Infected with HEUR:Trojan-Downloader.Script.Generic


This topic is locked
22 replies to this topic

#1 The Durango Kid


Posted 27 March 2017 - 03:54 PM

Machine:   Laptop Dell Precision M6400
OS:   Windows 7 Pro SP1 – 64 bit
Anti-virus:   Kaspersky Internet Security 2017
Browser:   Internet Explorer 11
 
 
 
Hello,
 
It looks like I caught this on my machine:  HEUR:Trojan-Downloader.Script.Generic
 
 
Here's a history/description of the problem.
--------------------------------------------------------
 
Probably too many details, but who knows, it might be useful to you.
 
I was downloading a small utility application when I noticed that the downloading process was stuck at 99%, 1% to go ...  
It was a very small file, so I got worried after a while and I interrupted the download.
 
I asked Kaspersky to scan the file, but the scan would get stuck at 50% forever ...  I tried several times to no avail ...  I then tried to shift-delete the file, but nothing would happen ...  The file name and icon showed that it was incomplete/partially downloaded, but strangely, the full name and icon came up after a while ...  After that, I was successful in deleting the file with a regular delete, then emptying the recycle bin.  I then ran Rkill and then ComboFix (I still had these apps from a session at Bleeping 2 years ago).  I then closed my computer and went to bed.
 
After rebooting the following morning, I asked Kaspersky to do a full scan of my system, with all scanning options at the most severe settings.  Kaspersky found 4 threats (note that I performed the same scan 2 days before and all was clean).  It told me that 2 threats had been taken care of, but it was unable to eradicate the other 2 ...  Kaspersky proposed that I skip, exclude or delete these untreated threats, so I deleted the first ...  Then the Kaspersky interface reset itself and told me that all was clean and good (despite the fact that I had not had the chance to deal with the second threat).
 
I then redid the same Kaspersky scan, and Kaspersky again found (10 times) the same malware "HEUR:Trojan-Downloader.Script.Generic", telling me that all of them had been eradicated and I was good and clean.  
So I redid the same full scan again, and now Kaspersky found and successfully eradicated the same malware 20 times, and again said that I was now all clean.  Yet another scan and Kaspersky found and destroyed the same guy again, 40 times ...  And now I'm supposed to be all clean ...
 
After that, I ran a scan with Emsisoft Emergency Kit, but it found nothing ...  I had an old version of Malwarebytes (free edition) so I tried that too, but Malwarebytes was unable to upgrade (is this coming from Malwarebytes, or the Trojan?).  I ran the scan anyway but Malwarebytes found nothing.
 
--------------------------------------------------------
 
I have these threats on record (file names and locations) in the quarantine section of Kaspersky, so I could take a screenshot of that if it's any use to you.  The only threat listed is always:  HEUR:Trojan-Downloader.Script.Generic
 
I read on the web that this malware digs deeper into your system at each reboot, and tries to download other trojans onto your system, so to mitigate the damage, I'm no longer rebooting my machine (only put it to sleep) and stay disconnected from the internet (I'm in an Internet Cafe now).  I have rebooted 3 or 4 times since the initial download/infection.
 
Please let me know if you think it's ok for me to connect to the internet via my laptop ...  It would be a lot easier for me ...   :o )
 
 
I hope you can help me ! ...  :o )
And thanks for your time ...
 
The Kid
 
 
--------------------------------------------------------
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-03-2017
Ran by User (administrator) on USER-PC (27-03-2017 17:17:30)
Running from C:\Users\User\Desktop
Loaded Profiles: User (Available Profiles: User & Administrator & MSSQL$SQLEXPRESS)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(IDT, Inc.) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_44a8c6ff8211f2d4\stacsv64.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avpui.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\ksde.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\ksdeui.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM-x32\...\Run: [DriveUtilitiesHelper] => C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe [1890664 2016-01-14] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5564784 2015-02-12] (Western Digital Technologies, Inc.)
HKU\S-1-5-18\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [27545048 2017-03-14] (Skype Technologies S.A.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Sound Off.lnk [2016-08-15]
ShortcutTarget: Sound Off.lnk -> C:\_JFMonette\Computer, Windows & Software\Configuration of Windows 7\NirCmd for sound icons\nircmd.exe (NirSoft)
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~ew shortcut.tmp [2015-11-22] ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\..\Interfaces\{326D8D10-F634-449F-BA89-92399250D7B0}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{C19064F3-8591-4F01-BC33-873876E1D88F}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{CB39A27B-0DC9-48B9-882A-972AAACA27EE}: [DhcpNameServer] 24.48.19.13 24.202.72.13 24.53.0.2
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3904156222-3458198690-710301323-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3904156222-3458198690-710301323-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3904156222-3458198690-710301323-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.ca/?gws_rd=ssl
SearchScopes: HKU\S-1-5-21-3904156222-3458198690-710301323-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Kaspersky Protection -> {2E38825B-8815-42CF-9126-C58BC28D4591} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\x64\IEExt\ie_plugin.dll [2017-01-07] (AO Kaspersky Lab)
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2016-07-19] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2014-01-21] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2016-07-12] (Microsoft Corporation)
BHO-x32: Kaspersky Protection -> {2E38825B-8815-42CF-9126-C58BC28D4591} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\IEExt\ie_plugin.dll [2017-01-07] (AO Kaspersky Lab)
BHO-x32: No Name -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> No File
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2014-01-23] (Microsoft Corporation)
BHO-x32: No Name -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> No File
Toolbar: HKLM - Kaspersky Protection Toolbar - {093F479D-712E-46CD-9E06-62E734A05F68} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\x64\IEExt\ie_plugin.dll [2017-01-07] (AO Kaspersky Lab)
Toolbar: HKLM-x32 - Kaspersky Protection Toolbar - {093F479D-712E-46CD-9E06-62E734A05F68} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\IEExt\ie_plugin.dll [2017-01-07] (AO Kaspersky Lab)
Toolbar: HKU\S-1-5-21-3904156222-3458198690-710301323-1000 -> Kaspersky Protection Toolbar - {093F479D-712E-46CD-9E06-62E734A05F68} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\x64\IEExt\ie_plugin.dll [2017-01-07] (AO Kaspersky Lab)
DPF: HKLM-x32 {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
 
FireFox:
========
FF DefaultProfile: h13mz1z5.default
FF ProfilePath: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\h13mz1z5.default [2017-03-25]
FF Homepage: Mozilla\Firefox\Profiles\h13mz1z5.default -> hxxps://www.google.ca/?gws_rd=ssl
FF HKLM\...\Firefox\Extensions: [light_plugin_F6F079488B53499DB99380A7E11A93F6@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\FFExt\light_plugin_firefox\addon.xpi
FF Extension: (Kaspersky Protection) - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\FFExt\light_plugin_firefox\addon.xpi [2017-01-07]
FF HKLM-x32\...\Firefox\Extensions: [light_plugin_F6F079488B53499DB99380A7E11A93F6@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\FFExt\light_plugin_firefox\addon.xpi
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [No File]
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2012-08-08] ()
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-12-29] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-12-29] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-12-29] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-12-29] (Foxit Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [No File]
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\MICROS~2\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-03-19] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-03-19] (Google Inc.)
FF Plugin HKU\S-1-5-21-3904156222-3458198690-710301323-1000: @tools.google.com/Google Update;version=3 -> C:\Users\User\AppData\Local\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin HKU\S-1-5-21-3904156222-3458198690-710301323-1000: @tools.google.com/Google Update;version=9 -> C:\Users\User\AppData\Local\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR StartupUrls: Default -> "hxxp://www.netflix.com/browse"
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\Default [2017-03-25]
CHR Extension: (Google Slides) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-04-26]
CHR Extension: (Google Docs) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-04-26]
CHR Extension: (Google Drive) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-13]
CHR Extension: (YouTube) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-11-13]
CHR Extension: (Adblock Plus) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2017-03-22]
CHR Extension: (Google Search) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-13]
CHR Extension: (Google Sheets) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-04-26]
CHR Extension: (Unsubtitle for Netflix) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhallfieahekmidfbaeobbdiajlmapfg [2015-12-08]
CHR Extension: (Kaspersky Protection) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhoibnponjcgjgcnfacekaijdbbplhib [2017-02-12]
CHR Extension: (Google Docs Offline) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-28]
CHR Extension: (Chrome Web Store Payments) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-09]
CHR Extension: (Gmail) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-26]
CHR Extension: (Chrome Media Router) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-03-20]
CHR HKLM\...\Chrome\Extension: [fhoibnponjcgjgcnfacekaijdbbplhib] - hxxps://chrome.google.com/webstore/detail/fhoibnponjcgjgcnfacekaijdbbplhib
CHR HKLM-x32\...\Chrome\Extension: [fhoibnponjcgjgcnfacekaijdbbplhib] - hxxps://chrome.google.com/webstore/detail/fhoibnponjcgjgcnfacekaijdbbplhib
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-03-24] (SUPERAntiSpyware.com)
S4 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_44a8c6ff8211f2d4\AESTSr64.exe [89600 2009-09-09] (Andrea Electronics Corporation)
R2 AVP17.0.0; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe [241544 2016-06-28] (AO Kaspersky Lab)
S3 ColdFusion 8 .NET Service; C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe [77824 2016-06-27] () [File not signed]
S3 ColdFusion 8 Application Server; C:\ColdFusion8\runtime\bin\jrunsvc.exe [65536 2008-03-18] (Macromedia Inc.) [File not signed]
S3 ColdFusion 8 ODBC Agent; C:\ColdFusion8\db\slserver54\bin\swagent.exe [696320 2016-06-27] () [File not signed]
S3 ColdFusion 8 ODBC Server; C:\ColdFusion8\db\slserver54\bin\swstrtr.exe [114688 2016-06-27] () [File not signed]
S3 ColdFusion 8 Search Server; C:\ColdFusion8\verity\k2\_nti40\bin\k2admin.exe [2743056 2008-03-12] (Verity, Inc.) [File not signed]
S4 FoxitReaderService; C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitConnectedPDFService.exe [1659592 2016-12-29] (Foxit Software Inc.)
S3 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-21] (Microsoft Corporation)
S3 klvssbrigde64; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\x64\vssbridge64.exe [77328 2016-06-28] (AO Kaspersky Lab)
R2 KSDE1.0.0; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\ksde.exe [241544 2016-06-28] (AO Kaspersky Lab)
S3 MpsSvc; . [0 2017-03-27] () <==== ATTENTION (zero byte File/Folder)
S3 MSSQL$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [370368 2015-06-10] (Microsoft Corporation)
S4 NVIDIA Performance Driver Service; C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [6810728 2009-12-08] ()
S4 NVWMI; C:\Windows\system32\nvwmi64.exe [1290016 2013-09-05] (NVIDIA Corporation)
S4 SQLAgent$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [613056 2015-06-10] (Microsoft Corporation)
R2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_44a8c6ff8211f2d4\STacSV64.exe [240640 2009-09-09] (IDT, Inc.)
R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [308088 2016-01-14] (Western Digital Technologies, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S4 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [5088256 2010-02-01] (Dell Inc.) [File not signed]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AR9271; C:\Windows\System32\DRIVERS\athuwx.sys [2224160 2013-06-28] (Atheros Communications, Inc.)
R0 cm_km; C:\Windows\System32\DRIVERS\cm_km.sys [238936 2016-06-10] (AO Kaspersky Lab)
R1 epp; C:\Program Files\Emsisoft Emergency Kit\bin64\epp.sys [115216 2017-01-03] (Emsisoft Ltd)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [554416 2016-06-02] (AO Kaspersky Lab)
R0 klbackupdisk; C:\Windows\System32\DRIVERS\klbackupdisk.sys [63920 2016-06-07] (AO Kaspersky Lab)
R1 klbackupflt; C:\Windows\System32\DRIVERS\klbackupflt.sys [86352 2016-06-14] (AO Kaspersky Lab)
R2 kldisk; C:\Windows\System32\DRIVERS\kldisk.sys [78216 2016-05-31] (AO Kaspersky Lab)
R3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [195296 2017-03-14] (AO Kaspersky Lab)
R1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [313112 2017-03-14] (AO Kaspersky Lab)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [1035488 2017-03-14] (AO Kaspersky Lab)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [57936 2017-01-07] (AO Kaspersky Lab)
R3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [52144 2016-05-18] (AO Kaspersky Lab)
R3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [41648 2015-06-07] (Kaspersky Lab ZAO)
R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [45488 2016-05-31] (AO Kaspersky Lab)
R3 kltap; C:\Windows\System32\DRIVERS\kltap.sys [52152 2016-06-07] (The OpenVPN Project)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [75696 2016-05-17] (AO Kaspersky Lab)
R1 Klwtp; C:\Windows\System32\DRIVERS\klwtp.sys [135904 2017-03-14] (AO Kaspersky Lab)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [199392 2017-03-14] (AO Kaspersky Lab)
S4 RsFx0300; C:\Windows\System32\DRIVERS\RsFx0300.sys [247488 2014-02-21] (Microsoft Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 usbohci; C:\Windows\system32\drivers\usbohci.sys [25600 2013-07-14] (Microsoft Corporation) [File not signed]
S3 WDC_SAM; C:\Windows\System32\DRIVERS\wdcsam64_prewin8.sys [23200 2016-01-14] (Western Digital Technologies)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-03-27 17:17 - 2017-03-27 17:18 - 00017295 _____ C:\Users\User\Desktop\FRST.txt
2017-03-27 17:12 - 2017-03-27 16:37 - 02424832 _____ (Farbar) C:\Users\User\Desktop\FRST64.exe
2017-03-26 17:58 - 2017-03-27 17:04 - 00010073 _____ C:\Users\User\Desktop\To Do Now.txt
2017-03-26 17:16 - 2017-03-26 18:30 - 315908096 _____ C:\Users\User\Desktop\kav_rescue_10.iso
2017-03-26 12:53 - 2017-03-26 12:56 - 00207400 _____ C:\Windows\ntbtlog.txt
2017-03-25 21:31 - 2017-03-25 21:31 - 00016196 _____ C:\ComboFix.txt
2017-03-23 11:57 - 2017-03-23 11:58 - 00000224 _____ C:\Users\User\Desktop\Survey 2017 on developers.url
2017-03-22 12:36 - 2017-03-22 12:36 - 00000000 ____D C:\ProgramData\Western Digital
2017-03-22 12:36 - 2017-03-22 12:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Western Digital
2017-03-22 12:36 - 2017-03-22 12:36 - 00000000 ____D C:\Program Files (x86)\Western Digital
2017-03-22 12:17 - 2017-03-22 12:17 - 00000000 ____D C:\Users\User\AppData\Local\Western Digital
2017-03-22 11:17 - 2017-03-24 15:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Seagate
2017-03-22 11:17 - 2017-03-22 11:17 - 00000000 ____D C:\Program Files (x86)\Seagate
2017-03-21 18:53 - 2017-03-24 12:23 - 00000283 _____ C:\Users\User\Desktop\Compare source and destination with Robocopy.url
2017-03-19 18:10 - 2017-03-19 18:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2017-03-19 14:13 - 2017-03-19 16:24 - 00003332 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2017-03-19 14:13 - 2017-03-19 16:24 - 00003204 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2017-03-19 12:40 - 2017-03-22 12:36 - 00000000 ____D C:\ProgramData\Package Cache
2017-03-18 22:12 - 2017-03-23 20:16 - 00000284 _____ C:\Users\User\Desktop\Robocopy examples.url
2017-03-18 21:49 - 2017-03-24 15:20 - 00000270 _____ C:\Users\User\Desktop\Robocopy backup best practices.url
2017-03-18 19:49 - 2017-03-21 22:28 - 00000175 _____ C:\Users\User\Desktop\Robocopy list of switch.url
2017-03-16 22:28 - 2017-03-04 14:24 - 00394448 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2017-03-16 22:28 - 2017-03-04 13:39 - 00346320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2017-03-16 22:28 - 2017-03-04 05:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2017-03-16 22:28 - 2017-03-04 05:20 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2017-03-16 22:28 - 2017-03-04 05:02 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2017-03-16 22:28 - 2017-03-04 05:01 - 00576512 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2017-03-16 22:28 - 2017-03-04 05:01 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2017-03-16 22:28 - 2017-03-04 05:01 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2017-03-16 22:28 - 2017-03-04 05:01 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2017-03-16 22:28 - 2017-03-04 04:59 - 02895360 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2017-03-16 22:28 - 2017-03-04 04:52 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2017-03-16 22:28 - 2017-03-04 04:51 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2017-03-16 22:28 - 2017-03-04 04:48 - 25746944 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2017-03-16 22:28 - 2017-03-04 04:46 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2017-03-16 22:28 - 2017-03-04 04:45 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2017-03-16 22:28 - 2017-03-04 04:45 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2017-03-16 22:28 - 2017-03-04 04:45 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2017-03-16 22:28 - 2017-03-04 04:44 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2017-03-16 22:28 - 2017-03-04 04:36 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2017-03-16 22:28 - 2017-03-04 04:32 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2017-03-16 22:28 - 2017-03-04 04:31 - 06045696 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2017-03-16 22:28 - 2017-03-04 04:23 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2017-03-16 22:28 - 2017-03-04 04:21 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2017-03-16 22:28 - 2017-03-04 04:16 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2017-03-16 22:28 - 2017-03-04 04:16 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2017-03-16 22:28 - 2017-03-04 04:13 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2017-03-16 22:28 - 2017-03-04 04:11 - 00152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2017-03-16 22:28 - 2017-03-04 03:57 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2017-03-16 22:28 - 2017-03-04 03:55 - 00725504 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2017-03-16 22:28 - 2017-03-04 03:54 - 00806912 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2017-03-16 22:28 - 2017-03-04 03:52 - 02131456 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2017-03-16 22:28 - 2017-03-04 03:52 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2017-03-16 22:28 - 2017-03-04 03:26 - 15259648 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2017-03-16 22:28 - 2017-03-04 03:25 - 03241984 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2017-03-16 22:28 - 2017-03-04 03:12 - 01545728 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2017-03-16 22:28 - 2017-03-04 03:02 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2017-03-16 22:28 - 2017-03-04 01:18 - 20281856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2017-03-16 22:28 - 2017-03-02 15:16 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2017-03-16 22:28 - 2017-03-02 15:02 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2017-03-16 22:28 - 2017-03-02 15:01 - 00499200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2017-03-16 22:28 - 2017-03-02 15:01 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2017-03-16 22:28 - 2017-03-02 15:01 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2017-03-16 22:28 - 2017-03-02 15:00 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2017-03-16 22:28 - 2017-03-02 14:55 - 02287104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2017-03-16 22:28 - 2017-03-02 14:54 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2017-03-16 22:28 - 2017-03-02 14:53 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2017-03-16 22:28 - 2017-03-02 14:51 - 00476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2017-03-16 22:28 - 2017-03-02 14:50 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2017-03-16 22:28 - 2017-03-02 14:49 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2017-03-16 22:28 - 2017-03-02 14:49 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2017-03-16 22:28 - 2017-03-02 14:41 - 00416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2017-03-16 22:28 - 2017-03-02 14:36 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2017-03-16 22:28 - 2017-03-02 14:35 - 00091136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2017-03-16 22:28 - 2017-03-02 14:32 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2017-03-16 22:28 - 2017-03-02 14:31 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2017-03-16 22:28 - 2017-03-02 14:29 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2017-03-16 22:28 - 2017-03-02 14:28 - 00130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2017-03-16 22:28 - 2017-03-02 14:22 - 04604416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2017-03-16 22:28 - 2017-03-02 14:21 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2017-03-16 22:28 - 2017-03-02 14:19 - 00693248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2017-03-16 22:28 - 2017-03-02 14:17 - 02055680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2017-03-16 22:28 - 2017-03-02 14:17 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2017-03-16 22:28 - 2017-03-02 14:11 - 13654528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2017-03-16 22:28 - 2017-03-02 13:53 - 02767360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2017-03-16 22:28 - 2017-03-02 13:50 - 01312768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2017-03-16 22:28 - 2017-03-02 13:50 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2017-03-16 22:28 - 2017-02-09 13:35 - 05548264 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2017-03-16 22:28 - 2017-02-09 13:33 - 01732864 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2017-03-16 22:28 - 2017-02-09 13:32 - 01212928 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2017-03-16 22:28 - 2017-02-09 13:32 - 00345600 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2017-03-16 22:28 - 2017-02-09 13:31 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2017-03-16 22:28 - 2017-02-09 13:31 - 00730624 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2017-03-16 22:28 - 2017-02-09 13:19 - 04000488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2017-03-16 22:28 - 2017-02-09 13:19 - 03945192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2017-03-16 22:28 - 2017-02-09 13:00 - 03220480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2017-03-16 22:28 - 2017-02-09 11:06 - 01648128 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2017-03-16 22:28 - 2017-01-11 15:01 - 01887744 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2017-03-16 22:27 - 2017-02-11 12:58 - 00462848 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys
2017-03-16 22:27 - 2017-02-11 12:58 - 00405504 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv2.sys
2017-03-16 22:27 - 2017-02-11 12:58 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srvnet.sys
2017-03-16 22:27 - 2017-02-10 13:32 - 00803328 _____ (Microsoft Corporation) C:\Windows\system32\usp10.dll
2017-03-16 22:27 - 2017-02-10 13:32 - 00405504 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2017-03-16 22:27 - 2017-02-10 13:17 - 00628736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll
2017-03-16 22:27 - 2017-02-10 13:17 - 00312832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2017-03-16 22:27 - 2017-02-10 11:33 - 01251328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2017-03-16 22:27 - 2017-02-09 13:36 - 00631176 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2017-03-16 22:27 - 2017-02-09 13:35 - 00706792 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2017-03-16 22:27 - 2017-02-09 13:35 - 00154856 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2017-03-16 22:27 - 2017-02-09 13:35 - 00095464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2017-03-16 22:27 - 2017-02-09 13:32 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00215552 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00190464 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00040960 _____ (Microsoft Corporation) C:\Windows\system32\WcsPlugInService.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 01163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00880640 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00625664 _____ (Microsoft Corporation) C:\Windows\system32\mscms.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00463872 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00419840 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00312320 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00250880 _____ (Microsoft Corporation) C:\Windows\system32\icm32.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00123904 _____ (Microsoft Corporation) C:\Windows\system32\bcrypt.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00059904 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00044032 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00034816 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:16 - 01314112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00666112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00644096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00481792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscms.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00342528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00275456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00261120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00254464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00215040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icm32.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00082944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\bcrypt.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:03 - 00148480 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2017-03-16 22:27 - 2017-02-09 13:03 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2017-03-16 22:27 - 2017-02-09 13:03 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2017-03-16 22:27 - 2017-02-09 13:02 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2017-03-16 22:27 - 2017-02-09 12:59 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2017-03-16 22:27 - 2017-02-09 12:58 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2017-03-16 22:27 - 2017-02-09 12:55 - 00291328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2017-03-16 22:27 - 2017-02-09 12:55 - 00159744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2017-03-16 22:27 - 2017-02-09 12:55 - 00129536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2017-03-16 22:27 - 2017-02-09 12:54 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2017-03-16 22:27 - 2017-02-09 12:54 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2017-03-16 22:27 - 2017-02-09 12:53 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2017-03-16 22:27 - 2017-02-09 12:51 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WcsPlugInService.dll
2017-03-16 22:27 - 2017-02-09 12:50 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2017-03-16 22:27 - 2017-02-09 12:50 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2017-03-16 22:27 - 2017-02-09 12:50 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2017-03-16 22:27 - 2017-02-09 12:50 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2017-03-16 22:27 - 2017-02-09 12:49 - 00036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2017-03-16 22:27 - 2017-02-09 12:49 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 12:49 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 12:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 12:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 11:06 - 01180160 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2017-03-16 22:27 - 2017-02-06 13:14 - 00733696 _____ (Microsoft Corporation) C:\Windows\HelpPane.exe
2017-03-16 22:27 - 2017-01-13 15:00 - 00976896 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2017-03-16 22:27 - 2017-01-13 15:00 - 00084480 _____ (Microsoft Corporation) C:\Windows\system32\INETRES.dll
2017-03-16 22:27 - 2017-01-13 14:45 - 00741888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2017-03-16 22:27 - 2017-01-13 14:45 - 00084480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\INETRES.dll
2017-03-16 22:27 - 2017-01-11 15:01 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2017-03-16 22:27 - 2017-01-11 14:43 - 01241088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2017-03-16 22:27 - 2017-01-11 14:43 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2017-03-16 22:27 - 2017-01-06 15:00 - 01574912 _____ (Microsoft Corporation) C:\Windows\system32\quartz.dll
2017-03-16 22:27 - 2017-01-06 14:44 - 01329664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\quartz.dll
2017-03-16 18:03 - 2017-03-16 18:03 - 00000190 _____ C:\Users\User\Desktop\Hobocopy.url
2017-03-12 18:11 - 2017-03-12 18:12 - 13560645 _____ C:\Users\User\Desktop\2017-03-11 Jean Francois.m4a
2017-03-04 22:54 - 2017-03-04 22:54 - 00997125 _____ C:\Users\User\Desktop\Breaking the Habit of Being Yourself_ How to Lose Your Mind and Create a New One.epub
2017-03-04 11:50 - 2017-03-17 14:07 - 00000000 ____D C:\Users\User\AppData\Roaming\vlc
2017-03-03 14:08 - 2017-03-03 14:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2017-03-03 14:08 - 2017-03-03 14:08 - 00000000 ____D C:\Program Files\VideoLAN
2017-03-01 15:36 - 2017-03-01 15:36 - 00000000 ____D C:\ProgramData\Google
2017-02-25 16:51 - 2017-02-25 16:51 - 00001730 _____ C:\Users\User\Desktop\Massaging Pressure Therapy for Hearing Loss.pdf.lnk
2017-02-25 12:37 - 2017-02-25 12:37 - 00001257 _____ C:\Users\User\Desktop\Stuff.txt.lnk
2017-02-25 12:34 - 2017-02-25 12:35 - 00001423 _____ C:\Users\User\Desktop\Choses Faites.docx.lnk
2017-02-25 12:34 - 2017-02-25 12:35 - 00001349 _____ C:\Users\User\Desktop\To Do.docx.lnk
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-03-27 17:17 - 2015-11-02 13:01 - 00000000 ____D C:\FRST
2017-03-27 15:52 - 2009-07-14 02:13 - 00970786 _____ C:\Windows\system32\PerfStringBackup.INI
2017-03-27 15:52 - 2009-07-14 00:20 - 00000000 ____D C:\Windows\inf
2017-03-27 15:17 - 2014-11-14 19:08 - 00013954 _____ C:\Users\User\Desktop\Backup.txt
2017-03-27 14:56 - 2009-07-14 01:45 - 00031504 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-03-27 14:56 - 2009-07-14 01:45 - 00031504 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-03-27 14:51 - 2016-07-06 18:20 - 00003758 _____ C:\Windows\System32\Tasks\AutoKMS
2017-03-26 19:14 - 2014-11-12 23:19 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2017-03-26 15:04 - 2016-10-25 10:46 - 00003032 _____ C:\Windows\System32\Tasks\Kaspersky_Upgrade_Launcher_{278ADC42-419D-4547-A6CA-5B74BE0AD901}
2017-03-26 14:48 - 2009-07-14 02:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-03-26 14:47 - 2016-07-10 09:33 - 00000000 ____D C:\Program Files\Emsisoft Emergency Kit
2017-03-26 12:24 - 2014-11-24 16:36 - 00000000 ____D C:\Users\User\AppData\Local\Apps\2.0
2017-03-25 22:32 - 2016-07-05 15:02 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-03-25 21:31 - 2016-09-02 12:34 - 00000000 ____D C:\Users\MSSQL$SQLEXPRESS
2017-03-25 21:31 - 2016-08-10 12:06 - 00000000 ____D C:\Users\Administrator
2017-03-25 21:31 - 2016-06-27 17:10 - 00000000 ____D C:\Users\DefaultAppPool.IIS APPPOOL.000
2017-03-25 21:31 - 2015-10-28 13:37 - 00000000 ____D C:\Qoobox
2017-03-25 21:31 - 2009-07-14 02:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2017-03-25 21:22 - 2009-07-13 23:34 - 00000215 _____ C:\Windows\system.ini
2017-03-25 21:19 - 2015-10-28 13:36 - 00000000 ____D C:\Windows\erdnt
2017-03-24 17:09 - 2015-10-28 15:14 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2017-03-24 17:03 - 2016-07-10 15:46 - 00000000 ____D C:\Users\User\Desktop\Scan Tools
2017-03-20 21:29 - 2017-01-15 11:49 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-03-20 21:29 - 2014-11-19 16:06 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-03-19 18:15 - 2017-01-15 11:50 - 00000000 ____D C:\Users\User\AppData\LocalLow\Mozilla
2017-03-19 18:11 - 2014-10-27 13:48 - 00000000 ____D C:\Users\User\AppData\Roaming\Skype
2017-03-19 18:10 - 2015-04-05 13:41 - 00000000 ___RD C:\Program Files (x86)\Skype
2017-03-19 18:10 - 2015-04-04 18:04 - 00002697 _____ C:\Users\Public\Desktop\Skype.lnk
2017-03-19 18:10 - 2014-10-27 12:17 - 00000000 ____D C:\ProgramData\Skype
2017-03-19 16:28 - 2016-08-09 19:29 - 00003144 _____ C:\Users\User\Desktop\Update Chrome.txt
2017-03-19 15:31 - 2015-05-04 13:19 - 00002207 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-03-17 22:06 - 2009-07-14 00:20 - 00000000 ____D C:\Windows\system32\NDF
2017-03-17 10:08 - 2009-07-14 00:20 - 00000000 ____D C:\Windows\rescache
2017-03-17 09:41 - 2009-07-14 01:45 - 00432360 _____ C:\Windows\system32\FNTCACHE.DAT
2017-03-16 22:39 - 2009-07-14 02:32 - 00000000 ____D C:\Program Files\DVD Maker
2017-03-16 22:39 - 2009-07-14 00:20 - 00000000 ____D C:\Windows\SysWOW64\inetsrv
2017-03-16 22:39 - 2009-07-14 00:20 - 00000000 ____D C:\Windows\system32\inetsrv
2017-03-16 22:35 - 2016-07-05 20:26 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2017-03-16 09:50 - 2016-08-11 22:21 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2017-03-16 09:50 - 2016-08-11 22:21 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2017-03-15 18:06 - 2014-10-24 15:44 - 00000000 ____D C:\Windows\system32\MRT
2017-03-15 17:57 - 2016-08-11 22:21 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2017-03-15 17:57 - 2014-10-24 15:44 - 138634176 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-03-15 17:13 - 2017-01-24 16:08 - 00004448 _____ C:\Windows\System32\Tasks\Adobe Flash Player PPAPI Notifier
2017-03-15 17:13 - 2017-01-24 16:08 - 00004314 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-03-15 17:12 - 2016-08-16 20:11 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-03-15 17:12 - 2016-08-16 20:11 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-03-15 17:12 - 2014-12-08 12:42 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-03-15 17:12 - 2014-12-08 12:42 - 00000000 ____D C:\Windows\system32\Macromed
2017-03-14 09:56 - 2016-09-12 22:03 - 01035488 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klif.sys
2017-03-14 09:56 - 2016-09-12 22:03 - 00135904 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klwtp.sys
2017-03-14 09:56 - 2016-06-14 16:47 - 00199392 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\kneps.sys
2017-03-14 09:55 - 2016-06-26 14:10 - 00195296 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klflt.sys
2017-03-14 09:54 - 2016-09-12 22:03 - 00313112 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klhk.sys
2017-03-13 20:10 - 2016-11-28 14:05 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2017-03-01 15:37 - 2016-10-02 17:07 - 00002786 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2017-03-01 15:36 - 2014-10-24 14:53 - 00000000 ____D C:\Program Files (x86)\Google
2017-03-01 12:42 - 2014-11-14 19:02 - 00000000 ____D C:\_JFMonette
 
==================== Files in the root of some directories =======
 
2014-11-11 23:20 - 2014-11-11 23:20 - 0000000 _____ () C:\ProgramData\Wave
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-03-25 14:51
 
==================== End of FRST.txt ============================
 



#2 The Durango Kid

  • Topic Starter
  • Members
  • 20 posts

Posted 27 March 2017 - 06:37 PM

Machine:      Laptop Dell Precision M6400
OS:           Windows 7 Pro SP1 – 64 bit
Anti-virus:   Kaspersky Internet Security 2017
Browser:      Internet Explorer 11


Hello,

It looks like I caught this on my machine: HEUR:Trojan-Downloader.Script.Generic


Here's a history/description of the problem.
--------------------------------------------------------

Probably too many details, but who knows, it might be useful to you.

I was downloading a small utility application when I noticed that the download process was stuck at 99%, 1% to go ... It was a very small file, so I got worried after a while and interrupted the download.

I asked Kaspersky to scan the file, but the scan would get stuck at 50% forever ... I tried several times to no avail ... I then tried to shift-delete the file, but nothing would happen ... The file name and icon showed that it was incomplete/partially downloaded, but strangely, the full name and icon came up after a while ... After that, I was successful in deleting the file with a regular delete, then emptying the recycle bin. I then ran Rkill and then ComboFix (I still had these apps from a session at Bleeping 2 years ago). I then closed my computer and went to bed.

After rebooting the following morning, I asked Kaspersky to do a full scan of my system, with all scanning options at the most severe settings. Kaspersky found 4 threats (note that I performed the same scan 2 days before and all was clean). It told me that 2 threats had been taken care of, but was unable to eradicate the other 2 ... Kaspersky proposed that I skip, exclude or delete these untreated threats, so I deleted the first ... Then the Kaspersky interface reset itself and told me that all was clean and good (despite the fact that I had not had the chance to deal with the second threat).

I then redid the same Kaspersky scan, and Kaspersky again found (10 times) the same malware "HEUR:Trojan-Downloader.Script.Generic", telling me that all of them had been eradicated and I was good and clean. So I redid the same full scan again, and now Kaspersky found and successfully eradicated the same malware 20 times, and again said that I was now all clean. Yet another scan and Kaspersky found and destroyed the same guy again 40 times ... And now I'm supposed to be all clean ...

After that, I ran a scan with Emsisoft Emergency Kit, but it found nothing ... I had an old version of Malwarebytes (free edition), so I tried that too, but Malwarebytes was unable to upgrade (this coming from Malwarebytes, or the Trojan?). I ran the scan anyway and Malwarebytes found nothing.

--------------------------------------------------------

I have these threats on record (file names and locations) in the quarantine section of Kaspersky, so I could make a print screen of that if it's any use to you. The only threat listed is always: HEUR:Trojan-Downloader.Script.Generic

I read on the web that this malware digs deeper into your system at each reboot, and tries to download other trojans onto your system, so to mitigate the damage, I'm no longer rebooting my machine (I only put it to sleep) and I stay disconnected from the internet (I'm in an Internet cafe now). I have rebooted 3 or 4 times since the initial download/infection.

Please let me know if you think it's ok for me to connect to the internet via my laptop ... It would be easier for me ... :o )

--------------------------------------------------------

I hope you can help me !
And thanks for your time ...

The Kid



--------------------------------------------------------



Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-03-2017
Ran by User (administrator) on USER-PC (27-03-2017 17:17:30)
Running from C:\Users\User\Desktop
Loaded Profiles: User (Available Profiles: User & Administrator & MSSQL$SQLEXPRESS)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(IDT, Inc.) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_44a8c6ff8211f2d4\stacsv64.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avpui.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\ksde.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\ksdeui.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [DriveUtilitiesHelper] => C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe [1890664 2016-01-14] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5564784 2015-02-12] (Western Digital Technologies, Inc.)
HKU\S-1-5-18\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [27545048 2017-03-14] (Skype Technologies S.A.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Sound Off.lnk [2016-08-15]
ShortcutTarget: Sound Off.lnk -> C:\_JFMonette\Computer, Windows & Software\Configuration of Windows 7\NirCmd for sound icons\nircmd.exe (NirSoft)
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~ew shortcut.tmp [2015-11-22] ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{326D8D10-F634-449F-BA89-92399250D7B0}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{C19064F3-8591-4F01-BC33-873876E1D88F}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{CB39A27B-0DC9-48B9-882A-972AAACA27EE}: [DhcpNameServer] 24.48.19.13 24.202.72.13 24.53.0.2

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3904156222-3458198690-710301323-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3904156222-3458198690-710301323-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3904156222-3458198690-710301323-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.ca/?gws_rd=ssl
SearchScopes: HKU\S-1-5-21-3904156222-3458198690-710301323-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Kaspersky Protection -> {2E38825B-8815-42CF-9126-C58BC28D4591} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\x64\IEExt\ie_plugin.dll [2017-01-07] (AO Kaspersky Lab)
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2016-07-19] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2014-01-21] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2016-07-12] (Microsoft Corporation)
BHO-x32: Kaspersky Protection -> {2E38825B-8815-42CF-9126-C58BC28D4591} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\IEExt\ie_plugin.dll [2017-01-07] (AO Kaspersky Lab)
BHO-x32: No Name -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> No File
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2014-01-23] (Microsoft Corporation)
BHO-x32: No Name -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> No File
Toolbar: HKLM - Kaspersky Protection Toolbar - {093F479D-712E-46CD-9E06-62E734A05F68} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\x64\IEExt\ie_plugin.dll [2017-01-07] (AO Kaspersky Lab)
Toolbar: HKLM-x32 - Kaspersky Protection Toolbar - {093F479D-712E-46CD-9E06-62E734A05F68} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\IEExt\ie_plugin.dll [2017-01-07] (AO Kaspersky Lab)
Toolbar: HKU\S-1-5-21-3904156222-3458198690-710301323-1000 -> Kaspersky Protection Toolbar - {093F479D-712E-46CD-9E06-62E734A05F68} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\x64\IEExt\ie_plugin.dll [2017-01-07] (AO Kaspersky Lab)
DPF: HKLM-x32 {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab

FireFox:
========
FF DefaultProfile: h13mz1z5.default
FF ProfilePath: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\h13mz1z5.default [2017-03-25]
FF Homepage: Mozilla\Firefox\Profiles\h13mz1z5.default -> hxxps://www.google.ca/?gws_rd=ssl
FF HKLM\...\Firefox\Extensions: [light_plugin_F6F079488B53499DB99380A7E11A93F6@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\FFExt\light_plugin_firefox\addon.xpi
FF Extension: (Kaspersky Protection) - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\FFExt\light_plugin_firefox\addon.xpi [2017-01-07]
FF HKLM-x32\...\Firefox\Extensions: [light_plugin_F6F079488B53499DB99380A7E11A93F6@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\FFExt\light_plugin_firefox\addon.xpi
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [No File]
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2012-08-08] ()
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-12-29] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-12-29] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-12-29] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-12-29] (Foxit Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [No File]
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\MICROS~2\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-03-19] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-03-19] (Google Inc.)
FF Plugin HKU\S-1-5-21-3904156222-3458198690-710301323-1000: @tools.google.com/Google Update;version=3 -> C:\Users\User\AppData\Local\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin HKU\S-1-5-21-3904156222-3458198690-710301323-1000: @tools.google.com/Google Update;version=9 -> C:\Users\User\AppData\Local\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)

Chrome:
=======
CHR DefaultProfile: Default
CHR StartupUrls: Default -> "hxxp://www.netflix.com/browse"
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\Default [2017-03-25]
CHR Extension: (Google Slides) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-04-26]
CHR Extension: (Google Docs) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-04-26]
CHR Extension: (Google Drive) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-13]
CHR Extension: (YouTube) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-11-13]
CHR Extension: (Adblock Plus) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2017-03-22]
CHR Extension: (Google Search) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-13]
CHR Extension: (Google Sheets) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-04-26]
CHR Extension: (Unsubtitle for Netflix) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhallfieahekmidfbaeobbdiajlmapfg [2015-12-08]
CHR Extension: (Kaspersky Protection) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhoibnponjcgjgcnfacekaijdbbplhib [2017-02-12]
CHR Extension: (Google Docs Offline) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-28]
CHR Extension: (Chrome Web Store Payments) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-09]
CHR Extension: (Gmail) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-26]
CHR Extension: (Chrome Media Router) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-03-20]
CHR HKLM\...\Chrome\Extension: [fhoibnponjcgjgcnfacekaijdbbplhib] - hxxps://chrome.google.com/webstore/detail/fhoibnponjcgjgcnfacekaijdbbplhib
CHR HKLM-x32\...\Chrome\Extension: [fhoibnponjcgjgcnfacekaijdbbplhib] - hxxps://chrome.google.com/webstore/detail/fhoibnponjcgjgcnfacekaijdbbplhib

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-03-24] (SUPERAntiSpyware.com)
S4 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_44a8c6ff8211f2d4\AESTSr64.exe [89600 2009-09-09] (Andrea Electronics Corporation)
R2 AVP17.0.0; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe [241544 2016-06-28] (AO Kaspersky Lab)
S3 ColdFusion 8 .NET Service; C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe [77824 2016-06-27] () [File not signed]
S3 ColdFusion 8 Application Server; C:\ColdFusion8\runtime\bin\jrunsvc.exe [65536 2008-03-18] (Macromedia Inc.) [File not signed]
S3 ColdFusion 8 ODBC Agent; C:\ColdFusion8\db\slserver54\bin\swagent.exe [696320 2016-06-27] () [File not signed]
S3 ColdFusion 8 ODBC Server; C:\ColdFusion8\db\slserver54\bin\swstrtr.exe [114688 2016-06-27] () [File not signed]
S3 ColdFusion 8 Search Server; C:\ColdFusion8\verity\k2\_nti40\bin\k2admin.exe [2743056 2008-03-12] (Verity, Inc.) [File not signed]
S4 FoxitReaderService; C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitConnectedPDFService.exe [1659592 2016-12-29] (Foxit Software Inc.)
S3 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-21] (Microsoft Corporation)
S3 klvssbrigde64; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\x64\vssbridge64.exe [77328 2016-06-28] (AO Kaspersky Lab)
R2 KSDE1.0.0; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Secure Connection 1.0\ksde.exe [241544 2016-06-28] (AO Kaspersky Lab)
S3 MpsSvc; . [0 2017-03-27] () <==== ATTENTION (zero byte File/Folder)
S3 MSSQL$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [370368 2015-06-10] (Microsoft Corporation)
S4 NVIDIA Performance Driver Service; C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [6810728 2009-12-08] ()
S4 NVWMI; C:\Windows\system32\nvwmi64.exe [1290016 2013-09-05] (NVIDIA Corporation)
S4 SQLAgent$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [613056 2015-06-10] (Microsoft Corporation)
R2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_44a8c6ff8211f2d4\STacSV64.exe [240640 2009-09-09] (IDT, Inc.)
R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [308088 2016-01-14] (Western Digital Technologies, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S4 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [5088256 2010-02-01] (Dell Inc.) [File not signed]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AR9271; C:\Windows\System32\DRIVERS\athuwx.sys [2224160 2013-06-28] (Atheros Communications, Inc.)
R0 cm_km; C:\Windows\System32\DRIVERS\cm_km.sys [238936 2016-06-10] (AO Kaspersky Lab)
R1 epp; C:\Program Files\Emsisoft Emergency Kit\bin64\epp.sys [115216 2017-01-03] (Emsisoft Ltd)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [554416 2016-06-02] (AO Kaspersky Lab)
R0 klbackupdisk; C:\Windows\System32\DRIVERS\klbackupdisk.sys [63920 2016-06-07] (AO Kaspersky Lab)
R1 klbackupflt; C:\Windows\System32\DRIVERS\klbackupflt.sys [86352 2016-06-14] (AO Kaspersky Lab)
R2 kldisk; C:\Windows\System32\DRIVERS\kldisk.sys [78216 2016-05-31] (AO Kaspersky Lab)
R3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [195296 2017-03-14] (AO Kaspersky Lab)
R1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [313112 2017-03-14] (AO Kaspersky Lab)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [1035488 2017-03-14] (AO Kaspersky Lab)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [57936 2017-01-07] (AO Kaspersky Lab)
R3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [52144 2016-05-18] (AO Kaspersky Lab)
R3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [41648 2015-06-07] (Kaspersky Lab ZAO)
R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [45488 2016-05-31] (AO Kaspersky Lab)
R3 kltap; C:\Windows\System32\DRIVERS\kltap.sys [52152 2016-06-07] (The OpenVPN Project)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [75696 2016-05-17] (AO Kaspersky Lab)
R1 Klwtp; C:\Windows\System32\DRIVERS\klwtp.sys [135904 2017-03-14] (AO Kaspersky Lab)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [199392 2017-03-14] (AO Kaspersky Lab)
S4 RsFx0300; C:\Windows\System32\DRIVERS\RsFx0300.sys [247488 2014-02-21] (Microsoft Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 usbohci; C:\Windows\system32\drivers\usbohci.sys [25600 2013-07-14] (Microsoft Corporation) [File not signed]
S3 WDC_SAM; C:\Windows\System32\DRIVERS\wdcsam64_prewin8.sys [23200 2016-01-14] (Western Digital Technologies)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-27 17:17 - 2017-03-27 17:18 - 00017295 _____ C:\Users\User\Desktop\FRST.txt
2017-03-27 17:12 - 2017-03-27 16:37 - 02424832 _____ (Farbar) C:\Users\User\Desktop\FRST64.exe
2017-03-26 17:58 - 2017-03-27 17:04 - 00010073 _____ C:\Users\User\Desktop\To Do Now.txt
2017-03-26 17:16 - 2017-03-26 18:30 - 315908096 _____ C:\Users\User\Desktop\kav_rescue_10.iso
2017-03-26 12:53 - 2017-03-26 12:56 - 00207400 _____ C:\Windows\ntbtlog.txt
2017-03-25 21:31 - 2017-03-25 21:31 - 00016196 _____ C:\ComboFix.txt
2017-03-23 11:57 - 2017-03-23 11:58 - 00000224 _____ C:\Users\User\Desktop\Survey 2017 on developers.url
2017-03-22 12:36 - 2017-03-22 12:36 - 00000000 ____D C:\ProgramData\Western Digital
2017-03-22 12:36 - 2017-03-22 12:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Western Digital
2017-03-22 12:36 - 2017-03-22 12:36 - 00000000 ____D C:\Program Files (x86)\Western Digital
2017-03-22 12:17 - 2017-03-22 12:17 - 00000000 ____D C:\Users\User\AppData\Local\Western Digital
2017-03-22 11:17 - 2017-03-24 15:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Seagate
2017-03-22 11:17 - 2017-03-22 11:17 - 00000000 ____D C:\Program Files (x86)\Seagate
2017-03-21 18:53 - 2017-03-24 12:23 - 00000283 _____ C:\Users\User\Desktop\Compare source and destination with Robocopy.url
2017-03-19 18:10 - 2017-03-19 18:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2017-03-19 14:13 - 2017-03-19 16:24 - 00003332 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2017-03-19 14:13 - 2017-03-19 16:24 - 00003204 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2017-03-19 12:40 - 2017-03-22 12:36 - 00000000 ____D C:\ProgramData\Package Cache
2017-03-18 22:12 - 2017-03-23 20:16 - 00000284 _____ C:\Users\User\Desktop\Robocopy examples.url
2017-03-18 21:49 - 2017-03-24 15:20 - 00000270 _____ C:\Users\User\Desktop\Robocopy backup best practices.url
2017-03-18 19:49 - 2017-03-21 22:28 - 00000175 _____ C:\Users\User\Desktop\Robocopy list of switch.url
2017-03-16 22:28 - 2017-03-04 14:24 - 00394448 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2017-03-16 22:28 - 2017-03-04 13:39 - 00346320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2017-03-16 22:28 - 2017-03-04 05:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2017-03-16 22:28 - 2017-03-04 05:20 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2017-03-16 22:28 - 2017-03-04 05:02 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2017-03-16 22:28 - 2017-03-04 05:01 - 00576512 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2017-03-16 22:28 - 2017-03-04 05:01 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2017-03-16 22:28 - 2017-03-04 05:01 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2017-03-16 22:28 - 2017-03-04 05:01 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2017-03-16 22:28 - 2017-03-04 04:59 - 02895360 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2017-03-16 22:28 - 2017-03-04 04:52 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2017-03-16 22:28 - 2017-03-04 04:51 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2017-03-16 22:28 - 2017-03-04 04:48 - 25746944 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2017-03-16 22:28 - 2017-03-04 04:46 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2017-03-16 22:28 - 2017-03-04 04:45 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2017-03-16 22:28 - 2017-03-04 04:45 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2017-03-16 22:28 - 2017-03-04 04:45 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2017-03-16 22:28 - 2017-03-04 04:44 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2017-03-16 22:28 - 2017-03-04 04:36 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2017-03-16 22:28 - 2017-03-04 04:32 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2017-03-16 22:28 - 2017-03-04 04:31 - 06045696 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2017-03-16 22:28 - 2017-03-04 04:23 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2017-03-16 22:28 - 2017-03-04 04:21 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2017-03-16 22:28 - 2017-03-04 04:16 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2017-03-16 22:28 - 2017-03-04 04:16 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2017-03-16 22:28 - 2017-03-04 04:13 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2017-03-16 22:28 - 2017-03-04 04:11 - 00152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2017-03-16 22:28 - 2017-03-04 03:57 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2017-03-16 22:28 - 2017-03-04 03:55 - 00725504 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2017-03-16 22:28 - 2017-03-04 03:54 - 00806912 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2017-03-16 22:28 - 2017-03-04 03:52 - 02131456 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2017-03-16 22:28 - 2017-03-04 03:52 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2017-03-16 22:28 - 2017-03-04 03:26 - 15259648 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2017-03-16 22:28 - 2017-03-04 03:25 - 03241984 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2017-03-16 22:28 - 2017-03-04 03:12 - 01545728 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2017-03-16 22:28 - 2017-03-04 03:02 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2017-03-16 22:28 - 2017-03-04 01:18 - 20281856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2017-03-16 22:28 - 2017-03-02 15:16 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2017-03-16 22:28 - 2017-03-02 15:02 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2017-03-16 22:28 - 2017-03-02 15:01 - 00499200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2017-03-16 22:28 - 2017-03-02 15:01 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2017-03-16 22:28 - 2017-03-02 15:01 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2017-03-16 22:28 - 2017-03-02 15:00 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2017-03-16 22:28 - 2017-03-02 14:55 - 02287104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2017-03-16 22:28 - 2017-03-02 14:54 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2017-03-16 22:28 - 2017-03-02 14:53 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2017-03-16 22:28 - 2017-03-02 14:51 - 00476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2017-03-16 22:28 - 2017-03-02 14:50 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2017-03-16 22:28 - 2017-03-02 14:49 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2017-03-16 22:28 - 2017-03-02 14:49 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2017-03-16 22:28 - 2017-03-02 14:41 - 00416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2017-03-16 22:28 - 2017-03-02 14:36 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2017-03-16 22:28 - 2017-03-02 14:35 - 00091136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2017-03-16 22:28 - 2017-03-02 14:32 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2017-03-16 22:28 - 2017-03-02 14:31 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2017-03-16 22:28 - 2017-03-02 14:29 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2017-03-16 22:28 - 2017-03-02 14:28 - 00130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2017-03-16 22:28 - 2017-03-02 14:22 - 04604416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2017-03-16 22:28 - 2017-03-02 14:21 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2017-03-16 22:28 - 2017-03-02 14:19 - 00693248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2017-03-16 22:28 - 2017-03-02 14:17 - 02055680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2017-03-16 22:28 - 2017-03-02 14:17 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2017-03-16 22:28 - 2017-03-02 14:11 - 13654528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2017-03-16 22:28 - 2017-03-02 13:53 - 02767360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2017-03-16 22:28 - 2017-03-02 13:50 - 01312768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2017-03-16 22:28 - 2017-03-02 13:50 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2017-03-16 22:28 - 2017-02-09 13:35 - 05548264 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2017-03-16 22:28 - 2017-02-09 13:33 - 01732864 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2017-03-16 22:28 - 2017-02-09 13:32 - 01212928 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2017-03-16 22:28 - 2017-02-09 13:32 - 00345600 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2017-03-16 22:28 - 2017-02-09 13:31 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2017-03-16 22:28 - 2017-02-09 13:31 - 00730624 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2017-03-16 22:28 - 2017-02-09 13:19 - 04000488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2017-03-16 22:28 - 2017-02-09 13:19 - 03945192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2017-03-16 22:28 - 2017-02-09 13:00 - 03220480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2017-03-16 22:28 - 2017-02-09 11:06 - 01648128 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2017-03-16 22:28 - 2017-01-11 15:01 - 01887744 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2017-03-16 22:27 - 2017-02-11 12:58 - 00462848 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys
2017-03-16 22:27 - 2017-02-11 12:58 - 00405504 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv2.sys
2017-03-16 22:27 - 2017-02-11 12:58 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srvnet.sys
2017-03-16 22:27 - 2017-02-10 13:32 - 00803328 _____ (Microsoft Corporation) C:\Windows\system32\usp10.dll
2017-03-16 22:27 - 2017-02-10 13:32 - 00405504 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2017-03-16 22:27 - 2017-02-10 13:17 - 00628736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll
2017-03-16 22:27 - 2017-02-10 13:17 - 00312832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2017-03-16 22:27 - 2017-02-10 11:33 - 01251328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2017-03-16 22:27 - 2017-02-09 13:36 - 00631176 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2017-03-16 22:27 - 2017-02-09 13:35 - 00706792 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2017-03-16 22:27 - 2017-02-09 13:35 - 00154856 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2017-03-16 22:27 - 2017-02-09 13:35 - 00095464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2017-03-16 22:27 - 2017-02-09 13:32 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00215552 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00190464 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00040960 _____ (Microsoft Corporation) C:\Windows\system32\WcsPlugInService.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2017-03-16 22:27 - 2017-02-09 13:32 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 01163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00880640 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00625664 _____ (Microsoft Corporation) C:\Windows\system32\mscms.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00463872 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00419840 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00312320 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00250880 _____ (Microsoft Corporation) C:\Windows\system32\icm32.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00123904 _____ (Microsoft Corporation) C:\Windows\system32\bcrypt.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00059904 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00044032 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00034816 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:31 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:16 - 01314112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00666112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00644096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00481792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscms.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00342528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00275456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00261120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00254464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00215040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icm32.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00082944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\bcrypt.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:14 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 13:03 - 00148480 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2017-03-16 22:27 - 2017-02-09 13:03 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2017-03-16 22:27 - 2017-02-09 13:03 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2017-03-16 22:27 - 2017-02-09 13:02 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2017-03-16 22:27 - 2017-02-09 12:59 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2017-03-16 22:27 - 2017-02-09 12:58 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2017-03-16 22:27 - 2017-02-09 12:55 - 00291328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2017-03-16 22:27 - 2017-02-09 12:55 - 00159744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2017-03-16 22:27 - 2017-02-09 12:55 - 00129536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2017-03-16 22:27 - 2017-02-09 12:54 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2017-03-16 22:27 - 2017-02-09 12:54 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2017-03-16 22:27 - 2017-02-09 12:53 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2017-03-16 22:27 - 2017-02-09 12:51 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WcsPlugInService.dll
2017-03-16 22:27 - 2017-02-09 12:50 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2017-03-16 22:27 - 2017-02-09 12:50 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2017-03-16 22:27 - 2017-02-09 12:50 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2017-03-16 22:27 - 2017-02-09 12:50 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2017-03-16 22:27 - 2017-02-09 12:49 - 00036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2017-03-16 22:27 - 2017-02-09 12:49 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 12:49 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 12:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 12:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2017-03-16 22:27 - 2017-02-09 11:06 - 01180160 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2017-03-16 22:27 - 2017-02-06 13:14 - 00733696 _____ (Microsoft Corporation) C:\Windows\HelpPane.exe
2017-03-16 22:27 - 2017-01-13 15:00 - 00976896 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2017-03-16 22:27 - 2017-01-13 15:00 - 00084480 _____ (Microsoft Corporation) C:\Windows\system32\INETRES.dll
2017-03-16 22:27 - 2017-01-13 14:45 - 00741888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2017-03-16 22:27 - 2017-01-13 14:45 - 00084480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\INETRES.dll
2017-03-16 22:27 - 2017-01-11 15:01 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2017-03-16 22:27 - 2017-01-11 14:43 - 01241088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2017-03-16 22:27 - 2017-01-11 14:43 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2017-03-16 22:27 - 2017-01-06 15:00 - 01574912 _____ (Microsoft Corporation) C:\Windows\system32\quartz.dll
2017-03-16 22:27 - 2017-01-06 14:44 - 01329664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\quartz.dll
2017-03-16 18:03 - 2017-03-16 18:03 - 00000190 _____ C:\Users\User\Desktop\Hobocopy.url
2017-03-12 18:11 - 2017-03-12 18:12 - 13560645 _____ C:\Users\User\Desktop\2017-03-11 Jean Francois.m4a
2017-03-04 22:54 - 2017-03-04 22:54 - 00997125 _____ C:\Users\User\Desktop\Breaking the Habit of Being Yourself_ How to Lose Your Mind and Create a New One.epub
2017-03-04 11:50 - 2017-03-17 14:07 - 00000000 ____D C:\Users\User\AppData\Roaming\vlc
2017-03-03 14:08 - 2017-03-03 14:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2017-03-03 14:08 - 2017-03-03 14:08 - 00000000 ____D C:\Program Files\VideoLAN
2017-03-01 15:36 - 2017-03-01 15:36 - 00000000 ____D C:\ProgramData\Google
2017-02-25 16:51 - 2017-02-25 16:51 - 00001730 _____ C:\Users\User\Desktop\Massaging Pressure Therapy for Hearing Loss.pdf.lnk
2017-02-25 12:37 - 2017-02-25 12:37 - 00001257 _____ C:\Users\User\Desktop\Stuff.txt.lnk
2017-02-25 12:34 - 2017-02-25 12:35 - 00001423 _____ C:\Users\User\Desktop\Choses Faites.docx.lnk
2017-02-25 12:34 - 2017-02-25 12:35 - 00001349 _____ C:\Users\User\Desktop\To Do.docx.lnk

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-27 17:17 - 2015-11-02 13:01 - 00000000 ____D C:\FRST
2017-03-27 15:52 - 2009-07-14 02:13 - 00970786 _____ C:\Windows\system32\PerfStringBackup.INI
2017-03-27 15:52 - 2009-07-14 00:20 - 00000000 ____D C:\Windows\inf
2017-03-27 15:17 - 2014-11-14 19:08 - 00013954 _____ C:\Users\User\Desktop\Backup.txt
2017-03-27 14:56 - 2009-07-14 01:45 - 00031504 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-03-27 14:56 - 2009-07-14 01:45 - 00031504 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-03-27 14:51 - 2016-07-06 18:20 - 00003758 _____ C:\Windows\System32\Tasks\AutoKMS
2017-03-26 19:14 - 2014-11-12 23:19 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2017-03-26 15:04 - 2016-10-25 10:46 - 00003032 _____ C:\Windows\System32\Tasks\Kaspersky_Upgrade_Launcher_{278ADC42-419D-4547-A6CA-5B74BE0AD901}
2017-03-26 14:48 - 2009-07-14 02:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-03-26 14:47 - 2016-07-10 09:33 - 00000000 ____D C:\Program Files\Emsisoft Emergency Kit
2017-03-26 12:24 - 2014-11-24 16:36 - 00000000 ____D C:\Users\User\AppData\Local\Apps\2.0
2017-03-25 22:32 - 2016-07-05 15:02 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-03-25 21:31 - 2016-09-02 12:34 - 00000000 ____D C:\Users\MSSQL$SQLEXPRESS
2017-03-25 21:31 - 2016-08-10 12:06 - 00000000 ____D C:\Users\Administrator
2017-03-25 21:31 - 2016-06-27 17:10 - 00000000 ____D C:\Users\DefaultAppPool.IIS APPPOOL.000
2017-03-25 21:31 - 2015-10-28 13:37 - 00000000 ____D C:\Qoobox
2017-03-25 21:31 - 2009-07-14 02:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2017-03-25 21:22 - 2009-07-13 23:34 - 00000215 _____ C:\Windows\system.ini
2017-03-25 21:19 - 2015-10-28 13:36 - 00000000 ____D C:\Windows\erdnt
2017-03-24 17:09 - 2015-10-28 15:14 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2017-03-24 17:03 - 2016-07-10 15:46 - 00000000 ____D C:\Users\User\Desktop\Scan Tools
2017-03-20 21:29 - 2017-01-15 11:49 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-03-20 21:29 - 2014-11-19 16:06 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-03-19 18:15 - 2017-01-15 11:50 - 00000000 ____D C:\Users\User\AppData\LocalLow\Mozilla
2017-03-19 18:11 - 2014-10-27 13:48 - 00000000 ____D C:\Users\User\AppData\Roaming\Skype
2017-03-19 18:10 - 2015-04-05 13:41 - 00000000 ___RD C:\Program Files (x86)\Skype
2017-03-19 18:10 - 2015-04-04 18:04 - 00002697 _____ C:\Users\Public\Desktop\Skype.lnk
2017-03-19 18:10 - 2014-10-27 12:17 - 00000000 ____D C:\ProgramData\Skype
2017-03-19 16:28 - 2016-08-09 19:29 - 00003144 _____ C:\Users\User\Desktop\Update Chrome.txt
2017-03-19 15:31 - 2015-05-04 13:19 - 00002207 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-03-17 22:06 - 2009-07-14 00:20 - 00000000 ____D C:\Windows\system32\NDF
2017-03-17 10:08 - 2009-07-14 00:20 - 00000000 ____D C:\Windows\rescache
2017-03-17 09:41 - 2009-07-14 01:45 - 00432360 _____ C:\Windows\system32\FNTCACHE.DAT
2017-03-16 22:39 - 2009-07-14 02:32 - 00000000 ____D C:\Program Files\DVD Maker
2017-03-16 22:39 - 2009-07-14 00:20 - 00000000 ____D C:\Windows\SysWOW64\inetsrv
2017-03-16 22:39 - 2009-07-14 00:20 - 00000000 ____D C:\Windows\system32\inetsrv
2017-03-16 22:35 - 2016-07-05 20:26 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2017-03-16 09:50 - 2016-08-11 22:21 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2017-03-16 09:50 - 2016-08-11 22:21 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2017-03-15 18:06 - 2014-10-24 15:44 - 00000000 ____D C:\Windows\system32\MRT
2017-03-15 17:57 - 2016-08-11 22:21 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2017-03-15 17:57 - 2014-10-24 15:44 - 138634176 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-03-15 17:13 - 2017-01-24 16:08 - 00004448 _____ C:\Windows\System32\Tasks\Adobe Flash Player PPAPI Notifier
2017-03-15 17:13 - 2017-01-24 16:08 - 00004314 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-03-15 17:12 - 2016-08-16 20:11 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-03-15 17:12 - 2016-08-16 20:11 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-03-15 17:12 - 2014-12-08 12:42 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-03-15 17:12 - 2014-12-08 12:42 - 00000000 ____D C:\Windows\system32\Macromed
2017-03-14 09:56 - 2016-09-12 22:03 - 01035488 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klif.sys
2017-03-14 09:56 - 2016-09-12 22:03 - 00135904 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klwtp.sys
2017-03-14 09:56 - 2016-06-14 16:47 - 00199392 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\kneps.sys
2017-03-14 09:55 - 2016-06-26 14:10 - 00195296 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klflt.sys
2017-03-14 09:54 - 2016-09-12 22:03 - 00313112 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klhk.sys
2017-03-13 20:10 - 2016-11-28 14:05 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2017-03-01 15:37 - 2016-10-02 17:07 - 00002786 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2017-03-01 15:36 - 2014-10-24 14:53 - 00000000 ____D C:\Program Files (x86)\Google
2017-03-01 12:42 - 2014-11-14 19:02 - 00000000 ____D C:\_JFMonette

==================== Files in the root of some directories =======

2014-11-11 23:20 - 2014-11-11 23:20 - 0000000 _____ () C:\ProgramData\Wave

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-03-25 14:51

==================== End of FRST.txt ============================
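The "Bamital & volsnap" block just above is FRST's own signature check on the binaries that boot-time file infectors most often patch (winlogon, wininit, explorer, svchost, services, user32, userinit, rpcss, dnsapi, volsnap). The script below is an added example for this thread, not part of the original post and not FRST's code: it re-runs that check on the same sixteen paths with the built-in Get-AuthenticodeSignature cmdlet and records a SHA-256 per file, so the result can be compared against a clean Windows 7 SP1 x64 machine at the same patch level. It assumes PowerShell 4.0 or later (Get-FileHash), which on Windows 7 means Windows Management Framework 4.0+ has been installed, and it should be run from an elevated PowerShell prompt.

```powershell
# Added example for this thread (not part of the original post or of FRST).
# Re-checks the files from FRST's "Bamital & volsnap" section and records a
# SHA-256 per file. Assumes PowerShell 4.0 or later (Get-FileHash), which on
# Windows 7 SP1 means Windows Management Framework 4.0+ has been installed.

$criticalFiles = @(
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\SysWOW64\wininit.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\SysWOW64\explorer.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\user32.dll",
    "$env:SystemRoot\SysWOW64\user32.dll",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\SysWOW64\userinit.exe",
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:SystemRoot\System32\dnsapi.dll",
    "$env:SystemRoot\SysWOW64\dnsapi.dll",
    "$env:SystemRoot\System32\drivers\volsnap.sys"
)

function Test-CriticalBinary {
    param([Parameter(Mandatory)][string] $Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Signer = ''; SHA256 = '' }
    }

    # Caveat: most Windows 7 system binaries are catalog-signed rather than
    # embedded-signed, and the Windows 7 build of Get-AuthenticodeSignature does
    # not look up catalog signatures. A 'NotSigned' result here for a file that
    # FRST reported as "digitally signed" therefore means "confirm with
    # Sysinternals sigcheck, which does check catalogs", not "the file was
    # tampered with". 'HashMismatch' or a non-Microsoft signer is a real finding.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer = $signer
        SHA256 = $hash         # compare with a clean Win7 SP1 x64 box at the same patch level
    }
}

$results = $criticalFiles | ForEach-Object { Test-CriticalBinary -Path $_ }
$results | Format-Table -AutoSize

# Findings worth raising in the thread: a file that is missing, whose embedded
# signature no longer matches its contents, or whose signer is not Microsoft.
$findings = $results | Where-Object {
    $_.Status -eq 'Missing' -or $_.Status -eq 'HashMismatch' -or
    ($_.Signer -and $_.Signer -notmatch 'Microsoft')
}
if ($findings) {
    'Files needing a closer look:'
    $findings | Format-Table Path, Status, Signer -AutoSize
} else {
    'No broken signatures or non-Microsoft signers among the listed files.'
}
```

The script is deliberately conservative about what it flags: on Windows 7 a NotSigned status is the expected answer for a catalog-signed system file, so only a missing file, a HashMismatch, or a signer other than Microsoft is reported as a finding. For a definitive answer on catalog-signed files, Sysinternals sigcheck (its -i switch prints the catalog and signing chain) is the tool to use; the SHA-256 column is what lets a helper compare the file against a known-good copy.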
 




#3 blueelvis (Malware Response Team, India)

Posted 28 March 2017 - 05:55 AM

Hi The Durango Kid & Welcome to the forums ^_^,

I will be helping you with your computer problems. Right now, I am a trainee at the Bleeping Computer Malware Removal Study Hall.
I am Pranav and now that we are friends, I would like to call you by your first name if that is fine with you :hug:

All of my proposed fixes and suggestions must be approved by a fully-qualified Malware Removal Instructor. This will delay response times somewhat, but I will endeavor to respond within a reasonable time, normally 48 hours after your last post.

I will need some time to review your FRST logs and consult with the Malware Response Instructor (MRI) who will be assigned to supervise this topic. That could take a few days. Once I have reviewed my proposed response with the assigned MRI, I will reply to you with initial instructions.

While you wait for further instructions, kindly do not run any additional tools as that might complicate the process of fixing your computer and cause delays.

Have a nice day!

Regards,
Pranav


Member of the Bleeping Computer A.I.I. early response team!


In case I have been helping you and you haven't received a reply from me in 48 hours, please feel free to PM me. Anything else? Still feel free to PM me :)

Did you read this? http://omgdebugging.com/5-tips-for-getting-the-best-bang-for-the-buck-at-fast-food-joints/

#4 The Durango Kid (Topic Starter)

Posted 28 March 2017 - 09:28 AM

Hello Pranav,

My first name is Jean-Francois (JF), and thanks for your help !

I'm from Canada but I travel a lot ...  I was in India for 3 months in 2012 ...  Maybe we crossed each other in the street ? ( very small chance though ) ...  :o ) ...

Thanks again for helping me !

I will await your instructions and leave my laptop alone in the meanwhile ...   :o )

Cheers,

JF



#5 blueelvis (Malware Response Team, India)

Posted 30 March 2017 - 03:42 AM

Hi Jean!

That's nice to hear. I rarely see posts like yours :0)

Which part of the country did you visit? And regarding the chance of crossing each other on the street, it is very small :P

I have created the topic and am awaiting instructor approval. Will get back to you in some time :)

Have a nice day!

-Pranav



#6 blueelvis (Malware Response Team, India)

Posted 02 April 2017 - 09:45 AM

Hi Jean!

I am still working on this case with my instructor. Please hold on a bit for further instructions.

-Pranav



#7 blueelvis (Malware Response Team, India)

Posted 02 April 2017 - 01:15 PM

Hi Jean-Francois ^_^,

Before we start dealing with the problems you are experiencing, I would ask you to take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved, so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post, unless otherwise instructed.
  • There are no silly questions. Ask for clarification if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer. Do not use any P2P software until we conclude your topic.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

Let's begin!

Going over your logs I noticed that you have uTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
  • It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

We Need to Diagnose a Possible Problem with WGA
This may be preventing you from installing that service pack.

  • Please download MGADiag and save it to your desktop.
  • Double click the MGADiag icon on your desktop.
  • Click Continue
  • Click Copy
  • Go to Start -> Run and type in "Notepad"
  • Go to Edit -> Paste in Notepad.
  • x out all of the numbers and letters in the line beginning with "Windows Product Key:"
  • Copy and paste that log here.

Now, since you have run tools like RKill and ComboFix, could you please upload the log files? The log files for ComboFix and RKill would be in the same folder (Combofix.txt and rkill.txt) from where the executable was run.

For the Kaspersky report, please perform another scan and then export the scan results by following this guide - https://support.kaspersky.com/12740#block3

Once you reach Step 3, simply click on the "Export" button and save the log file. Then upload the log file with your next post. If you can get the results of the previous scan in which Kaspersky detected "HEUR:Trojan-Downloader.Script.Generic", please attach or paste them with your next post as well.

Have a nice day!

-Pranav

 


#8 The Durango Kid (Topic Starter)

Posted 02 April 2017 - 08:37 PM

Hello Pranav,

I'm glad to hear from you !

When I was in India, I was in Bengalore most of the time ...  At the end of my stay, I went to Goa for 2 weeks, to see the beach and the ocean ...  :o)

To answer your questions/ requests:
------------------------------------------------

First, thank you again for helping me, it is really appreciated ...

 

Yes, I have uTorrent installed, but I almost never use it (it's sometimes the only way I can download something I need).  I have been wondering about the risk involved when using torrents ...  I was thinking that maybe if I scan the downloaded file before running it I would be safe ?  Is that the case, or can you get infected DURING the download as well, via the connection (even before running the downloaded file) ?

 

Pasted below is the MGADiag.exe output.

 

I have also attached the log files from RKill and ComboFix.

 

As you requested, I just ran another full scan with Kaspersky (5th scan since the infection) and predictably, the scan found and successfully eradicated "HEUR:Trojan-Downloader.Script.Generic", 80 times ...  So to sum up, in the first scan Kaspersky was unsuccessful in eradicating 2 of the 4 threats detected.  For the following scans, all the threats found (10, 20, 40, and 80 today) were "successfully" removed ...  I have attached the log files of all 5 scans I performed since the infection.

-------------------------------------------------------------------------

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-*****-*****-*****
Windows Product Key Hash: xo+ajVSpae7/4VoZjS7m6JL0f3A=
Windows Product ID: 00371-OEM-8992671-00524
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {F1E931A8-4F8C-47B0-B59A-24D6190BFEB2}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_ldr.170209-0600
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{F1E931A8-4F8C-47B0-B59A-24D6190BFEB2}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-733WD</PKey><PID>00371-OEM-8992671-00524</PID><PIDType>2</PIDType><SID>S-1-5-21-3904156222-3458198690-710301323</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Precision M6400                 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A13</Version><SMBIOSVersion major="2" minor="4"/><Date>20130605000000.000000+000</Date></BIOS><HWID>08A13E07018400F8</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>E. South America Standard Time(GMT-03:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>M09    </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults> 

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows® 7, Professional edition
Description: Windows Operating System - Windows® 7, OEM_SLP channel
Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00178-926-700524-02-1033-7601.0000-2972014
Installation ID: 007445270750349583909533789384670342799546869472282422
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 733WD
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 4/2/2017 7:28:52 PM

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 2:9:2017 20:41
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:

HWID Data-->
HWID Hash Current: MgAAAAEAAwABAAEAAQABAAAAAgABAAEAln0KH86chiHqeeC64LzS46IFyMs+P/M7Rso=

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
  ACPI Table Name OEMID Value OEMTableID Value
  APIC   DELL    M09   
  FACP   DELL    M09   
  HPET   DELL    M09   
  MCFG   DELL    M09   
  ____   DELL    M09   
  ASF!   DELL    M09   
  TCPA     
  SLIC   DELL    M09   
  SSDT   PmRef  CpuPm

-------------------------------------------------------------------------




#9 blueelvis ("Bleep Blop Bleep"; Malware Response Team, 1,666 posts, India)

Posted 03 April 2017 - 04:02 PM

Hi Jean!
 
Bangalore has got too much traffic. Goa is a nice place. Went there during last Christmas and it was awesome!
 
Regarding uTorrent, please avoid using it during the cleanup process at all costs.
 
 
Download attached fixlist.txt file and save it to the Desktop.
 
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
 
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
 
Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
 
 
Once you complete the above step, the system will reboot. Please try scanning again using Kaspersky and see if you are still seeing this many threats. If you are still seeing those threats, please follow the below instructions -
 

We need to monitor a folder with ProcessMonitor:
 
  • Download Process Monitor by Mark Russinovich and Bryce Cogswell and save it to your Desktop
  • Extract ProcessMonitor.zip to a folder, double-click on ProcMon.exe
  • Agree to the Software Terms to run the application
  • Click on File, then uncheck Capture Events
  • Click on Edit, then Clear Display
  • Click on Filter, then Filter...
  • From the first drop down, select Path
  • From the second drop down, select Is
  • In the third drop down, copy and paste the following text:
C:\Windows\temp
  • In the fourth drop down, select Include
  • Click Add and the filter should appear on the list
  • Click Apply then Ok to save your changes
  • Click on File, then Check Capture Events
  • Note: at this point ProcessMonitor is actively monitoring the folder and recording any action within it.  Depending on how often or how many processes access a folder, this log can grow very quickly so be careful running this tool over long periods of time.  More information can be found at the TechNet page
  • Once you have the information you need, click on File, then uncheck Capture Events
  • Click on File, then Save...
Note: The information can be saved in .PML (ProcessMonitor), .CSV (comma-separated values), or .XML (eXtensible mark-up language)
  • Select the Events to save: Events displayed using current filter and Check Also include profiling events
  • Select the Format: Native Process Monitor Format (PML)
  • For Path: click the Ellipsis (...) to the right of the text box
  • Click on Desktop on the left, name the log ProcessMonitor.PML, click Save
  • Click Ok to Save the document, then close ProcessMonitor
 
 
Make sure that you ZIP up the file before uploading anywhere because it might be large. Once compressed, upload it to Dropbox/OneDrive and share the link over here.
 
 
Let me know how it goes!
 
 
Have a nice day!
 
 
-Pranav

 



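As an added example, not part of Pranav's instructions above: once the ProcMon capture is saved, it is usually quicker to export it a second time as CSV (File > Save, CSV format) and summarise it than to scroll through the PML. The Python below groups the events under C:\Windows\temp by process, separates writes from reads and directory listings, and lists the processes that dropped script files (.js, .vbs, .ps1 and so on) into the folder, which is the footprint a script downloader leaves and the thing Kaspersky keeps detecting. The column names are ProcMon's CSV export headers; every row in SAMPLE_CSV is constructed for the example. One caveat on the filter itself: a Path "Is" filter matches only the exact string, so it captures operations on the folder entry and not on files inside it; "begins with" captures both, and that prefix view is how the script treats the path.

```python
import csv
import io
from collections import Counter, defaultdict

# Added example (not from this thread). Summarises a Process Monitor CSV export
# captured for C:\Windows\temp so that processes creating files there stand out
# from the ones merely reading or listing. Column names are ProcMon's CSV export
# headers; everything in SAMPLE_CSV is constructed for the example.

WATCH_DIR = r"c:\windows\temp"          # compared case-insensitively, as a prefix
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".bat", ".cmd", ".hta")
WRITE_OPS = {"WriteFile", "SetRenameInformationFile", "SetDispositionInformationFile"}
CREATE_HINTS = ("Generic Write", "Disposition: Create", "Disposition: Overwrite",
                "Disposition: Supersede")

SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"7:28:52.0100000 PM","wscript.exe","3120","CreateFile","C:\\Windows\\Temp\\upd.js","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf"
"7:28:52.0200000 PM","wscript.exe","3120","WriteFile","C:\\Windows\\Temp\\upd.js","SUCCESS","Offset: 0, Length: 4,096"
"7:28:53.0000000 PM","avp.exe","1200","CreateFile","C:\\Windows\\Temp\\upd.js","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"7:28:54.0000000 PM","TrustedInstaller.exe","880","CreateFile","C:\\Windows\\Temp\\cab_1234.tmp","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"7:28:55.0000000 PM","powershell.exe","4010","CreateFile","C:\\Windows\\Temp\\dl.vbs","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"7:28:55.0100000 PM","powershell.exe","4010","WriteFile","C:\\Windows\\Temp\\dl.vbs","SUCCESS","Offset: 0, Length: 812"
"7:28:56.0000000 PM","explorer.exe","1500","QueryDirectory","C:\\Windows\\Temp","SUCCESS","Filter: *"
"""


def parse_events(csv_text):
    """Rows whose Path lies under WATCH_DIR. A ProcMon filter of Path "Is"
    C:\\Windows\\temp matches only the folder entry; this is the "begins with" view."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Path"].lower().startswith(WATCH_DIR):
            yield row


def is_write(row):
    """File creation shows up as CreateFile with write access or a creating
    Disposition in Detail; the content itself arrives as WriteFile events."""
    if row["Operation"] in WRITE_OPS:
        return True
    if row["Operation"] == "CreateFile":
        return any(hint in row["Detail"] for hint in CREATE_HINTS)
    return False


def summarize(csv_text):
    """Map (process name, pid) -> operation counts and the files it wrote."""
    ops = defaultdict(Counter)
    written = defaultdict(set)
    for row in parse_events(csv_text):
        key = (row["Process Name"], int(row["PID"]))
        ops[key][row["Operation"]] += 1
        if is_write(row):
            written[key].add(row["Path"])
    return {key: {"ops": dict(ops[key]), "wrote": sorted(written[key])} for key in ops}


def script_droppers(csv_text):
    """Processes that wrote script files into the watched folder: the footprint
    a script downloader leaves. Sorted so the output is stable."""
    hits = []
    for (name, pid), info in summarize(csv_text).items():
        scripts = [p for p in info["wrote"] if p.lower().endswith(SCRIPT_EXTS)]
        if scripts:
            hits.append((name, pid, scripts))
    return sorted(hits)


if __name__ == "__main__":
    for (name, pid), info in summarize(SAMPLE_CSV).items():
        print(f"{name} [{pid}] ops={info['ops']} wrote={info['wrote']}")
    print("script droppers:", script_droppers(SAMPLE_CSV))
```

On a real export, replace SAMPLE_CSV with `open("ProcessMonitor.csv", encoding="utf-8-sig").read()`; the antivirus (avp.exe in the sample) will show up as a reader of the same files, which is expected, while a wscript.exe, cscript.exe or powershell.exe that keeps writing fresh .js or .vbs files there is the parent process worth tracing back in the PML.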

#10 The Durango Kid (Topic Starter, Members, 20 posts)

Posted 04 April 2017 - 07:05 PM

Hello Pranav,

 

I ran FRST64.exe with the provided fixlist.txt.  After the reboot, I ran a Kaspersky scan and the result is that Kaspersky found nothing !...  (so I did not do the additional steps with Process monitor).

 

So it looks like I'm clean now !  Wow, you guys rock ! ...  I can not thank you enough ! ...  You, Lawrence Abrams and all the folks at Bleeping ...  What you guys are doing is invaluable ! ...  I will put you in my prayers ...    :)   ...

 

I have been fighting a chronic disease in the past few years, so I have thought a lot about life and death, and what life is really about, what really matters while we're here ...  I came to the conclusion that most of what we do or worry over is not important, and that life is really about human relationships, and love.  But then, we're human beings, not angels, and love is not so easy to give, or receive ...  So what's left, realistically ?  One thing:  Helping each other ...   :)

 

As you requested, I've included Fixlog.txt ...  I guess you use that to confirm that all is good ?  Let me know if additional steps are required ...

 

Cheers,
JF




#11 blueelvis ("Bleep Blop Bleep"; Malware Response Team, 1,666 posts, India)

Posted 07 April 2017 - 02:11 PM

Hi JF!

 

 

Sorry to hear about the chronic disease :(

Helping people around is probably the best feeling. 

 

I have just posted to my instructor about the next response. I got delayed because of the work :(

 

 

Glad to hear that the problem hasn't resurfaced till now. Hang on tight, we are still some steps away before we declare you clean :)

 

 

-Pranav



#12 blueelvis ("Bleep Blop Bleep"; Malware Response Team, 1,666 posts, India)

Posted 08 April 2017 - 02:29 AM

Hi JF!

 

 

Thanks for the kind words mate. Yes, helping others is the best feeling! The fixlog looks good as well. Glad to hear that the problem did not reoccur  :)

 

I'd like you to scan your machine with ESET OnlineScan:
  • Check the terms-of-use box (if available) and click on the Start button.
  • It is recommended to turn off your antivirus program. Click on the button in the scanner that shows which antivirus is currently enabled.
  • Turn off your antivirus program. See here how to do this.
  • Check the option beside: Enable detection of potentially unwanted applications.
  • Now click on Advanced Settings and make sure that the option Clean threats automatically is NOT checked, and select the following:
Enable detection of potentially unsafe applications
Enable detection of suspicious applications
Scan archives
Enable Anti-Stealth Technology
  • Click on the Change button and select only Operating memory, Autostart locations and drive C:\ to be scanned.
  • Push the button to start the scan.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes a list of found threats will open automatically (if any malicious files are found).
  • Push the List of found threats button and save the file to your desktop using a unique name, such as ESETScan.txt. Include the contents of this report in your next reply.
  • Push the Back button.
  • Check the box beside Uninstall application on close to uninstall the application when closed.
  • Push Finish and then close the application by clicking the X in the upper right corner.

 

Let me know how it goes!

 

 

-Pranav



#13 The Durango Kid (Topic Starter, Members, 20 posts)

Posted 08 April 2017 - 12:08 PM

Hello Pranav,

 

I ran the scan as instructed with the ESET Online Scanner and no threats were found (so there was no text file produced) ...

Let me know if you would like me to perform other steps, or if you think I'm good to go ...

 

Cheers,
JF



#14 blueelvis ("Bleep Blop Bleep"; Malware Response Team, 1,666 posts, India)

Posted 09 April 2017 - 02:34 AM

Hi JF!

 

Glad to hear that no threats were detected. I would now like you to run a small registry fix. Please follow the below instructions -

 

Download attached fixlist.txt file and save it to the Desktop.
 
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
 
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
 
Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
 
 
 

I want another FRST scan to make sure that everything is perfect. In order to do so, please delete the older FRST.txt and Addition.txt and then follow the instructions. Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
 
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce logs called FRST.txt and Addition.txt in the same directory the tool is run from.
  • Please copy and paste the logs back here.
 
 
Have a nice day!
 
-Pranav




#15 The Durango Kid (Topic Starter, Members, 20 posts)

Posted 09 April 2017 - 10:09 AM

Hello Pranav,

 

I performed the steps with FRST64.exe ...  Output txt files are attached.

Let me know how it goes.

 

Cheers,

JF






