Chrome redirects to 4lucky4.com and more


  • This topic is locked
21 replies to this topic

#1 patch18AT

  • Members
  • 28 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:06:40 PM

Posted 10 June 2017 - 01:33 PM

Hello,

My Chrome browser seems to keep opening a new window and opening the page 4luckyf.com. I managed to get a screenshot of the pop-up here (http://tinypic.com/r/s5i5pc/9).

I have run deep scans using SuperAntiSpyware, Malwarebytes Anti-Malware and even Kaspersky Rescue Disk 10, and they have all shown up empty.

I also used AdwCleaner and thought that did the trick, but no luck.

In addition to the redirect to 4luckyf.com, sometimes I get pop-ups with "unseemly" pictures. Sometimes when I try to click a link, the webpage will look like it's going to the link, but then it'll display what looks like an official Google page saying something like '404 serve not found' with a cartoon computer with a thermometer in its mouth. What's odd is that if I refresh, then the webpage will load.

Thank you for your time.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 10-06-2017
Ran by Intho (administrator) on INTHO-PC (11-06-2017 04:12:05)
Running from C:\Users\Intho\Desktop
Loaded Profiles: Intho (Available Profiles: Intho)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
(Dell Inc.) C:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
() C:\Program Files (x86)\QNAP\Qfinder\iSCSIAgent.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Dell Inc.) C:\Program Files\Dell\Feature Enhancement Pack\DFEPApplication.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(UltimateOutsider) C:\Program Files (x86)\UltimateOutsider\GWX Control Panel\GWX_control_panel.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Google Inc.) C:\Users\Intho\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Intho\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Intho\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Intho\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Intho\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Intho\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Intho\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Intho\AppData\Local\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Google Inc.) C:\Users\Intho\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Intho\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [592240 2011-01-04] (Alps Electric Co., Ltd.)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [DFEPApplication] => C:\Program Files\Dell\Feature Enhancement Pack\DFEPApplication.exe [7077880 2013-01-22] (Dell Inc.)
HKLM\...\Run: [GwxControlPanelMonitor] => C:\Program Files (x86)\UltimateOutsider\GWX Control Panel\GWX_control_panel.exe [4596296 2016-04-02] (UltimateOutsider)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1354712 2016-08-30] (Microsoft Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [303928 2017-05-09] (Apple Inc.)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [285240 2012-11-19] (Intel Corporation)
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5545328 2014-02-28] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [36760 2012-01-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [815512 2012-01-03] (Adobe Systems Inc.)
HKLM-x32\...\Run: [QfinderPro] => C:\Program Files (x86)\QNAP\Qfinder\QfinderPro.exe [8228664 2016-07-06] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-03-15] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2900314479-2681443108-623195477-1001\...\Run: [Google Update] => C:\Users\Intho\AppData\Local\Google\Update\1.3.33.5\GoogleUpdateCore.exe [601168 2017-04-30] (Google Inc.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk [2016-08-16]
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Dell Inc.)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk [2016-08-16]
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Dell Inc.)
GroupPolicy: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{16E40B00-CBC6-45FE-B4ED-ACE0659A0CCA}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{395B66A7-E0E1-44B4-BD1A-B8C36F5A292F}: [DhcpNameServer] 192.168.1.254
 
Internet Explorer:
==================
HKU\S-1-5-21-2900314479-2681443108-623195477-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.ninemsn.com.au/?ocid=iehp
SearchScopes: HKU\S-1-5-21-2900314479-2681443108-623195477-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\ssv.dll [2017-06-10] (Oracle Corporation)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2012-01-03] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\jp2ssv.dll [2017-06-10] (Oracle Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2012-01-03] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2012-01-03] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-2900314479-2681443108-623195477-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
 
FireFox:
========
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: (Adobe Acrobat - Create PDF) - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2014-05-02] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt => not found
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\dtplugin\npDeployJava1.dll [2017-06-10] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\plugin2\npjp2.dll [2017-06-10] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-02] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-02] (VideoLAN)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll [2012-01-03] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2900314479-2681443108-623195477-1001: @tools.google.com/Google Update;version=3 -> C:\Users\Intho\AppData\Local\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-30] (Google Inc.)
FF Plugin HKU\S-1-5-21-2900314479-2681443108-623195477-1001: @tools.google.com/Google Update;version=9 -> C:\Users\Intho\AppData\Local\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-30] (Google Inc.)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> file:///C:/Users/Intho/Desktop/mseinstall.exe
CHR Profile: C:\Users\Intho\AppData\Local\Google\Chrome\User Data\Default [2017-06-11]
CHR Extension: (Google Docs) - C:\Users\Intho\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-07]
CHR Extension: (Google Drive) - C:\Users\Intho\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (YouTube) - C:\Users\Intho\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-26]
CHR Extension: (Google Search) - C:\Users\Intho\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-31]
CHR Extension: (Tampermonkey) - C:\Users\Intho\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2016-12-20]
CHR Extension: (Facebook™ Chat Privacy) - C:\Users\Intho\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfpgaanechfneiboempkfjghninbibjn [2016-08-01]
CHR Extension: (Google Docs Offline) - C:\Users\Intho\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-18]
CHR Extension: (AdBlock) - C:\Users\Intho\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2017-04-14]
CHR Extension: (Unseen) - C:\Users\Intho\AppData\Local\Google\Chrome\User Data\Default\Extensions\iicapmagmhahddefgokbabbgieiogjop [2017-03-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Intho\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-11]
CHR Extension: (Gmail) - C:\Users\Intho\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-28]
CHR Extension: (Chrome Media Router) - C:\Users\Intho\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-21]
StartMenuInternet: Google Chrome.DYJRD3GW3E6IIBLMVT4R3USJV4 - C:\Users\Intho\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-02-26] (SUPERAntiSpyware.com)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2017-04-03] (Apple Inc.)
R2 DFEPService; C:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe [2280952 2013-01-22] (Dell Inc.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [120888 2016-08-30] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [361816 2016-08-30] (Microsoft Corporation)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [10884848 2017-05-23] (TeamViewer GmbH)
R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [271728 2014-02-28] (Western Digital Technologies, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2016-03-26] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 anvsnddrv; C:\Windows\System32\drivers\anvsnddrv.sys [33872 2011-11-28] (AnvSoft Inc.)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28216 2012-11-19] (Intel Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [295000 2016-08-25] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [135928 2016-08-25] (Microsoft Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-23] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [60416 2016-03-26] (Microsoft Corporation)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-06-11 10:25 - 2017-06-11 13:54 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2017-06-11 04:12 - 2017-06-11 04:12 - 00016038 _____ C:\Users\Intho\Desktop\FRST.txt
2017-06-11 04:11 - 2017-06-11 04:12 - 00000000 ____D C:\FRST
2017-06-11 04:11 - 2017-06-11 04:11 - 02437120 _____ (Farbar) C:\Users\Intho\Desktop\FRST64.exe
2017-06-11 03:59 - 2017-06-11 04:01 - 00000000 ____D C:\AdwCleaner
2017-06-11 03:58 - 2017-06-11 03:58 - 04110280 _____ C:\Users\Intho\Desktop\adwcleaner_6.047.exe
2017-06-11 00:02 - 2017-06-11 00:02 - 00000000 ____D C:\Users\Intho\Desktop\rufus_files
2017-06-10 23:13 - 2017-06-10 23:13 - 00954488 _____ (Akeo Consulting (hxxp://akeo.ie)) C:\Users\Intho\Desktop\rufus-2.15.exe
2017-06-10 23:12 - 2017-06-10 23:27 - 321603584 _____ C:\Users\Intho\Desktop\kav_rescue_10.iso
2017-06-10 21:53 - 2017-06-10 21:53 - 00000000 ____D C:\Users\Intho\AppData\Roaming\Sun
2017-06-10 21:13 - 2017-06-10 21:13 - 00000000 ____D C:\Users\Intho\Desktop\test
2017-06-10 21:13 - 2017-06-10 21:13 - 00000000 ____D C:\Users\Intho\AppData\Roaming\21797
2017-06-08 11:39 - 2017-06-08 11:39 - 00001753 _____ C:\Users\Public\Desktop\iTunes.lnk
2017-06-08 11:39 - 2017-06-08 11:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2017-06-08 11:38 - 2017-06-08 11:39 - 00000000 ____D C:\Program Files\iTunes
2017-06-08 11:38 - 2017-06-08 11:38 - 00000000 ____D C:\Program Files\iPod
 
2017-06-07 12:09 - 2017-06-07 12:18 - 00000000 ____D C:\Users\Intho\Desktop\LiangShanMountain
2017-06-07 12:08 - 2017-06-07 12:18 - 00000000 ____D C:\Users\Intho\Desktop\JongQuy
2017-06-07 12:04 - 2017-06-07 12:16 - 00000000 ____D C:\Users\Intho\Desktop\Sacrifice
2017-06-07 12:03 - 2017-06-07 12:08 - 00000000 ____D C:\Users\Intho\Desktop\Yang Gentlemen
2017-06-06 21:27 - 2017-06-06 21:28 - 00000000 ____D C:\Users\Intho\Desktop\Kaspersky
2017-06-03 00:24 - 2017-06-03 00:24 - 00143742 _____ C:\Users\Intho\Desktop\Work Order - 1-5 Park Ave Waitara.pdf
2017-06-01 15:28 - 2017-06-01 15:28 - 00362019 _____ C:\Users\Intho\Desktop\TAYLOR, Intho IFA APS6 Manus 2017 -110 sent to Intho 1.6.pdf
2017-06-01 04:36 - 2017-06-11 00:22 - 00000400 __RSH C:\ProgramData\ntuser.pol
2017-06-01 04:27 - 2017-06-01 04:27 - 00000000 ____D C:\Users\Intho\To USB
2017-05-28 03:46 - 2017-05-28 03:46 - 00000000 ____D C:\Users\Intho\AppData\Roaming\Plcore
2017-05-28 03:19 - 2017-06-10 22:45 - 00000000 ____D C:\Users\Intho\AppData\Roaming\DVDFab10
2017-05-28 03:19 - 2017-05-28 03:19 - 00001922 _____ C:\Users\Intho\Desktop\DVDFab 10.lnk
2017-05-28 03:19 - 2017-05-28 03:19 - 00000087 _____ C:\Users\Intho\AppData\Roaming\1de0de73-de3e-46c6-81b0-f6455f081644
2017-05-28 03:19 - 2017-05-28 03:19 - 00000000 ____D C:\Users\Intho\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DVDFab 10
2017-05-28 03:19 - 2017-05-28 03:19 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DVDFab 10
2017-05-28 03:18 - 2017-05-28 03:48 - 00000000 ____D C:\Users\Intho\Documents\DVDFab10
2017-05-28 03:18 - 2017-05-28 03:19 - 00000000 ____D C:\Program Files (x86)\DVDFab 10
2017-05-28 02:56 - 2017-05-28 02:56 - 00000824 _____ C:\Users\Intho\Desktop\HandBrake.lnk
2017-05-28 02:56 - 2017-05-28 02:56 - 00000000 ____D C:\Users\Intho\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HandBrake
2017-05-28 02:56 - 2017-05-28 02:56 - 00000000 ____D C:\Users\Intho\AppData\Roaming\HandBrake Team
2017-05-27 20:04 - 2017-06-04 22:00 - 00000000 ____D C:\Users\Intho\Desktop\MiaLuang
2017-05-20 11:09 - 2017-06-07 10:52 - 00000000 ____D C:\Users\Intho\Desktop\MuenKhonLaPharkPhar
2017-05-16 17:45 - 2017-04-18 01:37 - 00026112 _____ (Microsoft Corporation) C:\Windows\system32\oleres.dll
2017-05-16 17:45 - 2017-04-18 01:12 - 00026112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleres.dll
2017-05-16 17:44 - 2017-04-28 11:14 - 05547240 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2017-05-16 17:44 - 2017-04-28 11:14 - 00706792 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2017-05-16 17:44 - 2017-04-28 11:14 - 00631176 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2017-05-16 17:44 - 2017-04-28 11:14 - 00154856 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2017-05-16 17:44 - 2017-04-28 11:14 - 00095464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2017-05-16 17:44 - 2017-04-28 11:11 - 01732864 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 01212928 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 01163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00730624 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00419840 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00345600 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00312320 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00215552 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00190464 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2017-05-16 17:44 - 2017-04-28 11:10 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00880640 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00463872 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00123904 _____ (Microsoft Corporation) C:\Windows\system32\bcrypt.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00059904 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00044032 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00034816 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 11:09 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:36 - 04000488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2017-05-16 17:44 - 2017-04-28 10:36 - 03945192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2017-05-16 17:44 - 2017-04-28 10:34 - 01314112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00666112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00644096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00342528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00275456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00261120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00254464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00082944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\bcrypt.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:19 - 00148480 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2017-05-16 17:44 - 2017-04-28 10:19 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2017-05-16 17:44 - 2017-04-28 10:19 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2017-05-16 17:44 - 2017-04-28 10:18 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2017-05-16 17:44 - 2017-04-28 10:15 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2017-05-16 17:44 - 2017-04-28 10:14 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2017-05-16 17:44 - 2017-04-28 10:12 - 00159744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2017-05-16 17:44 - 2017-04-28 10:11 - 00291328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2017-05-16 17:44 - 2017-04-28 10:11 - 00129536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2017-05-16 17:44 - 2017-04-28 10:11 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2017-05-16 17:44 - 2017-04-28 10:10 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2017-05-16 17:44 - 2017-04-28 10:10 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2017-05-16 17:44 - 2017-04-28 10:08 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2017-05-16 17:44 - 2017-04-28 10:08 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2017-05-16 17:44 - 2017-04-28 10:08 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2017-05-16 17:44 - 2017-04-28 10:08 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2017-05-16 17:44 - 2017-04-28 10:07 - 00036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2017-05-16 17:44 - 2017-04-28 10:07 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:07 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:07 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2017-05-16 17:44 - 2017-04-28 10:07 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2017-05-16 17:44 - 2017-04-27 00:59 - 03220992 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2017-05-16 17:44 - 2017-04-22 01:34 - 01133568 _____ (Microsoft Corporation) C:\Windows\system32\cdosys.dll
2017-05-16 17:44 - 2017-04-22 01:15 - 00805376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2017-05-16 17:44 - 2017-04-18 01:37 - 02065408 _____ (Microsoft Corporation) C:\Windows\system32\ole32.dll
2017-05-16 17:44 - 2017-04-18 01:37 - 00876544 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2017-05-16 17:44 - 2017-04-18 01:37 - 00512000 _____ (Microsoft Corporation) C:\Windows\system32\rpcss.dll
2017-05-16 17:44 - 2017-04-18 01:37 - 00008704 _____ (Microsoft Corporation) C:\Windows\system32\comcat.dll
2017-05-16 17:44 - 2017-04-18 01:12 - 01417728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ole32.dll
2017-05-16 17:44 - 2017-04-18 01:12 - 00581632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2017-05-16 17:44 - 2017-04-18 00:54 - 00007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comcat.dll
2017-05-16 17:44 - 2017-04-13 01:32 - 01483776 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2017-05-16 17:44 - 2017-04-13 01:32 - 00229376 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2017-05-16 17:44 - 2017-04-13 01:32 - 00190976 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2017-05-16 17:44 - 2017-04-13 01:32 - 00141824 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll
2017-05-16 17:44 - 2017-04-13 01:26 - 00179200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2017-05-16 17:44 - 2017-04-13 01:25 - 01176064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2017-05-16 17:44 - 2017-04-13 01:25 - 00145920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2017-05-16 17:44 - 2017-04-13 01:25 - 00106496 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2017-05-16 17:44 - 2017-04-08 01:34 - 00986856 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2017-05-16 17:44 - 2017-04-08 01:34 - 00265448 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgmms1.sys
2017-05-16 17:44 - 2017-04-08 01:30 - 00405504 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2017-05-16 17:44 - 2017-04-08 01:30 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\cdd.dll
2017-05-16 17:44 - 2017-04-08 01:22 - 00312832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2017-05-16 17:44 - 2017-04-06 00:55 - 00460800 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys
2017-05-16 17:44 - 2017-04-06 00:55 - 00405504 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv2.sys
2017-05-16 17:44 - 2017-04-06 00:55 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srvnet.sys
2017-05-16 17:44 - 2017-04-05 01:34 - 01895656 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2017-05-16 17:44 - 2017-04-05 01:34 - 00377576 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2017-05-16 17:44 - 2017-04-05 01:34 - 00287976 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\FWPKCLNT.SYS
2017-05-16 17:44 - 2017-04-05 00:53 - 00496128 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2017-05-16 17:44 - 2017-04-05 00:53 - 00117760 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys
2017-05-16 17:41 - 2017-03-23 01:32 - 03165184 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2017-05-16 17:41 - 2017-03-23 01:32 - 00192512 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2017-05-16 17:41 - 2017-03-23 01:32 - 00098816 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2017-05-16 17:41 - 2017-03-23 01:30 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2017-05-16 17:41 - 2017-03-23 01:24 - 00174080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2017-05-16 17:41 - 2017-03-23 01:17 - 02651136 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2017-05-16 17:41 - 2017-03-23 01:15 - 00709120 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2017-05-16 17:41 - 2017-03-23 01:15 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2017-05-16 17:41 - 2017-03-23 01:15 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2017-05-16 17:41 - 2017-03-23 01:15 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2017-05-16 17:41 - 2017-03-23 01:15 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2017-05-16 17:41 - 2017-03-23 01:15 - 00012288 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2017-05-16 17:41 - 2017-03-23 01:05 - 00573440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2017-05-16 17:41 - 2017-03-23 01:05 - 00093696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2017-05-16 17:41 - 2017-03-23 01:05 - 00035328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2017-05-16 17:41 - 2017-03-23 01:05 - 00030208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2017-05-16 17:41 - 2017-03-11 02:35 - 00382696 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2017-05-16 17:41 - 2017-03-11 02:31 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2017-05-16 17:41 - 2017-03-11 02:31 - 00046080 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2017-05-16 17:41 - 2017-03-11 02:31 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2017-05-16 17:41 - 2017-03-11 02:31 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2017-05-16 17:41 - 2017-03-11 02:27 - 00308456 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2017-05-16 17:41 - 2017-03-11 02:20 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll
2017-05-16 17:41 - 2017-03-11 02:19 - 00070656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll
2017-05-16 17:41 - 2017-03-11 02:19 - 00010240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dciman32.dll
2017-05-16 17:41 - 2017-03-11 01:53 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2017-05-16 17:41 - 2017-03-08 02:30 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\asycfilt.dll
2017-05-16 17:41 - 2017-03-08 02:17 - 00067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\asycfilt.dll
2017-05-16 17:41 - 2017-03-08 00:05 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\rdpudd.dll
2017-05-16 17:41 - 2017-03-04 11:27 - 01574912 _____ (Microsoft Corporation) C:\Windows\system32\quartz.dll
2017-05-16 17:41 - 2017-03-04 11:27 - 00093696 _____ (Microsoft Corporation) C:\Windows\system32\mfmjpegdec.dll
2017-05-16 17:41 - 2017-03-04 11:14 - 01329664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\quartz.dll
2017-05-16 17:41 - 2017-03-04 11:14 - 00077312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfmjpegdec.dll
2017-05-16 17:39 - 2017-02-11 02:32 - 00803328 _____ (Microsoft Corporation) C:\Windows\system32\usp10.dll
2017-05-16 17:39 - 2017-02-11 02:17 - 00628736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll
2017-05-16 17:39 - 2017-02-11 00:33 - 01251328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2017-05-16 17:39 - 2017-02-10 02:32 - 00040960 _____ (Microsoft Corporation) C:\Windows\system32\WcsPlugInService.dll
2017-05-16 17:39 - 2017-02-10 02:31 - 00625664 _____ (Microsoft Corporation) C:\Windows\system32\mscms.dll
2017-05-16 17:39 - 2017-02-10 02:31 - 00250880 _____ (Microsoft Corporation) C:\Windows\system32\icm32.dll
2017-05-16 17:39 - 2017-02-10 02:14 - 00481792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscms.dll
2017-05-16 17:39 - 2017-02-10 02:14 - 00215040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icm32.dll
2017-05-16 17:39 - 2017-02-10 01:51 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WcsPlugInService.dll
2017-05-16 17:39 - 2017-02-10 00:06 - 01648128 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2017-05-16 17:39 - 2017-02-10 00:06 - 01180160 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2017-05-16 17:39 - 2017-02-07 02:14 - 00733696 _____ (Microsoft Corporation) C:\Windows\HelpPane.exe
2017-05-16 17:39 - 2017-01-14 04:00 - 00976896 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2017-05-16 17:39 - 2017-01-14 04:00 - 00084480 _____ (Microsoft Corporation) C:\Windows\system32\INETRES.dll
2017-05-16 17:39 - 2017-01-14 03:45 - 00741888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2017-05-16 17:39 - 2017-01-14 03:45 - 00084480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\INETRES.dll
2017-05-16 17:39 - 2017-01-12 04:01 - 01887744 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2017-05-16 17:39 - 2017-01-12 04:01 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2017-05-16 17:39 - 2017-01-12 03:43 - 01241088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2017-05-16 17:39 - 2017-01-12 03:43 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2017-05-16 17:39 - 2016-11-21 00:07 - 00467392 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2017-05-16 17:39 - 2016-10-08 23:06 - 00633296 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2017-05-12 23:04 - 2017-05-12 23:04 - 01684879 _____ C:\Users\Intho\Desktop\12004540_SP69007_Consolidated_Bylaws_May_2017.pdf
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-06-11 04:10 - 2009-07-14 14:45 - 00020880 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-06-11 04:10 - 2009-07-14 14:45 - 00020880 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-06-11 04:06 - 2009-07-14 15:13 - 00006396 _____ C:\Windows\system32\PerfStringBackup.INI
2017-06-11 04:02 - 2014-04-23 03:48 - 00000266 _____ C:\Windows\Tasks\AutoKMS.job
2017-06-11 04:02 - 2009-07-14 15:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-06-11 03:55 - 2014-04-23 01:18 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2017-06-11 03:55 - 2009-07-14 13:20 - 00000000 ____D C:\Windows\inf
2017-06-10 22:47 - 2014-04-23 01:17 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-06-10 22:47 - 2014-04-23 01:07 - 00000000 ____D C:\Users\Intho\Documents\Registry Backups
2017-06-10 22:21 - 2014-04-23 00:48 - 00000000 ____D C:\Users\Intho\AppData\Roaming\vlc
2017-06-10 22:00 - 2014-04-23 01:57 - 00000000 ____D C:\ProgramData\Oracle
2017-06-10 21:53 - 2014-11-20 23:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-06-10 21:52 - 2014-11-20 23:48 - 00097856 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2017-06-10 21:52 - 2014-11-20 23:48 - 00000000 ____D C:\Program Files (x86)\Java
2017-06-10 21:50 - 2014-04-23 15:44 - 00000000 ____D C:\Users\Intho\AppData\Roaming\HandBrake
2017-06-07 23:51 - 2009-07-14 15:08 - 00032632 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-06-06 21:25 - 2017-02-01 22:00 - 00000971 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 12.lnk
2017-06-06 21:25 - 2014-04-23 02:09 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2017-06-02 00:23 - 2014-04-23 03:35 - 00000000 ____D C:\Users\Intho\AppData\Roaming\dvdcss
2017-06-01 04:36 - 2009-07-14 13:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2017-06-01 04:36 - 2009-07-14 13:20 - 00000000 ____D C:\Windows\SysWOW64\GroupPolicy
2017-06-01 04:27 - 2014-04-23 00:20 - 00000000 ____D C:\Users\Intho
2017-05-31 06:45 - 2014-04-23 00:36 - 00565416 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2017-05-30 07:49 - 2014-07-12 16:01 - 00000000 ____D C:\Users\Intho\Documents\Park Ave
2017-05-28 02:56 - 2014-04-23 15:43 - 00000000 ____D C:\Program Files\Handbrake
2017-05-20 08:43 - 2014-04-23 00:40 - 00002388 _____ C:\Users\Intho\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-05-20 00:15 - 2014-12-11 21:41 - 00000000 ____D C:\Users\Intho\AppData\Roaming\TeamViewer
2017-05-19 19:31 - 2009-07-14 13:20 - 00000000 ____D C:\Windows\rescache
2017-05-16 17:48 - 2009-07-14 14:45 - 00345976 _____ C:\Windows\system32\FNTCACHE.DAT
2017-05-16 17:47 - 2009-07-14 15:32 - 00000000 ____D C:\Program Files\DVD Maker
2017-05-12 00:44 - 2014-05-03 11:59 - 00000000 ____D C:\Users\Intho\AppData\Local\ElevatedDiagnostics
 
==================== Files in the root of some directories =======
 
2017-05-28 03:19 - 2017-05-28 03:19 - 0000087 _____ () C:\Users\Intho\AppData\Roaming\1de0de73-de3e-46c6-81b0-f6455f081644
2016-05-11 16:44 - 2016-05-11 16:44 - 0000600 _____ () C:\Users\Intho\AppData\Local\PUTTY.RND
2014-04-23 01:48 - 2014-04-23 01:48 - 0007605 _____ () C:\Users\Intho\AppData\Local\Resmon.ResmonCfg
 
Some files in TEMP:
====================
2017-06-10 21:50 - 2017-06-10 21:50 - 0739904 _____ (Oracle Corporation) C:\Users\Intho\AppData\Local\Temp\jre-8u131-windows-au.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-06-03 14:04
 
==================== End of FRST.txt ============================



Edited by patch18AT, 10 June 2017 - 01:51 PM.



 


#2 patch18AT

  • Topic Starter

Posted 10 June 2017 - 01:40 PM

Sorry, please delete the other thread as it is a duplicate. Thank you.

 

Mod Edit: Deleted, thanks :) - Hamluis.


Edited by hamluis, 10 June 2017 - 01:43 PM.


#3 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:40 AM

Posted 10 June 2017 - 02:36 PM

Hi patch18AT :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
  • This being said, I have a full-time job, so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean up some malware, so let's get started, shall we? :)

Please give me a few to review your logs and get back to you.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 Aura

    Bleepin' Special Ops
  • Malware Response Team

Posted 10 June 2017 - 02:45 PM

Please uninstall the Unseen extension in Google Chrome. Once done, follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;





#5 patch18AT

  • Topic Starter

Posted 10 June 2017 - 02:54 PM

Hi Aura,

 

Thanks so much for your time. As per your request:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 10-06-2017
Ran by Intho (11-06-2017 05:52:19) Run:1
Running from C:\Users\Intho\Desktop
Loaded Profiles: Intho (Available Profiles: Intho)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
 
HKLM-x32\...\Run: [] => [X]
GroupPolicy: Restriction <======= ATTENTION
 
Toolbar: HKU\S-1-5-21-2900314479-2681443108-623195477-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
 
CHR HomePage: Default -> file:///C:/Users/Intho/Desktop/mseinstall.exe
CHR Extension: (Unseen) - C:\Users\Intho\AppData\Local\Google\Chrome\User Data\Default\Extensions\iicapmagmhahddefgokbabbgieiogjop [2017-03-20]
StartMenuInternet: Google Chrome.DYJRD3GW3E6IIBLMVT4R3USJV4 - C:\Users\Intho\AppData\Local\Google\Chrome\Application\chrome.exe
 
Task: {C614E03A-5CDF-465C-9FBE-4C3EC37AC1BC} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe
Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS\AutoKMS.exe
 
C:\ProgramData\ntuser.pol
C:\Users\Intho\AppData\Roaming\21797
C:\Users\Intho\AppData\Roaming\1de0de73-de3e-46c6-81b0-f6455f081644
C:\Windows\AutoKMS
 
Hosts:
EmptyTemp:
*****************
 
Processes closed successfully.
Restore point was successfully created.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKU\S-1-5-21-2900314479-2681443108-623195477-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value removed successfully
HKLM\Software\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => key not found. 
Chrome HomePage => not found.
C:\Users\Intho\AppData\Local\Google\Chrome\User Data\Default\Extensions\iicapmagmhahddefgokbabbgieiogjop => not found
HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome.DYJRD3GW3E6IIBLMVT4R3USJV4\shell\open\command\\Default => value restored successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{C614E03A-5CDF-465C-9FBE-4C3EC37AC1BC} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C614E03A-5CDF-465C-9FBE-4C3EC37AC1BC} => key removed successfully
C:\Windows\System32\Tasks\AutoKMS => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS => key removed successfully
C:\Windows\Tasks\AutoKMS.job => moved successfully
C:\ProgramData\ntuser.pol => moved successfully
C:\Users\Intho\AppData\Roaming\21797 => moved successfully
C:\Users\Intho\AppData\Roaming\1de0de73-de3e-46c6-81b0-f6455f081644 => moved successfully
C:\Windows\AutoKMS => moved successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 15231639 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 1650 B
Edge => 0 B
Chrome => 252924496 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 83519 B
systemprofile32 => 67163 B
LocalService => 66228 B
NetworkService => 96622 B
Intho => 75158395 B
 
RecycleBin => 6855250182 B
EmptyTemp: => 6.7 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 05:52:40 ====
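The fixlist above was assembled by hand from entries in the FRST.txt log posted in this thread. As an added example that is not part of the thread and not FRST's own logic, the Python helper below flags the same categories of entries (FRST's ATTENTION marker, orphaned "No File" references, a non-http homepage, an empty-named Run value, a scheduled task outside the usual program directories, a GUID-named file directly under AppData\Roaming) and turns the hits into fixlist-style entries. The trusted-directory list and the GUID-filename rule are illustrative assumptions, and the benign sample lines are constructed.

```python
"""Triage helper for FRST.txt logs (added example, not FRST's own logic)."""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (reason tag, original FRST line)

# Assumption: directories a scheduled task's executable is normally expected to live in.
TRUSTED_TASK_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# A Run/RunOnce value with an empty name, as in "HKLM-x32\...\Run: [] => [X]".
RUN_EMPTY_NAME = re.compile(r"\\Run(?:Once)?:\s*\[\]\s*=>")
# Chrome home/start page lines: "CHR HomePage: Default -> <url>".
HOMEPAGE = re.compile(r"^CHR\s+(?:HomePage|StartupUrls):\s+\S+\s+->\s+(?P<url>\S+)")
# Scheduled task lines: "Task: {GUID} - System32\Tasks\Name => <target>.exe".
TASK = re.compile(r"^Task:\s.*?=>\s*(?P<target>[A-Za-z]:\\.*?\.exe)", re.I)
# Assumption: a bare GUID used as a file name directly under AppData\Roaming.
GUID_IN_ROAMING = re.compile(
    r"\\AppData\\Roaming\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
    re.I,
)
# File entries start with two timestamps; the path is the last field.
FILE_ENTRY = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - .*?(?P<path>[A-Za-z]:\\.*)$")


def classify(line: str) -> str:
    """Return a reason tag for a suspicious FRST line, or '' if nothing matched."""
    if "<======= ATTENTION" in line:
        return "frst_attention"          # FRST's own marker, always worth a look
    if line.endswith("No File"):
        return "orphaned_reference"      # registry still points at a file that is gone
    m = HOMEPAGE.match(line)
    if m and not m.group("url").lower().startswith(("http://", "https://")):
        return "non_http_homepage"       # e.g. a file:// homepage pointing at an executable
    if RUN_EMPTY_NAME.search(line):
        return "empty_run_entry"
    m = TASK.match(line)
    if m and not m.group("target").lower().startswith(TRUSTED_TASK_DIRS):
        return "task_outside_trusted_dirs"
    if GUID_IN_ROAMING.search(line):
        return "guid_named_file_in_roaming"
    return ""


def triage_frst_lines(lines: List[str]) -> List[Finding]:
    """Run classify() over every non-empty line and collect the hits in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip()
        reason = classify(line) if line else ""
        if reason:
            findings.append((reason, line))
    return findings


def to_fixlist_entries(findings: List[Finding]) -> List[str]:
    """FRST takes most FRST.txt lines verbatim in a fixlist; file entries go in as bare paths."""
    entries = []
    for _, line in findings:
        m = FILE_ENTRY.match(line)
        entries.append(m.group("path") if m else line)
    return entries


# Constructed sample: the first six lines are copied from the fixlist in this thread,
# the last three are made-up benign entries that must not be flagged.
SAMPLE_FRST_LINES = [
    r"HKLM-x32\...\Run: [] => [X]",
    "GroupPolicy: Restriction <======= ATTENTION",
    r"Toolbar: HKU\S-1-5-21-2900314479-2681443108-623195477-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File",
    "CHR HomePage: Default -> file:///C:/Users/Intho/Desktop/mseinstall.exe",
    r"Task: {C614E03A-5CDF-465C-9FBE-4C3EC37AC1BC} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe",
    r"2017-05-28 03:19 - 2017-05-28 03:19 - 0000087 _____ () C:\Users\Intho\AppData\Roaming\1de0de73-de3e-46c6-81b0-f6455f081644",
    r"Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
    "CHR HomePage: Default -> https://www.google.com/",
    r"HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe",
]

if __name__ == "__main__":
    hits = triage_frst_lines(SAMPLE_FRST_LINES)
    for reason, line in hits:
        print(f"{reason:28s} {line}")
    print("\nfixlist entries:")
    print("\n".join(to_fixlist_entries(hits)))
```

The output is a starting point for review, not a fixlist to run blindly: every flagged entry still needs a human decision, which is why FRST fixes belong under a helper's guidance as Aura notes later in the thread.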


#6 Aura

    Bleepin' Special Ops
  • Malware Response Team

Posted 10 June 2017 - 03:00 PM

Now let's see if JRT finds anything.

Junkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press on any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;



#7 patch18AT

  • Topic Starter

Posted 10 June 2017 - 03:06 PM

JRT Log:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 7 Ultimate x64 
Ran by Intho (Administrator) on Sun 11/06/2017 at  6:03:38.10
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 0 
 
 
 
 
Registry: 1 
 
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 11/06/2017 at  6:06:18.88
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#8 Aura

    Bleepin' Special Ops
  • Malware Response Team

Posted 10 June 2017 - 03:11 PM

Alright.

Are you still getting redirected?



#9 patch18AT

  • Topic Starter

Posted 10 June 2017 - 03:12 PM

Admittedly I haven't tried surfing since, just in case!

 

Is there a way for me to recreate it aside from surfing?



#10 patch18AT (Topic Starter)

Posted 10 June 2017 - 03:14 PM

I have browsed around a few websites and so far so good.


Edited by patch18AT, 10 June 2017 - 03:15 PM.


#11 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 10 June 2017 - 03:20 PM

Another suggestion I would give you is to drop the Adblock extension, and use uBlock Origin instead. Way better.

https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en

Continue browsing with that setup and let me know how it goes.



#12 patch18AT (Topic Starter)

Posted 10 June 2017 - 03:21 PM

Excellent, I'll give the uBlock a go.

 

I'll keep browsing and report back to you if there are any dramas. I am also trying out Internet Explorer at the same time - just in case.



#13 patch18AT (Topic Starter)

Posted 10 June 2017 - 03:29 PM

Out of curiosity, is it ok for an average user to go ahead and install/run JRT before speaking with a Malware specialist?



#14 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 10 June 2017 - 03:47 PM

JRT, AdwCleaner, Malwarebytes, etc. can all be used without supervision. Tools that require manual fixes, such as FRST, ComboFix, OTL, etc., should only be run under the advice of a trained malware removal expert.



#15 patch18AT (Topic Starter)

Posted 11 June 2017 - 07:01 AM

Hello Aura,

 

After a full day of browsing it seems like the redirects are no longer happening.

 

Thank you so much!





