Cannot run any malware/virus programs. svcvmx.exe, vmxclient.exe


  • This topic is locked
20 replies to this topic

#1 1974_alane123

  • Members
  • 11 posts

Posted 14 June 2017 - 02:34 PM

Hi, I am infected with the svcvmx.exe, vmxclient.exe Trojan, and I am unable to run anything that may clean it. Downloaded FRST but cannot run that either. What information do you need, and any advice? Acer Inspire laptop.




#2 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts

Posted 14 June 2017 - 02:41 PM

Hi 1974_alane123 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name; it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply right after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system: I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here; better safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not; I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate it if you were to stay with me until the end, which means until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full-time job, so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean up some malware, so let's get started, shall we? :)

Follow the instructions in the thread below. Make sure to download the MBAR linked in it. Let me know if you're not able to launch it and run a scan.

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

If you manage to run a scan, delete everything it finds, and then copy/paste the content of the "mbar-log-TODAY'S-DATE.txt" log that is located in the MBAR folder here afterwards.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 1974_alane123
  • Topic Starter

  • Members
  • 11 posts

Posted 14 June 2017 - 02:52 PM

Hi, unfortunately I cannot run this either. It downloaded OK, but I cannot install/run it; it says the Requested Resource is in use.



#4 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts

Posted 14 June 2017 - 02:59 PM

If you launch the mbar.cmd file that is located inside the MBAR folder, does it work?



#5 1974_alane123
  • Topic Starter

  • Members
  • 11 posts

Posted 14 June 2017 - 03:03 PM

Unfortunately no. Right-clicked and tried Run as administrator, but same message: resource in use.



#6 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts

Posted 14 June 2017 - 03:05 PM

If you boot in Safe Mode and try to launch it normally from there, does it open?



#7 1974_alane123
  • Topic Starter

  • Members
  • 11 posts

Posted 14 June 2017 - 03:10 PM

Sorry, forgot to say, I am already in Safe Mode; normal mode only stays working for a short time, then blue screen. In Task Manager now, the one item that keeps coming back is CTF Loader; Windows Defender may have removed some items.



#8 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts

Posted 14 June 2017 - 03:17 PM

Do you have access to another computer and a USB Flash Drive by any chance?



#9 1974_alane123
  • Topic Starter

  • Members
  • 11 posts

Posted 14 June 2017 - 03:20 PM

Yes



#10 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts

Posted 14 June 2017 - 06:04 PM

Alright. On that computer, download FRST (the version for the infected computer) and copy it to your USB Flash Drive. Now, what version of Windows is the infected computer running: Windows 7, Windows 8/8.1 or Windows 10?



#11 1974_alane123
  • Topic Starter

  • Members
  • 11 posts

Posted 14 June 2017 - 06:17 PM

Windows 10



#12 1974_alane123
  • Topic Starter

  • Members
  • 11 posts

Posted 14 June 2017 - 06:37 PM

I have to sign off for the night, will try again tomorrow afternoon



#13 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts

Posted 15 June 2017 - 09:21 AM

Alright. In that case, on the other computer, use the Windows 10 Media Creation Tool to create installation media using your USB Flash Drive.

https://www.microsoft.com/en-ca/software-download/windows10

Once done, copy the FRST executable to the USB again (since the USB will be formatted during the media creation process).

After that, plug the USB into the infected computer and boot from it (to launch the Windows 10 install). Choose your language, keyboard and monetary format, then in the next window, click on the little "Repair your computer" at the bottom of the screen. This will bring you into the Recovery PE. From there, click on the Troubleshoot button, followed by Command Prompt.

Once in the Command Prompt:
  • In the command window, type in notepad and press Enter.
  • Notepad opens. Under the File menu, select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window, type e:\frst (for the x64 version, type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.



#14 1974_alane123
  • Topic Starter

  • Members
  • 11 posts

Posted 15 June 2017 - 02:06 PM

Will this wipe out any saved items?



#15 1974_alane123
  • Topic Starter

  • Members
  • 11 posts

Posted 15 June 2017 - 03:58 PM

Got the scan log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-06-2017
Ran by SYSTEM on MININT-4NB4LCK (15-06-2017 18:24:13)
Running from d:\
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [16696832 2016-11-22] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3935912 2015-08-09] (Synaptics Incorporated)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2017-05-12] (Microsoft Corporation)
HKLM-x32\...\Run: [IObit Malware Fighter] => C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe [5232928 2017-05-19] (IObit)
HKLM-x32\...\Run: [AnonymizerGadget] => C:\Users\gnasher\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe [349704 2017-06-12] (Jetico ltd) <===== ATTENTION
HKLM-x32\...\Run: [cpx] => "C:\Users\gnasher\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <===== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Users\gnasher\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe [884224 2017-04-21] ()
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\...\Policies\Explorer: [NoRecentDocsHistory] 1
HKLM\...\Policies\Explorer: [NoCDBurning] 1
Startup: C:\Users\gnasher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HMA Pro VPN 2.0.lnk [2017-06-13]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AdvancedSystemCareService9; C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe [452384 2016-07-25] (IObit)
S4 BlackBerry Device Manager; C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [588024 2014-10-31] (BlackBerry Limited)
S2 Dataup; C:\Users\gnasher\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () <==== ATTENTION
S2 IMFservice; C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe [1766176 2017-05-19] (IObit)
S2 LiveUpdateSvc; C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe [2960672 2016-07-20] (IObit)
S4 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [158952 2015-12-02] (McAfee, Inc.)
S3 OpenVPNService; C:\Program Files (x86)\HMA! Pro VPN\bin\openvpnserv.exe [37176 2015-03-17] (The OpenVPN Project)
S4 RIM MDNS; C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\mDNSResponder.exe [396024 2015-03-19] (Apple Inc.)
S4 RIM Tunnel Service; C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe [1354488 2015-03-19] (BlackBerry Limited)
S3 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1750712 2015-06-16] (Safer-Networking Ltd.)
S3 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2102496 2015-06-16] (Safer-Networking Ltd.)
S3 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [224712 2015-07-24] (Safer-Networking Ltd.)
S2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [237736 2015-08-09] (Synaptics Incorporated)
S3 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [308088 2015-12-07] (Western Digital Technologies, Inc.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347320 2017-05-12] (Microsoft Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103712 2017-05-12] (Microsoft Corporation)
S2 windowsmanagementservice; C:\Users\gnasher\AppData\Local\vegrh\rahiaps\ct.exe [689664 2017-05-30] () <==== ATTENTION
S3 WsAppService; C:\Program Files (x86)\Wondershare\WAF\2.1.6.0\WsAppService.exe [388608 2016-01-28] (Wondershare)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 amdkmafd; C:\Windows\System32\drivers\amdkmafd.sys [49448 2016-08-18] (Advanced Micro Devices, Inc.)
S3 amdkmdag; C:\Windows\System32\DriverStore\FileRepository\c0313603.inf_amd64_fa1ab8bfadcbfd29\atikmdag.sys [36549512 2017-04-24] (Advanced Micro Devices, Inc.)
S3 amdkmdap; C:\Windows\System32\DriverStore\FileRepository\c0313603.inf_amd64_fa1ab8bfadcbfd29\atikmpag.sys [520072 2017-04-24] (Advanced Micro Devices, Inc.)
S3 athr; C:\Windows\System32\drivers\athw10x.sys [4317112 2017-01-17] (Qualcomm Atheros Communications, Inc.)
S3 AthrSdSrv; C:\Windows\system32\DRIVERS\athrsd.sys [48760 2012-11-30] (Qualcomm Atheros, Inc.)
S3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWT6.sys [110088 2017-03-31] (Advanced Micro Devices)
S3 blackberryncm; C:\Windows\System32\drivers\blackberryncm6_AMD64.sys [25088 2014-09-08] (BlackBerry)
S0 drmkpro64; C:\Windows\System32\drivers\ndistpr64.sys [80160 2013-09-03] () <==== ATTENTION
S3 DSI_SiUSBXp_3_1; C:\Windows\system32\drivers\DSI_SiUSBXp_3_1.sys [16384 2007-09-06] (Silicon Laboratories)
S3 esgiguard; C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [15920 2015-09-12] (Enigma Software Group USA, LLC.)
S1 HWiNFO32; C:\WINDOWS\SysWOW64\drivers\HWiNFO64A.SYS [27552 2016-07-17] (REALiX™)
S1 IMFCameraProtect; C:\WINDOWS\system32\drivers\IMFCameraProtect.sys [44096 2017-03-29] (IObit.com)
S3 IMFDownProtect; C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win10_amd64\IMFDownProtect.sys [39288 2017-03-05] (IObit.com)
S3 IMFFilter; C:\Program Files (x86)\IObit\IObit Malware Fighter\Drivers\win10_amd64\IMFFilter.sys [40440 2017-02-15] (IObit)
S3 IMFForceDelete; C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win10_amd64\IMFForceDelete.sys [33600 2017-02-15] (IObit.com)
S3 LMDriver; C:\Windows\System32\drivers\LMDriver.sys [21360 2013-01-09] (Acer Incorporated)
S3 mfesapsn; C:\Program Files (x86)\McAfee\SiteAdvisor\x64\mfesapsn.sys [37448 2015-12-02] (McAfee, Inc.)
S3 NetAdapterCx; C:\Windows\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
S3 RadioShim; C:\Windows\System32\drivers\RadioShim.sys [15704 2013-01-09] (Acer Incorporated)
S3 RegFilter; C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win10_amd64\regfilter.sys [52792 2017-02-15] (IObit.com)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [79872 2014-05-06] (BlackBerry Limited)
S3 rimvndis; C:\Windows\System32\Drivers\rimvndis6_AMD64.sys [18432 2015-03-19] (BlackBerry Limited)
S3 RimVSerPort; C:\Windows\system32\DRIVERS\RimSerial_AMD64.sys [44544 2012-12-10] (Research in Motion Ltd)
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [28400 2013-06-13] (Synaptics Incorporated)
S3 SmbDrvI; C:\Windows\System32\drivers\Smb_driver_Intel.sys [31984 2013-06-13] (Synaptics Incorporated)
S3 Trufos; C:\Windows\System32\DRIVERS\TRUFOS.sys [520032 2016-12-05] (BitDefender S.R.L.)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-15 18:24 - 2017-06-15 18:24 - 00000000 ____D C:\FRST
2017-06-15 18:22 - 2017-06-15 18:22 - 00000000 _____ C:\Recovery.txt
2017-06-15 12:47 - 2017-06-15 12:47 - 00000214 _____ C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job
2017-06-15 11:10 - 2017-06-15 11:10 - 00000000 ____D C:\ESD
2017-06-15 11:09 - 2017-06-15 11:09 - 00000000 ___HD C:\$Windows.~WS
2017-06-15 11:09 - 2017-06-15 11:09 - 00000000 ____D C:\Windows\Panther
2017-06-15 11:09 - 2017-06-15 11:09 - 00000000 ____D C:\$WINDOWS.~BT
2017-06-14 11:25 - 2017-06-14 11:26 - 01663672 _____ (Malwarebytes) C:\Users\gnasher\Desktop\JRT.exe
2017-06-14 11:19 - 2017-06-14 11:19 - 00000000 ____D C:\Users\gnasher\Desktop\mbar
2017-06-14 11:10 - 2017-06-14 11:10 - 02438656 _____ (Farbar) C:\Users\gnasher\Desktop\FRST64.exe
2017-06-13 14:33 - 2017-06-13 14:33 - 00000000 ____D C:\Windows\pss
2017-06-13 14:21 - 2017-06-13 14:31 - 00004160 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{CB5EF2C4-4054-48F0-B28E-1F5302DE24BC}
2017-06-13 14:16 - 2017-06-13 14:17 - 00881904 _____ (Plumbytes Software) C:\Users\terri_000\Downloads\antimalwaresetup.exe
2017-06-13 14:09 - 2017-06-13 14:10 - 00412004 _____ C:\Windows\Minidump\061317-36453-01.dmp
2017-06-13 14:04 - 2017-06-13 14:09 - 573323716 _____ C:\Windows\MEMORY.DMP
2017-06-13 14:04 - 2017-06-13 14:05 - 00412012 _____ C:\Windows\Minidump\061317-31437-01.dmp
2017-06-13 13:45 - 2017-06-13 13:46 - 00412100 _____ C:\Windows\Minidump\061317-31281-01.dmp
2017-06-13 13:32 - 2017-06-13 13:33 - 00000000 ____D C:\Program Files\ntuserlitelist
2017-06-13 13:32 - 2017-06-13 13:32 - 00000000 ____D C:\Users\terri_000\AppData\Roaming\Macromedia
2017-06-13 13:31 - 2017-06-13 13:31 - 00003284 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task v2
2017-06-13 13:28 - 2017-06-13 13:28 - 00000000 ____D C:\Users\terri_000\AppData\Roaming\Skype
2017-06-13 13:25 - 2017-06-13 13:26 - 00411860 _____ C:\Windows\Minidump\061317-36171-01.dmp
2017-06-13 13:18 - 2017-06-13 13:19 - 00411940 _____ C:\Windows\Minidump\061317-31515-01.dmp
2017-06-13 13:08 - 2017-06-13 13:08 - 00000000 _____ C:\Windows\Minidump\061317-33921-01.dmp
2017-06-13 12:45 - 2017-06-13 12:45 - 00412004 _____ C:\Windows\Minidump\061317-36609-01.dmp
2017-06-13 12:37 - 2017-06-13 12:38 - 00411860 _____ C:\Windows\Minidump\061317-34093-01.dmp
2017-06-13 11:35 - 2017-06-13 11:35 - 00003242 _____ C:\Windows\System32\Tasks\{96005F68-1B52-4509-9058-955F62945B00}
2017-06-13 11:26 - 2017-06-13 14:09 - 00000000 ____D C:\Windows\Minidump
2017-06-12 12:05 - 2017-06-12 12:05 - 00002494 _____ C:\Windows\System32\Tasks\Uninstaller_SkipUac_gnasher
2017-06-12 12:05 - 2017-06-12 12:05 - 00000300 _____ C:\Windows\Tasks\Uninstaller_SkipUac_gnasher.job
2017-06-12 12:01 - 2017-06-12 12:01 - 00006610 _____ C:\Windows\TEMPcoral.vbs
2017-06-12 11:37 - 2017-06-12 12:07 - 00000000 ____D C:\Users\gnasher\AppData\Local\llssoft
2017-06-12 11:36 - 2017-06-12 12:57 - 00000000 ____D C:\Users\gnasher\AppData\Local\ntuserlitelist
2017-06-12 11:35 - 2017-06-12 11:35 - 00021504 _____ C:\Users\gnasher\AppData\Local\leloex.dll
2017-06-12 11:35 - 2017-06-12 11:35 - 00002048 _____ C:\Users\gnasher\AppData\Local\uninstallro.exe
2017-06-12 11:35 - 2017-06-12 11:35 - 00000000 ____D C:\Users\gnasher\AppData\Roaming\c
2017-06-12 11:35 - 2017-06-12 11:35 - 00000000 ____D C:\Users\gnasher\AppData\Local\vegrh
2017-06-12 11:35 - 2017-06-12 11:35 - 00000000 ____D C:\Users\gnasher\AppData\Local\heokta
2017-06-12 11:33 - 2017-06-12 11:35 - 00000000 ____D C:\Users\gnasher\AppData\Roaming\AGData
2017-06-12 11:33 - 2017-06-12 11:33 - 00003394 _____ C:\Windows\System32\Tasks\AGProxyCheck
2017-06-04 13:18 - 2017-06-14 12:38 - 00000000 ____D C:\Users\gnasher\Desktop\Backup
2017-06-04 12:38 - 2017-06-07 15:20 - 00000000 ____D C:\Program Files (x86)\FonePaw
2017-06-04 05:53 - 2017-06-07 15:17 - 00000000 ____D C:\Program Files (x86)\Jihosoft
2017-06-03 13:06 - 2017-06-03 13:07 - 00000000 ____D C:\Users\gnasher\Desktop\Ireland 2017
2017-06-03 12:57 - 2017-06-03 12:57 - 00000000 ____D C:\Users\terri_000\AppData\LocalLow\AMD
2017-06-03 12:43 - 2017-06-03 12:43 - 00000000 ____D C:\Users\terri_000\AppData\LocalLow\IObit
2017-06-03 12:42 - 2017-06-03 12:42 - 00000000 ____D C:\Users\terri_000\AppData\Local\Wondershare
2017-06-03 12:41 - 2017-06-03 12:42 - 00000000 ____D C:\Users\terri_000\AppData\Local\PackageStaging
2017-06-03 12:41 - 2017-06-03 12:41 - 00000000 ____D C:\Users\terri_000\AppData\Roaming\ProductData
2017-06-03 12:40 - 2017-06-03 12:57 - 00002338 _____ C:\Users\terri_000\Desktop\Google Chrome.lnk
2017-06-03 12:40 - 2017-06-03 12:40 - 00000000 ____D C:\Users\terri_000\AppData\Local\Google
2017-06-03 12:22 - 2017-06-03 12:23 - 00000000 ____D C:\Users\gnasher\AppData\Roaming\Tenorshare iOS Data Recovery
2017-05-25 11:33 - 2016-01-19 11:45 - 00000232 _____ C:\Windows\SysWOW64\dllhost.exe.config
2017-05-24 11:53 - 2017-06-03 12:09 - 00000000 ____D C:\Users\gnasher\Documents\Wondershare Dr.Fone for iOS
2017-05-24 11:50 - 2017-06-04 04:00 - 00000000 ____D C:\Program Files (x86)\Wondershare
2017-05-24 11:50 - 2017-06-04 04:00 - 00000000 ____D C:\Program Files (x86)\Dr.Fone_Temp
2017-05-24 11:50 - 2017-05-24 11:52 - 00000000 ____D C:\ProgramData\Wondershare
2017-05-23 13:34 - 2016-11-07 12:11 - 00191552 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2017-05-23 13:34 - 2016-11-07 12:11 - 00191040 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2017-05-23 13:34 - 2016-11-07 12:11 - 00097856 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2017-05-23 13:26 - 2017-05-23 13:26 - 00000000 ____D C:\Users\gnasher\.jmc
2017-05-23 13:26 - 2017-05-23 13:26 - 00000000 ____D C:\Users\gnasher\.eclipse
2017-05-23 13:19 - 2017-05-23 13:19 - 00000600 _____ C:\Users\gnasher\AppData\Roaming\winscp.rnd
2017-05-23 13:19 - 2017-05-23 13:19 - 00000600 _____ C:\Users\gnasher\AppData\Local\PUTTY.RND
2017-05-23 13:17 - 2017-05-23 13:17 - 01095080 _____ (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2017-05-23 13:17 - 2017-05-23 13:17 - 00973736 _____ (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2017-05-23 13:16 - 2017-05-23 14:01 - 00000000 ____D C:\Program Files\Java
2017-05-23 13:16 - 2016-11-07 12:11 - 00908352 _____ (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2017-05-23 13:16 - 2016-11-07 12:11 - 00826432 _____ (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2017-05-23 13:16 - 2016-11-07 12:11 - 00268864 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2017-05-17 06:02 - 2017-05-17 06:02 - 00125952 _____ C:\Users\gnasher\AppData\Local\report

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-15 12:50 - 2016-07-15 22:04 - 01572864 _____ C:\Windows\System32\config\BBI
2017-06-15 12:45 - 2016-09-16 16:21 - 00000000 ____D C:\Windows\System32\SleepStudy
2017-06-14 15:39 - 2015-09-10 12:48 - 00000000 ____D C:\Users\gnasher\AppData\Roaming\vlc
2017-06-14 13:44 - 2014-12-16 03:57 - 00000000 ____D C:\Users\gnasher\Desktop\Utilities
2017-06-14 13:44 - 2014-06-17 02:56 - 00000000 ____D C:\Users\gnasher\Desktop\MS Office
2017-06-13 23:53 - 2016-09-12 16:46 - 00000000 ____D C:\Users\gnasher\tY2dnCetXPedPlnV
2017-06-13 23:53 - 2016-09-12 13:52 - 00000000 ____D C:\Users\gnasher\OeV5GsQGJM3gATVk
2017-06-13 14:56 - 2014-08-28 12:36 - 00000000 ____D C:\Users\gnasher\Documents\Vuze Downloads
2017-06-13 14:35 - 2016-09-16 17:05 - 00000006 _____ C:\Windows\Tasks\SA.DAT
2017-06-13 14:34 - 2017-04-30 12:13 - 00000000 ____D C:\Windows\AppReadiness
2017-06-13 14:32 - 2016-09-16 16:31 - 00000000 ____D C:\users\gnasher
2017-06-13 14:08 - 2015-09-13 10:11 - 00000000 ____D C:\Users\gnasher\AppData\Roaming\Azureus
2017-06-13 13:31 - 2015-12-10 16:50 - 00000000 ____D C:\Users\terri_000\AppData\Local\Packages
2017-06-13 13:31 - 2014-06-15 13:28 - 00000000 __RDO C:\Users\terri_000\OneDrive
2017-06-13 13:30 - 2017-04-17 05:30 - 00000000 ____D C:\Users\terri_000\AppData\Local\ConnectedDevicesPlatform
2017-06-13 12:41 - 2016-09-16 16:31 - 00000000 ____D C:\users\terri_000
2017-06-13 12:25 - 2016-05-03 14:25 - 00000000 ____D C:\ProgramData\System
2017-06-13 11:51 - 2016-07-16 03:47 - 00000000 ____D C:\Windows\LiveKernelReports
2017-06-13 11:28 - 2016-07-16 03:45 - 00000000 ____D C:\Windows\INF
2017-06-12 11:07 - 2016-11-20 13:03 - 05705728 _____ C:\Windows\System32\config\DRIVERS.iodefrag.bak
2017-06-12 11:07 - 2016-10-05 12:17 - 98091008 _____ C:\Windows\System32\config\SOFTWARE.iodefrag.bak
2017-06-12 11:07 - 2016-10-05 12:17 - 00364544 _____ C:\Windows\System32\config\DEFAULT.iodefrag.bak
2017-06-12 11:07 - 2016-10-05 12:17 - 00110592 _____ C:\Windows\System32\config\SAM.iodefrag.bak
2017-06-12 11:07 - 2016-10-05 12:17 - 00036864 _____ C:\Windows\System32\config\SECURITY.iodefrag.bak
2017-06-11 14:22 - 2017-04-16 13:08 - 00000000 ____D C:\Users\gnasher\AppData\Roaming\.minecraft
2017-06-11 14:21 - 2016-08-20 15:06 - 00000000 ____D C:\Users\gnasher\Desktop\HP
2017-06-11 14:06 - 2016-11-09 16:34 - 00000000 ____D C:\ProgramData\Apple
2017-06-10 13:39 - 2017-05-06 05:05 - 00000000 ____D C:\Users\gnasher\AppData\Roaming\Kodi
2017-06-09 11:57 - 2016-02-29 14:50 - 00000000 ____D C:\ProgramData\ProductData
2017-06-08 11:29 - 2016-07-16 03:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-06-06 13:22 - 2015-09-08 12:03 - 00001143 _____ C:\Users\Public\Desktop\VLC media player.lnk
2017-06-04 03:41 - 2016-11-01 15:33 - 00000000 ____D C:\Users\Public\Documents\iSunshare iTunes Password Genius
2017-06-03 12:50 - 2015-12-25 06:40 - 00000000 ____D C:\Users\terri_000\AppData\Roaming\Apple Computer
2017-06-03 12:43 - 2017-04-17 05:30 - 00000000 ____D C:\Users\terri_000\AppData\Roaming\IObit
2017-06-03 12:41 - 2015-12-10 17:01 - 00000000 ____D C:\Users\terri_000\AppData\Local\AMD
2017-06-03 12:40 - 2014-06-05 21:23 - 00000000 ___RD C:\Users\Public\AccountPictures
2017-05-24 14:22 - 2015-11-26 17:33 - 00000000 ____D C:\Program Files (x86)\iTunes
2017-05-23 14:08 - 2015-08-30 09:43 - 00002644 _____ C:\Windows\System32\PerfStringBackup.INI
2017-05-23 14:01 - 2015-09-13 10:07 - 00000000 ____D C:\Program Files (x86)\Java
2017-05-23 13:52 - 2016-07-03 04:38 - 00000000 ____D C:\Users\gnasher\Desktop\emperor
2017-05-23 13:50 - 2014-06-16 00:49 - 00000000 ____D C:\Users\gnasher\Desktop\Media
2017-05-23 13:44 - 2015-08-30 09:41 - 00000000 ____D C:\Users\gnasher\AppData\Local\Packages
2017-05-23 12:19 - 2016-01-06 12:37 - 00000000 ____D C:\Users\gnasher\AppData\Local\ElevatedDiagnostics
2017-05-17 03:04 - 2016-02-29 14:50 - 00000000 ____D C:\ProgramData\IObit

Files to move or delete:
====================
C:\Users\gnasher\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe
C:\Users\gnasher\RegSvcs.exe

Some files in TEMP:
====================
2017-06-13 12:34 - 2017-06-13 14:08 - 0035680 _____ () C:\Users\gnasher\AppData\Local\Temp\i4jdel0.exe
2017-06-06 13:18 - 2017-06-06 13:19 - 30950664 _____ () C:\Users\gnasher\AppData\Local\Temp\vlc-2.2.6-win32.exe

==================== Known DLLs (Whitelisted) =========================

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe
[2017-05-12 06:32] - [2017-05-12 06:32] - 0673792 _____ (Microsoft Corporation) B2151FE002A8D3F41E2DF935F260E3A8

C:\Windows\System32\wininit.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 0304240 _____ (Microsoft Corporation) 99A19C9A74E2F9820E501DCE77F84F70

C:\Windows\explorer.exe
[2017-05-12 06:32] - [2017-05-12 06:32] - 4674360 _____ (Microsoft Corporation) 679D17F8CDB938C7100D7A647953677E

C:\Windows\SysWOW64\explorer.exe
[2017-05-12 06:32] - [2017-05-12 06:32] - 4312248 _____ (Microsoft Corporation) 6E46F7CBC16009E381015C69F4FA22B1

C:\Windows\System32\svchost.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 0044496 _____ (Microsoft Corporation) 36F670D89040709013F6A460176767EC

C:\Windows\SysWOW64\svchost.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 0038792 _____ (Microsoft Corporation) 1F8434DD4907C832E6E90D6298EAB85B

C:\Windows\System32\services.exe
[2017-05-12 06:32] - [2017-05-12 06:32] - 0453536 _____ (Microsoft Corporation) 9A3B47CD17283B299311013AD3D21D26

C:\Windows\System32\User32.dll
[2016-12-27 12:11] - [2016-12-27 12:11] - 1461200 _____ (Microsoft Corporation) C46EA86BF0E7C96235E9064CBAD6ED26

C:\Windows\SysWOW64\User32.dll
[2016-12-27 12:11] - [2016-12-27 12:11] - 1435896 _____ (Microsoft Corporation) 4BEC594A3D4AEAFAC400D88F7E328C7B

C:\Windows\System32\userinit.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 0033280 _____ (Microsoft Corporation) C1B1FFC800BE2F31EB2CF8CB40629C69

C:\Windows\SysWOW64\userinit.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 0027648 _____ (Microsoft Corporation) FA900E6CCCF0A429D5B720C6F0E2274B

C:\Windows\System32\rpcss.dll
[2017-05-12 06:31] - [2017-05-12 06:31] - 0890368 _____ (Microsoft Corporation) 4A7015195E49A3BA7DB967B277B21E9D

C:\Windows\System32\dnsapi.dll
[2017-03-15 15:09] - [2017-03-15 15:09] - 0646688 _____ (Microsoft Corporation) 2813C62F5BE7FAF0A1C5CC37E5C2F25D

C:\Windows\SysWOW64\dnsapi.dll
[2017-03-15 15:09] - [2017-03-15 15:09] - 0497416 _____ (Microsoft Corporation) AA86DC342B4ED1C1F839C3BC8AEA64B1

C:\Windows\System32\Drivers\volsnap.sys
[2016-07-16 03:42] - [2016-07-16 03:42] - 0391520 _____ (Microsoft Corporation) BF2546583BB75F01DDA60A7921DFB230

 

safeboot: Network => The system is configured to boot to Safe Mode <===== ATTENTION

==================== Association (Whitelisted) =============

==================== Restore Points =========================

Restore point date: 2017-06-13 17:15

==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 5573.01 MB
Available physical RAM: 4802.7 MB
Total Virtual: 5573.01 MB
Available Virtual: 4828.69 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:681.57 GB) (Free:586.56 GB) NTFS
Drive d: (ESD-USB) (Removable) (Total:29.5 GB) (Free:26.09 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.5 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 698.6 GB) (Disk ID: CC8419CC)

Partition: GPT.

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 29.5 GB) (Disk ID: 289C4AC6)
Partition 1: (Active) - (Size=29.5 GB) - (Type=0C)

LastRegBack: 2017-06-03 11:04

==================== End of FRST.txt ============================
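An added example, not code from the thread or from FRST itself: a small Python triage script for the log format posted above. It parses the Run, Services and Drivers lines the way FRST prints them, keeps FRST's own "<==== ATTENTION" marks, and separately flags autostart entries that run from a user-writable location or carry no publisher information, which is how an entry such as svcvmx.exe stands out even though FRST did not mark it. The sample log is constructed from lines in the same format, and the function names `parse_frst` and `triage` and the flagging rules are my own, not FRST's.

```python
# Added example (not FRST's own code): parse the Run, Services and Drivers lines of an
# FRST.txt log and list the autostart entries an analyst would review first.
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the line layout FRST prints (modelled on the log above).
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ====================
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [16696832 2016-11-22] (Realtek Semiconductor)
HKLM-x32\...\Run: [IObit Malware Fighter] => C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe [5232928 2017-05-19] (IObit)
HKLM-x32\...\Run: [cpx] => "C:\Users\gnasher\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <===== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Users\gnasher\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe [884224 2017-04-21] ()
==================== Services (Whitelisted) ====================
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103712 2017-05-12] (Microsoft Corporation)
S2 windowsmanagementservice; C:\Users\gnasher\AppData\Local\vegrh\rahiaps\ct.exe [689664 2017-05-30] () <==== ATTENTION
===================== Drivers (Whitelisted) ======================
S0 drmkpro64; C:\Windows\System32\drivers\ndistpr64.sys [80160 2013-09-03] () <==== ATTENTION
S3 NetAdapterCx; C:\Windows\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
"""

SECTION_RE = re.compile(r"^=+\s*(?P<title>.+?)\s*=+$")
RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\Run: \[(?P<name>[^\]]+)\] => (?P<rest>.*)$")
SVC_RE = re.compile(r"^(?P<start>[SRU]\d?) (?P<name>[^;]+); (?P<rest>.*)$")
ATTENTION_RE = re.compile(r"<=+ ATTENTION\s*$")
PUBLISHER_RE = re.compile(r"\((?P<pub>[^()]*)\)\s*(?:<=+ ATTENTION)?\s*$")
# An unquoted path ends before " [size date]", before a trailing " (publisher)" or before the
# marker; " (x86)" inside "Program Files (x86)" is not at end-of-line, so it does not cut the path.
PATH_RE = re.compile(
    r"^(?P<path>.+?)(?= \[\d+ \d{4}-\d{2}-\d{2}\]| \([^()]*\)\s*(?:<=+ ATTENTION)?\s*$| <=+ ATTENTION\s*$|$)"
)
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
KIND_BY_SECTION = {"Registry": "run", "Services": "service", "Drivers": "driver"}

@dataclass
class Entry:
    kind: str                  # "run", "service" or "driver"
    name: str
    path: str
    publisher: str | None      # None: no "(...)" printed at all; "": FRST printed "()"
    attention: bool            # FRST's own "<==== ATTENTION" marker
    reasons: list[str] = field(default_factory=list)

def _split_rest(rest: str) -> tuple[str, str | None, bool]:
    """Split the text after '=>' or ';' into (path, publisher, attention)."""
    attention = bool(ATTENTION_RE.search(rest))
    pub = PUBLISHER_RE.search(rest)
    publisher = pub.group("pub").strip() if pub else None
    if rest.startswith('"'):            # quoted path, possibly followed by arguments
        end = rest.find('"', 1)
        path = rest[1:end] if end > 0 else rest[1:]
    else:
        path = PATH_RE.match(rest).group("path")
    return path.strip(), publisher, attention

def _assess(entry: Entry) -> list[str]:
    """Why an analyst would look at this entry; an empty list means nothing stood out."""
    reasons = []
    if entry.attention:
        reasons.append("flagged by FRST")
    if USER_WRITABLE_RE.search(entry.path):
        reasons.append("autostart from a user-writable location")
    # FRST also prints "()" for some inbox Windows files (NetAdapterCx.sys in the sample),
    # so for drivers a missing publisher only corroborates another finding.
    if not entry.publisher and (entry.kind != "driver" or reasons):
        reasons.append("no publisher or version info")
    return reasons

def parse_frst(log_text: str) -> list[Entry]:
    """Parse Run, Services and Drivers lines into Entry objects; other lines are ignored."""
    entries, kind = [], None
    for line in log_text.splitlines():
        section = SECTION_RE.match(line.rstrip())
        if section:
            kind = KIND_BY_SECTION.get(section.group("title").split(" ")[0])
            continue
        if kind is None:
            continue
        match = (RUN_RE if kind == "run" else SVC_RE).match(line.rstrip())
        if match:
            path, publisher, attention = _split_rest(match.group("rest"))
            entry = Entry(kind, match.group("name"), path, publisher, attention)
            entry.reasons = _assess(entry)
            entries.append(entry)
    return entries

def triage(log_text: str) -> list[Entry]:
    """Entries with at least one reason, most reasons first, then by name."""
    flagged = [e for e in parse_frst(log_text) if e.reasons]
    flagged.sort(key=lambda e: (-len(e.reasons), e.name.lower()))
    return flagged

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e.kind}] {e.name}: {e.path}  <- {'; '.join(e.reasons)}")
```

The flags are review prompts, not verdicts: a legitimate program can autostart from AppData, so each hit still needs the file checked before it goes into a fixlist.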