42 - 2016-08-03 14:59 - 14252544 _____ (Microsoft Corporation) C:\WINDOWS\system32\wmp.dll
2016-08-13 15:42 - 2016-08-03 14:59 - 02127360 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2016-08-13 15:42 - 2016-08-03 14:59 - 01500160 _____ (Microsoft Corporation) C:\WINDOWS\system32\RecoveryDrive.exe
2016-08-13 15:42 - 2016-08-03 14:59 - 01387520 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kbase.sys
2016-08-13 15:42 - 2016-08-03 14:59 - 00954368 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\bthport.sys
2016-08-13 15:42 - 2016-08-03 14:59 - 00784384 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2016-08-13 15:42 - 2016-08-03 14:59 - 00084992 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\BTHUSB.SYS
2016-08-13 15:42 - 2016-08-03 14:58 - 01213440 _____ (Microsoft Corporation) C:\WINDOWS\system32\wwansvc.dll
2016-08-13 15:42 - 2016-08-03 14:58 - 00848896 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2016-08-13 15:42 - 2016-08-03 14:58 - 00529920 _____ (Microsoft Corporation) C:\WINDOWS\system32\LogonController.dll
2016-08-13 15:42 - 2016-08-03 14:57 - 07536640 _____ (Microsoft Corporation) C:\WINDOWS\system32\mstscax.dll
2016-08-13 15:42 - 2016-08-03 14:57 - 01752576 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2016-08-13 15:42 - 2016-08-03 14:57 - 01717760 _____ (Microsoft Corporation) C:\WINDOWS\system32\GdiPlus.dll
2016-08-13 15:42 - 2016-08-03 14:57 - 00381952 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuuhext.dll
2016-08-13 15:42 - 2016-08-03 14:50 - 13390336 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2016-08-13 15:42 - 2016-08-03 14:48 - 06974464 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Data.Pdf.dll
2016-08-13 15:42 - 2016-08-03 14:48 - 02067968 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentExtensions.dll
2016-08-13 15:42 - 2016-08-03 14:48 - 01388032 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2016-08-13 15:42 - 2016-08-03 14:47 - 02175488 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentServer.dll
2016-08-13 15:42 - 2016-08-03 14:46 - 05123072 _____ (Microsoft Corporation) C:\WINDOWS\system32\dbgeng.dll
2016-08-13 15:42 - 2016-08-03 14:46 - 03589120 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
2016-08-13 15:42 - 2016-08-03 14:46 - 02635776 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Logon.dll
2016-08-13 15:42 - 2016-08-03 14:46 - 01732096 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2016-08-13 15:42 - 2016-08-03 14:45 - 07833088 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
2016-08-13 15:42 - 2016-08-03 14:44 - 04895232 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2016-08-13 15:42 - 2016-08-03 14:44 - 01997824 _____ (Microsoft Corporation) C:\WINDOWS\system32\ActiveSyncProvider.dll
2016-08-13 15:42 - 2016-08-03 14:43 - 03025920 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2016-08-13 15:42 - 2016-08-03 14:43 - 02280960 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2016-08-13 15:42 - 2016-08-03 14:42 - 02746368 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.StateRepository.dll
2016-08-13 15:42 - 2016-08-03 14:41 - 04171264 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdpcorets.dll
2016-08-13 15:42 - 2016-08-03 11:22 - 00034088 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wldp.dll
2016-08-13 15:42 - 2016-08-03 11:04 - 00501592 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupEngine.dll
2016-08-13 15:42 - 2016-08-03 11:04 - 00084832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupApi.dll
2016-08-13 15:42 - 2016-08-03 11:03 - 00051128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SensorsNativeApi.dll
2016-08-13 15:42 - 2016-08-03 11:01 - 02921368 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2016-08-13 15:42 - 2016-08-03 11:01 - 00957608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ole32.dll
2016-08-13 15:42 - 2016-08-03 11:01 - 00703840 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WWAHost.exe
2016-08-13 15:42 - 2016-08-03 11:00 - 21123320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shell32.dll
2016-08-13 15:42 - 2016-08-03 11:00 - 00465760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SettingSyncHost.exe
2016-08-13 15:42 - 2016-08-03 11:00 - 00255168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\LockAppHost.exe
2016-08-13 15:42 - 2016-08-03 10:27 - 00091648 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tdlrecover.exe
2016-08-13 15:42 - 2016-08-03 10:18 - 00051712 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wshbth.dll
2016-08-13 15:42 - 2016-08-03 10:17 - 13018112 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Xaml.dll
2016-08-13 15:42 - 2016-08-03 10:14 - 00048640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.StateRepositoryClient.dll
2016-08-13 15:42 - 2016-08-03 10:14 - 00048128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.StateRepositoryBroker.dll
2016-08-13 15:42 - 2016-08-03 10:12 - 00080896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\BluetoothApis.dll
2016-08-13 15:42 - 2016-08-03 10:10 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\IdCtrls.dll
2016-08-13 15:42 - 2016-08-03 10:09 - 19351040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2016-08-13 15:42 - 2016-08-03 10:07 - 00335872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2016-08-13 15:42 - 2016-08-03 10:07 - 00219136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\VEEventDispatcher.dll
2016-08-13 15:42 - 2016-08-03 10:05 - 00286208 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SensorsApi.dll
2016-08-13 15:42 - 2016-08-03 10:05 - 00178688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wevtutil.exe
2016-08-13 15:42 - 2016-08-03 10:04 - 00792064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kerberos.dll
2016-08-13 15:42 - 2016-08-03 10:04 - 00400896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\OneDriveSettingSyncProvider.dll
2016-08-13 15:42 - 2016-08-03 10:03 - 18677760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2016-08-13 15:42 - 2016-08-03 10:03 - 02050048 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2016-08-13 15:42 - 2016-08-03 10:03 - 00687616 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2016-08-13 15:42 - 2016-08-03 10:02 - 12585984 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wmp.dll
2016-08-13 15:42 - 2016-08-03 10:02 - 01526272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2016-08-13 15:42 - 2016-08-03 10:02 - 01467392 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\GdiPlus.dll
2016-08-13 15:42 - 2016-08-03 10:02 - 00434688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\LogonController.dll
2016-08-13 15:42 - 2016-08-03 10:01 - 06743040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mstscax.dll
2016-08-13 15:42 - 2016-08-03 10:01 - 00705536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2016-08-13 15:42 - 2016-08-03 09:59 - 12133376 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2016-08-13 15:42 - 2016-08-03 09:58 - 03663360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2016-08-13 15:42 - 2016-08-03 09:55 - 05323776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Data.Pdf.dll
2016-08-13 15:42 - 2016-08-03 09:55 - 04078080 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dbgeng.dll
2016-08-13 15:42 - 2016-08-03 09:53 - 05660672 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
2016-08-13 15:42 - 2016-08-03 09:53 - 01799680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Logon.dll
2016-08-13 15:42 - 2016-08-03 09:52 - 02501120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2016-08-13 15:42 - 2016-08-03 09:52 - 01502208 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2016-08-13 15:42 - 2016-08-03 09:51 - 01708032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ActiveSyncProvider.dll
2016-08-13 15:42 - 2016-08-03 09:49 - 02180096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.StateRepository.dll
2016-08-11 22:38 - 2016-08-11 22:38 - 00250912 _____ C:\WINDOWS\SysWOW64\kz.exe
2016-08-11 22:18 - 2016-08-11 22:18 - 00000000 ____D C:\WINDOWS\system32\oghu
2016-08-11 21:46 - 2016-08-11 21:46 - 00000000 _____ C:\autoexec.bat
2016-08-11 21:41 - 2016-08-11 21:41 - 00022704 _____ C:\WINDOWS\system32\Drivers\EsgScanner.sys
2016-08-06 18:06 - 2016-08-06 18:06 - 00987728 _____ (Google Inc.) C:\Users\User\Downloads\ChromeSetup (3).exe
2016-08-06 17:54 - 2016-08-06 17:54 - 00987728 _____ (Google Inc.) C:\Users\User\Downloads\ChromeSetup (2).exe
2016-08-06 17:22 - 2016-08-06 17:22 - 00987728 _____ (Google Inc.) C:\Users\User\Downloads\ChromeSetup (1).exe
2016-08-06 17:08 - 2016-08-06 17:09 - 00987728 _____ (Google Inc.) C:\Users\User\Downloads\ChromeSetup.exe
2016-08-06 16:31 - 2016-08-15 11:00 - 00000000 ____D C:\Users\User\AppData\Roaming\Nhamik
2016-08-06 16:31 - 2016-08-15 11:00 - 00000000 ____D C:\Users\User\AppData\LocalLow\Company
2016-08-06 16:31 - 2016-08-15 11:00 - 00000000 ____D C:\Program Files\Jukguyyekc
2016-08-06 16:31 - 2016-08-06 16:31 - 00000000 ____D C:\Users\User\AppData\Local\Tempfolder
2016-08-06 16:25 - 2016-08-15 11:02 - 00000000 ____D C:\Program Files\XBox
2016-08-06 16:23 - 2016-08-16 08:35 - 00000000 __SHD C:\Users\User\AppData\Local\Mojorojo
2016-08-06 16:23 - 2016-08-06 16:23 - 00138240 _____ C:\Users\User\AppData\Roaming\Installer.dat
2016-08-06 16:20 - 2016-08-06 16:18 - 00001045 _____ C:\WINDOWS\system32\Drivers\etc\hp.bak
2016-08-06 16:19 - 2016-08-06 16:19 - 00000000 ___HD C:\Program Files (x86)\5tc101
2016-08-06 16:16 - 2016-08-06 16:16 - 04909056 _____ C:\Users\User\Downloads\Cross.Stitch.Crazy.-.August.2016.pdf (1).iso
2016-08-06 16:15 - 2016-08-06 16:15 - 04909056 _____ C:\Users\User\Downloads\Cross.Stitch.Crazy.-.August.2016.pdf.iso
2016-08-03 16:12 - 2016-08-03 16:13 - 10553846 _____ C:\Users\User\Downloads\PMBOKGuideFifthEd.pdf
2016-08-02 11:23 - 2016-08-02 11:23 - 00000000 ____D C:\Users\User\AppData\LocalLow\Temp
2016-07-31 13:09 - 2016-07-31 13:09 - 00062424 _____ C:\Users\User\Downloads\2016-07-31-13-09-06-992_1469950746992_XXXPS6111X_Acknowledgement.pdf
2016-07-31 12:41 - 2016-07-31 12:41 - 00095574 _____ C:\Users\User\Desktop\2016-07-31-12-12-28-139_1469947348139_XXXPS6111X_ITRV.pdf
2016-07-31 12:39 - 2016-07-31 12:39 - 00044183 _____ C:\Users\User\Downloads\2016-07-31-12-12-28-139_1469947348139_XXXPS6111X_ITRV.zip
2016-07-31 12:21 - 2016-07-31 12:21 - 00060936 _____ C:\Users\User\Downloads\AEOPC7095K-2016.pdf
2016-07-31 11:44 - 2016-07-31 11:44 - 00053621 _____ C:\Users\User\Downloads\AZSPS6111R-2016.pdf
2016-07-31 11:43 - 2016-07-31 11:43 - 00055131 _____ C:\Users\User\Downloads\AZSPS6111R-2015 (1).pdf
2016-07-31 11:41 - 2016-07-31 11:41 - 00055134 _____ C:\Users\User\Downloads\AZSPS6111R-2015.pdf
2016-07-31 11:33 - 2016-07-31 11:33 - 00040070 _____ C:\Users\User\Downloads\Payslip_100733270_UserSaluja_Nov2015.htm
2016-07-28 19:55 - 2016-07-28 19:55 - 00347553 _____ C:\Users\User\Downloads\Ranita Saluja-Test Report.pdf
2016-07-28 19:54 - 2016-07-28 19:54 - 08732820 _____ C:\Users\User\Downloads\PRINCE2Manual (1).pdf
2016-07-28 19:47 - 2016-07-28 19:47 - 08733059 _____ C:\Users\User\Downloads\PRINCE2 OGC Manual.pdf
2016-07-28 19:47 - 2016-07-28 19:47 - 00627168 _____ C:\Users\User\Downloads\3_ITIL Foundations Course Serv Del (1).pdf
2016-07-28 19:47 - 2016-07-28 19:47 - 00618225 _____ C:\Users\User\Downloads\2_ITIL Foundations Course Service Supp (1).pdf
2016-07-28 19:47 - 2016-07-28 19:47 - 00345348 _____ C:\Users\User\Downloads\1_ITIL Foundations Course Intro (1).pdf
2016-07-28 19:46 - 2016-07-28 19:47 - 00975857 _____ C:\Users\User\Downloads\V3_ITIL_Foundation1.pdf
2016-07-28 19:45 - 2016-07-28 19:45 - 01764864 _____ C:\Users\User\Downloads\Salary Computation-IMPORTANT.xls
2016-07-28 19:43 - 2016-07-28 19:43 - 00139818 _____ C:\Users\User\Downloads\tutorialspoint.com_PMP_Mock_Exam_200_Q_A.pdf
2016-07-28 19:43 - 2016-07-28 19:43 - 00031770 _____ C:\Users\User\Downloads\PMP Prepwork march 2013.xlsx
2016-07-28 19:42 - 2016-07-28 19:42 - 04304851 _____ C:\Users\User\Downloads\The.Secret._Rhonda.Byrne_.pdf
2016-07-28 19:40 - 2016-07-28 19:40 - 00627168 _____ C:\Users\User\Downloads\3_ITIL Foundations Course Serv Del.pdf
2016-07-28 19:40 - 2016-07-28 19:40 - 00618225 _____ C:\Users\User\Downloads\2_ITIL Foundations Course Service Supp.pdf
2016-07-28 19:40 - 2016-07-28 19:40 - 00345348 _____ C:\Users\User\Downloads\1_ITIL Foundations Course Intro.pdf
2016-07-28 19:32 - 2016-07-28 19:32 - 00145920 _____ C:\Users\User\Downloads\FTE Analysis_FIFO_back01.xls
2016-07-28 19:32 - 2016-07-28 19:32 - 00044032 _____ C:\Users\User\Downloads\vipin doc(1).xls
2016-07-28 19:31 - 2016-07-28 19:31 - 00668160 _____ C:\Users\User\Downloads\MOST 4.0.ppt
2016-07-28 19:31 - 2016-07-28 19:31 - 00045568 _____ C:\Users\User\Downloads\C&R - PP Timelines.xls
2016-07-28 19:31 - 2016-07-28 19:31 - 00039424 _____ C:\Users\User\Downloads\FTE Analysis.xls
2016-07-28 19:30 - 2016-07-28 19:31 - 01889093 _____ C:\Users\User\Downloads\PP - Roadway Rating.pdf
2016-07-28 19:30 - 2016-07-28 19:30 - 00054272 _____ C:\Users\User\Downloads\FTE validation - C&R (Yellow) v1.xls
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-08-16 20:07 - 2014-08-03 15:02 - 00000912 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-16 19:53 - 2014-11-09 18:44 - 00000914 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-907560198-880740586-4193796491-1001UA.job
2016-08-16 19:40 - 2014-10-19 02:13 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-08-16 15:56 - 2014-08-03 05:37 - 00000000 ____D C:\Users\User\AppData\Local\Packages
2016-08-16 09:36 - 2014-08-03 21:14 - 00000000 __RDO C:\Users\User\OneDrive
2016-08-16 09:32 - 2015-07-16 16:11 - 00000000 ____D C:\Users\User\AppData\Roaming\Skype
2016-08-16 09:32 - 2014-08-03 15:02 - 00000908 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-16 09:31 - 2016-07-16 14:18 - 00000000 ____D C:\ProgramData\Synaptics
2016-08-16 09:31 - 2016-06-18 20:47 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2016-08-16 09:31 - 2016-04-27 11:04 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-08-16 09:31 - 2014-08-03 08:05 - 00000000 __SHD C:\Users\User\IntelGraphicsProfiles
2016-08-16 09:30 - 2015-10-30 11:58 - 00524288 ___SH C:\WINDOWS\system32\config\BBI
2016-08-16 08:09 - 2015-10-30 12:54 - 00000000 ___HD C:\Program Files\WindowsApps
2016-08-16 08:09 - 2015-10-30 12:54 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-08-16 08:01 - 2015-07-16 16:11 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-08-16 08:01 - 2015-07-16 16:11 - 00000000 ____D C:\ProgramData\Skype
2016-08-15 20:53 - 2014-11-09 18:44 - 00000862 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-907560198-880740586-4193796491-1001Core.job
2016-08-15 13:17 - 2016-04-27 03:01 - 00351424 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-08-15 12:02 - 2015-10-30 12:51 - 00000000 ____D C:\WINDOWS\INF
2016-08-15 11:59 - 2015-10-30 12:54 - 00000000 __RHD C:\Users\Public\Libraries
2016-08-15 11:58 - 2014-10-30 14:20 - 00000000 ____D C:\ProgramData\Package Cache
2016-08-15 11:57 - 2014-08-07 04:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2016-08-15 11:56 - 2014-08-07 04:56 - 00000000 ____D C:\Program Files (x86)\HP
2016-08-15 11:26 - 2016-06-18 21:06 - 00879220 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-08-15 11:02 - 2015-10-30 12:54 - 00000000 ___RD C:\WINDOWS\Offline Web Pages
2016-08-15 11:01 - 2016-06-18 21:55 - 00001047 _____ C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Optional Features.lnk
2016-08-15 11:01 - 2016-06-18 21:48 - 00002395 _____ C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2016-08-15 11:01 - 2016-06-18 20:56 - 00001576 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-08-15 11:01 - 2015-08-14 22:16 - 00002295 _____ C:\ProgramData\Microsoft\Windows\Start Menu\WinZip.lnk
2016-08-15 11:01 - 2015-08-14 22:16 - 00002289 _____ C:\Users\Public\Desktop\WinZip.lnk
2016-08-15 11:01 - 2015-07-31 06:42 - 00002558 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mouse Properties (Touchpad Clickpad Trackpad TrackPoint Mouse Pointer Pointing Pad).lnk
2016-08-15 11:01 - 2015-07-27 20:32 - 00001795 _____ C:\Users\Public\Desktop\iTunes.lnk
2016-08-15 11:01 - 2015-07-27 20:30 - 00002535 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
2016-08-15 11:01 - 2015-07-16 16:11 - 00002713 _____ C:\Users\Public\Desktop\Skype.lnk
2016-08-15 11:01 - 2015-07-06 00:42 - 00001364 _____ C:\Users\User\Desktop\vlc.exe - Shortcut.lnk
2016-08-15 11:01 - 2014-08-04 04:01 - 00001864 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2016-08-15 11:01 - 2014-08-03 16:28 - 00000949 _____ C:\ProgramData\Microsoft\Windows\Start Menu\µTorrent.lnk
2016-08-15 11:01 - 2014-08-03 16:28 - 00000943 _____ C:\Users\Public\Desktop\µTorrent.lnk
2016-08-15 11:01 - 2014-08-03 08:48 - 00002110 _____ C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Update Search.lnk
2016-08-15 11:00 - 2014-10-16 03:09 - 00000000 ____D C:\ProgramData\Browser
2016-08-15 11:00 - 2014-08-12 00:22 - 00000000 ____D C:\Program Files (x86)\MossNet
2016-08-15 10:23 - 2015-07-05 16:36 - 00000000 ____D C:\ProgramData\BlueStacksSetup
2016-08-15 10:08 - 2016-06-18 20:50 - 00000000 ____D C:\Users\User
2016-08-15 08:04 - 2014-08-03 15:02 - 00000000 ____D C:\Users\User\AppData\Local\Google
2016-08-15 08:04 - 2014-08-03 15:02 - 00000000 ____D C:\Program Files (x86)\Google
2016-08-13 20:28 - 2015-10-30 12:54 - 00000000 ____D C:\WINDOWS\rescache
2016-08-13 19:56 - 2016-04-27 11:12 - 00000000 __RHD C:\Users\Public\AccountPictures
2016-08-13 19:53 - 2014-08-04 04:01 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2016-08-13 19:52 - 2016-04-27 10:52 - 00000000 ____D C:\Program Files\Windows Journal
2016-08-13 19:52 - 2015-10-30 12:54 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2016-08-13 19:52 - 2015-10-30 12:54 - 00000000 ____D C:\WINDOWS\SysWOW64\en-GB
2016-08-13 19:52 - 2015-10-30 12:54 - 00000000 ____D C:\WINDOWS\system32\en-GB
2016-08-13 19:52 - 2015-10-30 12:54 - 00000000 ____D C:\WINDOWS\system32\appraiser
2016-08-13 19:18 - 2015-10-30 12:54 - 00000000 ____D C:\WINDOWS\system32\SecureBootUpdates
2016-08-13 19:18 - 2015-10-30 12:41 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-08-13 19:18 - 2014-08-12 05:48 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2016-08-13 19:18 - 2013-08-22 18:55 - 00000167 _____ C:\WINDOWS\win.ini
2016-08-13 19:17 - 2014-08-03 08:23 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-08-13 19:13 - 2014-08-03 08:23 - 147640136 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-08-06 16:52 - 2015-10-30 12:54 - 00000000 ____D C:\WINDOWS\system32\NDF
2016-07-30 21:02 - 2014-08-03 15:02 - 00003970 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2016-07-30 21:02 - 2014-08-03 15:02 - 00003738 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2016-07-30 20:48 - 2014-11-09 18:44 - 00004028 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-907560198-880740586-4193796491-1001UA
2016-07-30 20:48 - 2014-11-09 18:44 - 00003652 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-907560198-880740586-4193796491-1001Core
2016-07-28 16:21 - 2014-08-03 16:27 - 00000000 ____D C:\Users\User\AppData\Roaming\uTorrent
2016-07-28 00:55 - 2014-08-03 08:10 - 00504488 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2016-07-18 20:51 - 2016-06-18 21:48 - 00000000 ____D C:\Users\User\AppData\Local\MicrosoftEdge
 
==================== Files in the root of some directories =======
 
2010-08-29 02:13 - 2010-08-29 02:13 - 0096256 ____N (Google, inc) C:\Users\User\AppData\Roaming\AdbWinApi.dll
2010-08-29 02:13 - 2010-08-29 02:13 - 0060928 ____N (Google, inc) C:\Users\User\AppData\Roaming\AdbWinUsbApi.dll
2016-08-06 16:23 - 2016-08-06 16:23 - 0138240 _____ () C:\Users\User\AppData\Roaming\Installer.dat
2015-09-10 09:15 - 2015-09-10 09:15 - 0000000 _____ () C:\Users\User\AppData\Local\{B3BE9CAB-CF91-4FAC-8E32-BF6D2C62B938}
2014-08-07 04:56 - 2014-08-07 04:56 - 0000057 _____ () C:\ProgramData\Ament.ini
2016-06-18 20:47 - 2016-06-18 20:47 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
Some files in TEMP:
====================
C:\Users\User\AppData\Local\Temp\libeay32.dll
C:\Users\User\AppData\Local\Temp\msvcr120.dll
C:\Users\User\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll
[2016-06-19 02:08] - [2016-06-19 02:08] - 0686976 ____N (Microsoft Corporation) 4D6E6D11B7EB2FF2D0AA70BC58F2C40E
 
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-08-14 15:02
 
==================== End of FRST.txt ============================

 

 

Addition.txt is attached.
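As an added example (not part of this post and not FRST's own code), a small Python parser for the "Bamital & volsnap" section of an FRST log: it records each checked file, keeps the size, version-info company string and MD5 that FRST prints only for files that fail verification, and flags basenames where one architecture's copy is signed while another is not, which is exactly the dnsapi.dll pattern in the scan above. The line layout is inferred from the log above, and the sample section is constructed from its lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of FRST's "Bamital & volsnap" section; the
# dnsapi.dll lines are copied from the scan posted above.
SAMPLE_SECTION = r"""
==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll
[2016-06-19 02:08] - [2016-06-19 02:08] - 0686976 ____N (Microsoft Corporation) 4D6E6D11B7EB2FF2D0AA70BC58F2C40E

C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-08-14 15:02
"""

SECTION_MARKER = "Bamital & volsnap"
# "<path> => File is digitally signed" is FRST's pass line.
SIGNED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => File is digitally signed$")
# A bare path line means the file did NOT verify; FRST then prints a detail line:
# [created] - [modified] - size attrs (version-info company) MD5
PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*)$")
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S{5}) (?:\((?P<company>[^)]*)\) )?"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class Verification:
    path: str
    signed: bool
    size: Optional[int] = None
    company: Optional[str] = None  # version-resource string, NOT a signature
    md5: Optional[str] = None

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_bamital_section(log_text: str) -> List[Verification]:
    """Return one Verification per file FRST checked in the Bamital & volsnap section."""
    results: List[Verification] = []
    in_section = False
    pending: Optional[Verification] = None  # unsigned entry awaiting its detail line
    for raw in log_text.splitlines():
        line = raw.strip()
        if SECTION_MARKER in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("====") or line.startswith("LastRegBack:"):
            break  # next section of the log
        if not line or line.startswith("("):
            continue  # blank line or FRST's parenthetical note
        m = SIGNED_RE.match(line)
        if m:
            results.append(Verification(m["path"], signed=True))
            pending = None
            continue
        m = DETAIL_RE.match(line)
        if m and pending is not None:
            pending.size = int(m["size"])
            pending.company = m["company"]
            pending.md5 = m["md5"].upper()
            pending = None
            continue
        m = PATH_RE.match(line)
        if m:
            pending = Verification(m["path"], signed=False)
            results.append(pending)
    return results


def unsigned_files(results: List[Verification]) -> List[Verification]:
    """Files FRST could not verify; these need a manual hash and signature check."""
    return [r for r in results if not r.signed]


def mismatched_pairs(results: List[Verification]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Basenames where one copy (e.g. system32) fails while another (e.g. SysWOW64) passes."""
    by_name: Dict[str, List[Verification]] = {}
    for r in results:
        by_name.setdefault(r.basename, []).append(r)
    out: Dict[str, Tuple[List[str], List[str]]] = {}
    for name, group in by_name.items():
        signed = [r.path for r in group if r.signed]
        unsigned = [r.path for r in group if not r.signed]
        if signed and unsigned:
            out[name] = (signed, unsigned)
    return out


if __name__ == "__main__":
    checked = parse_bamital_section(SAMPLE_SECTION)
    for v in unsigned_files(checked):
        # A Microsoft company string on a file that fails verification is not
        # reassuring: version info is plain metadata that any build can set.
        print(f"UNVERIFIED {v.path} size={v.size} company={v.company!r} md5={v.md5}")
    for name, (ok, bad) in mismatched_pairs(checked).items():
        print(f"MISMATCH {name}: signed={ok} unsigned={bad}")
```

The MD5 that FRST prints for an unverified file is the value to look up against a known-good copy of the same Windows build before deciding whether the file was replaced.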

#2 nasdaq

  • Malware Response Team
  • 40,476 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 August 2016 - 10:50 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Windows Firewall is disabled.
Turn ON your Firewall Windows 10.
https://support.microsoft.com/en-us/instantanswers/c9955ad9-1239-4cb2-988c-982f851617ed/turn-windows-firewall-on-or-off
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(© 2015 Microsoft Corporation) C:\Users\User\AppData\Local\Microsoft\BingSvc\BingSvc.exe
HKU\S-1-5-21-907560198-880740586-4193796491-1001\...\Run: [BingSvc] => C:\Users\User\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2016-02-15] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-907560198-880740586-4193796491-1001\...\Run: [Mojorojo] => C:\Users\User\AppData\Local\Mojorojo\Mojorojo.exe [53248 2016-08-06] ()
ShellIconOverlayIdentifiers: [JzShlobj] -> {7B286609-DA97-47E1-AC6B-33B8B4732C95} =>  No File
ShellIconOverlayIdentifiers: [KzShlobj2] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F3} =>  No File
CHR Extension: (Chrome Web Store Payments) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-15]
CHR Extension: (Chrome Web Store Payments) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-15]
CHR HKU\S-1-5-21-907560198-880740586-4193796491-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
S2 Edervu; "C:\Users\User\AppData\Roaming\IkahaTom\Hutkaya.exe" -cms [X]
C:\Users\User\AppData\Local\Microsoft\BingSvc\BingSvc.exe
C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
CustomCLSID: HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
Task: {2EF47E7D-7275-4680-9FAD-7DD985215131} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {3AAA05C0-F94F-428D-98A6-57749E351A07} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {5A85F8E9-2F2D-490A-BF22-9ACA1D91AB82} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {5C958236-EAE9-4AC0-846C-36CED1ECCA36} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {7A176664-D92E-4936-8AF6-026F56A36BD1} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {7D04B9EC-4EF2-46E4-90D0-350B73CD983C} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {87EC7BCD-6BD1-47F7-A9AC-994E71741241} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {8CBA4A51-AC48-47DC-A47F-BBD9F482EBE4} - \Microsoft\Windows\Setup\gwx\rundetector -> No File <==== ATTENTION
Task: {8D9B1E78-B6C2-4C20-9206-82FEE32D4CBC} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {8E103483-C201-4AAF-B3BB-08A72F43E20C} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {8E3991AA-F7E0-46AA-8B13-BC13CAEB6951} - \Microsoft\Windows\Setup\GWXTriggers\Time-Weekend -> No File <==== ATTENTION
Task: {9004D3F4-E1D0-49A3-A479-0EF06E9A8BB3} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {CAA0CDD5-9454-495E-9E10-0EC770B0638C} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {D31A8F17-A02B-48C5-85DA-C068EDEC8D05} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {F1D2E3AA-D079-49C6-AB72-77535086AFC9} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Mojorojo
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Mojorojoup

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please post the log and let me know if the problem persists.

#3 indiagenie

indiagenie
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:06:17 AM

Posted 17 August 2016 - 10:00 PM

Fixlog output after running fixlist

Fix result of Farbar Recovery Scan Tool (x64) Version: 17-08-2016

Ran by User (18-08-2016 08:14:27) Run:1
Running from C:\Users\User\Downloads
Loaded Profiles: User (Available Profiles: User)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
(© 2015 Microsoft Corporation) C:\Users\User\AppData\Local\Microsoft\BingSvc\BingSvc.exe
HKU\S-1-5-21-907560198-880740586-4193796491-1001\...\Run: [BingSvc] => C:\Users\User\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2016-02-15] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-907560198-880740586-4193796491-1001\...\Run: [Mojorojo] => C:\Users\User\AppData\Local\Mojorojo\Mojorojo.exe [53248 2016-08-06] ()
ShellIconOverlayIdentifiers: [JzShlobj] -> {7B286609-DA97-47E1-AC6B-33B8B4732C95} =>  No File
ShellIconOverlayIdentifiers: [KzShlobj2] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F3} =>  No File
CHR Extension: (Chrome Web Store Payments) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-15]
CHR Extension: (Chrome Web Store Payments) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-15]
CHR HKU\S-1-5-21-907560198-880740586-4193796491-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
S2 Edervu; "C:\Users\User\AppData\Roaming\IkahaTom\Hutkaya.exe" -cms [X]
C:\Users\User\AppData\Local\Microsoft\BingSvc\BingSvc.exe
C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
CustomCLSID: HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\User\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
Task: {2EF47E7D-7275-4680-9FAD-7DD985215131} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {3AAA05C0-F94F-428D-98A6-57749E351A07} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {5A85F8E9-2F2D-490A-BF22-9ACA1D91AB82} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {5C958236-EAE9-4AC0-846C-36CED1ECCA36} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {7A176664-D92E-4936-8AF6-026F56A36BD1} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {7D04B9EC-4EF2-46E4-90D0-350B73CD983C} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {87EC7BCD-6BD1-47F7-A9AC-994E71741241} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {8CBA4A51-AC48-47DC-A47F-BBD9F482EBE4} - \Microsoft\Windows\Setup\gwx\rundetector -> No File <==== ATTENTION
Task: {8D9B1E78-B6C2-4C20-9206-82FEE32D4CBC} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {8E103483-C201-4AAF-B3BB-08A72F43E20C} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {8E3991AA-F7E0-46AA-8B13-BC13CAEB6951} - \Microsoft\Windows\Setup\GWXTriggers\Time-Weekend -> No File <==== ATTENTION
Task: {9004D3F4-E1D0-49A3-A479-0EF06E9A8BB3} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {CAA0CDD5-9454-495E-9E10-0EC770B0638C} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {D31A8F17-A02B-48C5-85DA-C068EDEC8D05} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {F1D2E3AA-D079-49C6-AB72-77535086AFC9} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Mojorojo
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Mojorojoup
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Users\User\AppData\Local\Microsoft\BingSvc\BingSvc.exe => No running process found
HKU\S-1-5-21-907560198-880740586-4193796491-1001\Software\Microsoft\Windows\CurrentVersion\Run\\BingSvc => value not found.
HKU\S-1-5-21-907560198-880740586-4193796491-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Mojorojo => value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\JzShlobj => key not found. 
HKCR\CLSID\{7B286609-DA97-47E1-AC6B-33B8B4732C95} => key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\KzShlobj2 => key not found. 
HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F3} => key not found. 
C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
HKU\S-1-5-21-907560198-880740586-4193796491-1001\SOFTWARE\Google\Chrome\Extensions\fcfenmboojpjinhpgggodefccipikbpd => key not found. 
Edervu => service not found.
C:\Users\User\AppData\Local\Microsoft\BingSvc\BingSvc.exe => moved successfully
"C:\Users\User\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda" => not found.
"C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda" => not found.
HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208} => key not found. 
HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448} => key not found. 
HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856} => key not found. 
HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E} => key not found. 
HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98} => key not found. 
HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247} => key not found. 
HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A} => key not found. 
HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9} => key not found. 
HKU\S-1-5-21-907560198-880740586-4193796491-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2EF47E7D-7275-4680-9FAD-7DD985215131} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3AAA05C0-F94F-428D-98A6-57749E351A07} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5A85F8E9-2F2D-490A-BF22-9ACA1D91AB82} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5C958236-EAE9-4AC0-846C-36CED1ECCA36} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7A176664-D92E-4936-8AF6-026F56A36BD1} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7D04B9EC-4EF2-46E4-90D0-350B73CD983C} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{87EC7BCD-6BD1-47F7-A9AC-994E71741241} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8CBA4A51-AC48-47DC-A47F-BBD9F482EBE4} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\rundetector => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8D9B1E78-B6C2-4C20-9206-82FEE32D4CBC} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8E103483-C201-4AAF-B3BB-08A72F43E20C} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8E3991AA-F7E0-46AA-8B13-BC13CAEB6951} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-Weekend => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9004D3F4-E1D0-49A3-A479-0EF06E9A8BB3} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CAA0CDD5-9454-495E-9E10-0EC770B0638C} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D31A8F17-A02B-48C5-85DA-C068EDEC8D05} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F1D2E3AA-D079-49C6-AB72-77535086AFC9} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime => key not found. 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Mojorojo => key not found. 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Mojorojoup => key not found. 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 6465925 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 3702 B
Edge => 0 B
Chrome => 8139862 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 0 B
User => 64425 B
 
RecycleBin => 0 B
EmptyTemp: => 14 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 08:15:01 ====

 


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,476 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:17 AM

Posted 18 August 2016 - 08:09 AM

Any remaining issues?

#5 indiagenie (Topic Starter)

Posted 18 August 2016 - 12:12 PM

No apparent issues but dnsapi.dll still gets detected by Zemana as infected.

#6 indiagenie (Topic Starter)

Posted 18 August 2016 - 12:13 PM

Also, Windows Security Center shows an alert that it is shut down, and any attempts to start it are not working.

#7 nasdaq (Malware Response Team)

Posted 18 August 2016 - 12:53 PM

Please run the Farbar Recovery Scan Tool. Enter dnsapi.dll in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

#8 indiagenie (Topic Starter)

Posted 18 August 2016 - 01:21 PM

Here is the information:

Farbar Recovery Scan Tool (x64) Version: 17-08-2016

Ran by User (18-08-2016 23:43:39)
Running from C:\Users\User\Downloads
Boot Mode: Normal
 
================== Search Files: "dnsapi.dll" =============
 
C:\Windows\WinSxS\wow64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.10586.212_none_0d0987cfb6756063\dnsapi.dll
[2016-06-19 02:08][2016-06-19 02:08] 0535080 ____A (Microsoft Corporation) 6A7ACABAE92C837F5C1330188EAE36AE [File is digitally signed]
 
C:\Windows\WinSxS\wow64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.10586.0_none_2c65f66b01dd8f12\dnsapi.dll
[2015-10-30 12:48][2016-06-21 16:48] 0017780 ____A () 4C8C167B131EBE7A4D94504F82DAD316 [File not signed]
 
C:\Windows\WinSxS\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.10586.212_none_02b4dd7d82149e68\dnsapi.dll
[2016-06-19 02:08][2016-06-19 02:08] 0686976 ____A (Microsoft Corporation) 9A3E17CDB177913C2A111C80F3D0DBB4 [File is digitally signed]
 
C:\Windows\WinSxS\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.10586.0_none_22114c18cd7ccd17\dnsapi.dll
[2015-10-30 12:48][2016-06-21 16:34] 0010782 ____A () E4E48EFBCF7DF993A1377CB0518411BC [File not signed]
 
C:\Windows\SysWOW64\dnsapi.dll
[2016-06-19 02:08][2016-06-19 02:08] 0535080 ____A (Microsoft Corporation) 6A7ACABAE92C837F5C1330188EAE36AE [File is digitally signed]
 
C:\Windows\System32\dnsapi.dll
[2016-06-19 02:08][2016-06-19 02:08] 0686976 ____N (Microsoft Corporation) 4D6E6D11B7EB2FF2D0AA70BC58F2C40E [File not signed]
 
====== End of Search ======


#9 indiagenie (Topic Starter)

Posted 18 August 2016 - 01:27 PM

And this might not mean anything at all, but I see a lot of dll files with the specific last modified date of 6-19-16 (same as dnsapi.dll), almost all of them seem linked to networking. The other dlls all have dates in 2015.

#10 nasdaq (Malware Response Team)

Posted 19 August 2016 - 07:09 AM

Your current file in System32 is corrupted.
This fix will replace it with a good copy.
===


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
CloseProcesses:
Replace: C:\Windows\WinSxS\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.10586.212_none_02b4dd7d82149e68\dnsapi.dll C:\Windows\System32\dnsapi.dll

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Let me know if the problem persists.
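The reasoning behind the Replace: line above, worked through as an added example that is not part of this thread and not FRST's own code: a small parser for FRST's Search.txt format that reads the block posted in #8, treats only digitally signed WinSxS copies as reference material, and flags the System32 copy because it is unsigned and its MD5 differs from the signed 10.0.10586.212 store copy even though size and timestamp are identical. The function names, the verdict rules and the System32/SysWOW64 to amd64/wow64 mapping are this example's own assumptions; the sample text is the search output as posted.

```python
"""Added example, not code from the thread or from FRST: parse an FRST
"Search Files" result and decide whether the live copy of a system DLL should
be replaced from the WinSxS component store. Function names, the verdict
rules and LIVE_DIR_ARCH are this example's own assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: the Search.txt block from post #8 above, copied as posted.
SEARCH_TXT = r"""
================== Search Files: "dnsapi.dll" =============

C:\Windows\WinSxS\wow64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.10586.212_none_0d0987cfb6756063\dnsapi.dll
[2016-06-19 02:08][2016-06-19 02:08] 0535080 ____A (Microsoft Corporation) 6A7ACABAE92C837F5C1330188EAE36AE [File is digitally signed]

C:\Windows\WinSxS\wow64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.10586.0_none_2c65f66b01dd8f12\dnsapi.dll
[2015-10-30 12:48][2016-06-21 16:48] 0017780 ____A () 4C8C167B131EBE7A4D94504F82DAD316 [File not signed]

C:\Windows\WinSxS\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.10586.212_none_02b4dd7d82149e68\dnsapi.dll
[2016-06-19 02:08][2016-06-19 02:08] 0686976 ____A (Microsoft Corporation) 9A3E17CDB177913C2A111C80F3D0DBB4 [File is digitally signed]

C:\Windows\WinSxS\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.10586.0_none_22114c18cd7ccd17\dnsapi.dll
[2015-10-30 12:48][2016-06-21 16:34] 0010782 ____A () E4E48EFBCF7DF993A1377CB0518411BC [File not signed]

C:\Windows\SysWOW64\dnsapi.dll
[2016-06-19 02:08][2016-06-19 02:08] 0535080 ____A (Microsoft Corporation) 6A7ACABAE92C837F5C1330188EAE36AE [File is digitally signed]

C:\Windows\System32\dnsapi.dll
[2016-06-19 02:08][2016-06-19 02:08] 0686976 ____N (Microsoft Corporation) 4D6E6D11B7EB2FF2D0AA70BC58F2C40E [File not signed]
"""

# FRST detail line: [created][modified] size attrs (company) MD5 [signature]
DETAIL_RE = re.compile(
    r"^\[[^\]]+\]\[(?P<modified>[^\]]+)\]\s+(?P<size>\d+)\s+\S+\s+\([^)]*\)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\[(?P<sig>[^\]]+)\]$")
# WinSxS component directories encode the architecture and the file version.
WINSXS_RE = re.compile(
    r"\\WinSxS\\(?P<arch>amd64|wow64|x86)_.*?_(?P<ver>\d+(?:\.\d+){3})_none_", re.I)
# Assumption: on 64-bit Windows these live directories are fed by these store arches.
LIVE_DIR_ARCH = {r"c:\windows\system32": "amd64", r"c:\windows\syswow64": "wow64"}


@dataclass
class FileEntry:
    path: str
    size: int
    md5: str
    signed: bool
    modified: str

    def store_info(self) -> Tuple[Optional[str], Tuple[int, ...]]:
        """(architecture, version) taken from the WinSxS directory name, if any."""
        m = WINSXS_RE.search(self.path)
        if not m:
            return None, ()
        return m["arch"].lower(), tuple(int(p) for p in m["ver"].split("."))


def parse_search(text: str) -> List[FileEntry]:
    """Pair each path line with the detail line FRST prints directly under it."""
    entries: List[FileEntry] = []
    pending: Optional[str] = None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = DETAIL_RE.match(line)
        if m and pending:
            entries.append(FileEntry(pending, int(m["size"]), m["md5"].upper(),
                                     m["sig"].lower() == "file is digitally signed",
                                     m["modified"]))
            pending = None
        elif re.match(r"^[A-Za-z]:\\", line):
            pending = line
    return entries


def signed_reference(entries: List[FileEntry], arch: str) -> Optional[FileEntry]:
    """Newest signed store copy for this architecture; unsigned copies never qualify."""
    cands = [e for e in entries if e.signed and e.store_info()[0] == arch]
    return max(cands, key=lambda e: e.store_info()[1], default=None)


def assess(entries: List[FileEntry], live_path: str) -> Dict[str, object]:
    """Judge the live file against its signed store copy and build the FRST
    Replace: directive (source first, target second) when it cannot be trusted."""
    live = next(e for e in entries if e.path.lower() == live_path.lower())
    ref = signed_reference(entries, LIVE_DIR_ARCH[live_path.rsplit("\\", 1)[0].lower()])
    findings: List[str] = []
    if not live.signed:
        findings.append("live copy is not digitally signed")
    if ref is None:
        findings.append("no signed reference copy in WinSxS; restore another way")
    elif live.md5 != ref.md5:
        findings.append("live MD5 differs from the signed reference")
        if live.size == ref.size and live.modified == ref.modified:
            # Same length and timestamp but different bytes: consistent with the
            # file having been patched in place rather than swapped for another build.
            findings.append("same size and timestamp as the reference: patched in place")
    verdict = "manual" if ref is None else ("replace" if findings else "ok")
    directive = f"Replace: {ref.path} {live.path}" if verdict == "replace" else None
    return {"live": live, "reference": ref, "verdict": verdict,
            "findings": findings, "frst_directive": directive}


if __name__ == "__main__":
    parsed = parse_search(SEARCH_TXT)
    for target in (r"C:\Windows\System32\dnsapi.dll", r"C:\Windows\SysWOW64\dnsapi.dll"):
        r = assess(parsed, target)
        print(f"{target}: {r['verdict']}", *r["findings"], sep="\n  ")
        if r["frst_directive"]:
            print(f"  {r['frst_directive']}")
```

For System32 the verdict is "replace" and the directive it builds is the same source-then-target form used in the fix above; for SysWOW64 the live file is signed and hash-identical to the wow64 store copy, so it is left alone. Two caveats: the MD5 FRST prints is only a fingerprint for comparing copies on the same machine, not proof of integrity, so the decisive evidence is the signature status of the live file; and Replace: fixes only the one file you name, whereas sfc /scannow checks every protected file against the component store, which makes it worth running afterwards to catch any siblings of dnsapi.dll modified on the same date (the pattern noted in #9).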

#11 indiagenie (Topic Starter)

Posted 19 August 2016 - 12:12 PM

Here is the FixLog output

Fix result of Farbar Recovery Scan Tool (x64) Version: 19-08-2016

Ran by User (19-08-2016 21:49:15) Run:3
Running from C:\Users\User\Downloads
Loaded Profiles: User (Available Profiles: User)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
 
CreateRestorePoint:
CloseProcesses:
Replace: C:\Windows\WinSxS\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.10586.212_none_02b4dd7d82149e68\dnsapi.dll C:\Windows\System32\dnsapi.dll
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Windows\System32\dnsapi.dll => moved successfully
C:\Windows\WinSxS\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.10586.212_none_02b4dd7d82149e68\dnsapi.dll copied successfully to C:\Windows\System32\dnsapi.dll
 
 
The system needed a reboot.
 
==== End of Fixlog 21:49:54 ====

After restarting and running Zemana, it did not find anything wrong.

#12 nasdaq (Malware Response Team)

Posted 19 August 2016 - 01:14 PM

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#13 indiagenie (Topic Starter)

Posted 20 August 2016 - 12:06 PM

Noted. All is looking good indeed for now. Avira AV is also installed for future protection.

Thanks for all the help and patient guidance all the way. I really appreciate it.

Thanks again.



#14 nasdaq (Malware Response Team)

Posted 27 August 2016 - 10:17 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.