Runouce, Win32/Chir.B@mm, Readme Infection


This topic is locked
30 replies to this topic

#1 scotter96
Members, 13 posts

Posted 15 October 2016 - 12:00 AM

Hi!
 
For the last 7 days, I've been busy removing this virus/worm Win32/Chir.B@mm a.k.a. runouce.exe, but it kept coming back. Given the situation, I would appreciate anyone who can assist me to COMPLETELY REMOVE this threat without needing to format all my drives and do a "clean" install.
 
So here is the list of what the threat does / may do:
1. Creates and runs a new file named "runouce.exe" (located in C:\Windows\System32). - CONFIRMED
2. Messes with most app files or any files with a *.exe extension (preventing the user from running them). - CONFIRMED
3. Automatically adds a new startup command to run the virus every time the computer starts. - CONFIRMED
4. Creates new *.eml files in almost every directory. - CONFIRMED
5. Still runs in safe mode. - CONFIRMED
6. Reactivates itself (creates the runouce.exe file and runs it on startup) every time the computer restarts. - CONFIRMED
7. Clones and hides itself on other drives. - CONFIRMED: I know this for a fact because I just did a fresh install of my system drive and it still shows up in taskmgr.
8. Only infects *.exe files with names like "antivirus, malware, etc." associated with it (some of my games can be installed perfectly).
9. Messes with Windows system files (prevented Windows from booting up - fixed with Last Known Good Configuration).
 
Here is what I've done so far:
1. Attempted to kill the task and remove runouce.exe (success, but it came back).
2. Created a new empty folder in system32 named "runouce.exe" with all privileges denied for Everyone (I can't even delete it in safe mode without changing the permissions).
3. Manually searched for and deleted anything regarding "runouce" in RegEdit.
4. Attempted to remove the runouce startup command in MSConfig (success, but it came back).
5. Scanned the computer with Malwarebytes Anti-Malware and SUPERAntiSpyware, both in safe mode and normal mode.
6. Deleted *.eml files on all drives using the "del /s *.eml" command in cmd.
 
And here is my current state:
1. The runouce.exe file stopped appearing and the task is no longer running.
2. Some installed apps still crash after the first restart (before the restart they worked properly). - MAIN ISSUE
3. A startup command to run runouce.exe still exists in MSConfig and keeps reappearing, but it's worthless since it only points to an empty folder.
4. Some *.exe files can still run, e.g. my games and a few apps.
5. The internet connection has worked properly up to this point.
6. Every time I turn on real-time protection in SUPERAntiSpyware, it immediately detects a runouce process and file in "C:\Windows\System32" every second. - looks like it's being run remotely from somewhere else to reactivate the virus.
7. I can still play a few games and listen to music.
 
Here is the list of known infected *.exe:
1. Browser : Google Chrome, Firefox, Opera, Slimjet.
2. AV : AVG, Malwarebytes, Superantispyware, Smadav.
3. Cleaner: CCleaner.
4. Other: Bandicam, Fraps.
5. Imaging : Photoshop CS5, GiF Viewer, Picasa.
6. Player: KMPlayer, PotPlayer
7. Setup / Autorun & Uninstaller files
 
What I'm going to do while waiting for a reply:
1. Search for and destroy infected installers (*.exe) and *.eml files.
2. Delete anything associated with "runouce" in RegEdit.
 
Beyond this point, I have added what's inside FRST.txt, and I have also uploaded the Addition.txt file.
I will be checking this topic regularly and any help would be greatly appreciated, thanks in advance!

Attached File: Addition.txt (27.6KB)

----------------------------------------------------------------------------------------------------------------
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-10-2016
Ran by scotter96 (administrator) on KESUMA-PC (15-10-2016 10:36:22)
Running from C:\Users\scotter96\Desktop
Loaded Profiles: scotter96 (Available Profiles: scotter96 & UpdatusUser)
Platform: Microsoft Windows 7 Ultimate  (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Tonec Inc.) C:\Program Files\Internet Download Manager\IDMan.exe
(Tonec Inc.) C:\Program Files\Internet Download Manager\IEMonitor.exe
(VIA Technologies, Inc.) C:\Windows\System32\ViakaraokeSrv.exe
(IObit) C:\Program Files\IObit\IObit Uninstaller\UninstallMonitor.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(Farbar) C:\Users\scotter96\Desktop\d435fdg.exe


==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [638972 2015-08-04] (Oracle Corporation)
HKLM\...\Run: [TaskManager] => C:\Windows\System32\taskmgr.exe [254976 2009-07-14] (Microsoft Corporation)
HKLM\...\Run: [CheckNDISPort00ac23] => C:\Program Files\BOLT Mobile WiFi Hostless Modem\BOLT! 4G MF90\CheckNDISPort_df.exe [500220 2013-08-05] ()
HKLM\...\Run: [CancelAutoPlay_df] => C:\Program Files\BOLT Mobile WiFi Hostless Modem\BOLT! 4G MF90\CancelAutoPlay_df.exe [487420 2013-08-05] ()
HKLM\...\Run: [Runonce] => C:\Windows\system32\runouce.exe [0 2016-10-13] ()
HKLM\...\Run: [CommonToolkitTray_Solvusoft] => C:\Program Files\Solvusoft\Tray\SolvusoftTray.exe [1727040 2015-09-24] (Solvusoft Corporation)
HKU\S-1-5-21-4075002238-1410507272-4250569412-1000\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [381952 2009-07-14] (Microsoft Corporation)
HKU\S-1-5-21-4075002238-1410507272-4250569412-1000\...\Run: [TaskMgr] => C:\Windows\System32\taskmgr.exe [254976 2009-07-14] (Microsoft Corporation)
HKU\S-1-5-21-4075002238-1410507272-4250569412-1000\...\Run: [IDMan] => C:\Program Files\Internet Download Manager\IDMan.exe [3893324 2014-07-23] (Tonec Inc.)
HKU\S-1-5-21-4075002238-1410507272-4250569412-1000\...\MountPoints2: H - H:\AutoRun.exe
HKU\S-1-5-21-4075002238-1410507272-4250569412-1000\...\MountPoints2: J - J:\DriverPackSolution.exe
HKU\S-1-5-21-4075002238-1410507272-4250569412-1000\...\MountPoints2: {88006737-90ec-11e6-8e4b-1078d28c930b} - H:\AutoRun.exe
HKU\S-1-5-21-4075002238-1410507272-4250569412-1000\...\MountPoints2: {88006748-90ec-11e6-8e4b-1c4bd6b517a2} - H:\AutoRun.exe
ShellIconOverlayIdentifiers: [IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files\Internet Download Manager\IDMShellExt.dll [2014-04-21] (Tonec Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{D2122D5B-080F-48F7-A5F8-6F8449842A67}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-4075002238-1410507272-4250569412-1000\Software\Microsoft\Internet Explorer\Main,Start Page =
HKU\S-1-5-21-4075002238-1410507272-4250569412-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://u.msn.com/id-id/?ocid=iehp
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files\Internet Download Manager\IDMIECC.dll [2014-07-10] (Internet Download Manager, Tonec Inc.)
BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> C:\Program Files\IObit\IObit Uninstaller\UninstallExplorer.dll [2015-11-12] (IObit)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_60\bin\ssv.dll [2016-10-13] (Oracle Corporation)
BHO: Advanced SystemCare Browser Protection -> {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} -> C:\Program Files\IObit\Surfing Protection\BrowerProtect\ASCPlugin_Protection.dll [2014-02-20] (IObit)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_60\bin\jp2ssv.dll [2016-10-13] (Oracle Corporation)

FireFox:
========
FF ProfilePath: C:\Users\scotter96\AppData\Roaming\Mozilla\Firefox\Profiles\mxxoxmv7.default [2016-10-15]
FF HKU\S-1-5-21-4075002238-1410507272-4250569412-1000\...\Firefox\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\scotter96\AppData\Roaming\IDM\idmmzcc5
FF Extension: (IDM CC) - C:\Users\scotter96\AppData\Roaming\IDM\idmmzcc5 [2016-10-15] [not signed]
FF HKU\S-1-5-21-4075002238-1410507272-4250569412-1000\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\scotter96\AppData\Roaming\IDM\idmmzcc5
FF Plugin: @adobe.com/AuthorwarePlayer -> C:\Windows\system32\Macromed\AUTHORWA\np32asw.dll [2004-07-02] (Macromedia, Inc.)
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_18_0_0_232.dll [2015-08-11] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1220162.dll [2015-08-31] (Adobe Systems, Inc.)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin: @java.com/DTPlugin,version=11.60.2 -> C:\Program Files\Java\jre1.8.0_60\bin\dtplugin\npDeployJava1.dll [2016-10-13] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.60.2 -> C:\Program Files\Java\jre1.8.0_60\bin\plugin2\npjp2.dll [2016-10-13] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin: @nvidia.com/3DVision -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll [No File]
FF Plugin: @nvidia.com/3DVisionStreaming -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-10-15] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-10-15] (Google Inc.)

Chrome:
=======
CHR DefaultProfile: Default
CHR Profile: C:\Users\scotter96\AppData\Local\Google\Chrome\User Data\Default [2016-10-15]
CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - C:\Program Files\Internet Download Manager\IDMGCExt.crx [2014-07-08]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ALG; C:\Windows\System32\alg.exe [87040 2009-07-14] (Microsoft Corporation) [File not signed]
S3 ehRecvr; C:\Windows\ehome\ehRecvr.exe [584704 2009-07-14] (Microsoft Corporation) [File not signed]
S3 ehSched; C:\Windows\ehome\ehsched.exe [122368 2009-07-14] (Microsoft Corporation) [File not signed]
S3 Fax; C:\Windows\system32\fxssvc.exe [550400 2009-07-14] (Microsoft Corporation) [File not signed]
S2 gupdate; C:\Program Files\Google\Update\GoogleUpdate.exe [194704 2016-10-15] (Google Inc.) [File not signed]
S3 gupdatem; C:\Program Files\Google\Update\GoogleUpdate.exe [194704 2016-10-15] (Google Inc.) [File not signed]
S2 LiveUpdateSvc; C:\Program Files\IObit\LiveUpdate\LiveUpdate.exe [3001624 2016-07-20] (IObit) [File not signed]
S2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1548800 2016-03-10] (Malwarebytes) [File not signed]
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1170944 2016-03-10] (Malwarebytes) [File not signed]
S3 MSDTC; C:\Windows\System32\msdtc.exe [161792 2009-07-14] (Microsoft Corporation) [File not signed]
S3 msiserver; C:\Windows\System32\msiexec.exe [100864 2009-07-14] (Microsoft Corporation) [File not signed]
S2 nvUpdatusService; C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [1307416 2013-03-15] (NVIDIA Corporation) [File not signed]
S3 RpcLocator; C:\Windows\system32\locator.exe [36864 2009-07-14] (Microsoft Corporation) [File not signed]
S3 SNMPTRAP; C:\Windows\System32\snmptrap.exe [40448 2009-07-14] (Microsoft Corporation) [File not signed]
R2 Spooler; C:\Windows\System32\spoolsv.exe [344064 2009-07-14] (Microsoft Corporation) [File not signed]
S2 sppsvc; C:\Windows\system32\sppsvc.exe [3207168 2016-10-13] (Microsoft Corporation) [File not signed]
S3 TrustedInstaller; C:\Windows\servicing\TrustedInstaller.exe [232448 2009-07-14] (Microsoft Corporation) [File not signed]
S3 UI0Detect; C:\Windows\system32\UI0Detect.exe [63488 2016-10-13] (Microsoft Corporation) [File not signed]
S3 vds; C:\Windows\System32\vds.exe [480256 2016-10-13] (Microsoft Corporation) [File not signed]
R2 VIAKaraokeService; C:\Windows\system32\viakaraokesrv.exe [27768 2012-12-11] (VIA Technologies, Inc.)
S3 VSS; C:\Windows\system32\vssvc.exe [1053184 2009-07-14] (Microsoft Corporation) [File not signed]
S3 wbengine; C:\Windows\system32\wbengine.exe [1230336 2009-07-14] (Microsoft Corporation) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)
S3 wmiApSrv; C:\Windows\system32\wbem\WmiApSrv.exe [163840 2009-07-14] (Microsoft Corporation) [File not signed]
S3 WMPNetworkSvc; C:\Program Files\Windows Media Player\wmpnetwk.exe [1148928 2009-07-14] (Microsoft Corporation) [File not signed]
R2 WSearch; C:\Windows\system32\SearchIndexer.exe [455680 2009-07-14] (Microsoft Corporation) [File not signed]
S2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE.EXE" [X]
S2 AdvancedSystemCareService9; C:\Program Files\IObit\Advanced SystemCare\ASCService.exe [X]
S2 Stereo Service; "C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe" [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 ambakdrv; C:\Windows\System32\ambakdrv.sys [26424 2015-02-26] () [File not signed]
R2 ammntdrv; C:\Windows\system32\ammntdrv.sys [129720 2015-02-26] () [File not signed]
R2 amwrtdrv; C:\Windows\system32\amwrtdrv.sys [14392 2015-02-26] () [File not signed]
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [287008 2016-02-16] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [197376 2016-09-26] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [47360 2016-06-01] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [231680 2016-07-27] (AVG Technologies CZ, s.r.o.)
R0 avgunivx; C:\Windows\System32\DRIVERS\avgunivx.sys [65280 2016-06-20] (AVG Technologies CZ, s.r.o.)
S3 DrvAgent32; C:\Windows\system32\Drivers\DrvAgent32.sys [23456 2016-10-12] (Phoenix Technologies) [File not signed]
S3 INIDVD; C:\Windows\System32\DRIVERS\inidvd.sys [15768 2010-10-26] (Initio Corporation)
R3 int0800; C:\Windows\System32\DRIVERS\flashud.sys [42496 2009-09-09] (Intel Corporation)
R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [126336 2016-03-10] (Malwarebytes)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [170200 2016-10-15] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [53120 2016-03-10] (Malwarebytes Corporation)
R1 SCDEmu; C:\Windows\system32\Drivers\SCDEmu.sys [116320 2014-06-27] (Power Software Ltd)
R3 Serenum; C:\Windows\System32\DRIVERS\nuvserenum.sys [17920 2014-01-12] (Windows ® Win 7 DDK provider)
R3 Serial; C:\Windows\System32\DRIVERS\nuvserial.sys [76288 2014-01-12] (Nuvoton Technology Corp.)
R3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [566960 2015-08-11] (VIA Technologies, Inc.)
S1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [X]
S1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-10-15 10:36 - 2016-10-15 10:36 - 00013012 _____ C:\Users\scotter96\Desktop\FRST.txt
2016-10-15 10:36 - 2016-10-15 10:36 - 00000000 ____D C:\FRST
2016-10-15 10:35 - 2016-10-15 10:35 - 01784320 _____ (Farbar) C:\Users\scotter96\Desktop\d435fdg.exe
2016-10-15 10:23 - 2016-10-15 10:24 - 05659993 _____ (Swearware) C:\Users\scotter96\Desktop\dsfw334.exe
2016-10-15 10:23 - 2016-10-15 10:23 - 00411648 _____ C:\Users\scotter96\Desktop\mu5tblso.exe
2016-10-15 10:11 - 2016-10-15 10:11 - 00001023 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-10-15 10:11 - 2016-10-15 10:11 - 00001011 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-10-15 10:11 - 2016-10-15 10:11 - 00001011 _____ C:\ProgramData\Desktop\Mozilla Firefox.lnk
2016-10-15 10:11 - 2016-10-15 10:11 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-10-15 10:05 - 2016-10-15 10:05 - 00000983 _____ C:\Users\scotter96\Desktop\Internet Download Manager.lnk
2016-10-15 10:05 - 2016-10-15 10:05 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager
2016-10-15 10:05 - 2016-10-15 10:05 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager
2016-10-15 10:05 - 2016-10-15 10:05 - 00000000 ____D C:\Program Files\Internet Download Manager
2016-10-15 10:02 - 2016-10-15 10:02 - 00000000 ____D C:\Windows\erdnt
2016-10-15 10:02 - 2016-10-15 10:02 - 00000000 ____D C:\Qoobox
2016-10-15 09:55 - 2016-10-15 09:55 - 00729944 ____R (Swearware) C:\Users\scotter96\Desktop\5y5efg6g5ugh.scr
2016-10-15 09:55 - 2016-10-15 09:55 - 00020021 _____ C:\Users\scotter96\Desktop\attach.txt
2016-10-15 09:55 - 2016-10-15 09:55 - 00016584 _____ C:\Users\scotter96\Desktop\dds.txt
2016-10-15 09:34 - 2016-10-15 10:12 - 00000372 _____ C:\Windows\Tasks\WinThruster-scotter96-Startup.job
2016-10-15 09:33 - 2016-10-15 10:09 - 00000384 _____ C:\Windows\Tasks\WinThruster-scotter96-Notification.job
2016-10-15 09:33 - 2016-10-15 09:33 - 00002039 _____ C:\Users\Public\Desktop\WinThruster.lnk
2016-10-15 09:33 - 2016-10-15 09:33 - 00002039 _____ C:\ProgramData\Desktop\WinThruster.lnk
2016-10-15 09:33 - 2016-10-15 09:33 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\Solvusoft
2016-10-15 09:33 - 2016-10-15 09:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Solvusoft
2016-10-15 09:33 - 2016-10-15 09:33 - 00000000 ____D C:\Program Files\Solvusoft
2016-10-15 09:31 - 2016-10-15 09:33 - 00000000 ___HD C:\ProgramData\{B96EB44A-7860-4F13-BC9A-0A73CA5F11C2}
2016-10-15 09:31 - 2016-10-15 09:32 - 00000000 ____D C:\ProgramData\Solvusoft
2016-10-15 09:31 - 2016-10-15 09:31 - 00000000 ____D C:\Users\scotter96\AppData\Local\IIIQF
2016-10-15 09:30 - 2016-10-15 09:31 - 08972952 _____ (Solvusoft Corporation ) C:\Users\scotter96\Downloads\Setup_WinThruster_2016.exe
2016-10-15 09:28 - 2016-10-15 09:35 - 00000000 ____D C:\Program Files\Exterminate It!
2016-10-15 09:28 - 2016-10-15 09:28 - 00001043 _____ C:\Users\Public\Desktop\Exterminate It!.lnk
2016-10-15 09:28 - 2016-10-15 09:28 - 00001043 _____ C:\ProgramData\Desktop\Exterminate It!.lnk
2016-10-15 09:28 - 2016-10-15 09:28 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\Curiolab
2016-10-15 09:28 - 2016-10-15 09:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Exterminate It!
2016-10-15 09:25 - 2016-10-15 09:25 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\Mozilla
2016-10-15 09:25 - 2016-10-15 09:25 - 00000000 ____D C:\Users\scotter96\AppData\Local\Mozilla
2016-10-15 09:24 - 2016-10-15 09:24 - 00315392 ____N (Microsoft Corporation) C:\Windows\Setup1.exe
2016-10-15 09:24 - 2016-10-15 09:24 - 00100864 _____ (Microsoft Corporation) C:\Windows\ST6UNST.EXE
2016-10-15 08:58 - 2016-10-15 08:58 - 00001002 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore1d22687a82f6a33.job
2016-10-15 08:50 - 2016-10-15 08:50 - 00000000 ____D C:\Users\scotter96\AppData\Local\Dropbox
2016-10-15 08:50 - 2016-10-15 08:50 - 00000000 ____D C:\ProgramData\Dropbox
2016-10-15 08:50 - 2016-10-15 08:50 - 00000000 ____D C:\Program Files\Dropbox
2016-10-15 08:38 - 2016-10-15 08:38 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\ProductData
2016-10-15 08:37 - 2016-10-15 08:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare
2016-10-15 08:37 - 2016-10-15 08:37 - 00002110 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Uninstaller.lnk
2016-10-15 08:37 - 2016-10-15 08:37 - 00000364 _____ C:\Windows\Tasks\RunAsStdUser Task.job
2016-10-15 08:37 - 2016-10-15 08:37 - 00000000 ____D C:\Windows\Tasks\ImCleanDisabled
2016-10-15 08:37 - 2016-10-15 08:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Uninstaller
2016-10-15 08:37 - 2016-10-15 08:37 - 00000000 ____D C:\ProgramData\{FD6F83C0-EC70-4581-8361-C70CD1AA4B98}
2016-10-15 08:37 - 2016-10-15 08:37 - 00000000 ____D C:\Program Files\Common Files\IObit
2016-10-15 08:36 - 2016-10-15 08:38 - 00000000 ____D C:\Users\scotter96\AppData\LocalLow\IObit
2016-10-15 08:36 - 2016-10-15 08:38 - 00000000 ____D C:\ProgramData\ProductData
2016-10-15 08:36 - 2016-10-15 08:37 - 00002098 _____ C:\Users\Public\Desktop\IObit Uninstaller.lnk
2016-10-15 08:36 - 2016-10-15 08:37 - 00002098 _____ C:\ProgramData\Desktop\IObit Uninstaller.lnk
2016-10-15 08:36 - 2016-10-15 08:36 - 00000274 _____ C:\Windows\Tasks\Uninstaller_SkipUac_Administrator.job
2016-10-15 08:36 - 2016-10-15 08:36 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\Apple Computer
2016-10-15 08:35 - 2016-10-15 09:18 - 00000000 ____D C:\Program Files\IObit
2016-10-15 08:35 - 2016-10-15 08:44 - 00000000 ____D C:\ProgramData\IObit
2016-10-15 08:35 - 2016-10-15 08:35 - 00000000 ____D C:\ProgramData\{3C5CBD7B-3D1D-411E-96C2-513FFCA84D2D}
2016-10-15 07:40 - 2016-10-15 07:40 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\TuneUp Software
2016-10-15 07:40 - 2016-10-15 07:40 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\AVG
2016-10-15 07:40 - 2016-10-15 07:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2016-10-15 07:38 - 2016-10-15 07:42 - 00000000 ____D C:\ProgramData\MFAData
2016-10-15 07:38 - 2016-10-15 07:38 - 00000000 ___HD C:\$AVG
2016-10-15 07:38 - 2016-10-15 07:38 - 00000000 ____D C:\Users\scotter96\AppData\Local\MFAData
2016-10-15 07:37 - 2016-10-15 09:15 - 00000348 ____H C:\Windows\Tasks\AVG EUpdate Task.job
2016-10-15 07:36 - 2016-10-15 07:36 - 00001064 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-10-15 07:36 - 2016-10-15 07:36 - 00001064 _____ C:\ProgramData\Desktop\Malwarebytes Anti-Malware.lnk
2016-10-15 07:36 - 2016-10-15 07:36 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-10-15 07:33 - 2016-10-15 09:15 - 00000000 ____D C:\Users\scotter96\AppData\Local\AvgSetupLog
2016-10-15 07:33 - 2016-10-15 07:40 - 00000000 ____D C:\Users\scotter96\AppData\Local\Avg
2016-10-15 07:33 - 2016-10-15 07:38 - 00000000 ____D C:\ProgramData\Avg
2016-10-14 21:49 - 2016-10-14 21:49 - 00001440 _____ C:\Users\scotter96\Desktop\CarSpawner - Shortcut.lnk
2016-10-14 19:15 - 2016-10-14 19:15 - 00000917 _____ C:\Windows\GTA-SA_Trn_Settings.ini
2016-10-14 15:34 - 2016-10-15 08:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GAMI
2016-10-14 15:34 - 2016-10-14 15:34 - 00001793 _____ C:\Users\scotter96\AppData\Roaming\Microsoft\Windows\Start Menu\GAMI starten.lnk
2016-10-14 15:34 - 2016-10-14 15:34 - 00001769 _____ C:\Users\UpdatusUser\Desktop\GAMI.lnk
2016-10-14 15:34 - 2016-10-14 15:34 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GAMI
2016-10-13 23:49 - 2016-10-14 23:29 - 00000000 ____D C:\Users\scotter96\Documents\GTA San Andreas User Files
2016-10-13 23:49 - 2016-10-13 23:49 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
2016-10-13 23:38 - 2016-07-26 14:24 - 00406184 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2016-10-13 23:35 - 2016-10-13 23:35 - 00000000 ____D C:\Users\scotter96\AppData\Local\ElevatedDiagnostics
2016-10-13 23:26 - 2016-10-13 23:26 - 00001860 _____ C:\Users\Public\Desktop\GTA San Andreas.lnk
2016-10-13 23:26 - 2016-10-13 23:26 - 00001860 _____ C:\ProgramData\Desktop\GTA San Andreas.lnk
2016-10-13 23:26 - 2016-10-13 23:26 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2016-10-13 23:26 - 2016-10-13 23:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rockstar Games
2016-10-13 23:26 - 2016-10-13 23:26 - 00000000 ____D C:\Program Files\Rockstar Games
2016-10-13 20:45 - 2016-10-13 20:45 - 00000000 ____D C:\Windows\system32\runouce.exe
2016-10-13 20:37 - 2016-10-14 21:48 - 00000518 _____ C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 878ac96c-06c7-4c49-a6cd-677cee15eba8.job
2016-10-13 20:37 - 2016-10-13 22:06 - 00000518 _____ C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 0ac21b01-8ac8-402a-9ce1-5d95af73feac.job
2016-10-13 20:37 - 2016-10-13 20:54 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2016-10-13 20:37 - 2016-10-13 20:37 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\SUPERAntiSpyware.com
2016-10-13 20:37 - 2016-10-13 20:37 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2016-10-13 20:25 - 2016-10-13 20:25 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\Macromedia
2016-10-13 13:42 - 2016-10-12 22:46 - 00000000 ____D C:\Windows\Panther
2016-10-13 11:25 - 2016-10-13 11:25 - 00003208 ____N C:\bootsqm.dat
2016-10-13 11:20 - 2016-10-15 08:45 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2016-10-13 11:20 - 2016-10-15 08:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2016-10-13 11:20 - 2016-10-13 19:01 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\DriverPack Notifier
2016-10-13 11:19 - 2016-10-13 11:19 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\DRPSu
2016-10-13 09:49 - 2016-10-13 09:49 - 00002056 _____ C:\Users\Public\Desktop\BOLT! 4G MF90.lnk
2016-10-13 09:49 - 2016-10-13 09:49 - 00002056 _____ C:\ProgramData\Desktop\BOLT! 4G MF90.lnk
2016-10-13 09:49 - 2016-10-13 09:49 - 00000000 ____D C:\Windows\system32\SupportAppPBBOLT Mobile WiFi Hostless Modem
2016-10-13 09:49 - 2016-10-13 09:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BOLT! 4G MF90
2016-10-13 09:49 - 2016-10-13 09:49 - 00000000 ____D C:\Program Files\BOLT Mobile WiFi Hostless Modem
2016-10-13 09:35 - 2016-10-15 08:15 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-10-13 09:35 - 2016-10-15 07:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-10-13 09:35 - 2016-10-13 09:35 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-10-13 09:35 - 2016-03-10 14:09 - 00053120 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-10-13 09:35 - 2016-03-10 14:08 - 00126336 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-10-13 09:35 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-10-13 00:41 - 2016-10-15 08:50 - 00759940 _____ C:\Windows\ntbtlog.txt
2016-10-13 00:18 - 2016-10-13 00:18 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\Adobe
2016-10-13 00:14 - 2016-10-15 08:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\uTorrent
2016-10-13 00:13 - 2016-10-15 09:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FastStone Image Viewer
2016-10-13 00:13 - 2016-10-15 08:45 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PotPlayer
2016-10-13 00:13 - 2016-10-15 08:45 - 00000000 ____D C:\Program Files\Daum
2016-10-13 00:13 - 2016-10-15 08:39 - 00000000 ____D C:\Program Files\Foxit Software
2016-10-13 00:13 - 2016-10-15 07:59 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\AIMP3
2016-10-13 00:13 - 2016-10-13 00:18 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\PotPlayerMini
2016-10-13 00:13 - 2016-10-13 00:13 - 00000879 _____ C:\Users\Public\Desktop\AIMP3.lnk
2016-10-13 00:13 - 2016-10-13 00:13 - 00000879 _____ C:\ProgramData\Desktop\AIMP3.lnk
2016-10-13 00:13 - 2016-10-13 00:13 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\Foxit Software
2016-10-13 00:13 - 2016-10-13 00:13 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\FastStone
2016-10-13 00:13 - 2016-10-13 00:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AIMP3
2016-10-13 00:13 - 2016-10-13 00:13 - 00000000 ____D C:\Program Files\AIMP3
2016-10-13 00:12 - 2016-10-13 00:12 - 00097888 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2016-10-13 00:12 - 2016-10-13 00:12 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\Sun
2016-10-13 00:12 - 2016-10-13 00:12 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\Opera Software
2016-10-13 00:12 - 2016-10-13 00:12 - 00000000 ____D C:\Users\scotter96\AppData\LocalLow\Sun
2016-10-13 00:12 - 2016-10-13 00:12 - 00000000 ____D C:\Users\scotter96\AppData\Local\Opera Software
2016-10-13 00:12 - 2016-10-13 00:12 - 00000000 ____D C:\Users\scotter96\.oracle_jre_usage
2016-10-13 00:12 - 2016-10-13 00:12 - 00000000 ____D C:\ProgramData\Oracle
2016-10-13 00:12 - 2016-10-13 00:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-10-13 00:12 - 2016-10-13 00:12 - 00000000 ____D C:\Program Files\Java
2016-10-13 00:12 - 2016-10-13 00:12 - 00000000 ____D C:\Program Files\Common Files\Java
2016-10-13 00:11 - 2016-10-13 00:11 - 00000143 _____ C:\AiOLog.txt
2016-10-13 00:11 - 2016-10-13 00:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2016-10-13 00:11 - 2016-10-13 00:11 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2016-10-13 00:08 - 2016-10-13 00:10 - 00000000 ____D C:\ProgramData\Package Cache
2016-10-13 00:06 - 2016-10-15 08:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SAM CoDeC Pack
2016-10-13 00:06 - 2016-10-13 00:06 - 00001023 _____ C:\Users\Public\Desktop\AOMEI Backupper Standard.lnk
2016-10-13 00:06 - 2016-10-13 00:06 - 00001023 _____ C:\ProgramData\Desktop\AOMEI Backupper Standard.lnk
2016-10-13 00:06 - 2016-10-13 00:06 - 00000082 _____ C:\Windows\system32\winsevr.dat
2016-10-13 00:06 - 2016-10-13 00:06 - 00000000 ____D C:\Windows\system32\Macromed
2016-10-13 00:06 - 2016-10-13 00:06 - 00000000 ____D C:\Windows\system32\Backup
2016-10-13 00:06 - 2016-10-13 00:06 - 00000000 ____D C:\Windows\system32\Adobe
2016-10-13 00:06 - 2016-10-13 00:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AOMEI Backupper
2016-10-13 00:06 - 2016-10-13 00:06 - 00000000 ____D C:\ProgramData\AomeiBR
2016-10-13 00:06 - 2015-08-11 16:03 - 00778440 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2016-10-13 00:06 - 2015-08-11 16:03 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2016-10-13 00:06 - 2015-02-26 00:00 - 00129720 _____ C:\Windows\system32\ammntdrv.sys
2016-10-13 00:06 - 2015-02-26 00:00 - 00026424 _____ C:\Windows\system32\ambakdrv.sys
2016-10-13 00:06 - 2015-02-26 00:00 - 00014392 _____ C:\Windows\system32\amwrtdrv.sys
2016-10-13 00:06 - 2014-09-10 23:14 - 00163480 _____ (Microsoft Corporation) C:\Windows\system32\comdlg32.ocx
2016-10-13 00:06 - 2013-11-25 20:27 - 01070232 _____ (Microsoft Corporation) C:\Windows\system32\mscomctl.ocx
2016-10-13 00:06 - 2013-11-25 20:27 - 00660120 _____ (Microsoft Corporation) C:\Windows\system32\mscomct2.ocx
2016-10-13 00:06 - 2013-11-25 20:27 - 00617896 _____ (Microsoft Corporation) C:\Windows\system32\comctl32.ocx
2016-10-13 00:06 - 2013-11-25 20:27 - 00444328 _____ (Microsoft Corporation) C:\Windows\system32\MShflxgd.ocx
2016-10-13 00:06 - 2013-11-25 20:27 - 00416408 _____ (Microsoft Corporation ) C:\Windows\system32\comct332.ocx
2016-10-13 00:06 - 2013-11-25 20:27 - 00279192 _____ (Microsoft Corporation) C:\Windows\system32\msdatgrd.ocx
2016-10-13 00:06 - 2013-11-25 20:27 - 00259736 _____ (Microsoft Corporation) C:\Windows\system32\msflxgrd.ocx
2016-10-13 00:06 - 2013-11-25 20:27 - 00253080 _____ (Microsoft Corporation) C:\Windows\system32\msdatlst.ocx
2016-10-13 00:06 - 2013-11-25 20:27 - 00222360 _____ (Microsoft Corporation) C:\Windows\system32\tabctl32.ocx
2016-10-13 00:06 - 2013-11-25 20:27 - 00219288 _____ (Microsoft Corporation) C:\Windows\system32\richtx32.ocx
2016-10-13 00:06 - 2013-11-25 20:27 - 00218776 _____ (Microsoft Corporation) C:\Windows\system32\dblist32.ocx
2016-10-13 00:06 - 2013-11-25 20:27 - 00212112 _____ (Microsoft Corporation) C:\Windows\system32\mci32.ocx
2016-10-13 00:06 - 2013-11-25 20:27 - 00179352 _____ (Microsoft Corporation) C:\Windows\system32\msmask32.ocx
2016-10-13 00:06 - 2013-11-25 20:27 - 00170920 _____ (Microsoft Corporation) C:\Windows\system32\comct232.ocx
2016-10-13 00:06 - 2013-11-25 20:27 - 00131728 _____ (Microsoft Corporation) C:\Windows\system32\msinet.ocx
2016-10-13 00:06 - 2013-11-25 20:27 - 00130712 _____ (Microsoft Corporation) C:\Windows\system32\msstdfmt.dll
2016-10-13 00:06 - 2013-11-25 20:27 - 00127640 _____ (Microsoft Corporation) C:\Windows\system32\mswinsck.ocx
2016-10-13 00:06 - 2013-11-25 20:27 - 00119960 _____ (Microsoft Corporation) C:\Windows\system32\mscomm32.ocx
2016-10-13 00:06 - 2013-11-25 20:27 - 00108696 _____ (Microsoft Corporation) C:\Windows\system32\MSSTKPRP.DLL
2016-10-13 00:06 - 2013-11-25 20:27 - 00104088 _____ (Microsoft Corporation) C:\Windows\system32\picclp32.ocx
2016-10-13 00:06 - 2013-11-25 20:27 - 00084624 _____ (Microsoft Corporation) C:\Windows\system32\sysinfo.ocx
2016-10-13 00:06 - 2011-01-13 02:36 - 01054208 _____ (Microsoft Corporation) C:\Windows\system32\MFC71u.dll
2016-10-13 00:06 - 2011-01-13 02:25 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\MFC71DEU.DLL
2016-10-13 00:06 - 2011-01-13 02:25 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\MFC71ITA.DLL
2016-10-13 00:06 - 2011-01-13 02:25 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\MFC71FRA.DLL
2016-10-13 00:06 - 2011-01-13 02:25 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\MFC71ESP.DLL
2016-10-13 00:06 - 2011-01-13 02:25 - 00057344 _____ (Microsoft Corporation) C:\Windows\system32\MFC71ENU.DLL
2016-10-13 00:06 - 2011-01-13 02:25 - 00049152 _____ (Microsoft Corporation) C:\Windows\system32\MFC71KOR.DLL
2016-10-13 00:06 - 2011-01-13 02:25 - 00049152 _____ (Microsoft Corporation) C:\Windows\system32\MFC71JPN.DLL
2016-10-13 00:06 - 2011-01-13 02:25 - 00045056 _____ (Microsoft Corporation) C:\Windows\system32\MFC71CHT.DLL
2016-10-13 00:06 - 2011-01-13 02:25 - 00040960 _____ (Microsoft Corporation) C:\Windows\system32\MFC71CHS.DLL
2016-10-13 00:06 - 2011-01-13 02:19 - 01060864 _____ (Microsoft Corporation) C:\Windows\system32\MFC71.dll
2016-10-13 00:06 - 2011-01-13 01:53 - 00090112 _____ (Microsoft Corporation) C:\Windows\system32\atl71.dll
2016-10-13 00:06 - 2008-04-15 19:00 - 01355776 _____ (Microsoft Corporation) C:\Windows\system32\msvbvm50.dll
2016-10-13 00:06 - 2007-02-01 23:13 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\msvcp71.dll
2016-10-13 00:06 - 2007-02-01 20:11 - 00344064 _____ (Microsoft Corporation) C:\Windows\system32\msvcr71.dll
2016-10-13 00:06 - 2007-01-30 23:04 - 00339968 _____ (Microsoft Corporation) C:\Windows\system32\msvcr70.dll
2016-10-13 00:06 - 2006-08-26 03:28 - 01017344 _____ (Microsoft Corporation) C:\Windows\system32\mfc70u.dll
2016-10-13 00:06 - 2006-08-26 03:15 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\mfc70ita.dll
2016-10-13 00:06 - 2006-08-26 03:15 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\mfc70fra.dll
2016-10-13 00:06 - 2006-08-26 03:15 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\mfc70esp.dll
2016-10-13 00:06 - 2006-08-26 03:15 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\mfc70deu.dll
2016-10-13 00:06 - 2006-08-26 03:15 - 00057344 _____ (Microsoft Corporation) C:\Windows\system32\mfc70enu.dll
2016-10-13 00:06 - 2006-08-26 03:15 - 00049152 _____ (Microsoft Corporation) C:\Windows\system32\mfc70kor.dll
2016-10-13 00:06 - 2006-08-26 03:15 - 00049152 _____ (Microsoft Corporation) C:\Windows\system32\mfc70jpn.dll
2016-10-13 00:06 - 2006-08-26 03:15 - 00045056 _____ (Microsoft Corporation) C:\Windows\system32\mfc70cht.dll
2016-10-13 00:06 - 2006-08-26 03:15 - 00040960 _____ (Microsoft Corporation) C:\Windows\system32\mfc70chs.dll
2016-10-13 00:06 - 2006-08-26 03:07 - 01024000 _____ (Microsoft Corporation) C:\Windows\system32\mfc70.dll
2016-10-13 00:06 - 2006-08-26 02:17 - 00086016 _____ (Microsoft Corporation) C:\Windows\system32\atl70.dll
2016-10-13 00:06 - 2006-04-11 03:41 - 01066176 _____ (Microsoft Corporation) C:\Windows\system32\MSCOMCTL32.OCX
2016-10-13 00:06 - 2005-01-20 22:25 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\msvci70.dll
2016-10-13 00:06 - 2002-01-05 08:40 - 00487424 _____ (Microsoft Corporation) C:\Windows\system32\MSVCP70.DLL
2016-10-13 00:06 - 1996-01-12 07:00 - 00935632 _____ (Microsoft Corporation) C:\Windows\system\Vb40016.dll
2016-10-13 00:06 - 1996-01-12 07:00 - 00722192 _____ (Microsoft Corporation) C:\Windows\system32\Vb40032.dll
2016-10-13 00:06 - 1994-11-18 04:00 - 00210944 _____ C:\Windows\system32\msvcrt10.dll
2016-10-13 00:06 - 1993-05-12 00:00 - 00398416 _____ (Microsoft Corporation) C:\Windows\system\Vbrun300.dll
2016-10-13 00:06 - 1992-10-21 05:00 - 00356992 _____ (Microsoft Corporation) C:\Windows\system\vbrun200.dll
2016-10-13 00:06 - 1991-05-10 06:00 - 00271264 _____ C:\Windows\system\vbrun100.dll
2016-10-13 00:05 - 2015-08-18 06:28 - 02554488 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvcr.dll
2016-10-13 00:05 - 2015-08-18 05:02 - 05147024 _____ C:\Windows\system32\nvcoproc.bin
2016-10-13 00:03 - 2015-08-18 15:47 - 24200312 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglv32.dll
2016-10-13 00:03 - 2015-08-18 15:47 - 16128768 _____ (NVIDIA Corporation) C:\Windows\system32\nvwgf2um.dll
2016-10-13 00:03 - 2015-08-18 15:47 - 11272048 _____ (NVIDIA Corporation) C:\Windows\system32\nvopencl.dll
2016-10-13 00:03 - 2015-08-18 15:47 - 11209376 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuda.dll
2016-10-13 00:03 - 2015-08-18 15:47 - 10704560 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvlddmkm.sys
2016-10-13 00:03 - 2015-08-18 15:47 - 03987576 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvid.dll
2016-10-13 00:03 - 2015-08-18 15:47 - 00907440 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFR.dll
2016-10-13 00:03 - 2015-08-18 15:47 - 00869040 _____ (NVIDIA Corporation) C:\Windows\system32\NvFBC.dll
2016-10-13 00:02 - 2016-10-13 00:02 - 00000000 ____D C:\Program Files\VIA
2016-10-13 00:02 - 2015-08-18 15:47 - 15294072 _____ (NVIDIA Corporation) C:\Windows\system32\nvcompiler.dll
2016-10-13 00:02 - 2015-08-18 15:47 - 01059504 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco3234181.dll
2016-10-13 00:02 - 2015-08-18 15:47 - 00912688 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispgenco3234181.dll
2016-10-13 00:01 - 2015-08-11 20:33 - 00566960 _____ (VIA Technologies, Inc.) C:\Windows\system32\Drivers\viahduaa.sys
2016-10-13 00:01 - 2015-08-11 20:33 - 00025776 _____ (Creative Technology Ltd.) C:\Windows\system32\Drivers\VMfilt32.sys
2016-10-13 00:01 - 2015-08-06 19:14 - 01085952 _____ (VIA Technologies, Inc.) C:\Windows\system32\VIASysFx.dll
2016-10-13 00:01 - 2014-11-04 15:41 - 01728768 _____ (Creative Technology Ltd.) C:\Windows\system32\VMAPO232.DLL
2016-10-13 00:01 - 2014-05-08 19:02 - 02538160 _____ (VIA Technologies, Inc.) C:\Windows\system32\VIAPropPageExt.dll
2016-10-13 00:01 - 2014-02-26 18:54 - 01698816 _____ (VIA Technologies, Inc.) C:\Windows\system32\ViaMicArrayAPO.dll
2016-10-13 00:01 - 2014-01-12 16:05 - 00076288 _____ (Nuvoton Technology Corp.) C:\Windows\system32\Drivers\nuvserial.sys
2016-10-13 00:01 - 2014-01-12 16:05 - 00017920 _____ (Windows ® Win 7 DDK provider) C:\Windows\system32\Drivers\nuvserenum.sys
2016-10-13 00:01 - 2013-07-22 18:40 - 00322048 _____ (Creative Technology Ltd.) C:\Windows\system32\VMWRP32.DLL
2016-10-13 00:01 - 2012-12-11 22:00 - 00086648 _____ (VIA Technologies,Inc.) C:\Windows\system32\ViaMicArrayPropPageExt.dll
2016-10-13 00:01 - 2012-12-11 22:00 - 00063096 _____ (Windows ® Codename Longhorn DDK provider) C:\Windows\system32\VtSrdAPO.dll
2016-10-13 00:01 - 2012-12-11 21:59 - 01021560 _____ (VIA Technologies, Inc.) C:\Windows\system32\ViaKaraokeApo.dll
2016-10-13 00:01 - 2012-12-11 21:59 - 00112248 _____ (VIA Technologies,Inc.) C:\Windows\system32\ViaKaraokePropPageExt.dll
2016-10-13 00:01 - 2012-12-11 21:59 - 00047736 _____ (TODO: <Company name>) C:\Windows\system32\PropPageExt.dll
2016-10-13 00:01 - 2012-12-11 21:59 - 00027768 _____ (VIA Technologies, Inc.) C:\Windows\system32\ViakaraokeSrv.exe
2016-10-13 00:01 - 2011-09-27 22:13 - 00739328 _____ (Creative Technology Ltd.) C:\Windows\system32\VMAPO32.DLL
2016-10-13 00:01 - 2011-09-27 22:13 - 00554496 _____ (Creative Technology Ltd.) C:\Windows\system32\VMTHX32.DLL
2016-10-13 00:01 - 2011-09-27 22:13 - 00047104 _____ (Creative Technology Ltd.) C:\Windows\system32\VMPPLD32.DLL
2016-10-13 00:01 - 2010-10-26 22:54 - 00044032 _____ (Creative Technology Ltd.) C:\Windows\system32\VMPPCN32.DLL
2016-10-13 00:01 - 2010-10-26 21:18 - 00015768 _____ (Initio Corporation) C:\Windows\system32\Drivers\inidvd.sys
2016-10-13 00:00 - 2015-08-24 14:11 - 00733424 _____ (Realtek ) C:\Windows\system32\Drivers\Rt86win7.sys
2016-10-13 00:00 - 2015-08-24 14:11 - 00127104 _____ (Realtek Semiconductor Corporation) C:\Windows\system32\RTNUninst32.dll
2016-10-13 00:00 - 2015-08-24 14:11 - 00104592 _____ (Realtek Semiconductor Corporation) C:\Windows\system32\RtNicProp32.dll
2016-10-12 23:59 - 2009-09-09 16:23 - 00042496 _____ (Intel Corporation) C:\Windows\system32\Drivers\flashud.sys
2016-10-12 23:49 - 2016-10-12 23:49 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\PowerISO
2016-10-12 23:48 - 2016-10-12 23:48 - 00000969 _____ C:\Users\Public\Desktop\PowerISO.lnk
2016-10-12 23:48 - 2016-10-12 23:48 - 00000969 _____ C:\ProgramData\Desktop\PowerISO.lnk
2016-10-12 23:48 - 2016-10-12 23:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerISO
2016-10-12 23:48 - 2016-10-12 23:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2016-10-12 23:48 - 2016-10-12 23:48 - 00000000 ____D C:\Program Files\PowerISO
2016-10-12 23:48 - 2016-10-12 23:48 - 00000000 ____D C:\Program Files\7-Zip
2016-10-12 23:39 - 2016-10-15 10:09 - 00001002 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-10-12 23:39 - 2016-10-15 09:44 - 00001006 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-10-12 23:39 - 2016-10-15 09:09 - 00000000 ____D C:\Users\scotter96\AppData\Local\Google
2016-10-12 23:39 - 2016-10-12 23:40 - 00000000 ____D C:\Program Files\Google
2016-10-12 23:36 - 2016-10-12 23:36 - 00057560 _____ C:\Users\scotter96\AppData\Local\GDIPFONTCACHEV1.DAT
2016-10-12 23:36 - 2016-10-12 23:36 - 00000000 ____D C:\Program Files\Common Files\Windows Live
2016-10-12 23:34 - 2016-10-15 08:38 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\IObit
2016-10-12 23:33 - 2016-10-15 10:08 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\DMCache
2016-10-12 23:33 - 2016-10-15 10:06 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\IDM
2016-10-12 23:33 - 2016-10-12 23:33 - 00000000 ____D C:\Users\scotter96\Downloads\Video
2016-10-12 23:33 - 2016-10-12 23:33 - 00000000 ____D C:\Users\scotter96\Downloads\Compressed
2016-10-12 23:33 - 2016-10-12 23:33 - 00000000 ____D C:\ProgramData\IDM
2016-10-12 23:21 - 2016-10-12 23:21 - 00023456 _____ (Phoenix Technologies) C:\Windows\system32\Drivers\DrvAgent32.sys
2016-10-12 23:21 - 2016-10-12 23:21 - 00000000 ____D C:\Users\scotter96\AppData\Local\eSupport.com
2016-10-12 23:02 - 2016-10-12 23:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
2016-10-12 23:00 - 2016-10-12 23:00 - 00000020 ___SH C:\Users\UpdatusUser\ntuser.ini
2016-10-12 23:00 - 2016-10-12 23:00 - 00000000 _SHDL C:\Users\UpdatusUser\My Documents
2016-10-12 23:00 - 2016-10-12 23:00 - 00000000 _SHDL C:\Users\UpdatusUser\Documents\My Videos
2016-10-12 23:00 - 2016-10-12 23:00 - 00000000 _SHDL C:\Users\UpdatusUser\Documents\My Pictures
2016-10-12 23:00 - 2016-10-12 23:00 - 00000000 _SHDL C:\Users\UpdatusUser\Documents\My Music
2016-10-12 23:00 - 2016-10-12 23:00 - 00000000 ____D C:\Users\UpdatusUser
2016-10-12 23:00 - 2016-10-12 23:00 - 00000000 ____D C:\Program Files\AGEIA Technologies
2016-10-12 23:00 - 2009-07-14 14:48 - 00000000 ____D C:\Users\UpdatusUser\AppData\Roaming\Media Center Programs
2016-10-12 22:59 - 2016-10-13 00:05 - 00000000 ____D C:\ProgramData\NVIDIA
2016-10-12 22:59 - 2016-10-12 22:59 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2016-10-12 22:59 - 2015-08-18 15:47 - 00060720 _____ (Khronos Group) C:\Windows\system32\OpenCL.dll
2016-10-12 22:59 - 2015-08-18 06:28 - 04388016 _____ (NVIDIA Corporation) C:\Windows\system32\nvcpl.dll
2016-10-12 22:59 - 2015-08-18 06:28 - 03062064 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvc.dll
2016-10-12 22:59 - 2015-08-18 06:28 - 00670512 _____ (NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
2016-10-12 22:59 - 2015-08-18 06:28 - 00375088 _____ (NVIDIA Corporation) C:\Windows\system32\nvmctray.dll
2016-10-12 22:59 - 2015-08-18 06:28 - 00061744 _____ (NVIDIA Corporation) C:\Windows\system32\nvshext.dll
2016-10-12 22:58 - 2016-10-13 00:04 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2016-10-12 22:58 - 2016-10-12 22:58 - 00000000 ____D C:\NVIDIA
2016-10-12 22:58 - 2015-08-18 15:47 - 14497568 _____ (NVIDIA Corporation) C:\Windows\system32\nvd3dum.dll
2016-10-12 22:58 - 2015-08-18 15:47 - 02824176 _____ (NVIDIA Corporation) C:\Windows\system32\nvapi.dll
2016-10-12 22:58 - 2015-08-18 15:47 - 00021015 _____ C:\Windows\system32\nvinfo.pb
2016-10-12 22:58 - 2013-03-15 12:46 - 01012512 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco3231422.dll
2016-10-12 22:58 - 2013-03-15 12:46 - 00892704 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispgenco3231422.dll
2016-10-12 22:58 - 2012-12-19 12:41 - 00154040 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvhda32v.sys
2016-10-12 22:58 - 2012-12-19 12:41 - 00028600 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdap32.dll
2016-10-12 22:58 - 2012-12-18 15:31 - 00892856 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdagenco3220103.dll
2016-10-12 22:55 - 2016-10-15 10:16 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
2016-10-12 22:52 - 2016-10-12 22:52 - 00001417 _____ C:\Users\scotter96\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-10-12 22:51 - 2016-10-13 10:20 - 00000000 ____D C:\Users\scotter96\AppData\Local\VirtualStore
2016-10-12 22:51 - 2016-10-13 00:12 - 00000000 ____D C:\Users\scotter96
2016-10-12 22:51 - 2016-10-12 22:51 - 00000020 ___SH C:\Users\scotter96\ntuser.ini
2016-10-12 22:51 - 2016-10-12 22:51 - 00000000 _SHDL C:\Users\scotter96\My Documents
2016-10-12 22:51 - 2016-10-12 22:51 - 00000000 _SHDL C:\Users\scotter96\Documents\My Videos
2016-10-12 22:51 - 2016-10-12 22:51 - 00000000 _SHDL C:\Users\scotter96\Documents\My Pictures
2016-10-12 22:51 - 2016-10-12 22:51 - 00000000 _SHDL C:\Users\scotter96\Documents\My Music
2016-10-12 22:51 - 2009-07-14 14:48 - 00000000 ____D C:\Users\scotter96\AppData\Roaming\Media Center Programs
2016-10-12 22:46 - 2016-10-12 22:46 - 00001345 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
2016-10-12 22:46 - 2016-10-12 22:46 - 00001326 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
2016-10-12 22:44 - 2016-10-12 22:44 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2016-09-26 18:19 - 2016-09-26 18:19 - 00197376 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgmfx86.sys
2016-09-22 14:44 - 2016-09-22 14:44 - 00257792 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgidsdriverx.sys
2016-09-20 16:53 - 2016-09-20 16:53 - 00218880 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgldx86.sys

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-10-15 10:16 - 2009-07-14 09:37 - 00000000 ____D C:\Windows\inf
2016-10-15 10:14 - 2009-07-14 11:34 - 00014016 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-10-15 10:14 - 2009-07-14 11:34 - 00014016 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-10-15 10:09 - 2009-07-14 11:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-10-13 20:24 - 2009-07-14 07:41 - 03207168 _____ (Microsoft Corporation) C:\Windows\system32\sppsvc.exe
2016-10-13 20:24 - 2009-07-14 07:18 - 00088576 _____ (Microsoft Corporation) C:\Windows\system32\printui.exe
2016-10-13 20:24 - 2009-07-14 07:12 - 00043008 _____ (Microsoft Corporation) C:\Windows\hh.exe
2016-10-13 20:24 - 2009-07-14 06:54 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\netiougc.exe
2016-10-13 20:24 - 2009-07-14 06:54 - 00044544 _____ (Microsoft Corporation) C:\Windows\system32\rasautou.exe
2016-10-13 20:24 - 2009-07-14 06:53 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\netbtugc.exe
2016-10-13 20:24 - 2009-07-14 06:53 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\bridgeunattend.exe
2016-10-13 20:24 - 2009-07-14 06:46 - 00172544 _____ (Microsoft Corporation) C:\Windows\system32\iscsicli.exe
2016-10-13 20:24 - 2009-07-14 06:38 - 00056320 _____ (Microsoft Corporation) C:\Windows\system32\dnscacheugc.exe
2016-10-13 20:24 - 2009-07-14 06:37 - 00124416 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2016-10-13 20:24 - 2009-07-14 06:36 - 00068096 _____ (Microsoft Corporation) C:\Windows\system32\wlrmdr.exe
2016-10-13 20:24 - 2009-07-14 06:36 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\UI0Detect.exe
2016-10-13 20:24 - 2009-07-14 06:36 - 00044544 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2016-10-13 20:24 - 2009-07-14 06:36 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\mpnotify.exe
2016-10-13 20:24 - 2009-07-14 06:34 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2016-10-13 20:24 - 2009-07-14 06:33 - 00094720 _____ (Microsoft Corporation) C:\Windows\system32\CertEnrollCtrl.exe
2016-10-13 20:24 - 2009-07-14 06:33 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\AxInstUI.exe
2016-10-13 20:24 - 2009-07-14 06:27 - 00081408 _____ (Microsoft Corporation) C:\Windows\system32\wermgr.exe
2016-10-13 20:24 - 2009-07-14 06:24 - 00480256 _____ (Microsoft Corporation) C:\Windows\system32\vds.exe
2016-10-13 20:24 - 2009-07-14 06:23 - 00290304 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2016-10-13 20:24 - 2009-07-14 06:23 - 00238080 _____ (Microsoft Corporation) C:\Windows\system32\recdisc.exe
2016-10-13 20:24 - 2009-07-14 06:23 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\vdsldr.exe
2016-10-13 20:24 - 2009-07-14 06:21 - 00554496 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm.exe
2016-10-13 20:24 - 2009-07-14 06:21 - 00075264 _____ (Microsoft Corporation) C:\Windows\system32\csrstub.exe
2016-10-13 20:24 - 2009-07-14 06:19 - 00070144 _____ (Microsoft Corporation) C:\Windows\system32\lodctr.exe
2016-10-13 20:24 - 2009-07-14 06:19 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\unlodctr.exe
2016-10-13 20:24 - 2009-07-14 06:16 - 00280576 _____ (Microsoft Corporation) C:\Windows\system32\drvinst.exe
2016-10-13 20:24 - 2009-07-14 06:16 - 00104448 _____ (Microsoft Corporation) C:\Windows\system32\newdev.exe
2016-10-13 20:24 - 2009-07-14 06:16 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ndadmin.exe
2016-10-13 20:24 - 2009-07-14 06:16 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\hdwwiz.exe
2016-10-13 20:24 - 2009-07-14 06:13 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\MuiUnattend.exe
2016-10-13 20:24 - 2009-07-14 06:12 - 00080896 _____ (Microsoft Corporation) C:\Windows\system32\expand.exe
2016-10-13 20:24 - 2009-07-14 06:12 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\sdbinst.exe
2016-10-13 19:02 - 2009-07-14 11:46 - 00001515 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-10-13 13:42 - 2009-07-14 11:52 - 00028672 _____ C:\Windows\system32\config\BCD-Template
2016-10-13 13:42 - 2009-07-14 11:34 - 00000000 ____D C:\Windows\Setup
2016-10-13 11:21 - 2009-07-14 14:49 - 00000000 ____D C:\Windows\ShellNew
2016-10-13 11:21 - 2009-07-14 09:37 - 00000000 ____D C:\Windows\TAPI
2016-10-13 11:21 - 2009-07-14 09:37 - 00000000 ____D C:\Windows\SchCache
2016-10-13 00:07 - 2009-07-14 09:37 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2016-10-13 00:06 - 2009-07-14 09:37 - 00000000 ____D C:\Windows\system
2016-10-12 22:59 - 2009-07-14 09:37 - 00000000 ____D C:\Windows\Help
2016-10-12 22:49 - 2009-07-14 09:37 - 00000000 ____D C:\Windows\rescache
2016-10-12 22:47 - 2009-07-14 11:33 - 00266808 _____ C:\Windows\system32\FNTCACHE.DAT
2016-10-12 22:46 - 2009-07-14 11:52 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2016-10-12 22:46 - 2009-07-14 09:37 - 00000000 ____D C:\Windows\system32\sysprep
2016-10-12 22:44 - 2009-07-14 14:49 - 00000000 ____D C:\Windows\CSC

Some zero byte size files/folders:
==========================
C:\Windows\System32\runouce.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe
[2009-07-14 06:41] - [2009-07-14 08:14] - 2640896 ____A (Microsoft Corporation) 122F09F456F5F9D8FAD698E8E7050418

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe
[2009-07-14 06:34] - [2009-07-14 08:14] - 0053760 ____A (Microsoft Corporation) 3C312BB304D09C7E44C7546799A9A6D7

C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-10-14 21:48

==================== End of FRST.txt ============================





#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,596 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:25 AM

Posted 15 October 2016 - 01:22 PM

Hi scotter :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system: I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate it if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
  • This being said, I have a full-time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean up some malware, so let's get started, shall we? :)

Please give me a few hours to analyse your logs. In the meantime, I would like to know if you can access another computer, a CD/DVD and/or a USB Flash Drive.

This being said, it would be wise to start backing up your files on another media (just in case) as well.

Edited by Aura, 15 October 2016 - 01:48 PM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 scotter96

scotter96
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:25 PM

Posted 18 October 2016 - 08:54 PM

Greetings, Aura! :)

 

I'm glad you showed up! I'm really sorry I can't reply to you soon enough, but from now I'll check on this thread more often.

And by the way, you can call me Scott.

 

As for the other media, maybe I can borrow a laptop and a USB flash drive. And yes, I think it's a good idea to back up the files, but unfortunately my really-need-to-backup documents (not including applications) come to over 50 GB, so it's going to take a long time.

 

Oh, and for further info, I once copied some of my *.exe files to a friend's laptop and its Windows Security Essentials immediately detected them as a virus even though I'm sure it's not infected, i.e. clean. So, perhaps ALL *.exe files in my PC are now infected, which is a shame, but as long as the *.exe files are just autorun.exe or setup.exe (not including the files to be installed), I can always download another one on the internet. What do you think of this? Is this a good idea?

 

And Aura, I'm in the middle of something right now, so I will not reply to you for a few hours. I hope it's okay..

Once again, thanks! :D



#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,596 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:25 AM

Posted 19 October 2016 - 06:58 AM

Hi Scott :)

Win32/Chir.B@mm will infect all .exe present on the system by appending malicious code to them that will be launched whenever the file is executed, so the detections on your friend's laptop weren't false positives.

File infector infections are hard to remove because of that. If you miss one file and it gets executed, the infection will come back and you'll be back to square one. This is why we'll need to use a boot CD here (in that case, Kaspersky Rescue CD).

This being said, you shouldn't back up any .exe file from your system as the risk of reinfection is too big.

Once you're done backing up your files (documents, pictures, music, etc.) let me know and we'll proceed with the clean-up.

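The point made above (a file infector appends code to every executable it touches, so one missed file re-seeds the infection) is also what a defender can check for: an appended payload breaks the file's Authenticode signature, and FRST already flagged C:\Windows\System32\runouce.exe as a zero-byte file. The script below is an added triage example, not code from the thread, from FRST, or from Kaspersky; the scan root and report path are assumptions, and it only reports, it does not remove anything.

```powershell
# Added example: triage .exe files after a suspected file-infector outbreak.
# Flags executables whose Authenticode signature does not validate and any
# zero-byte .exe, and writes a CSV so the list can be reviewed offline.
# Run from an elevated PowerShell prompt; ideally against the drive mounted
# from a clean system or rescue media, since a live infected OS cannot be trusted.
param(
    [string]$Root   = 'C:\Windows\System32',        # assumed scan root
    [string]$Report = "$env:TEMP\exe-triage.csv"    # assumed report path
)

$files = Get-ChildItem -Path $Root -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue

$results = foreach ($f in $files) {
    $zero = ($f.Length -eq 0)
    if ($zero) {
        # Nothing to verify or hash in an empty file; record it as-is.
        $status = 'ZeroByte'; $signer = $null; $sha = $null
    } else {
        $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
        $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, UnknownError, ...
        $signer = $sig.SignerCertificate.Subject
        $sha    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
    [pscustomobject]@{
        Path      = $f.FullName
        Bytes     = $f.Length
        SigStatus = $status
        Signer    = $signer
        SHA256    = $sha
        LastWrite = $f.LastWriteTimeUtc
    }
}

# HashMismatch is the strongest signal here: the bytes on disk no longer match
# what was signed, which is exactly what appending code to a signed .exe produces.
$suspects = @($results | Where-Object { $_.SigStatus -ne 'Valid' })

$suspects | Sort-Object SigStatus, Path | Export-Csv -Path $Report -NoTypeInformation
$suspects | Format-Table Path, Bytes, SigStatus -AutoSize
Write-Host ("{0} executables scanned, {1} flagged; report: {2}" -f @($results).Count, $suspects.Count, $Report)
```

Two caveats when reading the output: on Windows 7 with an older PowerShell, Get-AuthenticodeSignature does not consult security catalogs, so many legitimate OS binaries report NotSigned (the same reason FRST prints an MD5 for explorer.exe and userinit.exe rather than "File is digitally signed"); treat NotSigned as "needs a hash comparison against a known-good copy", and treat HashMismatch and ZeroByte as the entries to act on first. And because the worm is resident on a running infected system, the list is only trustworthy when produced from clean media, which is the same reason a boot CD or USB stick is used for the actual clean-up.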


#5 scotter96

scotter96
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:25 PM

Posted 20 October 2016 - 09:23 PM

Ok, Aura.. I'll let you know when I'm done backing up my files.

 

And about the boot CD, I currently don't have a CD/DVD-ROM drive right now. Any alternatives besides a boot CD? Maybe using a flash drive?



#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,596 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:25 AM

Posted 21 October 2016 - 07:27 AM

You can use a USB Flash Drive, yes :)



#7 scotter96

scotter96
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:25 PM

Posted 22 October 2016 - 05:24 AM

Ok Aura, but I got something else in my mind. I'm planning to delete ALL of my *.exe files on ALL of my drive partitions and then do a clean install of my Windows 7. Do you think that's enough to wipe out this threat and for my PC to regain its former peaceful state? Because I really do not want to erase all of my app files (which are enormous in terms of size). Furthermore, I can easily download another AutoRun.exe or setup.exe on the web or copy it from my friends' instead of downloading the entire files, and that will save a lot of time.



#8 Aura (Bleepin' Special Ops, Malware Response Team, 19,596 posts)

Posted 22 October 2016 - 08:51 AM

Instead of deleting every .exe on every partition, simply format your partitions (or the whole drive) during the Windows 7 setup and then proceed to install it. It'll be way easier/faster and this will get rid of the Chir.B@mm infection, yes.



#9 scotter96 (Topic Starter, Members, 13 posts)

Posted 23 October 2016 - 03:01 AM

But Aura, doesn't the virus just infect all *.exe files (well, at least that's something we can confirm right now)? So, just deleting all *.exe files will also delete the virus? And with a clean install, I'd then have a fresh, ready-to-use operating system?



#10 Aura (Bleepin' Special Ops, Malware Response Team, 19,596 posts)

Posted 23 October 2016 - 09:18 AM

Chir.B@mm infects .exe, .scr, .htm and .html files. And if you were to delete all the .exe files on your system, it wouldn't even boot anymore. You don't need to delete all the .exe files if you do a clean installation of Windows, since you'll be wiping the partitions (and the hard drive as a whole if you want to do things properly) and from there install a new copy of Windows.



#11 scotter96 (Topic Starter, Members, 13 posts)

Posted 25 October 2016 - 12:31 PM

Oh, ok then...

I'm sorry I can't reply to you soon enough. I will begin backing up ASAP, maybe tomorrow or in 2 days from now.

I'm just letting you know that I'm still here, Aura.



#12 Aura (Bleepin' Special Ops, Malware Response Team, 19,596 posts)

Posted 25 October 2016 - 12:33 PM

No worries, I'll be waiting :)



#13 Aura (Bleepin' Special Ops, Malware Response Team, 19,596 posts)

Posted 29 October 2016 - 11:56 AM

Hi scotter,

Are you still with me? Did you manage to do your back-up?



#14 scotter96 (Topic Starter, Members, 13 posts)

Posted 30 October 2016 - 09:35 AM

Hey Aura,

Yes, I'm still with you, and I have finished backing up all my important files. Now I am ready for the next step. :D

Oh, and by the way, I'm not currently near the PC that needs to be cleaned up, but I may be able to reach it tomorrow night, so you may as well write the steps now and I'll follow them as soon as possible. Thank you for your patience :)



#15 Aura (Bleepin' Special Ops, Malware Response Team, 19,596 posts)

Posted 30 October 2016 - 11:45 AM

Good :) Now, you wanted to proceed with a clean reinstall of Windows, right?





