ASWMBR tool says csrsrv.dll **INFECTED** Win32:Aluroot-B [Rtk]


  • This topic is locked
6 replies to this topic

#1 Pete501

  • Members
  • 3 posts

Posted 27 April 2017 - 12:27 PM

I have been getting this warning since sometime last year. The aswMBR Avast tool shows csrsrv.dll is infected with Win32:Aluroot-B [Rtk]. The tool picks up any copies of csrsrv.dll that are on the computer's hard disk as infected. Any copies of csrsrv.dll I make are shown as infected, as are any copies of the file in the Windows folders such as the winsxs folders. I have checked with every antivirus tool I can think of and none show csrsrv.dll as infected. Checking the file by sending it to VirusTotal shows it as not infected. I wonder if this is a false positive?

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-04-2017
Ran by fred (administrator) on FRED-PC (27-04-2017 18:02:42)
Running from C:\Users\fred\Desktop
Loaded Profiles: fred (Available Profiles: fred & furryfriend)
Platform: Microsoft Windows 7 Home Premium  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: "C:\Program Files\Comodo\IceDragon\icedragon.exe" -osint -url "%1")
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(COMODO) C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\avguard.exe
(CobianSoft, Luis Cobian) C:\Program Files\Cobian Backup 11\cbVSCService11.exe
(Comodo) C:\Program Files\Comodo\Chromodo\chromodo_updater.exe
() C:\Program Files\Comodo\COMODO Programs Manager\CPMservice.exe
(COMODO) C:\Program Files\Comodo\COMODO Secure Shopping\csssrv.exe
(Comodo) C:\Program Files\Comodo\Dragon\dragon_updater.exe
(CHENGDU YIWO Tech Development Co., Ltd) C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
(Foxit Software Inc.) C:\Program Files\Foxit Software\Foxit Reader\FoxitConnectedPDFService.exe
(CHENGDU YIWO Tech Development Co., Ltd) C:\Program Files\EaseUS\Todo Backup\bin\GuardAgent.exe
() C:\Program Files\Comodo\IceDragon\icedragon_updater.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe
(COMODO) C:\Program Files\Comodo\COMODO Internet Security\cavwp.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\avshadow.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
(COMODO) C:\Program Files\Comodo\COMODO Internet Security\cistray.exe
(CHENGDU YIWO Tech Development Co., Ltd) C:\Program Files\EaseUS\Todo Backup\bin\EuWatch.exe
(CHENGDU YIWO Tech Development Co., Ltd) C:\Program Files\EaseUS\Todo Backup\bin\TrayNotify.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\avgnt.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.Systray.exe
(COMODO) C:\Program Files\Comodo\COMODO Internet Security\cis.exe
(COMODO) C:\Program Files\Comodo\COMODO Internet Security\cmdvirth.exe
(Comodo Inc.) C:\Program Files\Comodo\IceDragon\icedragon.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\osk.exe
(COMODO) C:\Program Files\Comodo\COMODO Internet Security\cis.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [EaseUs Watch] => C:\Program Files\EaseUS\Todo Backup\bin\EuWatch.exe [70728 2017-01-23] (CHENGDU YIWO Tech Development Co., Ltd)
HKLM\...\Run: [EaseUs Tray] => C:\Program Files\EaseUS\Todo Backup\bin\TrayNotify.exe [1372232 2017-01-23] (CHENGDU YIWO Tech Development Co., Ltd)
HKLM\...\Run: [avgnt] => C:\Program Files\Avira\Antivirus\avgnt.exe [912768 2017-04-27] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [Avira SystrayStartTrigger] => C:\Program Files\Avira\Launcher\Avira.SystrayStartTrigger.exe [63432 2017-03-27] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1390272 2017-04-22] (COMODO)
HKLM\...\Run: [vdcss] => C:\Program Files\COMODO\COMODO Secure Shopping\vdcss.exe [7690424 2017-04-01] (COMODO)
HKU\S-1-5-18\...\RunOnce: [osk.exe] => C:\Windows\system32\osk.exe [646144 2015-01-21] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{63D52C3A-F8BC-42AF-B75C-97A4E8A04AE1}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2335456119-2382438828-3088478136-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2335456119-2382438828-3088478136-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2335456119-2382438828-3088478136-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://uk.yahoo.com/?fr=fpc-comodo&type=33090001005_hp_sp
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2335456119-2382438828-3088478136-1000 -> DefaultScope {0AA24E16-07B3-4694-8357-3C21ACC5F516} URL = hxxps://uk.search.yahoo.com/yhs/search?hspart=comodo&hsimp=yhs-com_chrome&type=33090001005_ds_sp&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2335456119-2382438828-3088478136-1000 -> {0AA24E16-07B3-4694-8357-3C21ACC5F516} URL = hxxps://uk.search.yahoo.com/yhs/search?hspart=comodo&hsimp=yhs-com_chrome&type=33090001005_ds_sp&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2335456119-2382438828-3088478136-1000 -> {8EEAC88A-079B-4b2c-80C1-7836F79EB40A} URL = hxxp://uk.search.yahoo.com/search?p={searchTerms}&fr=chr-comodo
BHO: IeUrlFilter Class -> {2DD257A3-5028-41AE-A1E7-A12F76A08893} -> C:\Program Files\COMODO\COMODO Secure Shopping\cssbho32.dll [2017-04-01] (COMODO)

FireFox:
========
FF DefaultProfile: 3mntzwho.default
FF DefaultProfile: ydvn6lfk.default
FF ProfilePath: C:\Users\fred\AppData\Roaming\Mozilla\Firefox\Profiles\3mntzwho.default [2017-04-27]
FF Extension: (NoScript) - C:\Users\fred\AppData\Roaming\Mozilla\Firefox\Profiles\3mntzwho.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2017-03-27]
FF Extension: (WOT) - C:\Users\fred\AppData\Roaming\Mozilla\Firefox\Profiles\3mntzwho.default\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2016-06-21]
FF Extension: (Adblock Plus) - C:\Users\fred\AppData\Roaming\Mozilla\Firefox\Profiles\3mntzwho.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-28]
FF ProfilePath: C:\Users\fred\AppData\Roaming\Comodo\IceDragon\Profiles\ydvn6lfk.default [2017-04-27]
FF DefaultSearchEngine: Comodo\IceDragon\Profiles\ydvn6lfk.default -> Yahoo! GB
FF Homepage: Comodo\IceDragon\Profiles\ydvn6lfk.default -> hxxps://uk.yahoo.com/?fr=fp-comodo&type=25050004003_id_hp
FF Extension: (NoScript) - C:\Users\fred\AppData\Roaming\Comodo\IceDragon\Profiles\ydvn6lfk.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2017-04-23]
FF Extension: (WOT) - C:\Users\fred\AppData\Roaming\Comodo\IceDragon\Profiles\ydvn6lfk.default\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2016-07-06]
FF Extension: (Adblock Plus) - C:\Users\fred\AppData\Roaming\Comodo\IceDragon\Profiles\ydvn6lfk.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-28]
FF Extension: (DragAndDrop) - C:\Program Files\Comodo\IceDragon\browser\features\DnD@comodo.com [2017-01-06] [not signed]
FF Extension: (COMODO SecureBox) - C:\Program Files\Comodo\IceDragon\browser\features\@csb [2017-01-06] [not signed]
FF ProfilePath: C:\Users\fred\AppData\Roaming\Comodo\CSS\User Data-icedragon1 [2017-04-25]
FF DefaultSearchEngine: Comodo\CSS\User Data-icedragon1 -> Yahoo! GB
FF Homepage: Comodo\CSS\User Data-icedragon1 -> hxxps://uk.yahoo.com/?fr=fp-comodo&type=25050004003_id_hp
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-06-01] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-06-01] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-06-01] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2016-06-01] (Foxit Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50906.0\npctrl.dll [2017-03-09] ( Microsoft Corporation)

Chrome:
=======
CHR HKU\S-1-5-21-2335456119-2382438828-3088478136-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [hcjjaajflhellmcfcecojihhmdbjmmlm] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AntiVirMailService; C:\Program Files\Avira\Antivirus\avmailc7.exe [1119712 2017-04-27] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files\Avira\Antivirus\sched.exe [488920 2017-04-27] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files\Avira\Antivirus\avguard.exe [488920 2017-04-27] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files\Avira\Antivirus\avwebg7.exe [1520680 2017-04-27] (Avira Operations GmbH & Co. KG)
R2 Avira.ServiceHost; C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe [349096 2017-03-27] (Avira Operations GmbH & Co. KG)
R2 cbVSCService11; C:\Program Files\Cobian Backup 11\cbVSCService11.exe [67584 2017-04-09] (CobianSoft, Luis Cobian) [File not signed]
R2 ChromodoUpdater; C:\Program Files\Comodo\Chromodo\chromodo_updater.exe [2273424 2016-11-28] (Comodo)
R2 CmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [8152448 2017-04-22] (COMODO)
R3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2080448 2017-04-22] (COMODO)
R2 CPMService; C:\Program Files\Comodo\COMODO Programs Manager\CPMService.exe [105792 2015-01-21] ()
R2 csssrv; C:\Program Files\COMODO\COMODO Secure Shopping\csssrv.exe [2305720 2017-04-01] (COMODO)
R2 DragonUpdater; C:\Program Files\Comodo\Dragon\dragon_updater.exe [2273432 2017-03-27] (Comodo)
R2 EaseUS Agent; C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe [68168 2017-01-23] (CHENGDU YIWO Tech Development Co., Ltd) [File not signed]
R2 FoxitReaderService; C:\Program Files\Foxit Software\Foxit Reader\FoxitConnectedPDFService.exe [1647808 2016-08-01] (Foxit Software Inc.)
R2 Guard Agent; C:\Program Files\EaseUS\Todo Backup\bin\GuardAgent.exe [23624 2017-01-23] (CHENGDU YIWO Tech Development Co., Ltd) [File not signed]
R2 IceDragonUpdater; C:\Program Files\Comodo\IceDragon\icedragon_updater.exe [4295320 2016-12-20] ()
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2015-01-21] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [119264 2017-03-21] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [142320 2017-03-21] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [35840 2017-03-21] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [59000 2017-03-27] (Avira Operations GmbH & Co. KG)
R0 avusbflt; C:\Windows\System32\Drivers\avusbflt.sys [46072 2017-03-21] (Avira Operations GmbH & Co. KG)
R1 CFRMD; C:\Windows\System32\DRIVERS\CFRMD.sys [35064 2016-01-14] (Windows ® Win 7 DDK provider)
R1 cmdcss; C:\Windows\system32\drivers\cmdcss.sys [95976 2017-04-01] (COMODO)
R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [27504 2017-03-28] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [662864 2017-03-28] (COMODO)
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [53344 2017-03-28] (COMODO)
R0 cumon; C:\Windows\System32\drivers\cumon.sys [178744 2011-09-05] (Windows ® Win 7 DDK provider)
R1 epp; C:\EEK\bin32\epp.sys [105248 2017-04-22] (Emsisoft Ltd)
R0 EUBAKUP; C:\Windows\System32\drivers\eubakup.sys [51272 2017-01-23] (CHENGDU YIWO Tech Development Co., Ltd) [File not signed]
R0 EUBKMON; C:\Windows\System32\drivers\EUBKMON.sys [41544 2017-01-23] () [File not signed]
R1 EUDSKACS; C:\Windows\system32\drivers\eudskacs.sys [15944 2017-01-23] (CHENGDU YIWO Tech Development Co., Ltd) [File not signed]
R1 EUFDDISK; C:\Windows\system32\drivers\EuFdDisk.sys [186952 2017-01-23] (CHENGDU YIWO Tech Development Co., Ltd) [File not signed]
R0 Evdd; C:\Windows\System32\drivers\evdd.sys [17520 2011-09-05] ()
R0 hotcore3; C:\Windows\System32\DRIVERS\hotcore3.sys [27408 2017-04-09] (Paragon Software Group)
R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [104816 2017-03-28] (COMODO)
R1 UimBus; C:\Windows\System32\DRIVERS\UimBus.sys [95280 2017-04-09] ()
R1 Uim_DEVIM; C:\Windows\System32\DRIVERS\uim_devim.sys [20528 2017-04-09] ()
R1 Uim_IM; C:\Windows\System32\DRIVERS\uim_im.sys [541104 2017-04-09] ()
R1 uzexotmx; C:\Windows\system32\Drivers\uzexotmx.sys [11264 2017-04-27] () [File not signed]
R1 uzk3njm1; C:\Windows\system32\Drivers\uzk3njm1.sys [11264 2017-04-22] () [File not signed]
S3 zmaxpa; C:\Program Files\Comodo\COMODO Internet Security\ccekrnl.dat [408440 2017-03-29] (COMODO)
U5 AppMgmt; C:\Windows\system32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
S3 catchme; \??\C:\Users\fred\AppData\Local\Temp\catchme.sys [X] <==== ATTENTION
S3 rootrepeal; \??\C:\Windows\system32\drivers\rootrepeal.sys [X]
S1 SASDIFSV; \??\C:\Users\fred\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [X] <==== ATTENTION
S1 SASKUTIL; \??\C:\Users\fred\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [X] <==== ATTENTION
S3 WinRing0_1_2_0; \??\C:\Users\fred\AppData\Local\Temp\tmp5BE5.tmp [X] <==== ATTENTION

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-04-27 18:02 - 2017-04-27 18:04 - 00014812 _____ C:\Users\fred\Desktop\FRST.txt
2017-04-27 18:00 - 2017-04-27 18:02 - 00000000 ____D C:\FRST
2017-04-27 17:57 - 2017-04-27 17:57 - 21094400 _____ C:\Users\fred\Desktop\27_04_2017_17_57_13.sdb
2017-04-27 17:57 - 2017-04-27 17:57 - 01768448 _____ (Farbar) C:\Users\fred\Desktop\FRST.exe
2017-04-27 16:52 - 2017-04-27 16:52 - 00003301 _____ C:\Users\fred\Desktop\aswMBR.txt
2017-04-27 16:52 - 2017-04-27 16:52 - 00000512 _____ C:\Users\fred\Desktop\MBR.dat
2017-04-27 15:46 - 2017-04-27 15:46 - 00001882 _____ C:\Users\fred\Desktop\update.bat - Shortcut (2).lnk
2017-04-26 21:18 - 2017-04-26 21:18 - 00000355 _____ C:\Users\furryfriend\Desktop\Computer - Shortcut.lnk
2017-04-26 15:53 - 2017-04-26 15:53 - 00000000 ____D C:\Users\Public\Documents\HostsMan Backups
2017-04-26 15:32 - 2011-05-17 09:27 - 00016118 _____ C:\Users\furryfriend\Desktop\DHtmlHeader.html
2017-04-26 08:08 - 2017-04-26 08:10 - 00628536 _____ C:\TDSSKiller.3.1.0.15_26.04.2017_08.08.03_log.txt
2017-04-26 08:04 - 2017-04-26 08:05 - 00004542 _____ C:\TDSSKiller.3.1.0.15_26.04.2017_08.04.59_log.txt
2017-04-26 07:59 - 2017-04-26 07:59 - 00000000 ____D C:\Users\fred\Desktop\New folder
2017-04-26 02:11 - 2017-04-26 02:11 - 00386311 _____ C:\Users\fred\Desktop\svcjost detection.html
2017-04-25 22:27 - 2017-04-25 22:27 - 156549592 _____ C:\Users\fred\Desktop\t3sigs.vdb
2017-04-25 21:24 - 2017-04-25 21:24 - 21950024 _____ C:\Users\fred\Desktop\RogueKiller(1).exe
2017-04-25 21:04 - 2017-04-25 21:04 - 00015770 _____ C:\Users\fred\Desktop\csrsrv connecting sets off comodo secure shopping  alert.htm
2017-04-25 20:50 - 2017-04-01 06:53 - 00263352 _____ (COMODO) C:\Windows\system32\cmdkbdcss32.dll
2017-04-25 20:50 - 2017-04-01 06:52 - 00338560 _____ (COMODO) C:\Windows\system32\cssguard32.dll
2017-04-25 20:50 - 2017-04-01 06:52 - 00095976 _____ (COMODO) C:\Windows\system32\Drivers\cmdcss.sys
2017-04-25 20:50 - 2017-04-01 06:52 - 00041376 _____ (COMODO) C:\Windows\system32\csscsr32.dll
2017-04-25 20:41 - 2017-04-25 20:41 - 00031192 _____ C:\Users\fred\Desktop\Comodo Internet Security Release Notes.htm
2017-04-25 20:41 - 2017-04-25 20:41 - 00000000 ____D C:\Users\fred\Desktop\Comodo Internet Security Release Notes_files
2017-04-25 19:30 - 2017-04-27 15:32 - 00011264 _____ C:\Windows\system32\Drivers\uzexotmx.sys
2017-04-25 00:58 - 2017-04-25 00:58 - 00000000 __SHD C:\found.000
2017-04-24 22:43 - 2017-04-27 17:58 - 00569824 _____ C:\Windows\system32\Drivers\fvstore.dat
2017-04-24 22:43 - 2017-04-24 22:43 - 00000000 ___HD C:\VTRoot
2017-04-24 22:29 - 2017-04-24 22:30 - 00000000 ____D C:\Users\fred\Desktop\old windows stuff
2017-04-23 20:38 - 2015-07-14 21:25 - 226607624 _____ (COMODO) C:\Users\fred\Desktop\cispremium_installer_6100_08.exe
2017-04-23 17:50 - 2017-04-25 20:43 - 00001224 _____ C:\Users\Public\Desktop\COMODO Internet Security.lnk
2017-04-23 17:48 - 2017-03-27 18:28 - 00346320 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2017-04-23 17:48 - 2017-03-25 20:39 - 20284416 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2017-04-23 17:48 - 2017-03-25 20:07 - 04604416 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2017-04-23 17:48 - 2017-03-25 20:06 - 13654016 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2017-04-23 17:48 - 2017-03-25 19:55 - 02767360 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2017-04-23 17:48 - 2017-03-25 19:52 - 02289152 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2017-04-23 17:48 - 2017-03-25 19:51 - 01313280 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2017-04-23 17:48 - 2017-03-25 19:48 - 00499200 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2017-04-23 17:48 - 2017-03-25 19:47 - 02055680 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2017-04-23 17:48 - 2017-03-25 19:47 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2017-04-23 17:48 - 2017-03-25 19:47 - 00103936 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2017-04-23 17:48 - 2017-03-25 19:47 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2017-04-23 17:48 - 2017-03-25 19:46 - 00693248 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2017-04-23 17:48 - 2017-03-25 19:46 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2017-04-23 17:48 - 2017-03-25 19:46 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2017-04-23 17:48 - 2017-03-25 19:46 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2017-04-23 17:48 - 2017-03-25 19:46 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2017-04-23 17:48 - 2017-03-25 19:46 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2017-04-23 17:48 - 2017-03-25 19:46 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2017-04-23 17:48 - 2017-03-25 19:46 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2017-04-23 17:48 - 2017-03-25 19:45 - 00689664 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2017-04-23 17:48 - 2017-03-25 19:45 - 00416256 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2017-04-23 17:48 - 2017-03-25 19:45 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2017-04-23 17:48 - 2017-03-25 19:45 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2017-04-23 17:48 - 2017-03-25 19:45 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2017-04-23 17:48 - 2017-03-25 19:45 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2017-04-23 17:48 - 2017-03-25 19:45 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2017-04-23 17:48 - 2017-03-25 19:45 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2017-04-23 17:48 - 2017-03-25 19:44 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2017-04-23 17:48 - 2017-03-25 19:44 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2017-04-23 17:48 - 2017-03-25 18:19 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2017-04-23 17:48 - 2017-03-25 18:06 - 00476160 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2017-04-23 17:48 - 2017-03-25 17:57 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2017-04-23 17:48 - 2017-03-25 17:27 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2017-04-23 17:48 - 2017-03-24 23:41 - 00306688 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2017-04-23 17:48 - 2017-03-22 16:24 - 02953216 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2017-04-23 17:48 - 2017-03-22 16:24 - 00174080 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2017-04-23 17:48 - 2017-03-22 16:20 - 00073728 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2017-04-23 17:48 - 2017-03-22 16:06 - 02091520 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2017-04-23 17:48 - 2017-03-22 16:05 - 00573440 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2017-04-23 17:48 - 2017-03-22 16:05 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2017-04-23 17:48 - 2017-03-22 16:05 - 00093696 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2017-04-23 17:48 - 2017-03-22 16:05 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2017-04-23 17:48 - 2017-03-22 16:05 - 00035328 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2017-04-23 17:48 - 2017-03-22 16:05 - 00030208 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2017-04-23 17:48 - 2017-03-22 16:05 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2017-04-23 17:48 - 2017-03-14 16:23 - 00730344 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2017-04-23 17:48 - 2017-03-14 16:23 - 00218856 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgmms1.sys
2017-04-23 17:48 - 2017-03-14 16:17 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\cdd.dll
2017-04-23 17:48 - 2017-03-10 17:27 - 00308456 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2017-04-23 17:48 - 2017-03-10 17:19 - 00070656 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2017-04-23 17:48 - 2017-03-10 17:19 - 00026112 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2017-04-23 17:48 - 2017-03-10 17:19 - 00010240 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2017-04-23 17:48 - 2017-03-10 16:54 - 02400256 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2017-04-23 17:48 - 2017-03-10 16:53 - 00034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2017-04-23 17:48 - 2017-03-08 21:10 - 00805376 _____ (Microsoft Corporation) C:\Windows\system32\cdosys.dll
2017-04-23 17:48 - 2017-03-08 05:26 - 04000488 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2017-04-23 17:48 - 2017-03-08 05:26 - 03945192 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2017-04-23 17:48 - 2017-03-08 05:26 - 00137960 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2017-04-23 17:48 - 2017-03-08 05:26 - 00067304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2017-04-23 17:48 - 2017-03-08 05:24 - 01310528 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 01416192 _____ (Microsoft Corporation) C:\Windows\system32\ole32.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 01062912 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 00872448 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 00655360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 00553472 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 00400896 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 00294400 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 00261120 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 00254464 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 00171008 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 00038912 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2017-04-23 17:48 - 2017-03-08 05:22 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00644096 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00082432 _____ (Microsoft Corporation) C:\Windows\system32\bcrypt.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00050688 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 05:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 04:58 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2017-04-23 17:48 - 2017-03-08 04:58 - 00050688 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2017-04-23 17:48 - 2017-03-08 04:58 - 00029696 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2017-04-23 17:48 - 2017-03-08 04:58 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2017-04-23 17:48 - 2017-03-08 04:57 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2017-04-23 17:48 - 2017-03-08 04:56 - 00271360 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2017-04-23 17:48 - 2017-03-08 04:55 - 00262656 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2017-04-23 17:48 - 2017-03-08 04:54 - 00226304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2017-04-23 17:48 - 2017-03-08 04:54 - 00124416 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2017-04-23 17:48 - 2017-03-08 04:54 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2017-04-23 17:48 - 2017-03-08 04:53 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2017-04-23 17:48 - 2017-03-08 04:53 - 00036352 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2017-04-23 17:48 - 2017-03-08 04:53 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2017-04-23 17:48 - 2017-03-08 04:53 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2017-04-23 17:48 - 2017-03-08 04:53 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 04:53 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 04:53 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2017-04-23 17:48 - 2017-03-08 04:53 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2017-04-23 17:48 - 2017-03-07 17:17 - 00067584 _____ (Microsoft Corporation) C:\Windows\system32\asycfilt.dll
2017-04-23 17:48 - 2017-03-07 16:06 - 02746880 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2017-04-23 17:48 - 2017-03-07 16:06 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\rdpudd.dll
2017-04-23 17:48 - 2017-03-07 16:06 - 00013824 _____ (Microsoft Corporation) C:\Windows\system32\RdpGroupPolicyExtension.dll
2017-04-23 17:48 - 2017-03-04 02:14 - 01329664 _____ (Microsoft Corporation) C:\Windows\system32\quartz.dll
2017-04-23 17:48 - 2017-03-04 02:14 - 00077312 _____ (Microsoft Corporation) C:\Windows\system32\mfmjpegdec.dll
2017-04-23 17:48 - 2017-02-14 17:19 - 00497664 _____ (Microsoft Corporation) C:\Windows\system32\win32spl.dll
2017-04-23 17:48 - 2017-02-11 17:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2017-04-23 17:48 - 2017-02-09 17:14 - 00575488 _____ (Microsoft Corporation) C:\Windows\system32\samsrv.dll
2017-04-23 17:48 - 2017-02-09 17:14 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\samlib.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00922432 _____ (Microsoft Corporation) C:\Windows\system32\ucrtbase.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00066400 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-private-l1-1-0.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00022368 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-math-l1-1-0.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00019808 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-string-l1-1-0.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00016224 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00015712 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-convert-l1-1-0.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00014176 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-time-l1-1-0.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00014176 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-2-0.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00013664 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-process-l1-1-0.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-heap-l1-1-0.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-conio-l1-1-0.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-utility-l1-1-0.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-locale-l1-1-0.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-environment-l1-1-0.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-2-0.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l2-1-0.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-timezone-l1-1-0.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l2-1-0.dll
2017-04-23 17:48 - 2017-01-18 16:35 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-2-0.dll
2017-04-23 17:47 - 2017-03-25 19:47 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2017-04-22 22:09 - 2017-04-22 22:09 - 00000000 ____D C:\DrWeb Quarantine
2017-04-22 17:05 - 2017-04-22 17:05 - 00000000 ____D C:\ProgramData\Comodo Downloader
2017-04-22 17:00 - 2017-04-27 17:59 - 00000000 ____D C:\ProgramData\Shared Space
2017-04-22 16:56 - 2011-09-05 16:13 - 00023872 _____ (COMODO Security Solutions Inc.) C:\Windows\system32\cpmnat.exe
2017-04-22 16:47 - 2017-04-21 22:30 - 74104832 _____ (COMODO) C:\Users\fred\Desktop\cispremium_only_installer.exe
2017-04-22 14:19 - 2017-04-23 18:58 - 00000000 ____D C:\Users\fred\Desktop\portable progs and some antimal log 2016
2017-04-22 14:00 - 2017-04-27 17:56 - 01474832 _____ C:\Windows\system32\Drivers\sfi.dat
2017-04-22 13:47 - 2017-04-22 13:47 - 00013101 _____ C:\Users\fred\Desktop\CisReport_x86_v10.0.1.6209_20170422-134703.zip
2017-04-22 13:26 - 2017-04-22 13:26 - 02853048 _____ (COMODO) C:\ProgramData\cisEF3E.exe
2017-04-22 02:29 - 2017-04-22 02:29 - 00000000 ____D C:\T3scan
2017-04-22 02:22 - 2017-04-22 02:27 - 01412798 _____ C:\TDSSKiller.3.1.0.15_22.04.2017_02.22.41_log.txt
2017-04-22 02:16 - 2017-04-22 02:16 - 00004542 _____ C:\TDSSKiller.3.1.0.15_22.04.2017_02.16.29_log.txt
2017-04-22 01:37 - 2017-04-26 22:25 - 00000000 ____D C:\Users\fred\Desktop\New folder (2)
2017-04-19 21:11 - 2017-04-19 21:11 - 00001138 _____ C:\Users\fred\Desktop\NoVirusThanks Anti-Rootkit (Free Edition).lnk
2017-04-19 21:11 - 2017-04-19 21:11 - 00000174 _____ C:\Users\fred\Desktop\avz_log.txt
2017-04-19 21:11 - 2017-04-19 21:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NoVirusThanks
2017-04-19 21:11 - 2017-04-19 21:11 - 00000000 ____D C:\Program Files\NoVirusThanks
2017-04-11 22:32 - 2017-04-11 22:32 - 00000000 ____D C:\ProgramData\rmbwizard
2017-04-09 16:51 - 2017-04-22 13:59 - 00000000 ____D C:\Program Files\Cobian Backup 11
2017-04-09 16:51 - 2017-04-09 16:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cobian Backup 11
2017-04-09 16:44 - 2017-04-09 16:44 - 00000000 ____D C:\ProgramData\managecapsule
2017-04-09 16:27 - 2017-04-09 16:27 - 00000000 ____D C:\ProgramData\launcher
2017-04-09 16:19 - 2017-04-16 20:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Paragon Backup and Recovery™ 14 Free
2017-04-09 16:19 - 2017-04-09 16:19 - 00027408 _____ (Paragon Software Group) C:\Windows\system32\Drivers\hotcore3.sys
2017-04-09 16:19 - 2017-04-09 16:19 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_blockmounter_01_09_00.Wdf
2017-04-09 16:18 - 2017-04-09 16:18 - 00000000 ____D C:\Program Files\Paragon Software
2017-04-09 16:11 - 2017-04-09 16:11 - 00000000 ____D C:\Users\fred\AppData\Local\Downloaded Installations
2017-04-09 16:09 - 2017-04-09 16:09 - 00000000 ____D C:\ProgramData\explauncher
2017-04-09 11:03 - 2017-04-09 16:04 - 00000112 ___RH C:\Users\fred\Documents\Stinger.opt
2017-04-09 10:50 - 2017-04-08 20:48 - 19709440 ____N (Luis Cobian, CobianSoft) C:\Users\fred\Documents\cbSetup.exe
2017-04-09 10:45 - 2017-04-08 20:48 - 387937232 ____N C:\Users\fred\Documents\br14-free_eng.exe
2017-04-09 10:45 - 2017-04-08 20:48 - 15880592 ____N (McAfee Inc) C:\Users\fred\Documents\stinger32.exe
2017-04-09 10:45 - 2017-04-08 20:48 - 05659546 ____N (Swearware) C:\Users\fred\Documents\ComboFix.exe
2017-04-09 10:45 - 2017-04-08 20:48 - 03068832 ____N C:\Users\fred\Documents\BR14Free_en_manual.pdf
2017-04-09 10:45 - 2017-04-08 20:48 - 02942120 ____N (COMODO) C:\Users\fred\Documents\cpsp_installer.exe
2017-04-09 10:45 - 2017-04-08 20:48 - 00067742 ____N C:\Users\fred\Documents\Paragon Backup & Recovery Free Edition - Download & User Manu.htm
2017-04-05 07:01 - 2017-04-22 23:31 - 00044008 _____ (COMODO) C:\Windows\system32\cmdcsr.dll
2017-04-05 07:01 - 2017-04-22 23:30 - 00733456 _____ (COMODO) C:\Windows\system32\guard32.dll
2017-04-05 06:56 - 2017-04-22 23:26 - 00363200 _____ (COMODO) C:\Windows\system32\cmdvrt32.dll
2017-04-05 06:56 - 2017-04-22 23:26 - 00194752 _____ (COMODO) C:\Windows\system32\cmdshim32.dll
2017-04-01 10:34 - 2017-04-01 10:34 - 00000000 ____D C:\Users\furryfriend\AppData\Roaming\Avira
2017-03-28 21:33 - 2017-03-28 21:33 - 00104816 _____ (COMODO) C:\Windows\system32\Drivers\inspect.sys
2017-03-28 21:32 - 2017-03-28 21:32 - 00662864 _____ (COMODO) C:\Windows\system32\Drivers\cmdguard.sys
2017-03-28 21:32 - 2017-03-28 21:32 - 00053344 _____ (COMODO) C:\Windows\system32\Drivers\cmdhlp.sys
2017-03-28 21:32 - 2017-03-28 21:32 - 00027504 _____ (COMODO) C:\Windows\system32\Drivers\cmderd.sys
2017-03-28 01:55 - 2017-03-28 01:55 - 00002606 _____ C:\Users\fred\Documents\aswMBR.txt

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-04-27 17:26 - 2016-11-28 03:49 - 00000000 ____D C:\Users\fred\AppData\LocalLow\Mozilla
2017-04-27 17:25 - 2009-07-14 05:34 - 00027920 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-04-27 17:25 - 2009-07-14 05:34 - 00027920 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-04-27 17:16 - 2009-07-14 05:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-04-27 17:14 - 2015-01-21 22:48 - 00007878 _____ C:\Windows\CUAppUsage.Dat
2017-04-27 15:40 - 2015-01-21 21:50 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-04-27 15:26 - 2015-01-21 21:50 - 00094936 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2017-04-27 15:26 - 2013-09-09 22:05 - 00000000 ____D C:\EEK
2017-04-27 14:14 - 2015-01-27 22:52 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-04-27 13:47 - 2017-03-27 03:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2017-04-27 13:32 - 2016-08-01 11:51 - 00000000 ____D C:\ProgramData\Foxit Software
2017-04-27 07:48 - 2017-01-24 19:51 - 00000000 ____D C:\Windows\Microsoft Antimalware
2017-04-27 02:47 - 2017-01-16 23:37 - 00000000 ____D C:\RescueCD Logs
2017-04-26 16:35 - 2015-01-21 16:40 - 00000000 ____D C:\Users\fred\AppData\Roaming\Comodo
2017-04-26 16:25 - 2015-01-06 10:51 - 00000000 ____D C:\ProgramData\Comodo
2017-04-26 16:21 - 2016-03-31 18:52 - 00000000 ____D C:\ProgramData\TEMP
2017-04-26 16:21 - 2016-03-31 18:51 - 00000000 ____D C:\Program Files\SpywareBlaster
2017-04-26 15:19 - 2017-02-03 01:39 - 00000000 ____D C:\Users\furryfriend\Desktop\030217 csrsvc dll info aswmbr fp maybee plus anti mal spybot
2017-04-26 15:18 - 2017-01-24 03:09 - 00000000 ____D C:\Users\furryfriend\Desktop\antimal antirkit dloads plus win def offline 240117
2017-04-26 15:16 - 2015-03-11 15:25 - 00000000 ____D C:\Users\furryfriend\AppData\Roaming\Comodo
2017-04-26 07:57 - 2016-03-17 17:03 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2017-04-25 23:31 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\rescache
2017-04-25 22:30 - 2016-04-12 16:15 - 00024688 _____ C:\Windows\system32\Drivers\TrueSight.sys
2017-04-25 21:08 - 2016-03-17 17:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2017-04-25 20:50 - 2015-01-06 10:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Comodo
2017-04-25 20:50 - 2015-01-06 10:52 - 00000000 ____D C:\Program Files\Comodo
2017-04-25 19:48 - 2015-01-27 22:40 - 00000000 ____D C:\Users\fred\Desktop\mbar
2017-04-25 10:26 - 2015-01-06 10:13 - 00000000 ____D C:\Users\fred
2017-04-24 23:04 - 2016-06-10 14:14 - 00000000 ____D C:\Users\fred\AppData\Local\CrashDumps
2017-04-24 08:51 - 2009-07-14 05:33 - 00286472 _____ C:\Windows\system32\FNTCACHE.DAT
2017-04-23 17:33 - 2009-07-14 05:53 - 00032608 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-04-23 00:10 - 2016-12-19 13:04 - 00000892 _____ C:\Windows\Tasks\Adobe Flash Player PPAPI Notifier.job
2017-04-22 23:36 - 2009-07-14 03:04 - 22840891 _____ C:\Windows\system32\Drivers\etc\HOSTS.bak
2017-04-22 23:10 - 2016-03-17 14:48 - 00011264 _____ C:\Windows\system32\Drivers\uzk3njm1.sys
2017-04-22 17:09 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\inf
2017-04-22 17:07 - 2015-01-22 14:35 - 00000000 ____D C:\Users\furryfriend
2017-04-22 13:59 - 2015-02-24 01:25 - 00000000 ____D C:\Program Files\WinRAR
2017-04-22 13:59 - 2015-01-21 16:18 - 00000000 ____D C:\Program Files\AnVir Task Manager Pro
2017-04-22 13:59 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\registration
2017-04-22 10:52 - 2015-01-07 10:32 - 145733648 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-04-22 02:14 - 2017-01-21 01:31 - 00000000 ____D C:\Program Files\RogueKiller
2017-04-22 01:46 - 2017-01-21 01:31 - 00001005 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2017-04-22 01:46 - 2017-01-21 01:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2017-04-19 21:44 - 2016-11-20 11:56 - 00000000 ____D C:\Users\fred\Documents\RootRepeal
2017-04-19 21:03 - 2016-03-16 17:55 - 00002028 _____ C:\Users\fred\Desktop\avz.exe - Shortcut (2).lnk
2017-04-19 03:00 - 2017-01-15 02:41 - 00000000 ____D C:\Users\fred\Documents\antimalwr rescue disks avk de web kvrt and many others downloaded 15012017
2017-04-19 02:46 - 2016-11-20 11:55 - 00000000 ____D C:\Users\fred\Documents\new debug downloads 17th nov 16
2017-04-18 18:27 - 2009-07-14 05:52 - 00000000 ____D C:\Windows\Offline Web Pages
2017-04-17 11:39 - 2009-07-14 01:58 - 00039424 _____ (Hewlett-Packard Company) C:\Windows\system32\hpf3lw73.dll
2017-04-16 20:28 - 2016-03-23 17:29 - 00000000 ____D C:\Program Files\WinMHR
2017-04-16 20:28 - 2015-01-21 21:49 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2017-04-14 21:07 - 2016-03-23 17:30 - 00000000 ____D C:\Users\fred\AppData\Local\WinMHR
2017-04-14 19:47 - 2015-01-21 21:56 - 00000000 ____D C:\Program Files\HitmanPro
2017-04-14 14:37 - 2015-01-07 13:22 - 00000000 ____D C:\Windows\Minidump
2017-04-09 16:19 - 2015-08-21 12:34 - 00541104 _____ C:\Windows\system32\Drivers\uim_im.sys
2017-04-09 16:19 - 2015-08-21 12:34 - 00426672 _____ C:\Windows\system32\Drivers\UimFIO.sys
2017-04-09 16:19 - 2015-08-21 12:34 - 00095280 _____ C:\Windows\system32\Drivers\UimBus.sys
2017-04-09 16:19 - 2015-08-21 12:34 - 00020528 _____ C:\Windows\system32\Drivers\uim_devim.sys
2017-04-09 16:18 - 2015-08-21 12:34 - 01837296 _____ (Microsoft Corporation) C:\Windows\system32\WudfUpdate_01009.dll
2017-04-09 16:18 - 2015-08-21 12:34 - 01662640 _____ (Paragon Software Group) C:\Windows\system32\vimsdk.dll
2017-04-09 16:18 - 2015-08-21 12:34 - 01461992 _____ (Microsoft Corporation) C:\Windows\system32\WdfCoinstaller01009.dll
2017-04-09 16:18 - 2015-08-21 12:34 - 00723120 _____ (Paragon Software Group) C:\Windows\system32\Vim.RWBlock.dll
2017-04-09 16:18 - 2015-08-21 12:34 - 00071856 _____ (Paragon Software Group) C:\Windows\system32\vimbase.dll
2017-04-01 10:26 - 2015-12-02 14:19 - 02967122 _____ C:\Windows\ntbtlog.txt
2017-03-31 01:41 - 2017-01-24 04:01 - 00000000 ____D C:\Users\fred\Documents\antimal antirkit dloads plus win def offline 240117
2017-03-30 09:56 - 2015-05-04 20:15 - 00000000 ____D C:\Users\fred\Documents\fusebundle gen
2017-03-30 09:21 - 2016-11-26 20:45 - 00000000 ____D C:\Users\fred\Documents\aerunt
2017-03-30 08:58 - 2016-03-26 19:10 - 00000000 ____D C:\Users\fred\Documents\portable progs and some antimal log 2016

==================== Files in the root of some directories =======

2016-03-08 16:42 - 2016-11-16 18:02 - 0007606 _____ () C:\Users\fred\AppData\Local\resmon.resmoncfg
2017-04-22 13:26 - 2017-04-22 13:26 - 2853048 _____ (COMODO) C:\ProgramData\cisEF3E.exe

Files to move or delete:
====================
C:\ProgramData\cisEF3E.exe


Some files in TEMP:
====================
2017-04-25 21:11 - 2017-03-08 05:24 - 1310528 _____ (Microsoft Corporation) C:\Users\fred\AppData\Local\Temp\dllnt_dump.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-04-25 07:31

==================== End of FRST.txt ============================

 

Attached File  Addition.txt   59.63KB   3 downloads





#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,800 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:10:31 AM

Posted 27 April 2017 - 07:20 PM

Greetings Pete501 and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Please do this.



===================================================

Multiple Antivirus Programs

-------------------

I do not recommend that you have more than one anti virus product installed on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please remove all but one of the Antivirus programs currently on your computer, even if only one is running. You can uninstall the program(s) via Add/Remove Programs, or Programs and Features in the Control Panel.
 

Avira Antivirus
COMODO Antivirus


===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows Key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
CloseProcesses:
2017-04-25 00:58 - 2017-04-25 00:58 - 00000000 __SHD C:\found.000
File: C:\ProgramData\cis4767.exe
File: C:\ProgramData\cisEF3E.exe
File: C:\Windows\system32\Drivers\uzk3njm1.sys
File: C:\Windows\system32\Drivers\uzexotmx.sys
cmd: type "C:\Users\fred\Desktop\aswMBR.txt"
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Antivirus uninstall?
  • Fixlog

Edited by Oh My!, 27 April 2017 - 07:38 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Pete501

Pete501
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:31 PM

Posted 28 April 2017 - 07:29 AM

Thank you for your reply and your help. OK, I have uninstalled Avira antivirus, which rebooted the computer and uninstalled without incident. I uninstalled Avira using the Programs and Features section in the Control Panel. I ran FRST.exe from the desktop with the fixlist.txt file on the desktop. The computer rebooted and produced the Fixlog.txt file below.

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 27-04-2017
Ran by fred (28-04-2017 13:06:49) Run:1
Running from C:\Users\fred\Desktop
Loaded Profiles: fred (Available Profiles: fred & furryfriend)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CloseProcesses:
2017-04-25 00:58 - 2017-04-25 00:58 - 00000000 __SHD C:\found.000
File: C:\ProgramData\cis4767.exe
File: C:\ProgramData\cisEF3E.exe
File: C:\Windows\system32\Drivers\uzk3njm1.sys
File: C:\Windows\system32\Drivers\uzexotmx.sys
cmd: type "C:\Users\fred\Desktop\aswMBR.txt"
*****************

Processes closed successfully.
C:\found.000 => moved successfully

========================= File: C:\ProgramData\cis4767.exe ========================

"C:\ProgramData\cis4767.exe" => not found.
====== End of File: ======


========================= File: C:\ProgramData\cisEF3E.exe ========================

File is digitally signed
MD5: 78F578B9AF1849EDE69DBAEE2D489F88
Creation and modification date: 2017-04-22 13:26 - 2017-04-22 13:26
Size: 2853048
Attributes: ----A
Company Name: COMODO
Internal Name:
Original Name:
Product: COMODO Internet Security
Description: COMODO Internet Security
File Version: 8, 4, 0, 5165
Product Version: 8, 4, 0, 5165
Copyright: 2005-2016 COMODO. All rights reserved.

====== End of File: ======


========================= File: C:\Windows\system32\Drivers\uzk3njm1.sys ========================

File not signed
MD5: D565AD44C6C4D934AFAD3CA4196B09AA
Creation and modification date: 2016-03-17 14:48 - 2017-04-22 23:10
Size: 0011264
Attributes: ----A
Company Name:
Internal Name: avzrkm.sys
Original Name: avzrkm.sys
Product: AVZ Monitoring Driver
Description: AVZ Monitoring Driver
File Version: 1, 3, 0, 0
Product Version: 1, 3, 0, 0
Copyright: Zaitsev Oleg, Copyright © 2004-2006

====== End of File: ======


========================= File: C:\Windows\system32\Drivers\uzexotmx.sys ========================

File not signed
MD5: D565AD44C6C4D934AFAD3CA4196B09AA
Creation and modification date: 2017-04-25 19:30 - 2017-04-27 15:32
Size: 0011264
Attributes: ----A
Company Name:
Internal Name: avzrkm.sys
Original Name: avzrkm.sys
Product: AVZ Monitoring Driver
Description: AVZ Monitoring Driver
File Version: 1, 3, 0, 0
Product Version: 1, 3, 0, 0
Copyright: Zaitsev Oleg, Copyright © 2004-2006

====== End of File: ======


========= type "C:\Users\fred\Desktop\aswMBR.txt" =========

aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2017-04-27 16:29:20
-----------------------------
16:29:20.464    OS Version: Windows 6.1.7601 Service Pack 1
16:29:20.464    Number of processors: 2 586 0xF06
16:29:20.464    ComputerName: FRED-PC  UserName: fred
16:29:21.853    Initialize success
16:29:21.853    VM: initialized successfully
16:29:21.853    VM: Intel CPU supported
16:29:23.148    VM: supported disk I/O ataport.SYS
16:32:54.934    AVAST engine defs: 17030301
16:37:28.402    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-4
16:37:28.402    Disk 0 Vendor: TOSHIBA_DT01ACA050 MS1OA7C0 Size: 476940MB BusType: 11
16:37:28.496    VM: Disk 0 MBR read successfully
16:37:28.496    Disk 0 MBR scan
16:37:28.511    Disk 0 Windows 7 default MBR code
16:37:28.527    Disk 0 Partition 1 80 (A) 07      HPFS/NTFS NTFS          100 MB offset 2048
16:37:28.527    Disk 0 default boot code
16:37:28.543    Disk 0 Partition 2 00     07      HPFS/NTFS NTFS       476216 MB offset 206848
16:37:28.558    Disk 0 scanning sectors +975498930
16:37:28.636    Disk 0 scanning C:\Windows\system32\drivers
16:37:46.592    Service scanning
16:38:18.525    Modules scanning
16:38:18.525    Disk 0 trace - called modules:
16:38:18.556    ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys
16:38:18.556    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x862b53e8]
16:38:18.556    3 CLASSPNP.SYS[895bf59e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-4[0x861da040]
16:38:19.211    AVAST engine scan C:\Windows
16:38:23.564    AVAST engine scan C:\Windows\system32
16:38:43.953    File: C:\Windows\system32\csrsrv.dll  **INFECTED** Win32:Aluroot-B [Rtk]
16:41:53.431    AVAST engine scan C:\Windows\system32\drivers
16:42:09.671    AVAST engine scan C:\Users\fred
16:44:44.048    File: C:\Users\fred\Desktop\portable progs and some antimal log 2016\csrsrv.dll  **INFECTED** Win32:Aluroot-B [Rtk]
16:44:51.505    File: C:\Users\fred\Desktop\portable progs and some antimal log 2016\x86_microsoft-windows-csrsrv_31bf3856ad364e35_6.1.7601.19160_none_cb545b0503cc1fd3_csrsrv.dll_f50da7f9  **INFECTED** Win32:Aluroot-B [Rtk]
16:45:35.872    File: C:\Users\fred\Documents\csrsrv.dll  **INFECTED** Win32:Aluroot-B [Rtk]
16:45:35.950    File: C:\Users\fred\Documents\csrsvc.dll  **INFECTED** Win32:Aluroot-B [Rtk]
16:47:05.042    File: C:\Users\fred\Documents\portable progs and some antimal log 2016\csrsrv.dll  **INFECTED** Win32:Aluroot-B [Rtk]
16:47:12.654    File: C:\Users\fred\Documents\portable progs and some antimal log 2016\x86_microsoft-windows-csrsrv_31bf3856ad364e35_6.1.7601.19160_none_cb545b0503cc1fd3_csrsrv.dll_f50da7f9  **INFECTED** Win32:Aluroot-B [Rtk]
16:47:50.438    File: C:\Users\fred\Documents\x86_microsoft-windows-csrsrv_31bf3856ad364e35_6.1.7601.19160_none_cb545b0503cc1fd3_csrsrv.dll_f50da7f9  **INFECTED** Win32:Aluroot-B [Rtk]
16:48:02.106    AVAST engine scan C:\ProgramData
16:49:11.449    Disk 0 statistics 2844515/0/274 @ 3.97 MB/s
16:49:11.464    Scan finished successfully
16:52:30.692    Disk 0 MBR has been saved successfully to "C:\Users\fred\Desktop\MBR.dat"
16:52:30.739    The log file has been saved successfully to "C:\Users\fred\Desktop\aswMBR.txt"


aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2017-04-28 09:36:03
-----------------------------
09:36:03.545    OS Version: Windows 6.1.7601 Service Pack 1
09:36:03.545    Number of processors: 2 586 0xF06
09:36:03.545    ComputerName: FRED-PC  UserName: fred
09:36:04.512    Initialize success
09:36:04.887    VM: initialized successfully
09:36:04.934    VM: Intel CPU supported
09:36:06.930    VM: supported disk I/O ataport.SYS
09:36:59.331    AVAST engine defs: 17030301
09:37:04.136    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-4
09:37:04.136    Disk 0 Vendor: TOSHIBA_DT01ACA050 MS1OA7C0 Size: 476940MB BusType: 11
09:37:04.463    VM: Disk 0 MBR read successfully
09:37:04.463    Disk 0 MBR scan
09:37:04.479    Disk 0 Windows 7 default MBR code
09:37:04.526    Disk 0 Partition 1 80 (A) 07      HPFS/NTFS NTFS          100 MB offset 2048
09:37:04.588    Disk 0 default boot code
09:37:04.635    Disk 0 Partition 2 00     07      HPFS/NTFS NTFS       476216 MB offset 206848
09:37:04.713    Disk 0 scanning sectors +975498930
09:37:05.040    Disk 0 scanning C:\Windows\system32\drivers
09:37:34.821    Service scanning
09:38:01.840    Modules scanning
09:38:01.840    Disk 0 trace - called modules:
09:38:01.856    ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys
09:38:01.856    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x862b6040]
09:38:01.871    3 CLASSPNP.SYS[893da59e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-4[0x861da040]
09:38:02.511    AVAST engine scan C:\
09:38:04.960    File: C:\csrsrv.dll  **INFECTED** Win32:Aluroot-B [Rtk]
10:06:47.952    File: C:\Ne\csrsrv.dll  **INFECTED** Win32:Aluroot-B [Rtk]
10:06:48.092    File: C:\Ne\sus.dll  **INFECTED** Win32:Aluroot-B [Rtk]
10:07:34.237    Disk 0 statistics 544537/0/274 @ 0.15 MB/s
10:07:34.237    Scan stopped
10:07:41.632    Disk 0 MBR has been saved successfully to "C:\Users\fred\Desktop\MBR.dat"
10:07:41.647    The log file has been saved successfully to "C:\Users\fred\Desktop\aswMBR.txt"



========= End of CMD: =========



The system needed a reboot.

==== End of Fixlog 13:06:49 ====



#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,800 posts
  • Gender:Male
  • Location:California
  • Local time:10:31 AM

Posted 28 April 2017 - 09:51 AM

Greetings and thank you for all the information.

That is a false positive and your computer is clean. If you would like, you can report the false positive to Avast.

Are there any other concerns you have?
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
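A way to corroborate a verdict like the one above before reporting a false positive is to check whether the flagged system file is the same file Windows itself shipped. The script below is an added example, not from this thread or from any of the tools mentioned in it; it assumes a default Windows install (the `$env:SystemRoot\System32` and `WinSxS` paths) and an elevated PowerShell prompt. It checks the Authenticode signature of the live csrsrv.dll and compares its SHA-256 with every copy in the component store, the same copies the aswMBR log lists as detected.

```powershell
# Added example: corroborate a scanner verdict on a Windows system DLL.
# Assumed paths: the live copy in System32 and the component-store copies under WinSxS.
$target = Join-Path $env:SystemRoot 'System32\csrsrv.dll'

# 1. Authenticode check: a genuine Microsoft binary verifies as signed
#    (Status -eq 'Valid'), either directly or through a Windows catalog file.
$sig = Get-AuthenticodeSignature -FilePath $target
[pscustomobject]@{
    File   = $target
    Status = $sig.Status
    Signer = $sig.SignerCertificate.Subject
} | Format-List

# 2. Hash the live copy, then every WinSxS copy. Identical hashes show the
#    scanner is flagging the very bytes Windows Update installed, which is
#    what you expect from a false positive rather than a patched binary.
$liveHash = (Get-FileHash -Algorithm SHA256 -Path $target).Hash
Get-ChildItem -Path (Join-Path $env:SystemRoot 'WinSxS') -Recurse -Filter 'csrsrv.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        [pscustomobject]@{
            Path        = $_.FullName
            SHA256      = $h
            MatchesLive = ($h -eq $liveHash)
            Signature   = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
    } | Format-Table -AutoSize -Wrap
```

The SHA-256 printed for the live copy is the value to look up on VirusTotal, which the thread starter already did; a file that is catalog-signed by Microsoft, hash-identical to its WinSxS copies and clean on VirusTotal is a false positive, and that is the evidence to include in the report to the vendor. One caveat: on Windows 7, `Get-AuthenticodeSignature` does not consult catalog files, so a catalog-signed system DLL can show `NotSigned` there; the Sysinternals `sigcheck` tool (`sigcheck -i -h <file>`) does resolve catalog signatures and prints the hashes in one step.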

#5 Pete501

Pete501
  • Topic Starter

  • Members
  • 3 posts
  • Local time:06:31 PM

Posted 28 April 2017 - 12:36 PM

Thank you for the help and the time you have spent on this, Gary. It's great to know that my computer is clean. I don't have any other concerns about the computer; it's running fine. I had scanned it with a couple of rescue disks, Malwarebytes and Emsisoft Emergency Kit in the past, which all came up clean. It was just that aswMBR had been showing csrsrv.dll as infected for a long time (6 months or more). I thought that other people would have been getting the same detection and that Avast would have fixed aswMBR to remove the false positive. Thanks again, it's great to know that my computer is fine. I will report the false positive to Avast.


Edited by Pete501, 28 April 2017 - 12:38 PM.


#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,800 posts
  • Gender:Male
  • Location:California
  • Local time:10:31 AM

Posted 28 April 2017 - 02:49 PM

I would have followed up on it as well. That is a troubling repeated (false) detection.

It is my great pleasure to proclaim to you the Good News!

===================================================

All Clean!

--------------

Your machine appears to be clean and we will now remove the tools used and logs created during our steps. Please do this.

===================================================

Delfix by Xplode

--------------------
  • Download Delfix and save it to your Desktop
  • Double click the icon
  • Place checkmarks in:

Remove disinfection tools
Create registry backup
Purge system restore

  • Click Run
===================================================

You may delete any additional programs or logs on your computer which were not automatically removed by Delfix. Simply delete the log files or desktop icons. If we used Emsisoft Emergency Kit just delete the icon on your desktop and the C:\EEK folder.

Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Lawrence Abrams, the founder of BleepingComputer.com, has developed an excellent tutorial which will provide you with the information you need to know to keep your computer secure and clean. Please take the time to read:

In addition, here are some more links you might find of interest:

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.
Gary
 

#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,800 posts
  • Gender:Male
  • Location:California
  • Local time:10:31 AM

Posted 28 April 2017 - 02:50 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 