
Windows 10 going Straight to Cmd.exe after scammer had access


  • This topic is locked
60 replies to this topic

#1 rhcomp

rhcomp

  • Members
  • 29 posts
  • OFFLINE
  • Gender:Male
  • Location:Devon, UK
  • Local time:12:22 PM

Posted 01 July 2017 - 07:47 AM

Hi. I'm trying to fix a computer for a friend who had a window pop up on screen with a phone number. He rang it and let them have access; then they talked about money. I hung up, but he did turn his computer off. So now all he gets is this: Windows 10 logs in the normal way, he clicks his name, and then it redirects to a cmd.exe prompt, C:\windows\system32>.
The attack happened on 2017-06-23, mid afternoon, if this helps.
I have pulled his hard drive out and got his data.

While looking round the web I stumbled upon FRST and this forum. I can't access Windows at all; this is all through the cmd prompt.
Below is the FRST log file; the Addition and Fixlist files are attached. Any help would be appreciated, if this could be sorted.
This is a new program to me and I'm not sure how to use it, so help would be very welcome.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 29-06-2017
Ran by Richard (administrator) on DESKTOP-NGSHFDV (01-07-2017 12:31:13)
Running from D:\Fabar
Loaded Profiles: Richard (Available Profiles: defaultuser0 & Richard)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Safe Mode (minimal)
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
 
==================== Registry (Whitelisted) ====================
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{5f7765f7-9509-4b9b-9bba-7c0574b9ec6b}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{d3764c38-4d52-4c85-a3f6-78d3df433a77}: [DhcpNameServer] 192.168.1.254
 
Internet Explorer:
==================
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2016-07-30] (IvoSoft)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll [2016-07-30] (IvoSoft)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2016-07-30] (IvoSoft)
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2016-07-30] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2016-07-30] (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2016-07-30] (IvoSoft)
 
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-04-05] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3720240877-411679040-2386219677-1001: @citrixonline.com/appdetectorplugin -> C:\Users\Richard\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2017-06-23] (Citrix Online)
 
Chrome: 
=======
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Richard\AppData\Local\Google\Chrome\User Data\Default [2017-06-23]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Richard\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-06-14]
CHR Extension: (Chrome Media Router) - C:\Users\Richard\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-14]
 
==================== Services (Whitelisted) ====================
 
===================== Drivers (Whitelisted) ======================
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-06-29 18:50 - 2017-07-01 12:31 - 00000000 ____D C:\FRST
2017-06-23 16:36 - 2017-07-01 12:30 - 02297450 _____ C:\Windows\ntbtlog.txt
2017-06-23 16:34 - 2017-06-23 16:34 - 00000000 ____D C:\Windows\pss
2017-06-23 16:16 - 2017-06-23 16:16 - 00001667 _____ C:\Users\Richard\Desktop\GoToAssist Customer.lnk
2017-06-23 16:16 - 2017-06-23 16:16 - 00000000 ____D C:\Users\Richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Citrix
2017-06-23 16:16 - 2017-06-23 16:16 - 00000000 ____D C:\Users\Richard\AppData\Local\GoToAssist Remote Support Customer
2017-06-23 16:16 - 2017-06-23 16:16 - 00000000 ____D C:\Program Files (x86)\Citrix
2017-06-23 16:15 - 2017-06-23 16:16 - 00000000 ____D C:\Users\Richard\AppData\Local\Citrix
2017-06-23 16:12 - 2017-06-23 16:12 - 00004126 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{031D9980-2A21-452C-B4B6-60D0682F00D1}
2017-06-23 15:36 - 2017-06-23 15:36 - 13111449 _____ C:\Users\Richard\Downloads\archive (8).zip
2017-06-23 15:05 - 2017-06-23 15:05 - 00524940 _____ C:\Windows\Minidump\062317-24031-01.dmp
2017-06-22 00:18 - 2017-06-22 00:18 - 00000000 ____D C:\Users\Richard\AppData\Local\ElevatedDiagnostics
2017-06-22 00:15 - 2017-06-22 00:15 - 00000661 _____ C:\Users\Richard\Downloads\audio10.diagcab
2017-06-20 20:45 - 2017-06-20 20:45 - 00743012 _____ C:\Windows\Minidump\062017-24250-01.dmp
2017-06-20 16:10 - 2017-06-20 16:10 - 00526340 _____ C:\Windows\Minidump\062017-22390-01.dmp
2017-06-20 01:37 - 2017-06-20 01:37 - 00525172 _____ C:\Windows\Minidump\062017-22859-01.dmp
2017-06-19 22:10 - 2017-06-19 22:10 - 00580500 _____ C:\Windows\Minidump\061917-20875-01.dmp
2017-06-19 19:12 - 2017-06-19 19:13 - 00524492 _____ C:\Windows\Minidump\061917-36343-01.dmp
2017-06-19 14:19 - 2017-06-19 14:19 - 00469260 _____ C:\Windows\Minidump\061917-21015-01.dmp
2017-06-18 21:59 - 2017-06-18 22:00 - 00657668 _____ C:\Windows\Minidump\061817-24609-01.dmp
2017-06-18 16:51 - 2017-06-18 16:51 - 00521804 _____ C:\Windows\Minidump\061817-23296-01.dmp
2017-06-17 23:24 - 2017-06-17 23:24 - 02642098 _____ C:\Users\Richard\Downloads\archive (7).zip
2017-06-17 23:06 - 2017-06-17 23:06 - 02642098 _____ C:\Users\Richard\Downloads\archive (6).zip
2017-06-17 23:06 - 2017-06-17 23:06 - 02642098 _____ C:\Users\Richard\Downloads\archive (5).zip
2017-06-17 23:05 - 2017-06-17 23:05 - 02642098 _____ C:\Users\Richard\Downloads\archive (4).zip
2017-06-17 23:05 - 2017-06-17 23:05 - 02642098 _____ C:\Users\Richard\Downloads\archive (3).zip
2017-06-17 23:05 - 2017-06-17 23:05 - 02642098 _____ C:\Users\Richard\Downloads\archive (2).zip
2017-06-17 11:42 - 2017-06-17 11:42 - 00000000 ____D C:\Users\Richard\Downloads\New folder
2017-06-17 11:00 - 2017-06-17 11:00 - 00352574 _____ C:\Users\Richard\Downloads\archive.zip
2017-06-17 11:00 - 2017-06-17 11:00 - 00352574 _____ C:\Users\Richard\Downloads\archive (1).zip
2017-06-16 19:09 - 2017-06-16 19:10 - 00443372 _____ C:\Windows\Minidump\061617-23312-01.dmp
2017-06-16 14:49 - 2017-06-16 14:50 - 00579380 _____ C:\Windows\Minidump\061617-23046-01.dmp
2017-06-16 09:45 - 2017-06-16 09:45 - 00583756 _____ C:\Windows\Minidump\061617-24968-01.dmp
2017-06-16 06:08 - 2017-06-16 06:09 - 00472636 _____ C:\Windows\Minidump\061617-23734-01.dmp
2017-06-16 02:31 - 2017-06-16 02:32 - 00772276 _____ C:\Windows\Minidump\061617-22515-01.dmp
2017-06-15 14:34 - 2017-06-15 14:35 - 00509100 _____ C:\Windows\Minidump\061517-34562-01.dmp
2017-06-14 22:50 - 2017-06-14 22:50 - 00000000 ____D C:\Users\Richard\AppData\Roaming\Google
2017-06-14 19:21 - 2017-06-14 19:21 - 00000000 __SHD C:\found.000
2017-06-14 07:58 - 2017-06-14 07:58 - 00470460 _____ C:\Windows\Minidump\061417-25078-01.dmp
2017-06-14 04:06 - 2017-06-14 04:06 - 00448356 _____ C:\Windows\Minidump\061417-44406-01.dmp
2017-06-14 03:58 - 2017-06-14 03:58 - 00000000 ___SD C:\Windows\UpdateAssistantV2
2017-06-14 00:20 - 2017-06-03 11:50 - 00315744 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2017-06-14 00:20 - 2017-06-03 11:06 - 02048496 _____ C:\Windows\SysWOW64\CoreUIComponents.dll
2017-06-14 00:20 - 2017-06-03 10:55 - 00780640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WWAHost.exe
2017-06-14 00:20 - 2017-06-03 10:44 - 01412640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32full.dll
2017-06-14 00:20 - 2017-06-03 10:44 - 00545944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontdrvhost.exe
2017-06-14 00:20 - 2017-06-03 10:31 - 00224256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ExSMime.dll
2017-06-14 00:20 - 2017-06-03 10:31 - 00037376 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2017-06-14 00:20 - 2017-06-03 10:20 - 00755712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2017-06-14 00:20 - 2017-06-03 10:04 - 02006528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2017-06-14 00:20 - 2017-06-03 10:02 - 02997760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\win32kfull.sys
2017-06-14 00:20 - 2017-06-03 09:40 - 00483840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\CoreMessaging.dll
2017-06-14 00:20 - 2017-03-04 07:16 - 00368128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\puiobj.dll
2017-06-14 00:19 - 2017-06-03 11:16 - 00279904 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\sdbus.sys
2017-06-14 00:19 - 2017-06-03 10:58 - 00340832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2017-06-14 00:19 - 2017-06-03 10:54 - 00187232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dumpsd.sys
2017-06-14 00:19 - 2017-06-03 10:52 - 01021784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AppxPackaging.dll
2017-06-14 00:19 - 2017-06-03 10:52 - 00607072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\NetSetupEngine.dll
2017-06-14 00:19 - 2017-06-03 10:52 - 00111968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\NetSetupApi.dll
2017-06-14 00:19 - 2017-06-03 10:50 - 00857440 _____ (Microsoft Corporation) C:\Windows\system32\WWAHost.exe
2017-06-14 00:19 - 2017-06-03 10:50 - 00381792 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\USBXHCI.SYS
2017-06-14 00:19 - 2017-06-03 10:49 - 20967840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2017-06-14 00:19 - 2017-06-03 10:39 - 05686272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Data.Pdf.dll
2017-06-14 00:19 - 2017-06-03 10:33 - 00095232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\UserDataTimeUtil.dll
2017-06-14 00:19 - 2017-06-03 10:32 - 00002560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2017-06-14 00:19 - 2017-06-03 10:28 - 00285184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.UI.BlockedShutdown.dll
2017-06-14 00:19 - 2017-06-03 10:28 - 00232448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\edputil.dll
2017-06-14 00:19 - 2017-06-03 10:26 - 00231936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.ApplicationModel.LockScreen.dll
2017-06-14 00:19 - 2017-06-03 10:26 - 00100352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AuthBrokerUI.dll
2017-06-14 00:19 - 2017-06-03 10:22 - 00364544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\NetSetupShim.dll
2017-06-14 00:19 - 2017-06-03 10:22 - 00327168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\netcorehc.dll
2017-06-14 00:19 - 2017-06-03 10:22 - 00181760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tcpipcfg.dll
2017-06-14 00:19 - 2017-06-03 10:19 - 01164288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2017-06-14 00:19 - 2017-06-03 10:16 - 00709120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\CPFilters.dll
2017-06-14 00:19 - 2017-06-03 10:15 - 00886272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aadtb.dll
2017-06-14 00:19 - 2017-06-03 10:15 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\BasicRender.sys
2017-06-14 00:19 - 2017-06-03 10:12 - 00027136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fdProxy.dll
2017-06-14 00:19 - 2017-06-03 10:08 - 02643968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tquery.dll
2017-06-14 00:19 - 2017-06-03 10:08 - 01221120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Media.Audio.dll
2017-06-14 00:19 - 2017-06-03 10:05 - 01883648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.UI.Logon.dll
2017-06-14 00:19 - 2017-06-03 10:05 - 00295424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\hnetcfg.dll
2017-06-14 00:19 - 2017-06-03 10:04 - 00773120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SearchIndexer.exe
2017-06-14 00:19 - 2017-06-03 10:03 - 01988096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mssrch.dll
2017-06-14 00:19 - 2016-09-07 05:53 - 00118272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AppointmentActivation.dll
2017-06-14 00:18 - 2017-06-03 11:11 - 01706488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2017-06-14 00:18 - 2017-06-03 10:48 - 00857952 _____ (Microsoft Corporation) C:\Windows\system32\NetSetupEngine.dll
2017-06-14 00:18 - 2017-06-03 10:39 - 02532192 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2017-06-14 00:18 - 2017-06-03 10:16 - 00119808 _____ (Microsoft Corporation) C:\Windows\system32\UserDataTimeUtil.dll
2017-06-14 00:18 - 2017-06-03 10:14 - 00124416 _____ (Microsoft Corporation) C:\Windows\system32\mssprxy.dll
2017-06-14 00:18 - 2017-06-03 10:07 - 00552960 _____ (Microsoft Corporation) C:\Windows\system32\MusUpdateHandlers.dll
2017-06-14 00:18 - 2017-06-03 09:54 - 01217024 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Media.Audio.dll
2017-06-14 00:18 - 2017-06-03 09:52 - 03403264 _____ (Microsoft Corporation) C:\Windows\system32\tquery.dll
2017-06-14 00:18 - 2017-06-03 09:50 - 02538496 _____ (Microsoft Corporation) C:\Windows\system32\mssrch.dll
2017-06-14 00:18 - 2017-06-03 09:49 - 00903680 _____ (Microsoft Corporation) C:\Windows\system32\SearchIndexer.exe
2017-06-14 00:18 - 2017-06-03 09:48 - 00391168 _____ (Microsoft Corporation) C:\Windows\system32\wuuhext.dll
2017-06-14 00:18 - 2017-05-25 06:56 - 00038752 _____ (Microsoft Corporation) C:\Windows\system32\OOBEUpdater.exe
2017-06-14 00:17 - 2017-06-03 11:09 - 02213760 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2017-06-14 00:17 - 2017-06-03 10:59 - 01181024 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ndis.sys
2017-06-14 00:17 - 2017-06-03 10:59 - 00118112 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys
2017-06-14 00:17 - 2017-06-03 10:48 - 00148832 _____ (Microsoft Corporation) C:\Windows\system32\NetSetupApi.dll
2017-06-14 00:17 - 2017-06-03 10:45 - 22220864 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2017-06-14 00:17 - 2017-06-03 10:15 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\musdialoghandlers.dll
2017-06-14 00:17 - 2017-06-03 10:14 - 00238592 _____ (Microsoft Corporation) C:\Windows\system32\MusNotification.exe
2017-06-14 00:17 - 2017-06-03 10:14 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\MusNotificationUx.exe
2017-06-14 00:17 - 2017-06-03 10:07 - 00456192 _____ (Microsoft Corporation) C:\Windows\system32\puiobj.dll
2017-06-14 00:17 - 2017-06-03 09:51 - 00266752 _____ (Microsoft Corporation) C:\Windows\system32\NetSetupSvc.dll
2017-06-14 00:17 - 2017-06-03 09:48 - 01131008 _____ (Microsoft Corporation) C:\Windows\system32\localspl.dll
2017-06-14 00:17 - 2017-06-03 09:48 - 00834048 _____ (Microsoft Corporation) C:\Windows\system32\win32spl.dll
2017-06-14 00:17 - 2017-03-04 07:16 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\wpninprc.dll
2017-06-14 00:16 - 2017-06-03 10:15 - 18364928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\edgehtml.dll
2017-06-14 00:16 - 2017-06-03 10:09 - 00441344 _____ (Microsoft Corporation) C:\Windows\system32\netcorehc.dll
2017-06-14 00:16 - 2017-03-04 07:22 - 00822784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Chakradiag.dll
2017-06-14 00:16 - 2017-03-04 07:19 - 00635904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2017-06-14 00:15 - 2017-06-03 10:51 - 00402272 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgmms1.sys
2017-06-14 00:15 - 2017-06-03 10:23 - 00306688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieproxy.dll
2017-06-14 00:15 - 2017-06-03 10:15 - 19414016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2017-06-14 00:15 - 2017-06-03 10:08 - 12187648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2017-06-14 00:15 - 2017-06-03 10:08 - 00691200 _____ (Microsoft Corporation) C:\Windows\system32\ieproxy.dll
2017-06-14 00:15 - 2017-06-03 10:06 - 03664384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2017-06-14 00:15 - 2017-06-03 10:04 - 06042624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Chakra.dll
2017-06-14 00:15 - 2017-06-03 10:00 - 23677440 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2017-06-14 00:15 - 2017-06-03 09:56 - 13091840 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2017-06-14 00:15 - 2017-06-03 09:53 - 08125440 _____ (Microsoft Corporation) C:\Windows\system32\Chakra.dll
2017-06-14 00:15 - 2017-06-03 09:50 - 04744704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2017-06-14 00:15 - 2017-06-03 09:49 - 01845248 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2017-06-14 00:15 - 2017-06-03 09:49 - 01513472 _____ (Microsoft Corporation) C:\Windows\system32\win32kbase.sys
2017-06-14 00:14 - 2017-06-03 11:08 - 07783256 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2017-06-14 00:14 - 2017-06-03 11:01 - 02681200 _____ C:\Windows\system32\CoreUIComponents.dll
2017-06-14 00:14 - 2017-06-03 10:53 - 00404824 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2017-06-14 00:14 - 2017-06-03 10:51 - 02187104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2017-06-14 00:14 - 2017-06-03 10:48 - 01112416 _____ (Microsoft Corporation) C:\Windows\system32\AppxPackaging.dll
2017-06-14 00:14 - 2017-06-03 10:18 - 22569984 _____ (Microsoft Corporation) C:\Windows\system32\edgehtml.dll
2017-06-14 00:14 - 2017-06-03 10:11 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\cloudAP.dll
2017-06-14 00:14 - 2017-06-03 10:10 - 00418304 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.BlockedShutdown.dll
2017-06-14 00:14 - 2017-06-03 10:09 - 00337408 _____ (Microsoft Corporation) C:\Windows\system32\NetworkBindingEngineMigPlugin.dll
2017-06-14 00:14 - 2017-06-03 10:03 - 00932864 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2017-06-14 00:14 - 2017-06-03 10:01 - 00856064 _____ (Microsoft Corporation) C:\Windows\system32\efscore.dll
2017-06-14 00:14 - 2017-06-03 09:52 - 00975872 _____ (Microsoft Corporation) C:\Windows\HelpPane.exe
2017-06-14 00:14 - 2017-06-03 09:49 - 02691072 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.Logon.dll
2017-06-14 00:14 - 2017-06-03 09:49 - 02475520 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2017-06-14 00:14 - 2017-06-03 09:46 - 01121280 _____ (Microsoft Corporation) C:\Windows\system32\aadtb.dll
2017-06-14 00:13 - 2017-06-03 11:14 - 00379232 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2017-06-14 00:13 - 2017-06-03 10:59 - 00764392 _____ (Microsoft Corporation) C:\Windows\system32\CoreMessaging.dll
2017-06-14 00:13 - 2017-06-03 10:44 - 01600624 _____ (Microsoft Corporation) C:\Windows\system32\sppobjs.dll
2017-06-14 00:13 - 2017-06-03 10:40 - 01566552 _____ (Microsoft Corporation) C:\Windows\system32\gdi32full.dll
2017-06-14 00:13 - 2017-06-03 10:40 - 00628552 _____ (Microsoft Corporation) C:\Windows\system32\fontdrvhost.exe
2017-06-14 00:13 - 2017-06-03 10:22 - 07217152 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Data.Pdf.dll
2017-06-14 00:13 - 2017-06-03 10:08 - 00324608 _____ (Microsoft Corporation) C:\Windows\system32\Windows.ApplicationModel.LockScreen.dll
2017-06-14 00:13 - 2017-06-03 09:52 - 02510848 _____ (Microsoft Corporation) C:\Windows\system32\NetworkMobileSettings.dll
2017-06-14 00:13 - 2017-06-03 09:52 - 00886784 _____ (Microsoft Corporation) C:\Windows\system32\CPFilters.dll
2017-06-14 00:13 - 2017-06-03 09:49 - 03615744 _____ (Microsoft Corporation) C:\Windows\system32\win32kfull.sys
2017-06-14 00:13 - 2017-06-03 09:49 - 02318848 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2017-06-14 00:13 - 2017-06-03 09:49 - 00351744 _____ (Microsoft Corporation) C:\Windows\system32\hnetcfg.dll
2017-06-14 00:13 - 2017-06-03 09:48 - 01490432 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2017-06-14 00:12 - 2017-06-03 11:50 - 00192856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aepic.dll
2017-06-14 00:12 - 2017-06-03 11:14 - 01564512 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2017-06-14 00:12 - 2017-06-03 11:14 - 01214816 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2017-06-14 00:12 - 2017-06-03 11:14 - 00629088 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2017-06-14 00:12 - 2017-06-03 11:14 - 00544096 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2017-06-14 00:12 - 2017-06-03 11:14 - 00335712 _____ (Microsoft Corporation) C:\Windows\system32\dcntel.dll
2017-06-14 00:12 - 2017-06-03 11:14 - 00334176 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2017-06-14 00:12 - 2017-06-03 11:14 - 00233824 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2017-06-14 00:12 - 2017-06-03 11:14 - 00136032 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2017-06-14 00:12 - 2017-06-03 11:14 - 00136024 _____ (Microsoft Corporation) C:\Windows\system32\ImplatSetup.dll
2017-06-14 00:12 - 2017-06-03 11:14 - 00096608 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2017-06-14 00:12 - 2017-06-03 11:14 - 00034648 _____ (Microsoft Corporation) C:\Windows\system32\DeviceCensus.exe
2017-06-14 00:12 - 2017-06-03 11:11 - 00128864 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tm.sys
2017-06-14 00:12 - 2017-06-03 10:49 - 00624048 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2017-06-14 00:12 - 2017-06-03 10:49 - 00509280 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys
2017-06-14 00:12 - 2017-06-03 10:48 - 01100128 _____ (Microsoft Corporation) C:\Windows\system32\hvix64.exe
2017-06-14 00:12 - 2017-06-03 10:48 - 00989024 _____ (Microsoft Corporation) C:\Windows\system32\hvax64.exe
2017-06-14 00:12 - 2017-06-03 10:39 - 00455520 _____ (Microsoft Corporation) C:\Windows\system32\securekernel.exe
2017-06-14 00:12 - 2017-06-03 10:16 - 00002560 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2017-06-14 00:12 - 2017-06-03 10:14 - 00045056 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2017-06-14 00:12 - 2017-06-03 10:10 - 00252928 _____ (Microsoft Corporation) C:\Windows\system32\edputil.dll
2017-06-14 00:12 - 2017-06-03 10:10 - 00117760 _____ (Microsoft Corporation) C:\Windows\system32\AuthBrokerUI.dll
2017-06-14 00:12 - 2017-06-03 10:09 - 00489472 _____ (Microsoft Corporation) C:\Windows\system32\NetSetupShim.dll
2017-06-14 00:12 - 2017-06-03 10:08 - 00147456 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2017-06-14 00:12 - 2017-06-03 10:07 - 00255488 _____ (Microsoft Corporation) C:\Windows\system32\HNetCfgClient.dll
2017-06-14 00:12 - 2017-06-03 10:06 - 00198144 _____ (Microsoft Corporation) C:\Windows\system32\dpapisrv.dll
2017-06-14 00:12 - 2017-06-03 09:58 - 00064512 _____ (Microsoft Corporation) C:\Windows\system32\fdProxy.dll
2017-06-14 00:12 - 2017-06-03 09:51 - 01418240 _____ (Microsoft Corporation) C:\Windows\system32\certutil.exe
2017-06-14 00:12 - 2017-06-03 07:08 - 00080078 _____ C:\Windows\system32\normidna.nls
2017-06-13 20:10 - 2017-06-13 20:10 - 00008435 _____ C:\Users\Richard\Downloads\v33i9l59w04y237sj39izi510tg76ng9up7s6am43.zip
2017-06-13 20:10 - 2017-06-13 20:10 - 00008435 _____ C:\Users\Richard\Downloads\v33i9l59w04y237sj39izi510tg76ng9up7s6am43 (1).zip
2017-06-13 15:11 - 2017-06-13 15:11 - 00494172 _____ C:\Windows\Minidump\061317-37984-01.dmp
2017-06-13 13:11 - 2017-06-13 13:12 - 00500052 _____ C:\Windows\Minidump\061317-40578-01.dmp
2017-06-13 03:45 - 2017-06-13 03:45 - 00769604 _____ C:\Windows\Minidump\061317-23765-01.dmp
2017-06-12 16:07 - 2017-06-12 16:07 - 00472028 _____ C:\Windows\Minidump\061217-22812-01.dmp
2017-06-11 21:36 - 2017-06-11 21:37 - 00548076 _____ C:\Windows\Minidump\061117-23281-01.dmp
2017-06-11 18:02 - 2017-06-11 18:02 - 00331072 _____ C:\Users\Richard\Downloads\DH2A1215.jpeg
2017-06-11 18:02 - 2017-06-11 18:02 - 00331072 _____ C:\Users\Richard\Downloads\DH2A1215 (2).jpeg
2017-06-11 18:02 - 2017-06-11 18:02 - 00331072 _____ C:\Users\Richard\Downloads\DH2A1215 (1).jpeg
2017-06-11 17:59 - 2017-06-11 17:59 - 00117434 _____ C:\Users\Richard\Downloads\DH2A1288.jpeg
2017-06-11 17:58 - 2017-06-11 17:58 - 00171591 _____ C:\Users\Richard\Downloads\DH2A1314.jpeg
2017-06-11 17:57 - 2017-06-11 17:57 - 00221543 _____ C:\Users\Richard\Downloads\DH2A1331.jpeg
2017-06-11 17:55 - 2017-06-11 17:55 - 00179575 _____ C:\Users\Richard\Downloads\DH2A1356.jpeg
2017-06-11 17:55 - 2017-06-11 17:55 - 00179575 _____ C:\Users\Richard\Downloads\DH2A1356 (2).jpeg
2017-06-11 17:55 - 2017-06-11 17:55 - 00179575 _____ C:\Users\Richard\Downloads\DH2A1356 (1).jpeg
2017-06-11 17:54 - 2017-06-11 17:54 - 00168530 _____ C:\Users\Richard\Downloads\DH2A1369.jpeg
2017-06-10 20:37 - 2017-06-10 20:37 - 00492396 _____ C:\Windows\Minidump\061017-19750-01.dmp
2017-06-10 18:21 - 2017-06-10 18:21 - 00526868 _____ C:\Windows\Minidump\061017-23296-01.dmp
2017-06-10 16:16 - 2017-06-10 16:16 - 00494540 _____ C:\Windows\Minidump\061017-21687-01.dmp
2017-06-09 13:17 - 2017-06-09 13:22 - 566378439 _____ C:\Users\Richard\Downloads\wetransfer-02da57 (1).zip
2017-06-09 12:08 - 2017-06-09 12:13 - 566378439 _____ C:\Users\Richard\Downloads\wetransfer-02da57.zip
2017-06-09 11:43 - 2017-06-09 11:47 - 545438973 _____ C:\Users\Richard\Downloads\Frank Turba - Frank Turba  (3).zip
2017-06-09 10:42 - 2017-06-09 10:46 - 545438973 _____ C:\Users\Richard\Downloads\Frank Turba - Frank Turba  (2).zip
2017-06-09 10:33 - 2017-06-09 10:38 - 545438973 _____ C:\Users\Richard\Downloads\Frank Turba - Frank Turba  (1).zip
2017-06-09 10:27 - 2017-06-09 10:31 - 545438973 _____ C:\Users\Richard\Downloads\Frank Turba - Frank Turba .zip
2017-06-01 15:31 - 2017-06-01 15:31 - 00000000 ____D C:\Users\Richard\Downloads\Berlin
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-07-01 12:29 - 2017-03-18 08:48 - 00000000 ____D C:\Windows\system32\SleepStudy
2017-06-29 17:18 - 2017-03-18 01:07 - 00005596 _____ C:\Windows\system32\PerfStringBackup.INI
2017-06-23 16:35 - 2017-03-18 08:48 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-06-23 16:35 - 2017-03-18 08:01 - 00524288 _____ C:\Windows\system32\config\BBI
2017-06-23 16:35 - 2017-03-18 01:05 - 00000000 ____D C:\Users\Richard
2017-06-23 15:14 - 2017-03-18 08:24 - 00000000 ____D C:\Windows\AppReadiness
2017-06-23 15:05 - 2017-03-23 00:24 - 449347787 _____ C:\Windows\MEMORY.DMP
2017-06-23 15:05 - 2017-03-23 00:24 - 00000000 ____D C:\Windows\Minidump
2017-06-23 13:46 - 2017-03-18 08:24 - 00000000 ___HD C:\Program Files\WindowsApps
2017-06-23 11:37 - 2017-03-18 01:58 - 00000000 ____D C:\Users\Richard\AppData\Local\ClassicShell
2017-06-16 10:10 - 2017-03-18 08:24 - 00000000 ____D C:\Windows\rescache
2017-06-14 20:10 - 2017-03-24 11:24 - 00000000 ____D C:\Users\Richard\AppData\Roaming\vlc
2017-06-14 11:45 - 2017-03-18 08:47 - 00357931 ____N C:\Windows\Minidump\061417-39515-01.dmp
2017-06-14 04:13 - 2017-03-18 01:06 - 00000000 __RHD C:\Users\Public\AccountPictures
2017-06-14 04:07 - 2017-03-18 08:20 - 00000000 ____D C:\Windows\INF
2017-06-14 04:06 - 2017-03-18 08:47 - 00194192 _____ C:\Windows\system32\FNTCACHE.DAT
2017-06-14 03:58 - 2017-03-18 08:24 - 00000000 ___RD C:\Windows\ImmersiveControlPanel
2017-06-14 03:58 - 2017-03-18 08:24 - 00000000 ____D C:\Windows\system32\appraiser
2017-06-14 03:58 - 2017-03-18 08:24 - 00000000 ____D C:\Windows\ShellExperiences
2017-06-14 01:08 - 2017-03-18 08:03 - 00000000 ____D C:\Windows\CbsTemp
2017-06-13 21:33 - 2017-03-18 01:17 - 00003294 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task v2
2017-06-13 21:33 - 2017-03-18 01:12 - 00002376 _____ C:\Users\Richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-06-13 21:33 - 2017-03-18 01:12 - 00000000 ___RD C:\Users\Richard\OneDrive
2017-06-13 19:57 - 2017-03-18 12:50 - 00000000 ____D C:\Windows\system32\MRT
2017-06-13 19:53 - 2017-03-18 12:50 - 133627792 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-06-13 18:50 - 2017-03-18 01:27 - 00000000 ____D C:\Users\Richard\AppData\Local\Comms
2017-06-03 07:36 - 2017-03-18 08:27 - 00835576 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-06-03 07:36 - 2017-03-18 08:27 - 00177656 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-06-14 11:24
 
==================== End of FRST.txt ============================


Thanks in advance
Chris
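As an added example (not part of this post, and not code from FRST or BleepingComputer), here is a small Python triage script that parses the "One Month Created files and folders" section of an FRST log like the one above and lists what was created inside the incident window the poster gives (mid-afternoon on 2017-06-23), flagging entries that look like remote-support software. The sample log is a constructed subset of the entries posted above; the 14:00-18:00 window and the list of tool-name markers are assumptions.

```python
import re
from datetime import datetime

# One entry of an FRST "One Month Created files and folders" section:
#   <created> - <modified> - <size> <attrs> [(company)] <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+)$"
)

# Assumption: substrings that identify remote-support software a scam caller
# commonly asks the victim to install. GoToAssist/Citrix is what this log shows;
# the other names are well-known products added so the check generalises.
REMOTE_SUPPORT_MARKERS = ("gotoassist", "citrix", "teamviewer", "anydesk", "logmein")

# Constructed sample: a subset of the entries from the FRST log posted above.
SAMPLE_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 29-06-2017
Boot Mode: Safe Mode (minimal)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-29 18:50 - 2017-07-01 12:31 - 00000000 ____D C:\FRST
2017-06-23 16:36 - 2017-07-01 12:30 - 02297450 _____ C:\Windows\ntbtlog.txt
2017-06-23 16:34 - 2017-06-23 16:34 - 00000000 ____D C:\Windows\pss
2017-06-23 16:16 - 2017-06-23 16:16 - 00001667 _____ C:\Users\Richard\Desktop\GoToAssist Customer.lnk
2017-06-23 16:16 - 2017-06-23 16:16 - 00000000 ____D C:\Program Files (x86)\Citrix
2017-06-23 16:15 - 2017-06-23 16:16 - 00000000 ____D C:\Users\Richard\AppData\Local\Citrix
2017-06-23 16:12 - 2017-06-23 16:12 - 00004126 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{031D9980-2A21-452C-B4B6-60D0682F00D1}
2017-06-23 15:36 - 2017-06-23 15:36 - 13111449 _____ C:\Users\Richard\Downloads\archive (8).zip
2017-06-23 15:05 - 2017-06-23 15:05 - 00524940 _____ C:\Windows\Minidump\062317-24031-01.dmp
2017-06-22 00:18 - 2017-06-22 00:18 - 00000000 ____D C:\Users\Richard\AppData\Local\ElevatedDiagnostics
2017-06-14 00:20 - 2017-06-03 11:50 - 00315744 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll

==================== One Month Modified files and folders ========

2017-06-23 16:35 - 2017-03-18 08:48 - 00000006 ____H C:\Windows\Tasks\SA.DAT
"""


def parse_stamp(s):
    """FRST timestamps are 'YYYY-MM-DD HH:MM' with no seconds."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def parse_entries(log_text, section="One Month Created files and folders"):
    """Return the entries of one FRST section as dicts with typed fields."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        if line.startswith("===="):          # section banner (or an underline)
            in_section = section in line
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line.strip())
        if not m:                            # blank line or explanatory note
            continue
        e = m.groupdict()
        e["created"] = parse_stamp(e["created"])
        e["modified"] = parse_stamp(e["modified"])
        e["size"] = int(e["size"])
        entries.append(e)
    return entries


def triage(entries, window_start, window_end, markers=REMOTE_SUPPORT_MARKERS):
    """Entries created inside [window_start, window_end] (FRST-format strings),
    oldest first, each flagged when its path names a remote-support tool."""
    start, end = parse_stamp(window_start), parse_stamp(window_end)
    hits = []
    for e in entries:
        if start <= e["created"] <= end:
            low = e["path"].lower()
            hits.append(dict(e, remote_support=any(k in low for k in markers)))
    hits.sort(key=lambda e: e["created"])
    return hits


def render(hits):
    """Plain-text timeline, one line per entry, suitable for pasting in a reply."""
    lines = []
    for h in hits:
        flag = "REMOTE-SUPPORT " if h["remote_support"] else "               "
        lines.append(f"{h['created']:%Y-%m-%d %H:%M}  {flag}{h['path']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed window: the poster says the call happened mid-afternoon on 2017-06-23.
    found = triage(parse_entries(SAMPLE_LOG), "2017-06-23 14:00", "2017-06-23 18:00")
    print(render(found))
```

Run against the full log, the timeline narrows a 300-line listing to the handful of files created while the caller had access, which is what a helper wants to read first.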


 


#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,584 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:04:22 AM

Posted 02 July 2017 - 08:58 PM

Greetings rhcomp and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow this topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. It appears you are able to boot into Safe Mode, is that correct? Assuming so please do this in Safe Mode.
 

Boot Mode: Safe Mode (minimal)


===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time
Start::
CloseProcesses:
StartRegedit:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000000
EndRegedit:
cmd: sfc /scannow
CMD: findstr /c:"[SR]" %windir%\logs\cbs\cbs.log >> "%userprofile%\desktop\sfcdetails.txt"
End::
  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • Update on computer performance

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 rhcomp
  • Topic Starter
  • Members
  • 29 posts
  • Gender:Male
  • Location:Devon, UK

Posted 03 July 2017 - 03:52 AM

Hi Gary.. 

My name is Chris.

 

I am unable to get to Safe Mode, or not the normal way. When I log into Windows under Richard's login it goes straight to a command prompt; this is where I am running FRST.

I ran the fix by writing the command in the FRST box. Looking at the Fixlog, nothing was fixed.

When I rebooted the same thing happened: when booting into 10 the login page comes up, and whether you click on the name or leave it, it goes to Command Prompt... There is no access to Windows Safe Mode either.

Fixlog file attached...

 

Hope this helps. I appreciate your help.

 

regards

 

Chris

 

 

Attached Files



#4 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,584 posts
  • Gender:Male
  • Location:California

Posted 03 July 2017 - 10:22 AM

Hi Chris.

Once you get to the command prompt do this.

===================================================

Launching a Program Utilizing Task Manager

--------------------
  • Hit Ctrl + Alt + Del at the same time then select Start Task Manager
  • Select File, then New Task (Run...)
  • Type the following into the Open: box then click OK

explorer.exe

  • Please let me know if you get the Desktop
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Results?

Gary
 

#5 rhcomp
  • Topic Starter
  • Members
  • 29 posts
  • Gender:Male
  • Location:Devon, UK

Posted 03 July 2017 - 12:11 PM

Hi Gary 

Yes I get a desktop 

Attached is a photo; I get this message if I do something.

 

 

Thanks

 

Chris

Attached Files



#6 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,584 posts
  • Gender:Male
  • Location:California

Posted 03 July 2017 - 04:06 PM

Thank you Chris.

Please attempt this.

===================================================

Activating Hidden Administrator Account

-------------------
  • Go through the same process again to get to the Desktop
  • Click Start, type cmd, right click on cmd above and select Run as Administrator
  • Type the following at the command prompt and hit Enter:

net user administrator /active:yes

  • You should see The command completed successfully
  • Hit Ctrl + Alt + Del at the same time and select Sign Out
  • On the login screen that will be presented you will see an option to log in as Administrator
  • Attempt to log into the Administrator account and check the computer performance
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Results?

Gary
 

#7 rhcomp
  • Topic Starter
  • Members
  • 29 posts
  • Gender:Male
  • Location:Devon, UK

Posted 03 July 2017 - 05:10 PM

Hi Gary ..

 

It was going so well: I got the Administrator login up in Windows, but a while after clicking the login page I got the same display as with the original fault. Attached is a picture of what it shows now...

 

Chris

PS writing this page from another computer..

 

Attached Files



#8 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,584 posts
  • Gender:Male
  • Location:California

Posted 03 July 2017 - 06:00 PM

Thanks Chris.

Please do this.

===================================================

Rkill

-------------------
  • On a clean computer download all 3 Rkill files and save them onto a USB device

rkill.scr
rkill.com
rkill.exe

  • Insert your USB device into the running compromised computer
  • In order for Rkill to run properly you must disable your anti-malware software. Please refer to this page if you are not sure how.
  • Using Windows Explorer navigate to and double-click on any Rkill icon to launch the program. Try another one(s) if it won't run.
  • Note: You may have to run Rkill a few times before it is successful.
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • An Rkill.log will appear. Please copy and paste the contents in your reply (file also located at c:\rkill.log)
  • Do not reboot your computer after running Rkill as the malware programs will start again. If your computer reboots, run Rkill again before continuing on to the next step.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • Monitor your computer behavior
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Rkill log
  • Computer behavior?

Gary
 

#9 rhcomp
  • Topic Starter
  • Members
  • 29 posts
  • Gender:Male
  • Location:Devon, UK

Posted 04 July 2017 - 03:41 AM

Hi Gary

 

I have run Rkill about 6 times; it has not done anything. The system is still running in the same state, booting to the cmd prompt.

 

rkill.txt  attached

 

thanks for your help 

 

Chris

 

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 07/04/2017 09:22:36 AM in x64 mode. (Safe Mode)
Windows Version: Windows 10 Home

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * Ancillary Function Driver for Winsock (AFD) is not Running.
   Startup Type set to: System

 * Base Filtering Engine (BFE) is not Running.
   Startup Type set to: Automatic

 * DHCP Client (Dhcp) is not Running.
   Startup Type set to: Automatic

 * DNS Client (Dnscache) is not Running.
   Startup Type set to: Automatic

 * COM+ Event System (EventSystem) is not Running.
   Startup Type set to: Automatic

 * Windows Firewall Authorization Driver (mpsdrv) is not Running.
   Startup Type set to: Manual

 * Windows Firewall (MpsSvc) is not Running.
   Startup Type set to: Automatic

 * NetBT (NetBT) is not Running.
   Startup Type set to: System

 * Network Store Interface Service (nsi) is not Running.
   Startup Type set to: Automatic

 * NSI Proxy Service Driver (nsiproxy) is not Running.
   Startup Type set to: System

 * NetIO Legacy TDI Support Driver (tdx) is not Running.
   Startup Type set to: System

 * NetIO Legacy TDI Support Driver (WinDefend) is not Running.
   Startup Type set to: System

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic (Delayed Start)

 * agp440 [Missing Service]
 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]

 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]

 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 07/04/2017 09:25:27 AM
Execution time: 0 hours(s), 2 minute(s), and 50 seconds(s)
 

Attached Files


Edited by Oh My!, 04 July 2017 - 08:50 AM.


#10 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,584 posts
  • Gender:Male
  • Location:California

Posted 04 July 2017 - 09:13 AM

Thank you Chris.

At the command prompt type the following and hit Enter. Tell me what the Service line says.

sc query rpcss

Gary
 

#11 rhcomp
  • Topic Starter
  • Members
  • 29 posts
  • Gender:Male
  • Location:Devon, UK

Posted 04 July 2017 - 12:14 PM

Just ran this; there is no service line,

 

but I have included a photo of what it did show.

 

 

Attached Files



#12 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,584 posts
  • Gender:Male
  • Location:California

Posted 04 July 2017 - 12:21 PM

Thank you, I meant the (Service) State line.

Please delete FRST from your desktop, download a fresh version, then run another scan. Copy/paste both reports in your reply.

Gary
 

#13 rhcomp
  • Topic Starter
  • Members
  • 29 posts
  • Gender:Male
  • Location:Devon, UK

Posted 04 July 2017 - 01:43 PM

Hi Gary.

Both logs are here.

I will be here for another 20 mins but am heading out for the evening; I will look when I get back. Currently 19:42 UK time.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 03-07-2017 01
Ran by Administrator (administrator) on DESKTOP-NGSHFDV (04-07-2017 19:20:56)
Running from D:\
Loaded Profiles: Administrator (Available Profiles: defaultuser0 & Richard & Administrator)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser not detected!)
Boot Mode: Safe Mode (minimal)
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2017-04-28] (Microsoft Corporation)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [163800 2016-07-30] (IvoSoft)
Winlogon\Notify\GoToAssist Express Customer: C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\1251\g2ax_winlogonx64.dll (Citrix Systems, Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{5f7765f7-9509-4b9b-9bba-7c0574b9ec6b}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{d3764c38-4d52-4c85-a3f6-78d3df433a77}: [DhcpNameServer] 192.168.1.254
 
Internet Explorer:
==================
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2016-07-30] (IvoSoft)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll [2016-07-30] (IvoSoft)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2016-07-30] (IvoSoft)
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2016-07-30] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2016-07-30] (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2016-07-30] (IvoSoft)
 
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-04-05] (Adobe Systems Inc.)
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 GoToAssist Remote Support Customer; C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\1251\g2ax_service.exe [607240 2017-06-23] (Citrix Systems, Inc.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347320 2017-04-28] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103712 2017-04-28] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 NetAdapterCx; C:\Windows\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
S3 NETJME; C:\Windows\System32\drivers\NETJME.sys [137728 2016-07-16] (JMicron Technology Corp.)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-07-04 09:11 - 2017-07-04 09:25 - 00005674 _____ C:\Users\Administrator\Desktop\Rkill.txt
2017-07-03 22:48 - 2017-07-04 09:20 - 00000000 ____D C:\Users\Administrator\AppData\Local\ClassicShell
2017-07-03 22:48 - 2017-07-03 22:48 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\ClassicShell
2017-07-03 22:48 - 2017-07-03 22:48 - 00000000 ____D C:\Users\Administrator\AppData\Local\Packages
2017-07-03 22:47 - 2017-07-03 22:47 - 00000000 ____D C:\Users\Administrator\AppData\Local\TileDataLayer
2017-07-03 22:47 - 2017-07-03 22:47 - 00000000 ____D C:\Users\Administrator\AppData\Local\ConnectedDevicesPlatform
2017-07-03 22:36 - 2017-07-03 22:50 - 00000000 ____D C:\Users\Administrator
2017-07-03 22:36 - 2017-07-03 22:36 - 00000020 ___SH C:\Users\Administrator\ntuser.ini
2017-07-03 22:36 - 2017-07-03 22:36 - 00000000 _SHDL C:\Users\Administrator\My Documents
2017-07-03 22:36 - 2017-07-03 22:36 - 00000000 _SHDL C:\Users\Administrator\Documents\My Videos
2017-07-03 22:36 - 2017-07-03 22:36 - 00000000 _SHDL C:\Users\Administrator\Documents\My Pictures
2017-07-03 22:36 - 2017-07-03 22:36 - 00000000 _SHDL C:\Users\Administrator\Documents\My Music
2017-07-03 18:03 - 2017-07-03 22:35 - 00000214 _____ C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job
2017-06-29 18:50 - 2017-07-04 19:20 - 00000000 ____D C:\FRST
2017-06-23 16:36 - 2017-07-04 19:09 - 03583952 _____ C:\Windows\ntbtlog.txt
2017-06-23 16:34 - 2017-06-23 16:34 - 00000000 ____D C:\Windows\pss
2017-06-23 16:16 - 2017-06-23 16:16 - 00001667 _____ C:\Users\Richard\Desktop\GoToAssist Customer.lnk
2017-06-23 16:16 - 2017-06-23 16:16 - 00000000 ____D C:\Users\Richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Citrix
2017-06-23 16:16 - 2017-06-23 16:16 - 00000000 ____D C:\Users\Richard\AppData\Local\GoToAssist Remote Support Customer
2017-06-23 16:16 - 2017-06-23 16:16 - 00000000 ____D C:\Program Files (x86)\Citrix
2017-06-23 16:15 - 2017-06-23 16:16 - 00000000 ____D C:\Users\Richard\AppData\Local\Citrix
2017-06-23 16:12 - 2017-06-23 16:12 - 00004126 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{031D9980-2A21-452C-B4B6-60D0682F00D1}
2017-06-23 15:36 - 2017-06-23 15:36 - 13111449 _____ C:\Users\Richard\Downloads\archive (8).zip
2017-06-23 15:05 - 2017-06-23 15:05 - 00524940 _____ C:\Windows\Minidump\062317-24031-01.dmp
2017-06-22 00:18 - 2017-06-22 00:18 - 00000000 ____D C:\Users\Richard\AppData\Local\ElevatedDiagnostics
2017-06-22 00:15 - 2017-06-22 00:15 - 00000661 _____ C:\Users\Richard\Downloads\audio10.diagcab
2017-06-20 20:45 - 2017-06-20 20:45 - 00743012 _____ C:\Windows\Minidump\062017-24250-01.dmp
2017-06-20 16:10 - 2017-06-20 16:10 - 00526340 _____ C:\Windows\Minidump\062017-22390-01.dmp
2017-06-20 01:37 - 2017-06-20 01:37 - 00525172 _____ C:\Windows\Minidump\062017-22859-01.dmp
2017-06-19 22:10 - 2017-06-19 22:10 - 00580500 _____ C:\Windows\Minidump\061917-20875-01.dmp
2017-06-19 19:12 - 2017-06-19 19:13 - 00524492 _____ C:\Windows\Minidump\061917-36343-01.dmp
2017-06-19 14:19 - 2017-06-19 14:19 - 00469260 _____ C:\Windows\Minidump\061917-21015-01.dmp
2017-06-18 21:59 - 2017-06-18 22:00 - 00657668 _____ C:\Windows\Minidump\061817-24609-01.dmp
2017-06-18 16:51 - 2017-06-18 16:51 - 00521804 _____ C:\Windows\Minidump\061817-23296-01.dmp
2017-06-17 23:24 - 2017-06-17 23:24 - 02642098 _____ C:\Users\Richard\Downloads\archive (7).zip
2017-06-17 23:06 - 2017-06-17 23:06 - 02642098 _____ C:\Users\Richard\Downloads\archive (6).zip
2017-06-17 23:06 - 2017-06-17 23:06 - 02642098 _____ C:\Users\Richard\Downloads\archive (5).zip
2017-06-17 23:05 - 2017-06-17 23:05 - 02642098 _____ C:\Users\Richard\Downloads\archive (4).zip
2017-06-17 23:05 - 2017-06-17 23:05 - 02642098 _____ C:\Users\Richard\Downloads\archive (3).zip
2017-06-17 23:05 - 2017-06-17 23:05 - 02642098 _____ C:\Users\Richard\Downloads\archive (2).zip
2017-06-17 11:42 - 2017-06-17 11:42 - 00000000 ____D C:\Users\Richard\Downloads\New folder
2017-06-17 11:00 - 2017-06-17 11:00 - 00352574 _____ C:\Users\Richard\Downloads\archive.zip
2017-06-17 11:00 - 2017-06-17 11:00 - 00352574 _____ C:\Users\Richard\Downloads\archive (1).zip
2017-06-16 19:09 - 2017-06-16 19:10 - 00443372 _____ C:\Windows\Minidump\061617-23312-01.dmp
2017-06-16 14:49 - 2017-06-16 14:50 - 00579380 _____ C:\Windows\Minidump\061617-23046-01.dmp
2017-06-16 09:45 - 2017-06-16 09:45 - 00583756 _____ C:\Windows\Minidump\061617-24968-01.dmp
2017-06-16 06:08 - 2017-06-16 06:09 - 00472636 _____ C:\Windows\Minidump\061617-23734-01.dmp
2017-06-16 02:31 - 2017-06-16 02:32 - 00772276 _____ C:\Windows\Minidump\061617-22515-01.dmp
2017-06-15 14:34 - 2017-06-15 14:35 - 00509100 _____ C:\Windows\Minidump\061517-34562-01.dmp
2017-06-14 22:50 - 2017-06-14 22:50 - 00000000 ____D C:\Users\Richard\AppData\Roaming\Google
2017-06-14 19:21 - 2017-06-14 19:21 - 00000000 __SHD C:\found.000
2017-06-14 07:58 - 2017-06-14 07:58 - 00470460 _____ C:\Windows\Minidump\061417-25078-01.dmp
2017-06-14 04:06 - 2017-06-14 04:06 - 00448356 _____ C:\Windows\Minidump\061417-44406-01.dmp
2017-06-14 03:58 - 2017-06-14 03:58 - 00000000 ___SD C:\Windows\UpdateAssistantV2
2017-06-14 00:20 - 2017-06-03 11:50 - 00315744 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2017-06-14 00:20 - 2017-06-03 11:06 - 02048496 _____ C:\Windows\SysWOW64\CoreUIComponents.dll
2017-06-14 00:20 - 2017-06-03 10:55 - 00780640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WWAHost.exe
2017-06-14 00:20 - 2017-06-03 10:44 - 01412640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32full.dll
2017-06-14 00:20 - 2017-06-03 10:44 - 00545944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontdrvhost.exe
2017-06-14 00:20 - 2017-06-03 10:31 - 00224256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ExSMime.dll
2017-06-14 00:20 - 2017-06-03 10:31 - 00037376 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2017-06-14 00:20 - 2017-06-03 10:20 - 00755712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2017-06-14 00:20 - 2017-06-03 10:04 - 02006528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2017-06-14 00:20 - 2017-06-03 10:02 - 02997760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\win32kfull.sys
2017-06-14 00:20 - 2017-06-03 09:40 - 00483840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\CoreMessaging.dll
2017-06-14 00:20 - 2017-03-04 07:16 - 00368128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\puiobj.dll
2017-06-14 00:19 - 2017-06-03 11:16 - 00279904 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\sdbus.sys
2017-06-14 00:19 - 2017-06-03 10:58 - 00340832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2017-06-14 00:19 - 2017-06-03 10:54 - 00187232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dumpsd.sys
2017-06-14 00:19 - 2017-06-03 10:52 - 01021784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AppxPackaging.dll
2017-06-14 00:19 - 2017-06-03 10:52 - 00607072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\NetSetupEngine.dll
2017-06-14 00:19 - 2017-06-03 10:52 - 00111968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\NetSetupApi.dll
2017-06-14 00:19 - 2017-06-03 10:50 - 00857440 _____ (Microsoft Corporation) C:\Windows\system32\WWAHost.exe
2017-06-14 00:19 - 2017-06-03 10:50 - 00381792 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\USBXHCI.SYS
2017-06-14 00:19 - 2017-06-03 10:49 - 20967840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2017-06-14 00:19 - 2017-06-03 10:39 - 05686272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Data.Pdf.dll
2017-06-14 00:19 - 2017-06-03 10:33 - 00095232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\UserDataTimeUtil.dll
2017-06-14 00:19 - 2017-06-03 10:32 - 00002560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2017-06-14 00:19 - 2017-06-03 10:28 - 00285184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.UI.BlockedShutdown.dll
2017-06-14 00:19 - 2017-06-03 10:28 - 00232448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\edputil.dll
2017-06-14 00:19 - 2017-06-03 10:26 - 00231936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.ApplicationModel.LockScreen.dll
2017-06-14 00:19 - 2017-06-03 10:26 - 00100352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AuthBrokerUI.dll
2017-06-14 00:19 - 2017-06-03 10:22 - 00364544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\NetSetupShim.dll
2017-06-14 00:19 - 2017-06-03 10:22 - 00327168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\netcorehc.dll
2017-06-14 00:19 - 2017-06-03 10:22 - 00181760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tcpipcfg.dll
2017-06-14 00:19 - 2017-06-03 10:19 - 01164288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2017-06-14 00:19 - 2017-06-03 10:16 - 00709120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\CPFilters.dll
2017-06-14 00:19 - 2017-06-03 10:15 - 00886272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aadtb.dll
2017-06-14 00:19 - 2017-06-03 10:15 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\BasicRender.sys
2017-06-14 00:19 - 2017-06-03 10:12 - 00027136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fdProxy.dll
2017-06-14 00:19 - 2017-06-03 10:08 - 02643968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tquery.dll
2017-06-14 00:19 - 2017-06-03 10:08 - 01221120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Media.Audio.dll
2017-06-14 00:19 - 2017-06-03 10:05 - 01883648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.UI.Logon.dll
2017-06-14 00:19 - 2017-06-03 10:05 - 00295424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\hnetcfg.dll
2017-06-14 00:19 - 2017-06-03 10:04 - 00773120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SearchIndexer.exe
2017-06-14 00:19 - 2017-06-03 10:03 - 01988096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mssrch.dll
2017-06-14 00:19 - 2016-09-07 05:53 - 00118272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AppointmentActivation.dll
2017-06-14 00:18 - 2017-06-03 11:11 - 01706488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2017-06-14 00:18 - 2017-06-03 10:48 - 00857952 _____ (Microsoft Corporation) C:\Windows\system32\NetSetupEngine.dll
2017-06-14 00:18 - 2017-06-03 10:39 - 02532192 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2017-06-14 00:18 - 2017-06-03 10:16 - 00119808 _____ (Microsoft Corporation) C:\Windows\system32\UserDataTimeUtil.dll
2017-06-14 00:18 - 2017-06-03 10:14 - 00124416 _____ (Microsoft Corporation) C:\Windows\system32\mssprxy.dll
2017-06-14 00:18 - 2017-06-03 10:07 - 00552960 _____ (Microsoft Corporation) C:\Windows\system32\MusUpdateHandlers.dll
2017-06-14 00:18 - 2017-06-03 09:54 - 01217024 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Media.Audio.dll
2017-06-14 00:18 - 2017-06-03 09:52 - 03403264 _____ (Microsoft Corporation) C:\Windows\system32\tquery.dll
2017-06-14 00:18 - 2017-06-03 09:50 - 02538496 _____ (Microsoft Corporation) C:\Windows\system32\mssrch.dll
2017-06-14 00:18 - 2017-06-03 09:49 - 00903680 _____ (Microsoft Corporation) C:\Windows\system32\SearchIndexer.exe
2017-06-14 00:18 - 2017-06-03 09:48 - 00391168 _____ (Microsoft Corporation) C:\Windows\system32\wuuhext.dll
2017-06-14 00:18 - 2017-05-25 06:56 - 00038752 _____ (Microsoft Corporation) C:\Windows\system32\OOBEUpdater.exe
2017-06-14 00:17 - 2017-06-03 11:09 - 02213760 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2017-06-14 00:17 - 2017-06-03 10:59 - 01181024 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ndis.sys
2017-06-14 00:17 - 2017-06-03 10:59 - 00118112 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys
2017-06-14 00:17 - 2017-06-03 10:48 - 00148832 _____ (Microsoft Corporation) C:\Windows\system32\NetSetupApi.dll
2017-06-14 00:17 - 2017-06-03 10:45 - 22220864 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2017-06-14 00:17 - 2017-06-03 10:15 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\musdialoghandlers.dll
2017-06-14 00:17 - 2017-06-03 10:14 - 00238592 _____ (Microsoft Corporation) C:\Windows\system32\MusNotification.exe
2017-06-14 00:17 - 2017-06-03 10:14 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\MusNotificationUx.exe
2017-06-14 00:17 - 2017-06-03 10:07 - 00456192 _____ (Microsoft Corporation) C:\Windows\system32\puiobj.dll
2017-06-14 00:17 - 2017-06-03 09:51 - 00266752 _____ (Microsoft Corporation) C:\Windows\system32\NetSetupSvc.dll
2017-06-14 00:17 - 2017-06-03 09:48 - 01131008 _____ (Microsoft Corporation) C:\Windows\system32\localspl.dll
2017-06-14 00:17 - 2017-06-03 09:48 - 00834048 _____ (Microsoft Corporation) C:\Windows\system32\win32spl.dll
2017-06-14 00:17 - 2017-03-04 07:16 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\wpninprc.dll
2017-06-14 00:16 - 2017-06-03 10:15 - 18364928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\edgehtml.dll
2017-06-14 00:16 - 2017-06-03 10:09 - 00441344 _____ (Microsoft Corporation) C:\Windows\system32\netcorehc.dll
2017-06-14 00:16 - 2017-03-04 07:22 - 00822784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Chakradiag.dll
2017-06-14 00:16 - 2017-03-04 07:19 - 00635904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2017-06-14 00:15 - 2017-06-03 10:51 - 00402272 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgmms1.sys
2017-06-14 00:15 - 2017-06-03 10:23 - 00306688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieproxy.dll
2017-06-14 00:15 - 2017-06-03 10:15 - 19414016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2017-06-14 00:15 - 2017-06-03 10:08 - 12187648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2017-06-14 00:15 - 2017-06-03 10:08 - 00691200 _____ (Microsoft Corporation) C:\Windows\system32\ieproxy.dll
2017-06-14 00:15 - 2017-06-03 10:06 - 03664384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2017-06-14 00:15 - 2017-06-03 10:04 - 06042624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Chakra.dll
2017-06-14 00:15 - 2017-06-03 10:00 - 23677440 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2017-06-14 00:15 - 2017-06-03 09:56 - 13091840 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2017-06-14 00:15 - 2017-06-03 09:53 - 08125440 _____ (Microsoft Corporation) C:\Windows\system32\Chakra.dll
2017-06-14 00:15 - 2017-06-03 09:50 - 04744704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2017-06-14 00:15 - 2017-06-03 09:49 - 01845248 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2017-06-14 00:15 - 2017-06-03 09:49 - 01513472 _____ (Microsoft Corporation) C:\Windows\system32\win32kbase.sys
2017-06-14 00:14 - 2017-06-03 11:08 - 07783256 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2017-06-14 00:14 - 2017-06-03 11:01 - 02681200 _____ C:\Windows\system32\CoreUIComponents.dll
2017-06-14 00:14 - 2017-06-03 10:53 - 00404824 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2017-06-14 00:14 - 2017-06-03 10:51 - 02187104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2017-06-14 00:14 - 2017-06-03 10:48 - 01112416 _____ (Microsoft Corporation) C:\Windows\system32\AppxPackaging.dll
2017-06-14 00:14 - 2017-06-03 10:18 - 22569984 _____ (Microsoft Corporation) C:\Windows\system32\edgehtml.dll
2017-06-14 00:14 - 2017-06-03 10:11 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\cloudAP.dll
2017-06-14 00:14 - 2017-06-03 10:10 - 00418304 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.BlockedShutdown.dll
2017-06-14 00:14 - 2017-06-03 10:09 - 00337408 _____ (Microsoft Corporation) C:\Windows\system32\NetworkBindingEngineMigPlugin.dll
2017-06-14 00:14 - 2017-06-03 10:03 - 00932864 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2017-06-14 00:14 - 2017-06-03 10:01 - 00856064 _____ (Microsoft Corporation) C:\Windows\system32\efscore.dll
2017-06-14 00:14 - 2017-06-03 09:52 - 00975872 _____ (Microsoft Corporation) C:\Windows\HelpPane.exe
2017-06-14 00:14 - 2017-06-03 09:49 - 02691072 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.Logon.dll
2017-06-14 00:14 - 2017-06-03 09:49 - 02475520 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2017-06-14 00:14 - 2017-06-03 09:46 - 01121280 _____ (Microsoft Corporation) C:\Windows\system32\aadtb.dll
2017-06-14 00:13 - 2017-06-03 11:14 - 00379232 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2017-06-14 00:13 - 2017-06-03 10:59 - 00764392 _____ (Microsoft Corporation) C:\Windows\system32\CoreMessaging.dll
2017-06-14 00:13 - 2017-06-03 10:44 - 01600624 _____ (Microsoft Corporation) C:\Windows\system32\sppobjs.dll
2017-06-14 00:13 - 2017-06-03 10:40 - 01566552 _____ (Microsoft Corporation) C:\Windows\system32\gdi32full.dll
2017-06-14 00:13 - 2017-06-03 10:40 - 00628552 _____ (Microsoft Corporation) C:\Windows\system32\fontdrvhost.exe
2017-06-14 00:13 - 2017-06-03 10:22 - 07217152 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Data.Pdf.dll
2017-06-14 00:13 - 2017-06-03 10:08 - 00324608 _____ (Microsoft Corporation) C:\Windows\system32\Windows.ApplicationModel.LockScreen.dll
2017-06-14 00:13 - 2017-06-03 09:52 - 02510848 _____ (Microsoft Corporation) C:\Windows\system32\NetworkMobileSettings.dll
2017-06-14 00:13 - 2017-06-03 09:52 - 00886784 _____ (Microsoft Corporation) C:\Windows\system32\CPFilters.dll
2017-06-14 00:13 - 2017-06-03 09:49 - 03615744 _____ (Microsoft Corporation) C:\Windows\system32\win32kfull.sys
2017-06-14 00:13 - 2017-06-03 09:49 - 02318848 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2017-06-14 00:13 - 2017-06-03 09:49 - 00351744 _____ (Microsoft Corporation) C:\Windows\system32\hnetcfg.dll
2017-06-14 00:13 - 2017-06-03 09:48 - 01490432 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2017-06-14 00:12 - 2017-06-03 11:50 - 00192856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aepic.dll
2017-06-14 00:12 - 2017-06-03 11:14 - 01564512 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2017-06-14 00:12 - 2017-06-03 11:14 - 01214816 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2017-06-14 00:12 - 2017-06-03 11:14 - 00629088 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2017-06-14 00:12 - 2017-06-03 11:14 - 00544096 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2017-06-14 00:12 - 2017-06-03 11:14 - 00335712 _____ (Microsoft Corporation) C:\Windows\system32\dcntel.dll
2017-06-14 00:12 - 2017-06-03 11:14 - 00334176 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2017-06-14 00:12 - 2017-06-03 11:14 - 00233824 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2017-06-14 00:12 - 2017-06-03 11:14 - 00136032 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2017-06-14 00:12 - 2017-06-03 11:14 - 00136024 _____ (Microsoft Corporation) C:\Windows\system32\ImplatSetup.dll
2017-06-14 00:12 - 2017-06-03 11:14 - 00096608 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2017-06-14 00:12 - 2017-06-03 11:14 - 00034648 _____ (Microsoft Corporation) C:\Windows\system32\DeviceCensus.exe
2017-06-14 00:12 - 2017-06-03 11:11 - 00128864 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tm.sys
2017-06-14 00:12 - 2017-06-03 10:49 - 00624048 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2017-06-14 00:12 - 2017-06-03 10:49 - 00509280 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys
2017-06-14 00:12 - 2017-06-03 10:48 - 01100128 _____ (Microsoft Corporation) C:\Windows\system32\hvix64.exe
2017-06-14 00:12 - 2017-06-03 10:48 - 00989024 _____ (Microsoft Corporation) C:\Windows\system32\hvax64.exe
2017-06-14 00:12 - 2017-06-03 10:39 - 00455520 _____ (Microsoft Corporation) C:\Windows\system32\securekernel.exe
2017-06-14 00:12 - 2017-06-03 10:16 - 00002560 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2017-06-14 00:12 - 2017-06-03 10:14 - 00045056 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2017-06-14 00:12 - 2017-06-03 10:10 - 00252928 _____ (Microsoft Corporation) C:\Windows\system32\edputil.dll
2017-06-14 00:12 - 2017-06-03 10:10 - 00117760 _____ (Microsoft Corporation) C:\Windows\system32\AuthBrokerUI.dll
2017-06-14 00:12 - 2017-06-03 10:09 - 00489472 _____ (Microsoft Corporation) C:\Windows\system32\NetSetupShim.dll
2017-06-14 00:12 - 2017-06-03 10:08 - 00147456 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2017-06-14 00:12 - 2017-06-03 10:07 - 00255488 _____ (Microsoft Corporation) C:\Windows\system32\HNetCfgClient.dll
2017-06-14 00:12 - 2017-06-03 10:06 - 00198144 _____ (Microsoft Corporation) C:\Windows\system32\dpapisrv.dll
2017-06-14 00:12 - 2017-06-03 09:58 - 00064512 _____ (Microsoft Corporation) C:\Windows\system32\fdProxy.dll
2017-06-14 00:12 - 2017-06-03 09:51 - 01418240 _____ (Microsoft Corporation) C:\Windows\system32\certutil.exe
2017-06-14 00:12 - 2017-06-03 07:08 - 00080078 _____ C:\Windows\system32\normidna.nls
2017-06-13 20:10 - 2017-06-13 20:10 - 00008435 _____ C:\Users\Richard\Downloads\v33i9l59w04y237sj39izi510tg76ng9up7s6am43.zip
2017-06-13 20:10 - 2017-06-13 20:10 - 00008435 _____ C:\Users\Richard\Downloads\v33i9l59w04y237sj39izi510tg76ng9up7s6am43 (1).zip
2017-06-13 15:11 - 2017-06-13 15:11 - 00494172 _____ C:\Windows\Minidump\061317-37984-01.dmp
2017-06-13 13:11 - 2017-06-13 13:12 - 00500052 _____ C:\Windows\Minidump\061317-40578-01.dmp
2017-06-13 03:45 - 2017-06-13 03:45 - 00769604 _____ C:\Windows\Minidump\061317-23765-01.dmp
2017-06-12 16:07 - 2017-06-12 16:07 - 00472028 _____ C:\Windows\Minidump\061217-22812-01.dmp
2017-06-11 21:36 - 2017-06-11 21:37 - 00548076 _____ C:\Windows\Minidump\061117-23281-01.dmp
2017-06-11 18:02 - 2017-06-11 18:02 - 00331072 _____ C:\Users\Richard\Downloads\DH2A1215.jpeg
2017-06-11 18:02 - 2017-06-11 18:02 - 00331072 _____ C:\Users\Richard\Downloads\DH2A1215 (2).jpeg
2017-06-11 18:02 - 2017-06-11 18:02 - 00331072 _____ C:\Users\Richard\Downloads\DH2A1215 (1).jpeg
2017-06-11 17:59 - 2017-06-11 17:59 - 00117434 _____ C:\Users\Richard\Downloads\DH2A1288.jpeg
2017-06-11 17:58 - 2017-06-11 17:58 - 00171591 _____ C:\Users\Richard\Downloads\DH2A1314.jpeg
2017-06-11 17:57 - 2017-06-11 17:57 - 00221543 _____ C:\Users\Richard\Downloads\DH2A1331.jpeg
2017-06-11 17:55 - 2017-06-11 17:55 - 00179575 _____ C:\Users\Richard\Downloads\DH2A1356.jpeg
2017-06-11 17:55 - 2017-06-11 17:55 - 00179575 _____ C:\Users\Richard\Downloads\DH2A1356 (2).jpeg
2017-06-11 17:55 - 2017-06-11 17:55 - 00179575 _____ C:\Users\Richard\Downloads\DH2A1356 (1).jpeg
2017-06-11 17:54 - 2017-06-11 17:54 - 00168530 _____ C:\Users\Richard\Downloads\DH2A1369.jpeg
2017-06-10 20:37 - 2017-06-10 20:37 - 00492396 _____ C:\Windows\Minidump\061017-19750-01.dmp
2017-06-10 18:21 - 2017-06-10 18:21 - 00526868 _____ C:\Windows\Minidump\061017-23296-01.dmp
2017-06-10 16:16 - 2017-06-10 16:16 - 00494540 _____ C:\Windows\Minidump\061017-21687-01.dmp
2017-06-09 13:17 - 2017-06-09 13:22 - 566378439 _____ C:\Users\Richard\Downloads\wetransfer-02da57 (1).zip
2017-06-09 12:08 - 2017-06-09 12:13 - 566378439 _____ C:\Users\Richard\Downloads\wetransfer-02da57.zip
2017-06-09 11:43 - 2017-06-09 11:47 - 545438973 _____ C:\Users\Richard\Downloads\Frank Turba - Frank Turba  (3).zip
2017-06-09 10:42 - 2017-06-09 10:46 - 545438973 _____ C:\Users\Richard\Downloads\Frank Turba - Frank Turba  (2).zip
2017-06-09 10:33 - 2017-06-09 10:38 - 545438973 _____ C:\Users\Richard\Downloads\Frank Turba - Frank Turba  (1).zip
2017-06-09 10:27 - 2017-06-09 10:31 - 545438973 _____ C:\Users\Richard\Downloads\Frank Turba - Frank Turba .zip
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-07-04 19:13 - 2017-03-18 01:07 - 00005596 _____ C:\Windows\system32\PerfStringBackup.INI
2017-07-04 19:09 - 2017-03-18 08:48 - 00000000 ____D C:\Windows\system32\SleepStudy
2017-07-03 22:33 - 2017-03-18 01:58 - 00000000 ____D C:\Users\Richard\AppData\Local\ClassicShell
2017-07-01 12:33 - 2017-03-18 08:20 - 00000000 ____D C:\Windows\INF
2017-06-23 16:35 - 2017-03-18 08:48 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-06-23 16:35 - 2017-03-18 08:01 - 00524288 _____ C:\Windows\system32\config\BBI
2017-06-23 16:35 - 2017-03-18 01:05 - 00000000 ____D C:\Users\Richard
2017-06-23 15:14 - 2017-03-18 08:24 - 00000000 ____D C:\Windows\AppReadiness
2017-06-23 15:05 - 2017-03-23 00:24 - 449347787 _____ C:\Windows\MEMORY.DMP
2017-06-23 15:05 - 2017-03-23 00:24 - 00000000 ____D C:\Windows\Minidump
2017-06-23 13:46 - 2017-03-18 08:24 - 00000000 ___HD C:\Program Files\WindowsApps
2017-06-16 10:10 - 2017-03-18 08:24 - 00000000 ____D C:\Windows\rescache
2017-06-14 20:10 - 2017-03-24 11:24 - 00000000 ____D C:\Users\Richard\AppData\Roaming\vlc
2017-06-14 11:45 - 2017-03-18 08:47 - 00357931 ____N C:\Windows\Minidump\061417-39515-01.dmp
2017-06-14 04:13 - 2017-03-18 01:06 - 00000000 __RHD C:\Users\Public\AccountPictures
2017-06-14 04:06 - 2017-03-18 08:47 - 00194192 _____ C:\Windows\system32\FNTCACHE.DAT
2017-06-14 03:58 - 2017-03-18 08:24 - 00000000 ___RD C:\Windows\ImmersiveControlPanel
2017-06-14 03:58 - 2017-03-18 08:24 - 00000000 ____D C:\Windows\system32\appraiser
2017-06-14 03:58 - 2017-03-18 08:24 - 00000000 ____D C:\Windows\ShellExperiences
2017-06-14 01:08 - 2017-03-18 08:03 - 00000000 ____D C:\Windows\CbsTemp
2017-06-13 21:33 - 2017-03-18 01:17 - 00003294 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task v2
2017-06-13 21:33 - 2017-03-18 01:12 - 00002376 _____ C:\Users\Richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-06-13 21:33 - 2017-03-18 01:12 - 00000000 ___RD C:\Users\Richard\OneDrive
2017-06-13 19:57 - 2017-03-18 12:50 - 00000000 ____D C:\Windows\system32\MRT
2017-06-13 19:53 - 2017-03-18 12:50 - 133627792 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-06-13 18:50 - 2017-03-18 01:27 - 00000000 ____D C:\Users\Richard\AppData\Local\Comms
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-06-14 11:24
 
==================== End of FRST.txt ============================
 
Additions LOG
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 03-07-2017 01
Ran by Administrator (04-07-2017 19:22:46)
Running from D:\
Windows 10 Home Version 1607 (X64) (2017-03-18 00:02:17)
Boot Mode: Safe Mode (minimal)
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-3720240877-411679040-2386219677-500 - Administrator - Enabled) => C:\Users\Administrator
DefaultAccount (S-1-5-21-3720240877-411679040-2386219677-503 - Limited - Disabled)
defaultuser0 (S-1-5-21-3720240877-411679040-2386219677-1000 - Limited - Disabled) => C:\Users\defaultuser0
Guest (S-1-5-21-3720240877-411679040-2386219677-501 - Limited - Disabled)
Richard (S-1-5-21-3720240877-411679040-2386219677-1001 - Administrator - Enabled) => C:\Users\Richard
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 17.009.20044 - Adobe Systems Incorporated)
Citrix Online Launcher (HKLM-x32\...\{97C200CA-BF24-41B9-B111-A7E47F8FD57E}) (Version: 1.0.456 - Citrix)
Classic Shell (HKLM\...\{383BB30A-B4A7-4666-9A83-22CFA8640097}) (Version: 4.3.0 - IvoSoft)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 58.0.3029.110 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
GoToAssist Customer 3.1.0.1251 (HKLM-x32\...\GoToAssist Express Customer) (Version: 3.1.0.1251 - Citrix Online)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2016-07-30] (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll [2016-07-30] (IvoSoft)
ContextMenuHandlers06: [StartMenuExt] -> {E595F05F-903F-4318-8B0A-7F633B520D2B} => C:\Windows\system32\StartMenuHelper64.dll [2016-07-30] (IvoSoft)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {87C5791E-44EF-4D41-90AE-0032D27A84CB} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-04-25] (Adobe Systems Incorporated)
Task: {886C7D63-90D7-4982-B4C4-22C027503764} - System32\Tasks\OneDrive Standalone Update Task v2 => C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
Task: {B38D22D9-ADA2-439B-886C-FB75014D55EE} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-03-18] (Google Inc.)
Task: {B6026B27-38D4-4B1C-AC23-8C68D6D8BCEC} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-03-18] (Google Inc.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job => C:\Windows\explorer.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-07-16 12:42 - 2016-07-16 12:42 - 00231424 _____ () C:\Windows\SYSTEM32\ism32k.dll
2017-06-14 00:14 - 2017-06-03 11:01 - 02681200 _____ () C:\Windows\system32\CoreUIComponents.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="1"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "UseAlternateShell"="1"
ce"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist Remote Support Customer => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2017-03-18 08:24 - 2017-03-18 08:18 - 00000824 _____ C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3720240877-411679040-2386219677-500\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Windows\img0.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [TCP Query User{5390359A-A460-49B0-9EB8-FF22D778E5E1}C:\program files (x86)\videolan\vlc\vlc.exe] => (Block) C:\program files (x86)\videolan\vlc\vlc.exe
FirewallRules: [UDP Query User{9AA13095-B3D5-443E-A8E4-7376E3F1C05F}C:\program files (x86)\videolan\vlc\vlc.exe] => (Block) C:\program files (x86)\videolan\vlc\vlc.exe
FirewallRules: [{9700BCF7-CA06-4B5E-BEE2-938B05FEF2EB}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (07/04/2017 09:20:21 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 512) (User: )
Description: The Cryptographic Services service failed to initialize the VSS backup "System Writer" object.
 
Details:
Could not query the status of the EventSystem service.
 
System Error:
A system shutdown is in progress.
.
 
Error: (07/03/2017 10:35:23 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-NGSHFDV)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2147023174 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (07/03/2017 10:35:23 PM) (Source: Microsoft-Windows-AppModel-State) (EventID: 10) (User: DESKTOP-NGSHFDV)
Description: Microsoft.Windows.Cortana_cw5n1h2txyewy5
 
Error: (07/03/2017 10:35:21 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-NGSHFDV)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2147023170 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (07/03/2017 10:35:21 PM) (Source: Microsoft-Windows-AppModel-State) (EventID: 10) (User: DESKTOP-NGSHFDV)
Description: Microsoft.Windows.Cortana_cw5n1h2txyewy5
 
Error: (07/03/2017 10:35:18 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-NGSHFDV)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2147023170 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (07/03/2017 10:35:18 PM) (Source: Microsoft-Windows-AppModel-State) (EventID: 10) (User: DESKTOP-NGSHFDV)
Description: Microsoft.Windows.Cortana_cw5n1h2txyewy5
 
Error: (07/03/2017 10:35:16 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-NGSHFDV)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2147023170 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (07/03/2017 10:35:15 PM) (Source: Microsoft-Windows-AppModel-State) (EventID: 10) (User: DESKTOP-NGSHFDV)
Description: Microsoft.Windows.Cortana_cw5n1h2txyewy5
 
Error: (07/03/2017 10:35:15 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-NGSHFDV)
Description: Activation of app Microsoft.Getstarted_5.10.1441.0_x64__8wekyb3d8bbwe:App.AppX7mv0s3r0wanj0n66dy6vax24ps6avzvz.mca failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
 
System errors:
=============
Error: (07/04/2017 07:22:59 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service EventSystem with arguments "Unavailable" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
 
Error: (07/04/2017 07:19:30 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1068" attempting to start the service netprofm with arguments "Unavailable" in order to run the server:
{A47979D2-C419-11D9-A5B4-001185AD2B89}
 
Error: (07/04/2017 07:19:30 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
The dependency service or group failed to start.
 
Error: (07/04/2017 07:19:30 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network Location Awareness service depends on the DHCP Client service which failed to start because of the following error: 
The dependency service or group failed to start.
 
Error: (07/04/2017 07:19:29 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1068" attempting to start the service netprofm with arguments "Unavailable" in order to run the server:
{A47979D2-C419-11D9-A5B4-001185AD2B89}
 
Error: (07/04/2017 07:19:29 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
The dependency service or group failed to start.
 
Error: (07/04/2017 07:19:29 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network Location Awareness service depends on the DHCP Client service which failed to start because of the following error: 
The dependency service or group failed to start.
 
Error: (07/04/2017 07:19:29 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service wuauserv with arguments "Unavailable" in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
Error: (07/04/2017 07:19:29 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service wuauserv with arguments "Unavailable" in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
Error: (07/04/2017 07:19:29 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1068" attempting to start the service netprofm with arguments "Unavailable" in order to run the server:
{A47979D2-C419-11D9-A5B4-001185AD2B89}
 
 
CodeIntegrity:
===================================
  Date: 2017-06-23 15:16:00.122
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\aepic.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-06-23 15:16:00.096
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sfc_os.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-06-23 15:15:59.997
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\aepic.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-06-23 13:36:42.844
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\aepic.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-06-23 13:36:42.794
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sfc_os.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-06-23 13:36:42.738
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\aepic.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-06-23 09:37:14.731
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\aepic.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-06-23 09:37:14.705
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sfc_os.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-06-23 09:37:14.630
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\aepic.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-06-22 18:07:22.732
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\aepic.dll because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: Celeron® Dual-Core CPU T3500 @ 2.10GHz
Percentage of memory in use: 17%
Total physical RAM: 3037.17 MB
Available physical RAM: 2518.51 MB
Total Virtual: 6109.17 MB
Available Virtual: 5646.31 MB
 
==================== Drives ================================
 
Drive c: (Windows) (Fixed) (Total:297.55 GB) (Free:265.71 GB) NTFS
Drive d: () (Removable) (Total:14.52 GB) (Free:1.89 GB) FAT32
Drive e: (Windows RE tools) (Fixed) (Total:0.44 GB) (Free:0.13 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: B2ED8A6B)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=297.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=450 MB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 14.5 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
==================== End of Addition.txt ============================


#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,584 posts
  • Gender:Male
  • Location:California
  • Local time:04:22 AM

Posted 04 July 2017 - 02:16 PM

I should have something for you when you return.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#15 rhcomp

rhcomp
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Male
  • Location:Devon, UK
  • Local time:12:22 PM

Posted 04 July 2017 - 02:29 PM

Thanks Gary... 
