
Rootkit


  • This topic is locked
15 replies to this topic

#1 Alan316

Alan316

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:59 PM

Posted 13 April 2017 - 02:19 PM

Hi,
I believe my pc is infected with a rootkit. Gmer and oshi unhooker show many hooks, also on the kernel. Iexplorer starts and opens 4 processes, but browsing doesn't work.


Thanks.



#2 Alan316


Posted 14 April 2017 - 06:33 AM

Does anyone know if this is an indication for kernel infection? http://imgur.com/a/oloYO

#3 Alan316


Posted 14 April 2017 - 06:36 AM

Oops, correct url: http://imgur.com/a/oIoYO

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,536 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:59 AM

Posted 15 April 2017 - 08:32 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

We need more information.


Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===


Please post the logs.

Let me know what problems persist.
==============================

#5 Alan316


Posted 17 April 2017 - 12:04 PM

MBAM: 0 threats

ADWCleaner: 0 threats.

 

Farbar64: attached.




#6 nasdaq


Posted 17 April 2017 - 01:02 PM



Nothing suspicious was found in your logs.

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} -  No File
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
HKLM-x32\...\RunOnceEx\@UnHackMe: [1] => C:\PROGRA~2\UnHackMe\Unhackme.exe /p Partizan
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
S3 aswArKrn; \??\C:\Users\Alan\AppData\Local\Temp\aswArKrn.sys [X] <==== ATTENTION
U3 pxldrpob; \??\C:\Users\Alan\AppData\Local\Temp\pxldrpob.sys [X] <==== ATTENTION
Task: {0FE70B74-6ED0-4978-9545-4067EEE7C318} - \JumpingBytes\PureSyncVSS -> No File <==== ATTENTION
Task: {5DFCC7F5-F172-4CF1-BA33-A91B2E2545F9} - \Safer-Networking\Spybot - Search and Destroy\Scan the system -> No File <==== ATTENTION
Task: {C14941CB-BFD2-4455-B7FA-FB7A49B968A6} - \Safer-Networking\Spybot - Search and Destroy\Refresh immunization -> No File <==== ATTENTION
Task: {D054AF2E-D302-48A2-A055-8A49B3690401} - \Safer-Networking\Spybot - Search and Destroy\Check for updates -> No File <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

We will check your BIOS and Master boot record.

Read carefully and follow these steps.
TDSS
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
  • There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Wait for further instructions.


Please let me know what problem persists with this computer other than the hooks you are seeing.


#7 Alan316


Posted 17 April 2017 - 02:07 PM

attached it all




#8 nasdaq


Posted 18 April 2017 - 07:06 AM

Your logs are clean.

Malwarebytes Anti-Rootkit

Please download Anti-Rootkit BETA (https://www.malwarebytes.com/antirootkit) and save it to your Desktop.
  • Right-click on the icon and select Run as administrator to start the extraction of the program;
  • Click Yes to accept the security warning that may appear;
  • Click OK to extract it to your Desktop (MBAR will be launched shortly after the extraction);
  • Click on Next, and then on the Update button to let it update its database. Once the database has been successfully updated, click on Next;
  • Make sure all the checkboxes are checked, then click on the Scan button, and let it complete its scan (this can take a while);
  • Once the scan is done, if threats are found, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
  • After that (and the reboot, if one was required), go back in the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;
  • Please copy and paste the entire content of that log in your next reply;
If you have any problems running either one come back and let me know.
===

Let me know what problems you are having with this computer.

#9 Alan316


Posted 22 April 2017 - 05:19 PM

Hi again. I scanned the pc with mbar and nothing was detected.



#10 nasdaq


Posted 23 April 2017 - 07:03 AM

What is the problem with running the computer?

#11 Alan316


Posted 23 April 2017 - 10:21 AM

Strange behavior, like: waking up in the night multiple times, changed settings, most used recent application was "snipping tool" several times, I disabled it, but every time it was re-enabled eventually, many kernel hooks like I explained in the first and 3rd post, Process Hacker which keeps mentioning "mbam service deleted" "mbam service created" multiple times a day, svchost.exe connecting to strange domains. :)



#12 nasdaq


Posted 23 April 2017 - 12:17 PM

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

When completed it will create a log. Please post the content on your next reply.
===

--RogueKiller--
  • Download RogueKiller and SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

#13 Alan316


Posted 23 April 2017 - 12:52 PM

Last time I scanned with RogueKiller, it found nothing. I'll rescan now.

 

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 04/23/2017 07:50:46 PM in x64 mode.
Windows Version: Windows 10 Pro

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * agp440 [Missing Service]
 * COMSysApp [Missing Service]
 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * WdBoot [Missing Service]
 * WdFilter [Missing Service]
 * WdNisDrv [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]

 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]

 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost
  0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
  0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
  0.0.0.0 media.opencandy.com
  0.0.0.0 cdn.opencandy.com
  0.0.0.0 tracking.opencandy.com
  0.0.0.0 api.opencandy.com
  0.0.0.0 api.recommendedsw.com
  0.0.0.0 installer.betterinstaller.com
  0.0.0.0 installer.filebulldog.com
  0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
  0.0.0.0 inno.bisrv.com
  0.0.0.0 nsis.bisrv.com
  0.0.0.0 cdn.file2desktop.com
  0.0.0.0 cdn.goateastcach.us
  0.0.0.0 cdn.guttastatdk.us
  0.0.0.0 cdn.inskinmedia.com
  0.0.0.0 cdn.insta.oibundles2.com
  0.0.0.0 cdn.insta.playbryte.com
  0.0.0.0 cdn.llogetfastcach.us

  20 out of 36 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 04/23/2017 07:51:08 PM
Execution time: 0 hours(s), 0 minute(s), and 22 seconds(s)
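
As an added example (not part of the thread and not Rkill's own code), this Python script parses a log in the format posted above and pulls out the entries a reviewer would check first: the Defender registry value, missing Defender driver services, services flagged with a path, and how many HOSTS entries the log left out. The function names and the DEFENDER_SERVICES set are this example's assumptions; the sample text is abridged from the log above.

```python
import re

# Abridged from the Rkill log in the post above; nothing here is new data.
SAMPLE_LOG = """\
Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\\SOFTWARE\\Microsoft\\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * agp440 [Missing Service]
 * TimeBroker [Missing Service]
 * WdBoot [Missing Service]
 * WdFilter [Missing Service]
 * WdNisDrv [Missing Service]

 * AJRouter => %SystemRoot%\\system32\\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]

 * vmicrdv => %SystemRoot%\\System32\\icsvcext.dll [Incorrect ServiceDLL]

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost
  0.0.0.0 media.opencandy.com

  20 out of 36 HOSTS entries shown.
"""

SECTION_RE = re.compile(r"^(\S.*):\s*$")          # unindented line ending in ':'
ITEM_RE = re.compile(r"^\s+\*\s+(.*\S)\s*$")      # ' * something'
SERVICE_RE = re.compile(
    r"^(\S+)(?: => (.*?))? \[(Missing Service|Incorrect ImagePath|Incorrect ServiceDLL)\]$")
DWORD_RE = re.compile(r'^\s*"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{8})\s*$')
HOSTS_SHOWN_RE = re.compile(r"(\d+) out of (\d+) HOSTS entries shown")

# Assumption of this example (not stated in the thread): these service names
# are the Windows Defender boot, file-system filter and network drivers.
DEFENDER_SERVICES = {"WdBoot", "WdFilter", "WdNisDrv"}

def parse_sections(text):
    """Split an Rkill log into {section header: [non-blank lines under it]}."""
    sections, current = {}, None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and line.strip():
            current.append(line)
    return sections

def service_issues(sections):
    """Return (service, problem, path_or_None) for each service integrity item."""
    found = []
    for line in sections.get("Checking Windows Service Integrity", []):
        item = ITEM_RE.match(line)
        svc = item and SERVICE_RE.match(item.group(1))
        if svc:
            found.append((svc.group(1), svc.group(3), svc.group(2)))
    return found

def triage(text):
    """Summarise the findings that bear on whether AV protection is intact."""
    sections = parse_sections(text)
    issues = service_issues(sections)
    misc = sections.get("Performing miscellaneous checks", [])
    values = {m.group(1): int(m.group(2), 16) for m in map(DWORD_RE.match, misc) if m}
    shown = HOSTS_SHOWN_RE.search("\n".join(sections.get("Checking HOSTS File", [])))
    return {
        "defender_disabled_in_registry": values.get("DisableAntiSpyware") == 1,
        "defender_services_missing": sorted(
            s for s, problem, _ in issues
            if problem == "Missing Service" and s in DEFENDER_SERVICES),
        "flagged_service_paths": [i for i in issues if i[2]],
        "hosts_entries_not_shown": int(shown.group(2)) - int(shown.group(1)) if shown else 0,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A non-zero hosts_entries_not_shown means the log is truncated and the full HOSTS file still has to be read on the machine itself.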
 



#14 nasdaq


Posted 24 April 2017 - 07:25 AM

Wireshark is a fake anti-malware application.
I only see the program in the Installed list.

Remove this program in bold via the Control Panel > Programs > Programs and Features.

Wireshark 2.2.6 (64-bit) (HKLM-x32\...\Wireshark) (Version: 2.2.6 - The Wireshark developer community, hxxps://www.wireshark.org)

===

Normally I would see these 2 entries in the FRST log.

O2 - BHO: ADC PlugIn - {149256D5-E103-4523-BB43-2CFB066839D6} - C:\Program Files\adc_w32.dll
O23 - Service: Adobe Update Service (AdbUpd) - Unknown owner - C:\Program Files\svchost.exe

They are not found in your case.

Check and if present delete the files in bold.
C:\Program Files\adc_w32.dll
C:\Program Files\svchost.exe <- make sure that you only delete this file located in the Program Files folder.

===

Restart the computer normally.


If the problem persists run this search.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • In the Search text area, copy and paste the following:
Wireshark
  • Once done, click on the Search Registry button and wait for FRST to finish the search;
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply;


#15 Alan316


Posted 28 April 2017 - 07:59 AM

Hi,

 

program files contains only folders.

I was using wireshark to monitor internet traffic, to find connections from malware.

 

Now again a setting has changed by itself, which is the power config setting 'sleep after x minutes' it has been changed to never.

 

I discovered mod_frst.exe in c:\windows

virustotal says it is a trojan. https://virustotal.com/en/file/20bd1cbb6ce3188e53d51f2e8fd1fe79e3df7e3e9805401a3914f4ce9c19395d/analysis/

 

This is the full contents of the folder, can you see anything suspicious?

 

 Volume in drive C has no label.
 Volume Serial Number is AA0A-E8CE

 Directory of C:\Windows

11-04-2017  15:03    <DIR>          %LOCALAPPDATA%
28-04-2017  15:45    <DIR>          .
28-04-2017  15:45    <DIR>          ..
16-07-2016  13:47    <DIR>          addins
02-04-2017  14:33    <DIR>          appcompat
02-04-2017  01:33    <DIR>          AppPatch
28-04-2017  13:40    <DIR>          AppReadiness
02-04-2017  01:33    <DIR>          bcastdvr
16-07-2016  13:42            61.440 bfsvc.exe
16-07-2016  13:47    <DIR>          Boot
16-07-2016  13:47    <DIR>          Branding
23-04-2017  14:02    <DIR>          CbsTemp
11-04-2017  03:00    <DIR>          CSC
16-07-2016  13:47    <DIR>          Cursors
13-04-2017  14:02    <DIR>          debug
16-07-2016  13:47    <DIR>          diagnostics
20-11-2016  20:04    <DIR>          DigitalLocker
05-04-2017  21:56             9.971 DirectX.log
01-04-2017  20:27             4.056 DtcInstall.log
16-07-2016  13:47    <DIR>          ELAMBKUP
20-11-2016  20:04    <DIR>          en-US
04-03-2017  09:03         4.674.360 explorer.exe
16-07-2016  13:47    <DIR>          GameBarPresenceWriter
16-07-2016  13:47    <DIR>          Globalization
20-11-2016  20:04    <DIR>          Help
28-03-2017  07:14           975.872 HelpPane.exe
16-07-2016  13:42            18.432 hh.exe
20-11-2016  20:04    <DIR>          IME
12-04-2017  17:10    <DIR>          ImmersiveControlPanel
20-04-2017  12:45    <DIR>          INF
16-07-2016  13:47    <DIR>          InfusedApps
16-07-2016  13:47    <DIR>          InputMethod
16-07-2016  13:47    <DIR>          L2Schemas
14-04-2017  16:10    <DIR>          LiveKernelReports
13-04-2017  13:15    <DIR>          Logs
20-11-2016  20:40             1.342 lsasetup.log
16-07-2016  13:42            43.131 mib.bin
27-04-2017  23:41    <DIR>          Microsoft.NET
16-07-2016  13:47    <DIR>          Migration
14-04-2017  16:10    <DIR>          Minidump
20-11-2016  20:41    <DIR>          MiracastView
16-11-2015  20:32           919.040 mod_frst.exe
16-07-2016  13:47    <DIR>          ModemLogs
04-08-2004  00:56         1.392.671 msvbvm60.dll
05-01-2002  03:40           487.424 msvcp70.dll
05-01-2002  03:37           344.064 msvcr70.dll
16-07-2016  13:43           243.200 notepad.exe
02-04-2017  02:43             3.466 ntbtlog.txt
10-04-2017  13:16    <DIR>          OCR
16-07-2016  13:47    <DIR>          Offline Web Pages
13-04-2017  13:15    <DIR>          Panther
16-07-2016  13:47    <DIR>          Performance
17-04-2017  20:41            42.334 PFRO.log
16-07-2016  13:47    <DIR>          PLA
12-04-2017  17:10    <DIR>          PolicyDefinitions
28-04-2017  15:43    <DIR>          Prefetch
02-04-2017  01:33    <DIR>          PrintDialog
16-07-2016  13:43            33.882 Professional.xml
12-04-2017  17:10    <DIR>          Provisioning
18-07-2015  08:08             2.187 Q783987.log
04-03-2017  08:18           320.512 regedit.exe
16-07-2016  13:47    <DIR>          Registration
20-11-2016  20:31    <DIR>          RemotePackages
14-04-2017  21:23    <DIR>          rescache
16-07-2016  13:47    <DIR>          Resources
25-04-2017  09:37             1.702 Sandboxie.ini
16-07-2016  13:47    <DIR>          SchCache
16-07-2016  13:47    <DIR>          schemas
20-11-2016  20:31    <DIR>          security
20-11-2016  20:41    <DIR>          ServiceProfiles
02-04-2017  01:33    <DIR>          servicing
16-07-2016  13:49    <DIR>          Setup
20-04-2017  15:43            18.149 setupact.log
01-04-2017  20:26               103 setuperr.log
12-04-2017  17:10    <DIR>          ShellExperiences
20-11-2016  20:11    <DIR>          SKB
18-04-2017  12:16    <DIR>          SoftwareDistribution
16-07-2016  13:47    <DIR>          Speech
16-07-2016  13:47    <DIR>          Speech_OneCore
20-11-2016  20:11           130.560 splwow64.exe
16-07-2016  13:47    <DIR>          System
16-07-2016  13:45               219 system.ini
28-04-2017  15:06    <DIR>          System32
20-11-2016  20:35    <DIR>          SystemApps
16-07-2016  13:47    <DIR>          SystemResources
24-04-2017  14:14    <DIR>          SysWOW64
16-07-2016  13:47    <DIR>          TAPI
17-04-2017  18:25    <DIR>          Tasks
28-04-2017  16:01    <DIR>          Temp
28-04-2017  15:53             1.400 TmRkb.log
16-07-2016  13:47    <DIR>          tracing
16-07-2016  13:47    <DIR>          twain_32
16-07-2016  13:43            66.560 twain_32.dll
01-04-2017  21:49            23.112 Tweaking.com - Simple System Tweaker Setup Log.txt
13-04-2017  20:10               207 tweaking.com-regbackup-ALAN-Windows-10-Pro-(64-bit).dat
11-04-2017  01:46               207 tweaking.com-regbackup-DESKTOP-KSPNB47-Windows-10-Pro-(64-bit).dat
16-07-2016  13:47    <DIR>          Vss
16-07-2016  13:47    <DIR>          Web
16-07-2016  13:45                92 win.ini
16-07-2016  13:42               670 WindowsShell.Manifest
28-04-2017  15:01               275 WindowsUpdate.log
16-07-2016  13:42            10.240 winhlp32.exe
13-04-2017  19:02                85 wininit.ini
23-04-2017  14:01    <DIR>          WinSxS
16-07-2016  13:43           316.640 WMSysPr9.prx
16-07-2016  13:42            11.264 write.exe
              35 File(s)     10.158.869 bytes
              71 Dir(s)  12.512.317.440 bytes free

 

hidden files:

 

 Volume in drive C has no label.
 Volume Serial Number is AA0A-E8CE

 Directory of C:\Windows

20-11-2016  20:31    <DIR>          BitLockerDiscoveryVolumeContents
25-04-2017  18:07    <DIR>          Installer
14-04-2017  21:47               (2) winstart.bat
01-04-2017  21:45                 4 wisefs.dat
               2 File(s)              6 bytes
               2 Dir(s)  12.513.009.664 bytes free


 


Edited by Alan316, 28 April 2017 - 09:21 AM.




