
Have I been Infected?


25 replies to this topic

#1 Superdv (Members, 21 posts)

Posted 13 February 2017 - 01:18 PM

Can anyone help, please?

 

My Word documents in My Documents folder have all become corrupted. All files (which date back several years) now carry the same date & time of 30-1-2017 at 23.16 & all contain gibberish as well as being many times longer than the originals were. They all say they are in some sort of Asian font (they're not, they're just a collection of random letters & symbols) but no amount of changing the font settings will work.

 

I also have a strange file which has appeared on my desktop & in the root directory - a KEY file which carries the exact same date & time.

 

I assumed that this was ransomware - I did accidentally click on what I now assume to be the rogue site posing as a legit one - but I have not received any ransom request.

 

My AV (Bullguard) did detect something but on 'googling' this, I could find no trace of what they said it could be.

 

Bullguard customer support are useless - saying that it couldn't be Ransomware because I haven't received a ransom, nor could it be Malware or a Virus, & that I must have changed a setting on Word!

 

I have tried the files on other machines but they remain corrupted. Word will not change the format or the font whatever I do. I have also tried to change these using Kingsoft WPS - with the same result. New documents created after this date & time are unaffected.

 

Obviously I have back ups so the fact that my Docs are corrupted is not in itself a problem but what I am worried about is the fact that Bullguard say that they have removed the infection (whilst not admitting that there was one in the first place). It would seem that the infection may have been removed but not before it dropped its payload.

 

I have to say that I don't trust BG's customer service as they are assiduously avoiding answering my questions.

 

What I am concerned about is :

1) Have I been the victim of a virus/Malware etc?

 

2) If so, why was it only partially detected & what can I do now?

 

3) if it's not a virus etc ... what happened & can I reverse it?

 

I am using Windows 7

 

Thanks in advance for any help on this
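The symptoms in the post above (every affected document rewritten at one shared time, contents that look like random bytes rather than a document, a stray KEY file alongside them) are exactly the indicators a responder checks before deciding between ransomware and ordinary corruption. The script below is an added example written for this page; it is not code from the thread or from any tool mentioned in it. It classifies files by their leading bytes (a real .doc always begins with the Compound File magic, a .docx with a zip header, whatever font Word thinks it is showing), measures byte entropy, and looks for a modification-time cluster. The folder contents, file names and the shared timestamp in `build_sample()` are constructed for the demonstration; on a real machine you would run `triage()` against a copy of the Documents folder.

```python
"""Added example: triage Word files for the indicators described in the post
above (one shared timestamp, high-entropy contents, a stray KEY file).
All sample files are constructed here; nothing is read from a real machine."""
import math
import os
import random
import tempfile
from collections import Counter

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc (Compound File Binary)
ZIP_MAGIC = b"PK\x03\x04"                         # .docx (OOXML is a zip container)
RTF_MAGIC = b"{\\rtf"
DOC_EXTS = (".doc", ".docx", ".rtf")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Classify a file by its leading bytes. A genuine Word file carries a known
    magic; ciphertext has no magic and near-maximal entropy."""
    if data.startswith(OLE_MAGIC):
        return "ole-compound-file"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if shannon_entropy(data) > 7.5:
        return "high-entropy"
    return "unknown"


def triage(folder: str) -> dict:
    """Classify every document in `folder` and look for a modification-time
    cluster: an encryptor rewrites everything in one pass, so its victims share
    a timestamp while untouched documents keep their scattered dates."""
    files, buckets, key_files = {}, Counter(), []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        if name.lower() == "key" or name.lower().endswith(".key"):
            key_files.append(name)
            continue
        if not name.lower().endswith(DOC_EXTS):
            continue
        with open(path, "rb") as fh:
            head = fh.read(65536)
        bucket = int(os.path.getmtime(path) // 60)  # one-minute resolution
        files[name] = {"class": classify(head), "size": os.path.getsize(path),
                       "mtime_bucket": bucket}
        buckets[bucket] += 1
    largest = buckets.most_common(1)[0] if buckets else (None, 0)
    suspicious = sorted(n for n, info in files.items()
                        if info["class"] == "high-entropy"
                        and info["mtime_bucket"] == largest[0])
    return {"files": files, "largest_cluster": largest,
            "suspicious": suspicious, "key_files": key_files}


def build_sample(folder: str) -> None:
    """Constructed test data: two intact documents, three overwritten with
    pseudo-random bytes and stamped with one shared time, plus a KEY file."""
    rng = random.Random(2017)
    stamp = 1485818160  # hypothetical shared timestamp, constructed for the demo
    with open(os.path.join(folder, "intact.doc"), "wb") as fh:
        fh.write(OLE_MAGIC + b"\x00" * 4096)
    with open(os.path.join(folder, "intact.docx"), "wb") as fh:
        fh.write(ZIP_MAGIC + b"\x00" * 4096)
    for name in ("letter1.doc", "letter2.doc", "notes.docx"):
        path = os.path.join(folder, name)
        with open(path, "wb") as fh:
            fh.write(bytes(rng.getrandbits(8) for _ in range(8192)))
        os.utime(path, (stamp, stamp))
    key = os.path.join(folder, "KEY")
    with open(key, "wb") as fh:
        fh.write(bytes(rng.getrandbits(8) for _ in range(256)))
    os.utime(key, (stamp, stamp))


def demo() -> dict:
    """Build the constructed folder in a temp dir and triage it."""
    folder = tempfile.mkdtemp(prefix="doc-triage-")
    build_sample(folder)
    return triage(folder)


if __name__ == "__main__":
    result = demo()
    for name, info in result["files"].items():
        print(f"{name:14} {info['class']:18} {info['size']:>6} bytes  bucket={info['mtime_bucket']}")
    print("suspicious:", result["suspicious"], "key files:", result["key_files"])
```

A file that has lost its magic bytes and gained near 8 bits per byte of entropy is ciphertext or random data, not a document with the wrong font, which is why changing font settings in Word or WPS cannot recover it. Run this against a copy of the files, never the only remaining originals, and keep the KEY file: if the sample is later identified, that file may be what a decryptor needs.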

 

 

 

 




#2 TsVk! (penguin farmer; Members, 6,233 posts; Location: The Antipodes)

Posted 13 February 2017 - 01:56 PM

Hi Superdv,

 

It could just be corruption, or a file worm, or a failed ransomware infection... it's hard to tell really. The key file makes me think it's a failed ransomware infection, but the fact that it only targeted MS Word documents is unusual.

 

Let's do some scans and gather some information, eliminate some possibilities.

 

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:

  • List hosts
  • list Ip config
  • List Winsock
  • Last 10 events

Click Go and note the saved Result.txt on your desktop, to copy into your reply

 

Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • please copy and paste the log into your reply.

If prompted by your firewall allow DIG.exe
If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run

 

Please download Farbar Service Scanner and run it

  • Please check all of the boxes then click Scan
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log into your reply.

 

 

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Right click and "Run as Administrator".
  • The tool will open and start scanning your system.
  • On completion a log will open, note the saved JRT.txt on your desktop to copy into your reply

 

Please download and install MalwareBytes Anti-Malware.

  • Run the program.
  • Click Scan Now.
  • If threats are detected, click Remove Selected. If you are prompted to reboot, click Yes.
  • Upon completion of the scan (or after the reboot), click the HISTORY tab.
  • Click Application Logs, followed by the first Scan Log.
  • Click Export, followed by Copy to Clipboard. Paste the log in your next reply.

 

 

Please include in your reply

  • MTB log
  • Security Check Log
  • FSS log
  • JRT log
  • MBAM log

TsVk!


Edited by TsVk!, 13 February 2017 - 02:05 PM.
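The five tools requested above all produce plain-text logs that are then read by eye. As an added example (written for this page, not code from the thread or from the tool authors), here is a small Python parser that pulls the security-relevant findings out of a Farbar Service Scanner log: registry values printed under a "... Disabled Policy" heading, services that are stopped or whose start type differs from the default, service paths that are not reported OK, and any file-check line that is not "File is digitally signed". The parsing rules are inferred from the FSS output format posted later in this thread and are assumptions about that format; `SAMPLE_FSS_LOG` is constructed to that shape and is not a real log.

```python
"""Added example: extract security-posture findings from a Farbar Service
Scanner (FSS) log. Format rules are inferred from FSS output seen in this
thread; SAMPLE_FSS_LOG below is constructed to that shape, not a real log."""
import re

SAMPLE_FSS_LOG = """\
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile]
"EnableFirewall"=DWORD:0

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\\Windows\\System32\\svchost.exe => File is digitally signed
C:\\Windows\\System32\\rpcss.dll => File is digitally signed
"""

RE_DWORD = re.compile(r'^"([^"]+)"=DWORD:(\d+)$')
RE_STOPPED = re.compile(r"^(\w+) Service is not running\.")
RE_START = re.compile(r"^The start type of (\w+) service is set to (\w+)\. "
                      r"The default start type is (\w+)\.$")
RE_PATH = re.compile(r"^The (ImagePath|ServiceDll) of (\w+) service is (.+?)\.?$")
RE_FILE = re.compile(r"^(.+?) => (.+)$")


def parse_fss(text: str) -> list:
    """Return findings as dicts {kind, section, detail}, in log order."""
    lines = [ln.strip() for ln in text.splitlines()]
    findings, section, reg_key = [], None, None

    def add(kind, detail):
        findings.append({"kind": kind, "section": section, "detail": detail})

    for i, line in enumerate(lines):
        if not line or line.startswith("==="):
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        # FSS marks a section as "Title:" followed by a line of '=' characters.
        if line.endswith(":") and nxt.startswith("==="):
            section, reg_key = line[:-1], None
            continue
        if line.startswith("[HKEY"):
            reg_key = line.strip("[]")        # remembered for the value line that follows
            continue
        m = RE_DWORD.match(line)
        if m:
            # A registry value under a "... Disabled Policy" heading means the
            # policy exists on the machine, so any value here is a finding.
            if section and section.endswith("Disabled Policy"):
                add("policy", f"{m.group(1)}={m.group(2)} at {reg_key}")
            continue
        m = RE_STOPPED.match(line)
        if m:
            add("service-stopped", m.group(1))
            continue
        m = RE_START.match(line)
        if m:
            if m.group(2) != m.group(3):
                add("start-type", f"{m.group(1)}: {m.group(2)} (default {m.group(3)})")
            continue
        m = RE_PATH.match(line)
        if m:
            if m.group(3) != "OK":
                add("service-path", f"{m.group(2)} {m.group(1)}: {m.group(3)}")
            continue
        m = RE_FILE.match(line)
        if m:
            if m.group(2) != "File is digitally signed":
                add("file-check", f"{m.group(1)}: {m.group(2)}")
            continue
        if section == "Connection Status" and "not accessible" in line:
            add("connectivity", line)
    return findings


if __name__ == "__main__":
    for f in parse_fss(SAMPLE_FSS_LOG):
        print(f"[{f['kind']:15}] {f['section']}: {f['detail']}")
```

A firewall policy value of EnableFirewall=0 and a Defender policy value of DisableAntiSpyware=1 are legitimate when a third-party suite such as BullGuard has taken over those roles, so each finding is a question to ask rather than proof of compromise; the point of parsing is to make sure none of them is overlooked in a long log.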


#3 Superdv (Topic Starter; Members, 21 posts)

Posted 13 February 2017 - 02:19 PM

Wow!  Thank you for your very quick response.

 

Will try to do all those things & will report back asap



#4 Superdv (Topic Starter; Members, 21 posts)

Posted 13 February 2017 - 02:32 PM

Sorry - I'm new to all this.  Do I post the results here or in the Log Results forum?



#5 TsVk! (penguin farmer; Members, 6,233 posts; Location: The Antipodes)

Posted 13 February 2017 - 02:38 PM

Just copy and paste the results straight into your replies here.



#6 Superdv (Topic Starter; Members, 21 posts)

Posted 13 February 2017 - 02:47 PM

OK.  Thanks.  These are the requested logs:

 

MTB Log:

MiniToolBox by Farbar  Version: 17-06-2016
Ran by Dawn (administrator) on 13-02-2017 at 19:09:25
Running from "C:\Users\Dawn\Downloads"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Model: TouchSmart 300 Manufacturer: Hewlett-Packard
Boot Mode: Normal
***************************************************************************
========================= Hosts content: =================================
127.0.0.1       localhost
========================= IP Configuration: ================================
 
802.11n Wireless LAN Card = Wireless Network Connection (Connected)
Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20) = Local Area Connection (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 3 (Media disconnected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled
add route prefix=0.0.0.0/0 interface="Wireless Network Connection" nexthop=192.168.1.254 publish=Yes
add address name="Wireless Network Connection" address=192.168.1.99 mask=255.255.255.0
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : HPTouch
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
 
Wireless LAN adapter Wireless Network Connection 3:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
   Physical Address. . . . . . . . . : 00-26-82-5A-02-8C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Wireless LAN adapter Wireless Network Connection:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : 802.11n Wireless LAN Card
   Physical Address. . . . . . . . . : 00-26-82-5A-02-8D
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::a09a:a2cf:3798:f739%12(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.99(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCPv6 IAID . . . . . . . . . . . : 218113666
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-51-85-3E-70-71-BC-3A-FB-5A
   DNS Servers . . . . . . . . . . . : 192.168.1.254
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Ethernet adapter Local Area Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
   Physical Address. . . . . . . . . : 70-71-BC-3A-FB-5A
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.{446BC9C1-8CD7-4263-B528-B4396F8B467E}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.{5B7F9DF6-0B10-4E64-9BB4-341682A0EBD3}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.lan:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  dsldevice.lan
Address:  192.168.1.254
 
Name:    google.com
Addresses:  2a00:1450:4009:807::200e
 216.58.208.174
 
 
Pinging google.com [216.58.208.174] with 32 bytes of data:
Reply from 216.58.208.174: bytes=32 time=17ms TTL=54
Reply from 216.58.208.174: bytes=32 time=17ms TTL=54
 
Ping statistics for 216.58.208.174:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 17ms, Maximum = 17ms, Average = 17ms
Server:  dsldevice.lan
Address:  192.168.1.254
 
Name:    yahoo.com
Addresses:  2001:4998:58:c02::a9
 2001:4998:44:204::a7
 2001:4998:c:a06::2:4008
 206.190.36.45
 98.138.253.109
 98.139.183.24
 
 
Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=96ms TTL=50
Reply from 98.139.183.24: bytes=32 time=96ms TTL=50
 
Ping statistics for 98.139.183.24:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 96ms, Maximum = 96ms, Average = 96ms
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 17...00 26 82 5a 02 8c ......Microsoft Virtual WiFi Miniport Adapter
 12...00 26 82 5a 02 8d ......802.11n Wireless LAN Card
 11...70 71 bc 3a fb 5a ......Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
  1...........................Software Loopback Interface 1
 14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 20...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.99    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.99    281
     192.168.1.99  255.255.255.255         On-link      192.168.1.99    281
    192.168.1.255  255.255.255.255         On-link      192.168.1.99    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.1.99    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.1.99    281
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    192.168.1.254  Default 
===========================================================================
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 12    281 fe80::/64                On-link
 12    281 fe80::a09a:a2cf:3798:f739/128
                                    On-link
  1    306 ff00::/8                 On-link
 12    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145648] (Microsoft Corp.)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145648] (Microsoft Corp.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171760] (Microsoft Corp.)
x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171760] (Microsoft Corp.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (02/13/2017 08:52:46 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (02/13/2017 08:14:28 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/12/2017 08:42:10 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/11/2017 07:37:30 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/10/2017 08:42:18 PM) (Source: Application Hang) (User: )
Description: The program WINWORD.EXE version 9.0.0.2717 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 1ec0
 
Start Time: 01d283dddf9562c1
 
Termination Time: 5
 
Application Path: C:\Program Files (x86)\Microsoft Office\Office\WINWORD.EXE
 
Report Id: 5f87b8c2-efd1-11e6-b23a-7071bc3afb5a
 
Error: (02/10/2017 08:11:08 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (02/10/2017 07:32:18 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/09/2017 10:55:37 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (02/09/2017 08:42:39 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/08/2017 06:16:13 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
System errors:
=============
Error: (02/13/2017 09:20:21 AM) (Source: atikmdag) (User: )
Description: Display is not active
 
Error: (02/13/2017 08:14:10 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)
 
Error: (02/13/2017 08:13:20 AM) (Source: Service Control Manager) (User: )
Description: The MediatekRegistryWriter service failed to start due to the following error: 
%%1053 = The service did not respond to the start or control request in a timely fashion.
 
 
Error: (02/13/2017 08:13:20 AM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the MediatekRegistryWriter service to connect.
 
Error: (02/13/2017 08:12:44 AM) (Source: atikmdag) (User: )
Description: Display is not active
 
Error: (02/13/2017 08:12:44 AM) (Source: atikmdag) (User: )
Description: CPLIB :: General - Invalid Parameter
 
Error: (02/13/2017 08:12:46 AM) (Source: EventLog) (User: )
Description: The previous system shutdown at 23:18:13 on 12/02/2017 was unexpected.
 
Error: (02/12/2017 09:53:05 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.
 
Error: (02/12/2017 09:53:00 AM) (Source: atikmdag) (User: )
Description: Display is not active
 
Error: (02/12/2017 08:41:50 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)
 
 
Microsoft Office Sessions:
=========================
Error: (02/13/2017 08:52:46 AM) (Source: SideBySide)(User: )
Description: rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"C:\Windows\Installer\{410F406E-7AFC-4E9F-BF7E-0CB3C72BDAB9}\recordingmanager.exe
 
Error: (02/13/2017 08:14:28 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/12/2017 08:42:10 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/11/2017 07:37:30 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/10/2017 08:42:18 PM) (Source: Application Hang)(User: )
Description: WINWORD.EXE9.0.0.27171ec001d283dddf9562c15C:\Program Files (x86)\Microsoft Office\Office\WINWORD.EXE5f87b8c2-efd1-11e6-b23a-7071bc3afb5a
 
Error: (02/10/2017 08:11:08 AM) (Source: SideBySide)(User: )
Description: rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"C:\Windows\Installer\{410F406E-7AFC-4E9F-BF7E-0CB3C72BDAB9}\recordingmanager.exe
 
Error: (02/10/2017 07:32:18 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/09/2017 10:55:37 AM) (Source: SideBySide)(User: )
Description: rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"C:\Windows\Installer\{410F406E-7AFC-4E9F-BF7E-0CB3C72BDAB9}\recordingmanager.exe
 
Error: (02/09/2017 08:42:39 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (02/08/2017 06:16:13 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
CodeIntegrity Errors:
===================================
  Date: 2017-02-02 23:50:45.861
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2017-02-02 23:50:45.830
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
**** End of log ****
 
Security Check Log:

 Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
 Windows Firewall Disabled!  
BullGuard Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Google Chrome (56.0.2924.87) 
 Google Chrome (SetupMetrics...) 
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 1% 
````````````````````End of Log`````````````````````` 
 
 
FSS Log:
 

Farbar Service Scanner Version: 27-01-2016
Ran by Dawn (administrator) on 13-02-2017 at 19:21:44
Running from "C:\Users\Dawn\Downloads"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
 
 
System Restore:
============
 
System Restore Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
 
 
**** End of log ****
 
JRT Log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.0 (12.05.2016)
Operating System: Windows 7 Home Premium x64 
Ran by Dawn (Administrator) on 13/02/2017 at 19:24:49.40
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 153 
 
Successfully deleted: C:\Users\Dawn\AppData\Local\crashrpt (Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0GSAP10T (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0SMJ86HH (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NYL5M8H (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2RY7RNZU (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3AP4HRKW (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3ZHCDLWF (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\430VGTEA (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4HDPKYS0 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4UF97FAZ (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5EGWFLXD (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5IYW79A5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6DCHYBAZ (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6N69K25B (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6O6AQVQ4 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6R4SAQS2 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\815873ZC (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8SYQMF0E (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8Z3PXYXV (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9F9LAS2C (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9G9GWGEZ (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A6JDADU7 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AMOEDB2P (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQTJVYPY (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BW3IK0HB (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CVWBKSBX (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DKSNITWH (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E5JUAQY1 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ESEX41W7 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EX4T107P (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EXQ1RXT1 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F3IL8DPW (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G9HFGQ02 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GN9EPT8U (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IM8VEEFC (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\INRNNEHM (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IR8WF265 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J5SPZGQQ (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J8LDIYYW (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J8O8I0P0 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JFCMDI4X (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JRJ43SBK (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYFHM75N (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L3VYXPAN (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NH55BOYQ (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NJWAV2QE (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NNTAKQ0C (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P034HEQ4 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8JD63H7 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PWIZC7JQ (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXAZQQ43 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R1G2DGRW (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R5OZ4XJD (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RQLMD01R (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SYE5GI1E (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T3NX08G3 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TE3MZZRF (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TU7S3IXQ (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U5HGKGL1 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U7SHXBC3 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U92Y0UR6 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UB6DPEQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VF6EDTEG (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VS0L8C7P (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W8BT2FE0 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W9E7IDWE (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WTJBJMRN (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X1LHJ3OS (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X6E8VC29 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XYZ6F6BV (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y92RS0W4 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YWHXLS1H (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZLT6GJ3Z (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0GSAP10T (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0SMJ86HH (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NYL5M8H (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2RY7RNZU (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3AP4HRKW (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3ZHCDLWF (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\430VGTEA (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4HDPKYS0 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4UF97FAZ (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5EGWFLXD (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5IYW79A5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6DCHYBAZ (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6N69K25B (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6O6AQVQ4 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6R4SAQS2 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\815873ZC (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8SYQMF0E (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8Z3PXYXV (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9F9LAS2C (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9G9GWGEZ (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A6JDADU7 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AMOEDB2P (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQTJVYPY (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BW3IK0HB (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CVWBKSBX (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DKSNITWH (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E5JUAQY1 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ESEX41W7 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EX4T107P (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EXQ1RXT1 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F3IL8DPW (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G9HFGQ02 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GN9EPT8U (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IM8VEEFC (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\INRNNEHM (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IR8WF265 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J5SPZGQQ (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J8LDIYYW (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J8O8I0P0 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JFCMDI4X (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JRJ43SBK (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYFHM75N (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L3VYXPAN (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NH55BOYQ (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NJWAV2QE (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NNTAKQ0C (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P034HEQ4 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8JD63H7 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PWIZC7JQ (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXAZQQ43 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R1G2DGRW (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R5OZ4XJD (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RQLMD01R (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SYE5GI1E (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T3NX08G3 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TE3MZZRF (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TU7S3IXQ (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U5HGKGL1 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U7SHXBC3 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U92Y0UR6 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UB6DPEQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VF6EDTEG (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VS0L8C7P (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W8BT2FE0 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W9E7IDWE (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WTJBJMRN (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X1LHJ3OS (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X6E8VC29 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XYZ6F6BV (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y92RS0W4 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YWHXLS1H (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZLT6GJ3Z (Temporary Internet Files Folder) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 13/02/2017 at 19:28:05.20
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MBAM Log:

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 2/13/17
Scan Time: 7:36 PM
Logfile: 
Administrator: Yes
 
-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1252
License: Trial
 
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: HPTouch\Dawn
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 360781
Time Elapsed: 3 min, 54 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 1
Trojan.Agent.VBS, C:\USERS\DAWN\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\X.VBS, Quarantined, [770], [302710],1.0.1252
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)
 
So the last one looks as though there's something there, but I'll leave you to decipher it for me :)
 
 


#7 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,233 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:09:46 PM

Posted 13 February 2017 - 03:42 PM

Let's just check your disk; there's an error there that needs looking into (it might make chasing up any potential virus issue pointless).

 

Test your HDD with HDDScan.

  • Download the zip archive and extract it to a new folder on your desktop.
  • Open the folder and double-click HDDScan.exe, and click Yes at the prompt.
  • First click on the S.M.A.R.T. button and wait for the report.
  • If any of the lights on the side are red please stop now and copy and paste the whole line in your reply.
  • If all are green, click on the blue disk orb in the middle of the screen and then "Surface Tests" from the menu that appears
  • In the new screen click the [image] button to start the read test
  • In the bottom Test Manager window double click the test that is executing.
  • Click on the Map tab, here you can watch the scan progress until it is finished.
  • The read times on the right are how long the blocks take to respond to query.

  • If you have any Bads the disk is faulty and needs replacing.
  • If you have any 500ms entries your disk may become faulty sooner rather than later.
  • 500ms entries are cautionary; this is a sign of an aging disk.

 

How do your results look?



#8 Superdv

Superdv
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:12:46 PM

Posted 13 February 2017 - 03:51 PM

Thank you.

 

I'll be rather annoyed if the disk is at fault as it is less than a year old (my last one failed!)

 

I don't have any red lights; they are all green except for 1, which has a yellow triangle.  I haven't gone any further until I hear what you say!



#9 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,233 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:09:46 PM

Posted 13 February 2017 - 03:55 PM

Which line has the yellow triangle? Please copy and paste the line.



#10 Superdv

Superdv
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:12:46 PM

Posted 13 February 2017 - 04:04 PM

  199 UltraDMA CRC Errors 200 200 0000000000-0003 000

#11 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,233 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:09:46 PM

Posted 13 February 2017 - 04:08 PM

That's a really small count and is probably nothing; a loose cable or the computer taking a little knock when transferring data can cause that.

 

Please run the read test, just so we can eliminate this possibility before moving forward.
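An added example, not part of TsVk!'s post or of HDDScan: the same S.M.A.R.T. counters the thread is looking at (199 UltraDMA CRC Errors, plus the sector-health attributes that show up as "Bads" in a surface test) can be read from PowerShell through the MSStorageDriver_* WMI classes, which is handy when a screenshot cannot be pasted. It uses Get-WmiObject so it runs on the PowerShell 2.0 that ships with Windows 7; it assumes an elevated prompt and a disk driver that exposes these classes (most SATA drives do, many USB bridges and RAID controllers do not). The attribute names are the usual SMART table names, not HDDScan's.

```powershell
# Added example (not from the thread): read S.M.A.R.T. attributes through the
# MSStorageDriver_* WMI classes and flag the counters the thread discusses.
# Assumes an elevated prompt and a disk driver that exposes these classes.

# Attributes worth watching. 199 is the one with the yellow triangle in the
# thread; 5/197/198 are the ones that turn into "Bads" in a surface test.
$watch = @{
    5   = 'Reallocated Sectors Count'
    197 = 'Current Pending Sector Count'
    198 = 'Uncorrectable Sector Count'
    199 = 'UltraDMA CRC Error Count'
}

function Convert-SmartBlock {
    # VendorSpecific is a 512-byte block: 2 header bytes, then up to 30 entries
    # of 12 bytes each laid out as [id][flags x2][value][worst][raw x6][reserved].
    param([byte[]]$Bytes)
    for ($i = 0; $i -lt 30; $i++) {
        $o  = 2 + ($i * 12)
        $id = [int]$Bytes[$o]
        if ($id -eq 0) { continue }              # unused slot
        $raw = [int64]0
        for ($b = 5; $b -ge 0; $b--) {           # 6-byte raw value, little-endian
            $raw = ($raw * 256) + [int]$Bytes[$o + 5 + $b]
        }
        $name = if ($watch.ContainsKey($id)) { $watch[$id] } else { "Attribute $id" }
        New-Object PSObject -Property @{
            Id    = $id
            Name  = $name
            Value = [int]$Bytes[$o + 3]
            Worst = [int]$Bytes[$o + 4]
            Raw   = $raw
        }
    }
}

$status = Get-WmiObject -Namespace 'root\wmi' -Class MSStorageDriver_FailurePredictStatus
$data   = Get-WmiObject -Namespace 'root\wmi' -Class MSStorageDriver_FailurePredictData

foreach ($d in $data) {
    $s = $status | Where-Object { $_.InstanceName -eq $d.InstanceName }
    Write-Host "Drive: $($d.InstanceName)"
    Write-Host "  Drive firmware predicts failure: $($s.PredictFailure)"
    Convert-SmartBlock -Bytes $d.VendorSpecific |
        Where-Object { $watch.ContainsKey([int]$_.Id) } |
        Sort-Object Id |
        ForEach-Object {
            # Any non-zero raw count on these four is worth a look; a small,
            # non-rising 199 usually points at the cable rather than the platters.
            $flag = if ($_.Raw -gt 0) { 'CHECK' } else { 'ok' }
            Write-Host ("  {0,3} {1,-30} raw={2,-10} value={3,3} worst={4,3}  {5}" -f `
                $_.Id, $_.Name, $_.Raw, $_.Value, $_.Worst, $flag)
        }
}
```

The raw column is the counter HDDScan shows in its Raw field (the thread's line reads 3 for attribute 199); value and worst are the normalised 0-255 figures beside it. Re-running after reseating the SATA cable and comparing the 199 raw value tells you whether the count is still climbing, which is the question TsVk! is asking.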



#12 Superdv

Superdv
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:12:46 PM

Posted 13 February 2017 - 05:23 PM

Sorry - the test is still only at 70%.  I'm not well this evening so am going to have to go to bed now.  I'll leave it running & report back in the morning.

 

I do appreciate your help with this



#13 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,233 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:09:46 PM

Posted 13 February 2017 - 05:37 PM

No problem, the test can take quite some time.

 

Speak later.



#14 Superdv

Superdv
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:12:46 PM

Posted 14 February 2017 - 05:00 AM

Good morning!
 
The test has finally finished ... & it's not looking too good:

 

 

I can't seem to copy & paste the resulting image (but then I'm not firing on all cylinders this morning thanks to the lurgi I'm suffering from!)

 

The result is not showing any Bads but it is showing 39 Red >500ms

 

So it looks as though I may have been sold a pup with this 'new' HD & it's time to get another? 

 

Would this have any bearing on the problem that I have had with the Word docs?



#15 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,233 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:09:46 PM

Posted 14 February 2017 - 02:26 PM

Hi,

 

It's unlikely that the file corruption would be caused by the disk issues.

 

I would say the most likely cause of the corruption is the X.VBS detection. X.VBS is a file worm as well as a trojan. That means that, as well as propagating itself across your disk drives, it can also download and install more nasties and send your personal information to 3rd parties when you are connected to the internet. It probably entered your machine as part of an installed program, a file in your email or by plugging in an infected USB.

 

I would look at it this way...

 

Even though we can remove the infection from your system and restore full functionality, your HDD has entered a state of decline. Maybe it's not really worth the effort. If it was my machine I would be purchasing a new HDD (preferably an SSD as they are so cheap these days and far less prone to failure) and starting from scratch. You will be doing that in the relatively near future anyway.

 

I would install Panda USB Vaccine now and treat your external drives to prevent them infecting your new install also. You may even consider installing it on your new machine too, or disabling autorun manually.

 

Let me know what you'd like to do.
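An added example, not part of TsVk!'s post and not Panda USB Vaccine's or Malwarebytes' code: a read-only PowerShell triage for the two findings the thread turns on. The MBAM log above quarantined X.VBS from the per-user Startup folder, so the script lists whatever is left in both Startup folders with size, timestamp and SHA-256 for comparison; it then reports the NoDriveTypeAutoRun policy and whether any removable drive currently carries an autorun.inf, which is the mechanism a USB worm relies on and what a "vaccine" or the manual policy change shuts off. It uses only cmdlets present in the PowerShell 2.0 that ships with Windows 7 and changes nothing; the extension list and the CHECK/REVIEW labels are my own choices, not a detection rule from the thread.

```powershell
# Added example (not from the thread): report-only triage of Startup folders,
# the AutoRun policy and autorun.inf on removable drives. Nothing is modified.

# Extensions that execute when dropped in a Startup folder (my list, not the
# thread's); anything else is listed for information only.
$scriptExt = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh', '.bat', '.cmd',
             '.ps1', '.hta', '.scr', '.exe', '.lnk'

function Get-Sha256 {
    # Hash for comparing against a vendor's detection entry or a known-good copy.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# --- (1) Startup folders: per-user and all-users, both run at every logon ----
$startupDirs = [Environment]::GetFolderPath('Startup'),
               [Environment]::GetFolderPath('CommonStartup')
foreach ($dir in $startupDirs) {
    Write-Host "Startup folder: $dir"
    if (-not (Test-Path $dir)) { Write-Host '  (missing)'; continue }
    # -Force includes hidden files, which is how a dropper usually hides here.
    Get-ChildItem -Path $dir -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $tag = if ($scriptExt -contains $_.Extension.ToLower()) { 'REVIEW' } else { 'info' }
        Write-Host ("  [{0}] {1}  {2} bytes  modified {3}  sha256 {4}" -f `
            $tag, $_.Name, $_.Length, $_.LastWriteTime, (Get-Sha256 $_.FullName))
    }
}

# --- (2) AutoRun policy ------------------------------------------------------
# NoDriveTypeAutoRun is a bit mask of drive types with AutoRun switched off:
# 0x04 is removable media, 0xFF is every drive type (what "disable manually" means).
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($val -eq $null) {
        Write-Host "$hive NoDriveTypeAutoRun: not set (Windows default applies)"
        continue
    }
    $removableOff = (($val -band 0x04) -ne 0)
    Write-Host ("{0} NoDriveTypeAutoRun: 0x{1:X2}  AutoRun disabled for removable drives: {2}" -f `
        $hive, $val, $removableOff)
}

# --- (3) autorun.inf on removable drives (DriveType 2) -----------------------
# A folder named autorun.inf is the harmless placeholder a vaccine tool creates;
# a file of that name on a USB stick is what a worm uses and deserves a look.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path $inf) {
        $kind = if ((Get-Item $inf -Force).PSIsContainer) { 'folder (vaccine-style placeholder)' } else { 'FILE - CHECK' }
        Write-Host "$($_.DeviceID) autorun.inf present: $kind"
    } else {
        Write-Host "$($_.DeviceID) no autorun.inf"
    }
}
```

Run it from an elevated prompt so the all-users Startup folder and the HKLM policy are readable. A clean result is an empty or recognisable Startup listing, a policy value with the 0x04 bit set (or 0xFF), and no autorun.inf files on the sticks that were plugged into the infected machine; those sticks are the ones TsVk! suggests treating before they meet the new install.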





