
How do i remove unnamed service with high cpu usage Malware


  • This topic is locked
23 replies to this topic

#1 Ahmedbeeh (Members, 17 posts, Egypt)

Posted 04 July 2017 - 03:01 AM

Hello folks,

I unfortunately downloaded some Russian software and it installed a lot of things on my computer, one of them being explorer.exe with high CPU usage.

What I have noticed till now:

  • High CPU usage from explorer and many services after I installed the thing; also some unnamed services in Task Manager, and when I click "open location" it directs me to explorer.exe.
  • A fake Chromium install in the Roaming/Local folders on the C drive with a lot of Python files etc.
  • Many randomly named folders and files are created in the Roaming and Temp folders and show CPU usage in Task Manager. (I tried deleting the files, but something regenerates them even when offline.)
  • Some of the text on the Explorer ribbon and tabs is missing.
  • A Russian website pops up on startup; it's called furyery.ru.

I can follow any procedure provided while offline on the infected laptop, and I can download anything from an Android/Linux device and copy it to the infected laptop via USB.

I ran FRST; the logs are attached.

 

 

Just a note: after I woke up, when I opened the laptop I couldn't find many of the services in the task bar like explorer.exe or others, just an unnamed service with high usage.

Attached Files


Edited by Ahmedbeeh, 04 July 2017 - 03:39 AM.



 


#2 JSntgRvr (Master Surgeon General, Malware Response Team, 11,590 posts, Puerto Rico)

Posted 04 July 2017 - 09:16 AM

Welcome. :)

  • Highlight the entire content of the quote box below.

Start::  
HKU\S-1-5-21-1836712891-4191174927-1607608965-1001\...\Run: [pflzhgawdr] => explorer "hxxp://furyery.ru/?utm_source=uoua03&utm_content=5c960e458ac6158314c6529e8f71f655&utm_term=423D1D0DAADC9F0BE53FAD55D4009F80&utm_d=20170703" <==== ATTENTION
GroupPolicy: Restriction <==== ATTENTION
R2 SvcHost Service Host; C:\Windows\Microsoft\svchost.exe [0 ] () <==== ATTENTION (zero byte File/Folder)
Advanced Calendar 2.0.0.1000176 (HKLM\...\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}) (Version: 2.0.0.1000176 - MEIXIAN XIE) <==== ATTENTION
Task: {5A7DFB74-8C61-4F39-B59E-14EBE3958D8C} - System32\Tasks\unityp => C:\Users\ahmed\AppData\Local\unityp\unityp.exe [2017-07-03] () <==== ATTENTION
Task: {7099BAF8-D3D9-4332-B195-2E133F77803A} - System32\Tasks\setupsk => C:\Users\ahmed\AppData\Roaming\setupsk\python\pythonw.exe <==== ATTENTION
Task: {7456CB8F-0A86-4CE1-BE47-1F2191FA52D3} - System32\Tasks\setupsk_upd => C:\Users\ahmed\AppData\Roaming\SETUPS~1\python\pythonw.exe <==== ATTENTION
Task: {8CF8C988-C928-4C2C-9F38-63231C7F5CA8} - System32\Tasks\ifgker => C:\Users\ahmed\AppData\Local\ifgker\ifgker.exe [2017-07-03] () <==== ATTENTION
C:\Users\ahmed\AppData\Local\ifgker
ShellIconOverlayIdentifiers: [TortoiseOverlay] -> {CBF88FC2-F150-4F29-BC80-CE30EFD1B62C} => C:\Users\ahmed\AppData\Roaming\Tortoise\TortoiseOverlay.dll -> No File
ContextMenuHandlers01: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
ContextMenuHandlers05: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers06: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\2megfyDQwE0I.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\3MzBfxDA1EAs.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\7JZtLCDO2EK7.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\7lb6lEMoOcE4.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\8yhLbUQpqbQS.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\ADTRRQs9VyPv.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\aNqPdP10sbFz.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\blXNLbMwH0Dp.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\cFEBF9lQmX5a.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\d7QOLgxFWg6N.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\DYHZJ8Lqmfow.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\EU9jAw7oQKX6.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\flpvaFjASct5.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\hhsy6N2ko388.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\IpbXCG9JoY8Y.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\jUBTY5m84Ewk.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\K3nBba9Y8lM7.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\K5gloEcg8PpW.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\kNBHd0KTLdYA.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\mjwTLd4XocAK.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\NG5qtV7b4Xz0.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\pYd1vUUSUdPn.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\RiDsX3QVNqD2.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\SvixFvKYExEF.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\TfLX4Hlpoby9.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\TTVgcEGrhgHO.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\vU6Hg1ksEFKS.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\wTfhT1jJCNHA.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\xv8Ld1dzUO6a.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\ZMkwC2tLRogS.exe
C:\Windows\Microsoft\svchost.exe
R2 SvcHost Service Host; C:\Windows\Microsoft\svchost.exe [0 ] () <==== ATTENTION (zero byte File/Folder)
U3 BthHFSrv; C:\WINDOWS\System32\svchost.exe [47664 2017-03-18] (Microsoft Corporation)
U3 BthHFSrv; C:\WINDOWS\SysWOW64\svchost.exe [40904 2017-03-18] (Microsoft Corporation)
C:\Windows\Microsoft\svchost.exe
HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

Please download Junkware Removal Tool to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

Download AdwCleaner from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8/10 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:

[screenshot: AdwCleaner console]


  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done it will ask to reboot; allow this.

[screenshot: AdwCleaner restart prompt]


  • On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

 


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Ahmedbeeh (Topic Starter)

Posted 04 July 2017 - 10:56 AM

Thank you for your amazing effort helping me.
First, the contents of Fixlog.txt from FRST:

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 03-07-2017 01

Ran by ahmed (04-07-2017 15:16:15) Run:2
Running from C:\Users\ahmed\Desktop
Loaded Profiles: ahmed (Available Profiles: ahmed)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
  
HKU\S-1-5-21-1836712891-4191174927-1607608965-1001\...\Run: [pflzhgawdr] => explorer "hxxp://furyery.ru/?utm_source=uoua03&utm_content=5c960e458ac6158314c6529e8f71f655&utm_term=423D1D0DAADC9F0BE53FAD55D4009F80&utm_d=20170703" <==== ATTENTION
GroupPolicy: Restriction <==== ATTENTION
R2 SvcHost Service Host; C:\Windows\Microsoft\svchost.exe [0 ] () <==== ATTENTION (zero byte File/Folder)
Advanced Calendar 2.0.0.1000176 (HKLM\...\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}) (Version: 2.0.0.1000176 - MEIXIAN XIE) <==== ATTENTION
Task: {5A7DFB74-8C61-4F39-B59E-14EBE3958D8C} - System32\Tasks\unityp => C:\Users\ahmed\AppData\Local\unityp\unityp.exe [2017-07-03] () <==== ATTENTION
Task: {7099BAF8-D3D9-4332-B195-2E133F77803A} - System32\Tasks\setupsk => C:\Users\ahmed\AppData\Roaming\setupsk\python\pythonw.exe <==== ATTENTION
Task: {7456CB8F-0A86-4CE1-BE47-1F2191FA52D3} - System32\Tasks\setupsk_upd => C:\Users\ahmed\AppData\Roaming\SETUPS~1\python\pythonw.exe <==== ATTENTION
Task: {8CF8C988-C928-4C2C-9F38-63231C7F5CA8} - System32\Tasks\ifgker => C:\Users\ahmed\AppData\Local\ifgker\ifgker.exe [2017-07-03] () <==== ATTENTION
C:\Users\ahmed\AppData\Local\ifgker
ShellIconOverlayIdentifiers: [TortoiseOverlay] -> {CBF88FC2-F150-4F29-BC80-CE30EFD1B62C} => C:\Users\ahmed\AppData\Roaming\Tortoise\TortoiseOverlay.dll -> No File
ContextMenuHandlers01: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
ContextMenuHandlers05: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers06: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\2megfyDQwE0I.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\3MzBfxDA1EAs.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\7JZtLCDO2EK7.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\7lb6lEMoOcE4.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\8yhLbUQpqbQS.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\ADTRRQs9VyPv.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\aNqPdP10sbFz.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\blXNLbMwH0Dp.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\cFEBF9lQmX5a.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\d7QOLgxFWg6N.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\DYHZJ8Lqmfow.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\EU9jAw7oQKX6.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\flpvaFjASct5.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\hhsy6N2ko388.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\IpbXCG9JoY8Y.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\jUBTY5m84Ewk.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\K3nBba9Y8lM7.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\K5gloEcg8PpW.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\kNBHd0KTLdYA.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\mjwTLd4XocAK.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\NG5qtV7b4Xz0.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\pYd1vUUSUdPn.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\RiDsX3QVNqD2.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\SvixFvKYExEF.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\TfLX4Hlpoby9.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\TTVgcEGrhgHO.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\vU6Hg1ksEFKS.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\wTfhT1jJCNHA.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\xv8Ld1dzUO6a.exe
2017-07-03 23:41 - 2017-07-03 23:41 - 0000000 _____ () C:\Users\ahmed\AppData\Local\Temp\ZMkwC2tLRogS.exe
C:\Windows\Microsoft\svchost.exe
R2 SvcHost Service Host; C:\Windows\Microsoft\svchost.exe [0 ] () <==== ATTENTION (zero byte File/Folder)
U3 BthHFSrv; C:\WINDOWS\System32\svchost.exe [47664 2017-03-18] (Microsoft Corporation)
U3 BthHFSrv; C:\WINDOWS\SysWOW64\svchost.exe [40904 2017-03-18] (Microsoft Corporation)
C:\Windows\Microsoft\svchost.exe
HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
 
*****************
 
HKU\S-1-5-21-1836712891-4191174927-1607608965-1001\Software\Microsoft\Windows\CurrentVersion\Run\\pflzhgawdr => value not found.
"C:\WINDOWS\system32\GroupPolicy\Machine" => not found.
SvcHost Service Host => service not found.
Advanced Calendar 2.0.0.1000176 (HKLM\...\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}) (Version: 2.0.0.1000176 - MEIXIAN XIE) <==== ATTENTION => Error: No automatic fix found for this entry.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5A7DFB74-8C61-4F39-B59E-14EBE3958D8C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5A7DFB74-8C61-4F39-B59E-14EBE3958D8C} => key removed successfully
C:\WINDOWS\System32\Tasks\unityp => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\unityp => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{7099BAF8-D3D9-4332-B195-2E133F77803A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7099BAF8-D3D9-4332-B195-2E133F77803A} => key removed successfully
C:\WINDOWS\System32\Tasks\setupsk => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\setupsk => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{7456CB8F-0A86-4CE1-BE47-1F2191FA52D3} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7456CB8F-0A86-4CE1-BE47-1F2191FA52D3} => key removed successfully
C:\WINDOWS\System32\Tasks\setupsk_upd => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\setupsk_upd => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8CF8C988-C928-4C2C-9F38-63231C7F5CA8} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8CF8C988-C928-4C2C-9F38-63231C7F5CA8} => key removed successfully
C:\WINDOWS\System32\Tasks\ifgker => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ifgker => key removed successfully
C:\Users\ahmed\AppData\Local\ifgker => moved successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\TortoiseOverlay => key removed successfully
HKLM\Software\Classes\CLSID\{CBF88FC2-F150-4F29-BC80-CE30EFD1B62C} => key removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\WinRAR32 => key removed successfully
HKLM\Software\Classes\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA} => key not found. 
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => key removed successfully
HKLM\Software\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => key not found. 
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR32 => key removed successfully
HKLM\Software\Classes\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA} => key not found. 
C:\Users\ahmed\AppData\Local\Temp\2megfyDQwE0I.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\3MzBfxDA1EAs.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\7JZtLCDO2EK7.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\7lb6lEMoOcE4.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\8yhLbUQpqbQS.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\ADTRRQs9VyPv.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\aNqPdP10sbFz.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\blXNLbMwH0Dp.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\cFEBF9lQmX5a.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\d7QOLgxFWg6N.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\DYHZJ8Lqmfow.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\EU9jAw7oQKX6.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\flpvaFjASct5.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\hhsy6N2ko388.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\IpbXCG9JoY8Y.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\jUBTY5m84Ewk.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\K3nBba9Y8lM7.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\K5gloEcg8PpW.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\kNBHd0KTLdYA.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\mjwTLd4XocAK.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\NG5qtV7b4Xz0.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\pYd1vUUSUdPn.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\RiDsX3QVNqD2.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\SvixFvKYExEF.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\TfLX4Hlpoby9.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\TTVgcEGrhgHO.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\vU6Hg1ksEFKS.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\wTfhT1jJCNHA.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\xv8Ld1dzUO6a.exe => moved successfully
C:\Users\ahmed\AppData\Local\Temp\ZMkwC2tLRogS.exe => moved successfully
Could not move "C:\Windows\Microsoft\svchost.exe" => Scheduled to move on reboot.
SvcHost Service Host => service not found.
HKLM\System\CurrentControlSet\Services\BthHFSrv => key removed successfully
BthHFSrv => service removed successfully
BthHFSrv => service not found.
Could not move "C:\Windows\Microsoft\svchost.exe" => Scheduled to move on reboot.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
 
========= RemoveProxy: =========
 
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-1836712891-4191174927-1607608965-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-1836712891-4191174927-1607608965-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
 
 
========= End of RemoveProxy: =========
 
 
========= netsh advfirewall reset =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= netsh advfirewall set allprofiles state ON =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
========= netsh winsock reset catalog =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
========= netsh int ip reset C:\resettcpip.txt =========
 
Resetting Compartment Forwarding, OK!
Resetting Compartment, OK!
Resetting Control Protocol, OK!
Resetting Echo Sequence Request, OK!
Resetting Global, OK!
Resetting Interface, OK!
Resetting Anycast Address, OK!
Resetting Multicast Address, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Potential, OK!
Resetting Prefix Policy, OK!
Resetting Proxy Neighbor, OK!
Resetting Route, OK!
Resetting Site Prefix, OK!
Resetting Subinterface, OK!
Resetting Wakeup Pattern, OK!
Resetting Resolve Neighbor, OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
========= FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i" =========
 
Failed to clear log AirSpaceChannel. The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation.
Failed to clear log Microsoft-Windows-LiveId/Analytic. Access is denied.
Failed to clear log Microsoft-Windows-LiveId/Operational. Access is denied.
Failed to clear log Microsoft-Windows-USBVideo/Analytic. The instance name passed was not recognized as valid by a WMI data provider.
 
========= End of CMD: =========
 
 
========= Bitsadmin /Reset /Allusers =========
 
 
BITSADMIN version 3.0
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
0 out of 0 jobs canceled.
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 9199616 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 39456962 B
Java, Flash, Steam htmlcache => 28656408 B
Windows/system/drivers => 2157548 B
Edge => 13043554 B
Chrome => 315161885 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 26426 B
ahmed => 24827084 B
 
RecycleBin => 2436192 B
EmptyTemp: => 414.8 MB temporary data Removed.
 
================================
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 04-07-2017 15:19:59)
 
C:\Windows\Microsoft\svchost.exe => Is moved successfully
C:\Windows\Microsoft\svchost.exe => Is moved successfully
 
==== End of Fixlog 15:19:59 ====

 

The contents of JRT.txt:

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 10 Pro x64 
Ran by ahmed (Administrator) on Tue 04/07/2017 at 15:22:59.71
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 3 
 
Failed to delete: C:\Program Files (x86)\calendartool (Folder) 
Successfully deleted: C:\Users\ahmed\AppData\Roaming\calendartool (Folder) 
Successfully deleted: C:\users\Public\Documents\guid (Folder) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 04/07/2017 at 15:26:04.51
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
The contents of AdwCleaner[C0].txt:
 

 

# AdwCleaner v6.047 - Logfile created 04/07/2017 at 17:40:51

# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-06-29.3 [Server]
# Operating System : Windows 10 Pro  (X64)
# Username : ahmed - AHMED-LP
# Running from : C:\Users\ahmed\Desktop\adwcleaner_6.047.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
[-] Service deleted: netfilter2
[-] Service deleted: TheCalendarService
 
 
***** [ Folders ] *****
 
[-] Folder deleted: C:\Program Files (x86)\CalendarTool
[-] Folder deleted: C:\WINDOWS\SysWOW64\config\systemprofile\AppData\Roaming\CalendarTool
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: HKU\S-1-5-21-1836712891-4191174927-1607608965-1001\Software\Microsoft\Gosearch
[-] Key deleted: HKU\S-1-5-21-1836712891-4191174927-1607608965-1001\Software\Microsoft\Gosearchq
[-] Key deleted: HKU\S-1-5-21-1836712891-4191174927-1607608965-1001\Software\MICROSOFT\KometaInstaller
[#] Key deleted on reboot: HKCU\Software\Microsoft\Gosearch
[#] Key deleted on reboot: HKCU\Software\Microsoft\Gosearchq
[#] Key deleted on reboot: HKCU\Software\MICROSOFT\KometaInstaller
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Gosearch
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Gosearchq
[#] Key deleted on reboot: [x64] HKCU\Software\MICROSOFT\KometaInstaller
[-] Key deleted: [x64] HKLM\SOFTWARE\CALENDARTOOL
[-] Key deleted: [x64] HKLM\SOFTWARE\DtsEncodeTools
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}
 
 
***** [ Web browsers ] *****
 
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [1870 Bytes] - [04/07/2017 17:40:51]
C:\AdwCleaner\AdwCleaner[S0].txt - [2049 Bytes] - [04/07/2017 17:40:10]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [2016 Bytes] ##########
 
 

 



#4 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 05 July 2017 - 08:20 PM

Sorry for the delay.

 

 One more scan:

Please download Malwarebytes to your desktop.

  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • Once the program has fully updated, Proceed with the Scan options and select "Threat Scan".
  • The Scan Pane is the introduction to scan-related options in the program. When you click Scan in the Menu Pane, you will see the screen shown below.

[screenshot: Malwarebytes scan options]


  • After a scan has been executed, scan results are displayed.
  • Put a checkmark on all detected and click on "Quarantine Selected"
  • Selected reports may be viewed on screen, or exported to a text file for later viewing. Please note that only manual (on demand) scans are available for users of the free version of Malwarebytes.

You may export to your clipboard or to a text (TXT) file. Export to a .txt file and post its contents.

 




#5 Ahmedbeeh (Topic Starter)

Posted 06 July 2017 - 04:50 AM

The report after rebooting:

 

 

Malwarebytes

www.malwarebytes.com
 
-Log Details-
Scan Date: 7/6/17
Scan Time: 11:33 AM
Log File: mbttd.txt
Administrator: Yes
 
-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.141
Update Package Version: 1.0.2301
License: Trial
 
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: AHMED-LP\ahmed
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 369188
Threats Detected: 6
Threats Quarantined: 6
Time Elapsed: 2 min, 28 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 1
PUP.Optional.StartPage, HKU\S-1-5-21-1836712891-4191174927-1607608965-1001\SOFTWARE\START PAGE, Quarantined, [60], [259290],1.0.2301
 
Registry Value: 1
PUP.Optional.StartPage, HKU\S-1-5-21-1836712891-4191174927-1607608965-1001\SOFTWARE\START PAGE|START PAGE, Quarantined, [60], [259290],1.0.2301
 
Registry Data: 1
PUP.Optional.StartPage.Generic, HKU\S-1-5-21-1836712891-4191174927-1607608965-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [625], [395820],1.0.2301
 
Data Stream: 0
(No malicious items detected)
 
Folder: 1
Trojan.Agent.Generic, C:\USERS\AHMED\APPDATA\LOCAL\UNITYP, Quarantined, [481], [401843],1.0.2301
 
File: 2
Adware.Agent, C:\USERS\AHMED\APPDATA\LOCAL\UNITYP\UNITYP.EXE, Quarantined, [258], [390384],1.0.2301
Trojan.Agent.Generic, C:\Users\ahmed\AppData\Local\unityp\rules.xml, Quarantined, [481], [401843],1.0.2301
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)


#6 Ahmedbeeh

Ahmedbeeh
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Location:Egypt

Posted 06 July 2017 - 10:24 AM

Since yesterday I noticed that the laptop sometimes becomes unusable, really really slow to respond to anything; the mouse is slow. After a while I realised that the disk is at 100% usage nearly all the time, with only 0.1MB/s usage, like in the photo. Does this have anything to do with the malware and junk that was on my computer?

[screenshot attached]



#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,590 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 06 July 2017 - 11:30 AM

Let's check for a rootkit.

  • Please download Malwarebytes Anti-Rootkit and save the file to your Desktop.
  • Right-Click MBAR.exe and select Run as administrator to run the installer.
  • Select your Desktop as the location to extract the contents and click OK. The programme should open upon completion.
  • Click Next, followed by Update. Upon update completion, click Next.
  • Ensure Drivers, Sectors & System are checked and click Scan.
  • Note: Do not use your computer during the scan.
  • Upon completion:
    • If no infection is found, close the MBAR window.
    • If an infection is found, ensure Create Restore Point is checked and click Cleanup. Reboot when prompted.

  • Two logs (mbar-log.txt and system-log.txt) will be created. Copy the contents of both logs and paste in your next reply. Both logs can be found in the MBAR folder.



#8 Ahmedbeeh

Ahmedbeeh
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Location:Egypt

Posted 07 July 2017 - 06:04 AM

I won't be able to do that; the laptop isn't booting up properly after I forced a shutdown with the power button because it was taking 30 minutes to shut down.
It boots to Automatic Repair, attempting repairs which never end (12 hours plus now), so I'll probably end up installing a fresh Windows.
I assume the new OS will be adware-free and rootkit-free (if there were any), right?
How do I make sure that there are no infected files on other partitions?

#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,590 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 07 July 2017 - 10:58 AM

Perhaps the issue is not software related but hardware. Are you able to boot to the Recovery environment Command prompt?
 
Entry points into the Windows Recovery Environment (WinRE).

You can access WinRE features through the Boot Options menu, which can be launched from Windows in a few different ways:

  • Option 1: From the login screen, click Shutdown, then hold down the Shift key while selecting Restart.
  • Option 2: In Windows 10, select Start > Settings > Update & security > Recovery > under Advanced Startup, click Restart now.
  • Option 3: Boot to recovery media.
  • Option 4: Use a hardware recovery button (or button combination) configured by the OEM (Computer Manufacturer).

After any of these actions is performed, all user sessions are signed off and the Boot Options menu is displayed. The PC will restart into the WinRE and the selected feature is launched.

On the boot options, select Troubleshooting > Advanced Options > Command prompt.
 
Let me know if you are able to boot to the command prompt.




#10 Ahmedbeeh

Ahmedbeeh
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Location:Egypt

Posted 07 July 2017 - 11:02 AM

Yes, I can open the command prompt through Troubleshooting > Advanced Options > Command prompt.



#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,590 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 07 July 2017 - 11:16 AM

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Plug the flash drive into the infected PC.

Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

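Once FRST.txt comes back, a responder's first pass over the Services, Drivers and One Month Created sections can be scripted. The following is an added example for this thread (not FRST's code and not from any poster): it parses lines in the format FRST writes and flags the signals a responder checks first; the sample log inside it is constructed, shaped like the lines FRST produces, and the flagged names are leads to verify, not verdicts.

```python
"""Triage a Farbar Recovery Scan Tool (FRST) log the way a malware responder reads it.

Added example for this thread, not FRST's code or any poster's. It parses the 'Services
(Whitelisted)' / 'Drivers (Whitelisted)' lines and the 'One Month Created files and
folders' list and flags first-look signals (empty company field, zero-byte or missing
file, generic 'DDK provider' publisher, binary created inside the month). Hits are leads.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
# Constructed sample in FRST's own line format (shaped like the log in this thread).
SAMPLE_LOG = r"""
==================== Services (Whitelisted) ====================
S2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [3705536 2017-06-04] (Microsoft Corporation)
S2 icacl; C:\WINDOWS\system32\icacl.exe [920784 2017-07-03] ()
S4 TransformService; "C:\Program Files\ASUS\ASUS FlipLock\TransformService.exe" [X]
===================== Drivers (Whitelisted) ======================
S0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [0 2017-07-06] () <==== ATTENTION (zero byte File/Folder)
S3 uvhid; C:\Windows\System32\drivers\uvhid.sys [28128 2017-05-20] (Windows ® Win 7 DDK provider)
==================== One Month Created files and folders ========
2017-07-06 01:27 - 2017-07-06 01:14 - 00000000 _____ C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2017-07-03 13:29 - 2017-07-03 13:29 - 00920784 _____ C:\Windows\System32\icacl.exe
2017-07-03 13:16 - 2017-07-03 13:16 - 00055080 _____ (Windows ® Win 7 DDK provider) C:\Windows\System32\Drivers\unityp.sys
"""
# 'S2 name; path [size yyyy-mm-dd] (Company) note'  or  'S4 name; "quoted path" [X]'
SERVICE_RE = re.compile(
    r'^(?P<start>[SRU]\d)\s+(?P<name>[^;]+);\s+(?P<path>"[^"]*"|\S.*?)\s+'
    r'\[(?P<meta>[^\]]*)\](?:\s+\((?P<company>[^)]*)\))?(?P<note>.*)$')
# 'created - modified - size attrs (Company) path'; only the created date and path are used
CREATED_RE = re.compile(
    r'^(?P<created>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - '
    r'\d+ \S+ (?:\([^)]*\) )?(?P<path>.+)$')
SECTION_RE = re.compile(r'^=+\s*(.*?)\s*=+$')
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

@dataclass
class Entry:
    kind: str               # "service" or "driver"
    start: str              # FRST start-type code as printed, e.g. S2 (auto), S3 (demand)
    name: str
    path: str
    size: Optional[int]     # None when FRST printed [X]: the file is not on disk
    company: Optional[str]  # "" when FRST printed (): no company name in the version info
    note: str               # anything FRST appended, e.g. "<==== ATTENTION ..."

def parse_frst(text: str) -> Tuple[List[Entry], Dict[str, date]]:
    """Return service/driver entries and a map of lowercased path -> creation date."""
    entries: List[Entry] = []
    created: Dict[str, date] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()  # logs pasted into forums often carry non-breaking spaces
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        if section.startswith(("Services", "Drivers")):
            m = SERVICE_RE.match(line)
            if not m:
                continue  # FRST's own "(If an entry is included ...)" explanation
            meta = m.group("meta").split()
            size = None if meta == ["X"] else int(meta[0])
            entries.append(Entry("driver" if section.startswith("Drivers") else "service",
                                 m.group("start"), m.group("name").strip(),
                                 m.group("path").strip('"'), size,
                                 m.group("company"), m.group("note").strip()))
        elif section.startswith("One Month Created"):
            m = CREATED_RE.match(line)
            if m:  # NTFS paths are case-insensitive and FRST mixes WINDOWS/Windows
                created[m.group("path").lower()] = date.fromisoformat(m.group("created"))
    return entries, created

def triage(entries: List[Entry], created: Dict[str, date]) -> Dict[str, List[str]]:
    """Map each flagged service/driver name to the reasons it deserves a closer look."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        if e.size is None:
            reasons.append("binary missing ([X]): orphaned entry")
        elif e.size == 0:
            reasons.append("zero-byte file")
        if e.company == "":
            reasons.append("no company name in version info")
        elif e.company and "DDK provider" in e.company:
            reasons.append("generic DDK sample publisher string (weak signal)")
        when = created.get(e.path.lower())
        if when is not None:
            where = " under a system directory" if e.path.lower().startswith(SYSTEM_DIRS) else ""
            reasons.append(f"created {when.isoformat()}{where}, inside the one-month window")
        if reasons:
            findings[e.name] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in triage(*parse_frst(SAMPLE_LOG)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run it against a real FRST.txt by reading the file into `parse_frst` instead of `SAMPLE_LOG`; the Microsoft-signed service in the sample produces no finding, which is the expected negative case.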


#12 Ahmedbeeh

Ahmedbeeh
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Location:Egypt

Posted 07 July 2017 - 01:03 PM

Here are the logs.
I've already installed Windows (on another partition that I had Ubuntu on before) just to continue studying.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 05-07-2017

Ran by SYSTEM on MININT-U0963GR (07-07-2017 19:00:29)
Running from d:\
Platform: Windows 10 Pro Version 1703 (X64) Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [629152 2017-03-18] (Microsoft Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-03] (Adobe Systems Incorporated)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [3146704 2017-05-09] (Malwarebytes)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-03-14] (Oracle Corporation)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
Startup: C:\Users\ahmed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk [2017-07-03]
ShortcutTarget: Rainmeter.lnk -> C:\Program Files\Rainmeter\Rainmeter.exe (Rainmeter)
Startup: C:\Users\ahmed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2017-05-29]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE (Microsoft Corporation)
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [3705536 2017-06-04] (Microsoft Corporation)
S2 icacl; C:\WINDOWS\system32\icacl.exe [920784 2017-07-03] ()
S2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [373728 2016-11-30] (Intel Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4470736 2017-05-09] (Malwarebytes)
S2 MouseWithoutBordersSvc; C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersSvc.exe [28552 2016-10-03] (Microsoft)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [3913064 2017-03-18] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [342264 2017-03-18] (Microsoft Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [102816 2017-03-18] (Microsoft Corporation)
S4 TransformService; "C:\Program Files\ASUS\ASUS FlipLock\TransformService.exe" [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AsusTP; C:\Windows\System32\drivers\AsusTP.sys [119320 2016-11-14] (ASUS Corporation)
S3 Btcsrusb; C:\Windows\System32\Drivers\btcusb.sys [50952 2016-07-14] (IVT Corporation.)
S1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [77376 2017-07-06] ()
S3 HIDSwitch; C:\Windows\System32\drivers\AsRadioControl.sys [31120 2016-12-19] (ASUS)
S3 INVN_MotionApps; C:\Windows\System32\drivers\WUDFRd.sys [220672 2017-03-18] (Microsoft Corporation)
S3 m76usb; C:\Windows\System32\drivers\m76usb.sys [563360 2015-06-02] (Ralink Technology Corp.)
S2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [188312 2017-07-06] (Malwarebytes)
S3 MBAMFarflt; C:\WINDOWS\system32\drivers\farflt.sys [113592 2017-07-06] (Malwarebytes)
S3 MBAMProtection; C:\WINDOWS\system32\drivers\mbam.sys [44960 2017-07-06] (Malwarebytes)
S0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [0 2017-07-06] () <==== ATTENTION (zero byte File/Folder)
S3 MBAMWebProtection; C:\WINDOWS\system32\drivers\mwac.sys [93600 2017-07-06] (Malwarebytes)
S1 MpKsle7b6ff6c; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{BA263F05-AED9-4405-AD96-170D2616CDBA}\MpKsle7b6ff6c.sys [44928 2017-07-06] (Microsoft Corporation)
S3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [604160 2017-03-18] (Realtek                                            )
S3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [759552 2015-07-07] (Realsil Semiconductor Corporation)
S3 SDFRd; C:\Windows\System32\drivers\SDFRd.sys [31128 2017-03-18] ()
S3 uvhid; C:\Windows\System32\drivers\uvhid.sys [28128 2017-05-20] (Windows ® Win 7 DDK provider)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44632 2017-03-18] (Microsoft Corporation)
S0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [294816 2017-03-18] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [121248 2017-03-18] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-07-06 22:29 - 2017-07-06 22:29 - 00000000 __SHD C:\found.003
2017-07-06 21:44 - 2017-07-07 18:54 - 00000000 _____ C:\Recovery.txt
2017-07-06 01:44 - 2017-07-06 01:44 - 00001732 _____ C:\Users\ahmed\Desktop\mbttd.txt
2017-07-06 01:39 - 2017-07-06 01:39 - 00001765 _____ C:\Users\ahmed\Desktop\mbtt.txt
2017-07-06 01:28 - 2017-07-06 01:28 - 00188312 _____ (Malwarebytes) C:\Windows\System32\Drivers\MBAMChameleon.sys
2017-07-06 01:28 - 2017-07-06 01:28 - 00093600 _____ (Malwarebytes) C:\Windows\System32\Drivers\mwac.sys
2017-07-06 01:28 - 2017-07-06 01:14 - 00113592 _____ (Malwarebytes) C:\Windows\System32\Drivers\farflt.sys
2017-07-06 01:28 - 2017-07-06 01:14 - 00044960 _____ (Malwarebytes) C:\Windows\System32\Drivers\mbam.sys
2017-07-06 01:27 - 2017-07-06 01:31 - 00077376 _____ C:\Windows\System32\Drivers\mbae64.sys
2017-07-06 01:27 - 2017-07-06 01:27 - 00001914 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-07-06 01:27 - 2017-07-06 01:27 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-07-06 01:27 - 2017-07-06 01:27 - 00000000 ____D C:\Program Files\Malwarebytes
2017-07-06 01:27 - 2017-07-06 01:14 - 00000000 _____ C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2017-07-06 01:01 - 2017-07-06 01:26 - 00000000 ____D C:\Users\ahmed\Desktop\ew
2017-07-04 07:37 - 2017-07-04 07:40 - 00000000 ____D C:\AdwCleaner
2017-07-04 05:33 - 2017-07-04 07:37 - 04110280 _____ C:\Users\ahmed\Desktop\adwcleaner_6.047.exe
2017-07-04 05:26 - 2017-07-04 05:26 - 00000760 _____ C:\Users\ahmed\Desktop\JRT.txt
2017-07-04 05:16 - 2017-07-04 05:19 - 00015703 _____ C:\Users\ahmed\Desktop\Fixlog.txt
2017-07-04 05:15 - 2017-07-03 21:44 - 02436096 _____ (Farbar) C:\Users\ahmed\Desktop\FRST64.exe
2017-07-03 21:44 - 2017-07-04 05:19 - 00000000 ____D C:\FRST
2017-07-03 13:29 - 2017-07-03 13:29 - 00920784 _____ C:\Windows\System32\icacl.exe
2017-07-03 13:27 - 2017-07-03 13:27 - 00000000 ____D C:\Users\Public\Documents\Tools
2017-07-03 13:16 - 2017-07-03 13:16 - 00055080 _____ (Windows ® Win 7 DDK provider) C:\Windows\System32\Drivers\unityp.sys
2017-07-03 09:05 - 2017-07-03 09:05 - 00000000 ____D C:\Users\ahmed\Documents\Rainmeter
2017-07-03 09:05 - 2017-07-03 09:05 - 00000000 ____D C:\Users\ahmed\AppData\Roaming\Rainmeter
2017-07-03 09:05 - 2017-07-03 09:05 - 00000000 ____D C:\Program Files\Rainmeter
2017-07-01 11:01 - 2017-07-01 11:11 - 00000000 ____D C:\NST
2017-07-01 10:59 - 2017-07-04 15:47 - 00004154 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{F106290A-1C08-4380-A190-9ACC67D1298A}
2017-07-01 10:59 - 2017-07-01 10:59 - 00032768 _____ C:\Users\ahmed\Documents\EasyBCD Backup (2017-07-01).bcd
2017-07-01 10:58 - 2017-07-01 10:58 - 00001292 _____ C:\Users\Public\Desktop\EasyBCD 2.3.lnk
2017-07-01 10:58 - 2017-07-01 10:58 - 00000000 ____D C:\Users\ahmed\AppData\Local\NeoSmart_Technologies
2017-07-01 10:58 - 2017-07-01 10:58 - 00000000 ____D C:\Program Files (x86)\NeoSmart Technologies
2017-06-29 09:13 - 2017-06-29 09:13 - 00001909 _____ C:\Users\ahmed\Desktop\fifa15.exe - Shortcut.lnk
2017-06-28 15:42 - 2017-06-28 15:42 - 00000000 ____D C:\Users\ahmed\AppData\LocalLow\Smac
2017-06-28 15:42 - 2017-06-28 15:42 - 00000000 ____D C:\ProgramData\Steam
2017-06-28 15:28 - 2017-06-28 15:28 - 00000000 ____D C:\ProgramData\X360CE
2017-06-28 15:13 - 2017-06-28 15:13 - 00000000 ____D C:\Windows\SysWOW64\directx
2017-06-28 15:10 - 2017-06-28 15:10 - 00000473 _____ C:\Users\Public\Desktop\Tokyo 42.lnk
2017-06-27 04:38 - 2017-06-28 15:36 - 00000000 ____D C:\ProgramData\Package Cache
2017-06-27 04:37 - 2017-06-29 00:42 - 00000000 ____D C:\ProgramData\Unified Remote
2017-06-27 04:37 - 2017-06-27 04:37 - 00001173 _____ C:\Users\Public\Desktop\Unified Remote.lnk
2017-06-27 04:37 - 2017-06-27 04:37 - 00000000 ____D C:\Users\ahmed\Documents\Unified Remote
2017-06-27 04:37 - 2017-06-27 04:37 - 00000000 ____D C:\Users\ahmed\AppData\Roaming\Unified Remote
2017-06-27 04:37 - 2017-06-27 04:37 - 00000000 ____D C:\Program Files (x86)\Unified Remote 3
2017-06-27 04:37 - 2017-05-20 14:34 - 00028128 _____ (Windows ® Win 7 DDK provider) C:\Windows\System32\Drivers\uvhid.sys
2017-06-27 04:37 - 2017-05-20 14:34 - 00007680 _____ (Windows ® Win 7 DDK provider) C:\Windows\System32\Drivers\hidkmdf.sys
2017-06-27 04:36 - 2017-06-27 04:36 - 37193512 _____ (Unified Intents AB ) C:\Users\ahmed\Desktop\ServerSetup-3-6-0-950.exe
2017-06-22 23:14 - 2017-06-22 23:14 - 00000000 ____D C:\Users\ahmed\AppData\Local\Steam
2017-06-22 23:14 - 2017-06-22 23:14 - 00000000 ____D C:\Users\ahmed\AppData\Local\CEF
2017-06-22 23:09 - 2017-07-05 10:56 - 00000000 ____D C:\Program Files (x86)\Steam
2017-06-22 23:09 - 2017-06-22 23:09 - 00001038 _____ C:\Users\Public\Desktop\Steam.lnk
2017-06-21 23:59 - 2017-06-21 23:59 - 00000000 ____D C:\Users\ahmed\AppData\Roaming\Skype
2017-06-18 17:32 - 2017-06-18 17:32 - 00000000 ____D C:\Program Files (x86)\Ralink
2017-06-18 17:32 - 2012-09-25 05:03 - 00014119 ____R C:\Windows\SysWOW64\RaCoInst.dat
2017-06-18 17:32 - 2012-05-10 12:01 - 01503744 _____ (The OpenSSL Project, hxxp://www.openssl.org/) C:\Windows\System32\libeay32.dll
2017-06-18 17:32 - 2012-05-10 12:01 - 00308736 _____ (The OpenSSL Project, hxxp://www.openssl.org/) C:\Windows\System32\ssleay32.dll
2017-06-18 17:15 - 2017-06-18 17:15 - 00000000 ____D C:\Users\ahmed\AppData\LocalLow\Adobe
2017-06-17 08:34 - 2017-06-17 08:48 - 00001540 _____ C:\Users\ahmed\Desktop\time stamp.ccf
2017-06-17 08:29 - 2017-06-17 08:29 - 00000000 ____D C:\Users\ahmed\AppData\Roaming\FastStone
2017-06-17 08:28 - 2017-06-17 08:28 - 00001180 _____ C:\Users\Public\Desktop\FastStone Image Viewer.lnk
2017-06-17 08:28 - 2017-06-17 08:28 - 00000000 ____D C:\Program Files (x86)\FastStone Image Viewer
2017-06-16 23:29 - 2017-06-16 23:29 - 00000000 ____H C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_11_00.Wdf
2017-06-16 23:21 - 2017-06-16 23:21 - 00000000 ____D C:\ProgramData\regid.1986-12.com.adobe
2017-06-16 23:20 - 2017-06-16 23:20 - 00000000 ____D C:\Program Files\Adobe
2017-06-16 23:18 - 2017-06-16 23:20 - 00000000 ____D C:\Program Files (x86)\Adobe
2017-06-16 23:15 - 2017-06-16 23:21 - 00000000 ____D C:\Program Files\Common Files\Adobe
2017-06-16 23:08 - 2017-06-16 23:21 - 00000000 ____D C:\ProgramData\Adobe
2017-06-16 23:08 - 2017-06-16 23:08 - 00000000 ____D C:\Users\ahmed\AppData\Roaming\Macromedia
2017-06-16 23:07 - 2017-06-17 00:36 - 00000000 ____D C:\Users\ahmed\AppData\Local\Adobe
2017-06-16 21:42 - 2017-06-16 22:59 - 00000000 ____D C:\Users\ahmed\Downloads\Adobe Photoshop CC 2017 v18.1.1.252 Cracked Portable [CracksNow]
2017-06-16 04:14 - 2017-06-16 04:14 - 00000000 ____D C:\Users\ahmed\AppData\Local\ElevatedDiagnostics
2017-06-16 03:22 - 2017-06-16 03:22 - 00000000 ____D C:\Program Files (x86)\Ralink Corporation
2017-06-16 03:22 - 2014-11-07 23:47 - 00382292 _____ C:\Windows\System32\Drivers\FW7650.bin
2017-06-15 01:45 - 2017-06-15 01:45 - 00000000 ____D C:\ProgramData\Electronic Arts
2017-06-15 01:39 - 2010-05-26 01:41 - 02106216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_43.dll
2017-06-15 01:39 - 2010-05-26 01:41 - 01998168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_43.dll
2017-06-15 01:39 - 2007-04-04 08:53 - 00081768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xinput1_3.dll
2017-06-15 01:38 - 2017-06-15 07:24 - 00000000 ____D C:\Users\ahmed\Documents\FIFA 14
2017-06-15 01:38 - 2017-06-15 01:38 - 00000881 _____ C:\Users\Public\Desktop\FIFA 14.lnk
2017-06-14 23:14 - 2017-06-15 07:43 - 00000000 ____D C:\Users\ahmed\Documents\FIFA 15
2017-06-14 23:12 - 2017-06-28 15:29 - 00126616 _____ (hxxp://x360ce.googlecode.com) C:\Windows\System32\xinput1_3.dll
2017-06-14 23:12 - 2014-07-16 01:15 - 00138208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vcomp110.dll
2017-06-14 23:12 - 2014-07-16 01:15 - 00138208 _____ (Microsoft Corporation) C:\Windows\System32\vcomp110.dll
2017-06-14 23:12 - 2014-01-09 01:06 - 00661448 _____ (Microsoft Corporation) C:\Windows\System32\msvcp110.dll
2017-06-14 23:12 - 2013-05-07 23:06 - 00051024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vcomp100.dll
2017-06-14 23:12 - 2013-05-07 23:06 - 00051024 _____ (Microsoft Corporation) C:\Windows\System32\vcomp100.dll
2017-06-14 23:12 - 2012-08-30 03:15 - 00421200 _____ (Microsoft Corporation) C:\Windows\System32\msvcp100.dll
2017-06-14 23:12 - 2012-08-17 00:38 - 00773968 _____ (Microsoft Corporation) C:\Windows\System32\msvcr100.dll
2017-06-14 23:12 - 2012-08-04 06:17 - 00349696 _____ C:\Windows\SysWOW64\Mss32.dll
2017-06-14 23:12 - 2012-08-04 06:17 - 00349696 _____ C:\Windows\System32\Mss32.dll
2017-06-14 23:12 - 2011-06-16 08:21 - 01723392 _____ C:\Windows\SysWOW64\meqon.dll
2017-06-14 23:12 - 2011-06-16 08:21 - 01723392 _____ C:\Windows\System32\meqon.dll
2017-06-14 23:12 - 2011-06-15 08:45 - 00009216 _____ C:\Windows\SysWOW64\3DRDebugLib.dll
2017-06-14 23:12 - 2011-06-15 08:45 - 00009216 _____ C:\Windows\System32\3DRDebugLib.dll
2017-06-14 23:12 - 2011-06-14 09:25 - 00664120 _____ C:\Windows\SysWOW64\dnCommon.dll
2017-06-14 23:12 - 2011-06-14 09:25 - 00664120 _____ C:\Windows\System32\dnCommon.dll
2017-06-14 23:12 - 2011-06-14 09:25 - 00348216 _____ C:\Windows\SysWOW64\dnAnimation.dll
2017-06-14 23:12 - 2011-06-14 09:25 - 00348216 _____ C:\Windows\System32\dnAnimation.dll
2017-06-14 23:12 - 2011-03-29 17:40 - 00177152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxupdate.dll
2017-06-14 23:12 - 2011-03-29 17:40 - 00177152 _____ (Microsoft Corporation) C:\Windows\System32\dxupdate.dll
2017-06-14 23:12 - 2010-07-10 08:08 - 01081616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCTL.OCX
2017-06-14 23:12 - 2010-07-10 08:08 - 01081616 _____ (Microsoft Corporation) C:\Windows\System32\MSCOMCTL.OCX
2017-06-14 23:12 - 2010-06-01 16:55 - 00518488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_7.dll
2017-06-14 23:12 - 2010-06-01 16:55 - 00518488 _____ (Microsoft Corporation) C:\Windows\System32\XAudio2_7.dll
2017-06-14 23:12 - 2010-06-01 16:55 - 00176984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_7.dll
2017-06-14 23:12 - 2010-06-01 16:55 - 00176984 _____ (Microsoft Corporation) C:\Windows\System32\xactengine3_7.dll
2017-06-14 23:12 - 2010-06-01 16:55 - 00077656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_5.dll
2017-06-14 23:12 - 2010-06-01 16:55 - 00077656 _____ (Microsoft Corporation) C:\Windows\System32\XAPOFX1_5.dll
2017-06-14 23:12 - 2010-05-25 23:41 - 02526056 _____ (Microsoft Corporation) C:\Windows\System32\D3DCompiler_43.dll
2017-06-14 23:12 - 2010-05-25 23:41 - 02401112 _____ (Microsoft Corporation) C:\Windows\System32\D3DX9_43.dll
2017-06-14 23:12 - 2010-05-25 23:41 - 01907552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dcsx_43.dll
2017-06-14 23:12 - 2010-05-25 23:41 - 01907552 _____ (Microsoft Corporation) C:\Windows\System32\d3dcsx_43.dll
2017-06-14 23:12 - 2010-05-25 23:41 - 00511328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_43.dll
2017-06-14 23:12 - 2010-05-25 23:41 - 00511328 _____ (Microsoft Corporation) C:\Windows\System32\d3dx10_43.dll
2017-06-14 23:12 - 2010-05-25 23:41 - 00276832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx11_43.dll
2017-06-14 23:12 - 2010-05-25 23:41 - 00276832 _____ (Microsoft Corporation) C:\Windows\System32\d3dx11_43.dll
2017-06-14 23:12 - 2010-03-22 03:21 - 00730424 _____ (Ubisoft) C:\Windows\SysWOW64\ubiorbitapi_r2.dll
2017-06-14 23:12 - 2010-03-22 03:21 - 00730424 _____ (Ubisoft) C:\Windows\System32\ubiorbitapi_r2.dll
2017-06-14 23:12 - 2010-02-15 11:03 - 00286208 _____ C:\Windows\SysWOW64\binkw32.dll
2017-06-14 23:12 - 2010-02-15 11:03 - 00286208 _____ C:\Windows\System32\binkw32.dll
2017-06-14 23:12 - 2010-02-03 23:01 - 00530776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_6.dll
2017-06-14 23:12 - 2010-02-03 23:01 - 00530776 _____ (Microsoft Corporation) C:\Windows\System32\XAudio2_6.dll
2017-06-14 23:12 - 2010-02-03 23:01 - 00176984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_6.dll
2017-06-14 23:12 - 2010-02-03 23:01 - 00176984 _____ (Microsoft Corporation) C:\Windows\System32\xactengine3_6.dll
2017-06-14 23:12 - 2010-02-03 23:01 - 00078680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_4.dll
2017-06-14 23:12 - 2010-02-03 23:01 - 00078680 _____ (Microsoft Corporation) C:\Windows\System32\XAPOFX1_4.dll
2017-06-14 23:12 - 2010-02-03 23:01 - 00024920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_7.dll
2017-06-14 23:12 - 2010-02-03 23:01 - 00024920 _____ (Microsoft Corporation) C:\Windows\System32\X3DAudio1_7.dll
2017-06-14 23:12 - 2009-09-04 06:44 - 00517960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_5.dll
2017-06-14 23:12 - 2009-09-04 06:44 - 00517960 _____ (Microsoft Corporation) C:\Windows\System32\XAudio2_5.dll
2017-06-14 23:12 - 2009-09-04 06:44 - 00176968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_5.dll
2017-06-14 23:12 - 2009-09-04 06:44 - 00176968 _____ (Microsoft Corporation) C:\Windows\System32\xactengine3_5.dll
2017-06-14 23:12 - 2009-09-04 06:44 - 00073544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_3.dll
2017-06-14 23:12 - 2009-09-04 06:44 - 00073544 _____ (Microsoft Corporation) C:\Windows\System32\XAPOFX1_3.dll
2017-06-14 23:12 - 2009-09-04 06:29 - 05554512 _____ (Microsoft Corporation) C:\Windows\System32\d3dcsx_42.dll
2017-06-14 23:12 - 2009-09-04 06:29 - 02582888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_42.dll
2017-06-14 23:12 - 2009-09-04 06:29 - 02582888 _____ (Microsoft Corporation) C:\Windows\System32\D3DCompiler_42.dll
2017-06-14 23:12 - 2009-09-04 06:29 - 02475352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_42.dll
2017-06-14 23:12 - 2009-09-04 06:29 - 02475352 _____ (Microsoft Corporation) C:\Windows\System32\d3dx9_42.dll
2017-06-14 23:12 - 2009-09-04 06:29 - 00523088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_42.dll
2017-06-14 23:12 - 2009-09-04 06:29 - 00523088 _____ (Microsoft Corporation) C:\Windows\System32\d3dx10_42.dll
2017-06-14 23:12 - 2009-09-04 06:29 - 00285024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx11_42.dll
2017-06-14 23:12 - 2009-09-04 06:29 - 00285024 _____ (Microsoft Corporation) C:\Windows\System32\d3dx11_42.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 03032312 _____ (Valve Corporation) C:\Windows\SysWOW64\Steam_orig.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 03032312 _____ (Valve Corporation) C:\Windows\System32\Steam_orig.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 02968048 _____ (Valve Corporation) C:\Windows\SysWOW64\steamclient_orig.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 02968048 _____ (Valve Corporation) C:\Windows\System32\steamclient_orig.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 01672504 _____ C:\Windows\SysWOW64\swds.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 01672504 _____ C:\Windows\System32\swds.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00365816 _____ (Valve Corporation) C:\Windows\SysWOW64\vstdlib_s.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00365816 _____ (Valve Corporation) C:\Windows\SysWOW64\Copy of vstdlib_s.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00365816 _____ (Valve Corporation) C:\Windows\System32\vstdlib_s.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00365816 _____ (Valve Corporation) C:\Windows\System32\Copy of vstdlib_s.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00352256 _____ C:\Windows\SysWOW64\vgui.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00352256 _____ C:\Windows\System32\vgui.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00259320 _____ (Valve Corporation) C:\Windows\SysWOW64\tier0_s.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00259320 _____ (Valve Corporation) C:\Windows\System32\tier0_s.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00254012 _____ C:\Windows\SysWOW64\proxy.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00254012 _____ C:\Windows\System32\proxy.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00245819 _____ C:\Windows\SysWOW64\vgui2.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00245819 _____ C:\Windows\System32\vgui2.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00139264 _____ C:\Windows\SysWOW64\voice_speex.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00139264 _____ C:\Windows\SysWOW64\Copy of voice_speex.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00139264 _____ C:\Windows\System32\voice_speex.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00139264 _____ C:\Windows\System32\Copy of voice_speex.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00122974 _____ C:\Windows\SysWOW64\FileSystem_Steam.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00122974 _____ C:\Windows\System32\FileSystem_Steam.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00118872 _____ C:\Windows\SysWOW64\FileSystem_Stdio.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00118872 _____ C:\Windows\System32\FileSystem_Stdio.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00070144 _____ (Valve Corporation) C:\Windows\SysWOW64\steam_api_c.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00070144 _____ (Valve Corporation) C:\Windows\System32\steam_api_c.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00067072 _____ (Valve Corporation) C:\Windows\SysWOW64\steam_api.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00067072 _____ (Valve Corporation) C:\Windows\System32\steam_api.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00053248 _____ C:\Windows\SysWOW64\voice_miles.dll
2017-06-14 23:12 - 2009-05-24 14:08 - 00053248 _____ C:\Windows\System32\voice_miles.dll
2017-06-14 23:12 - 2009-05-24 13:57 - 01840440 _____ C:\Windows\SysWOW64\hw.dll
2017-06-14 23:12 - 2009-05-24 13:57 - 01840440 _____ C:\Windows\System32\hw.dll
2017-06-14 23:12 - 2009-05-24 13:57 - 01672504 _____ C:\Windows\SysWOW64\sw.dll
2017-06-14 23:12 - 2009-05-24 13:57 - 01672504 _____ C:\Windows\System32\sw.dll
2017-06-14 23:12 - 2009-05-24 13:57 - 00344064 _____ C:\Windows\SysWOW64\tier0.dll
2017-06-14 23:12 - 2009-05-24 13:57 - 00344064 _____ C:\Windows\System32\tier0.dll
2017-06-14 23:12 - 2009-05-24 13:57 - 00340480 _____ (Valve Corporation) C:\Windows\SysWOW64\vstdlib.dll
2017-06-14 23:12 - 2009-05-24 13:57 - 00340480 _____ (Valve Corporation) C:\Windows\SysWOW64\Copy of vstdlib.dll
2017-06-14 23:12 - 2009-05-24 13:57 - 00340480 _____ (Valve Corporation) C:\Windows\System32\vstdlib.dll
2017-06-14 23:12 - 2009-05-24 13:57 - 00340480 _____ (Valve Corporation) C:\Windows\System32\Copy of vstdlib.dll
2017-06-14 23:12 - 2009-05-24 13:57 - 00211456 _____ (Aureal Semiconductor) C:\Windows\SysWOW64\a3dapi.dll
2017-06-14 23:12 - 2009-05-24 13:57 - 00211456 _____ (Aureal Semiconductor) C:\Windows\System32\a3dapi.dll
2017-06-14 23:12 - 2009-05-17 09:38 - 00329728 _____ (Valve Corporation) C:\Windows\SysWOW64\Steam.dll
2017-06-14 23:12 - 2009-05-17 09:38 - 00329728 _____ (Valve Corporation) C:\Windows\System32\Steam.dll
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-07-06 07:38 - 2017-05-18 11:54 - 00000000 ____D C:\Users\ahmed\AppData\Roaming\NetSpeedMonitor
2017-07-06 07:20 - 2017-05-18 13:28 - 00001064 _____ C:\Users\ahmed\Desktop\PotPlayer 64 bit.lnk
2017-07-06 07:20 - 2017-05-18 13:26 - 00001166 _____ C:\Users\ahmed\Desktop\CodeBlocks.lnk
2017-07-06 03:40 - 2017-05-18 10:33 - 00000000 ____D C:\Windows\System32\SleepStudy
2017-07-06 01:40 - 2017-05-18 20:12 - 01048576 _____ C:\Windows\System32\config\BBI
2017-07-06 01:26 - 2017-05-19 08:59 - 00000000 ____D C:\Users\ahmed\AppData\Roaming\CodeBlocks
2017-07-06 01:18 - 2017-05-18 10:48 - 01250398 _____ C:\Windows\System32\PerfStringBackup.INI
2017-07-06 01:15 - 2017-05-18 12:10 - 00000000 ____D C:\ProgramData\ASUS Smart Gesture
2017-07-06 01:15 - 2017-05-18 10:41 - 00000000 ____D C:\users\ahmed
2017-07-06 01:15 - 2017-05-18 10:37 - 00000180 _____ C:\Windows\System32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-07-06 01:15 - 2017-05-15 11:25 - 00000000 __SHD C:\Users\ahmed\IntelGraphicsProfiles
2017-07-06 01:14 - 2017-05-18 10:46 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-07-06 01:04 - 2017-05-18 20:22 - 00000000 ___HD C:\Program Files\WindowsApps
2017-07-06 01:04 - 2017-05-18 20:22 - 00000000 ____D C:\Windows\AppReadiness
2017-07-06 01:01 - 2017-05-19 09:01 - 00000000 ____D C:\Users\ahmed\Desktop\4
2017-07-05 02:24 - 2017-05-18 10:49 - 00000000 ____D C:\Users\ahmed\AppData\Local\Packages
2017-07-04 15:35 - 2017-05-15 13:28 - 00000000 ____D C:\Users\ahmed\Downloads\Compressed
2017-07-04 13:58 - 2017-05-18 20:21 - 00000000 ____D C:\Windows\INF
2017-07-04 05:14 - 2017-05-18 20:22 - 00000000 ___HD C:\Windows\System32\GroupPolicy
2017-07-04 05:14 - 2017-05-18 20:22 - 00000000 ____D C:\Windows\SysWOW64\GroupPolicy
2017-07-03 12:40 - 2017-05-19 04:37 - 00000000 ____D C:\Users\ahmed\AppData\Roaming\qBittorrent
2017-07-02 14:30 - 2017-05-18 20:22 - 00000000 ____D C:\Windows\System32\NDF
2017-07-01 11:09 - 2017-05-18 20:22 - 00000000 ____D C:\Windows\LiveKernelReports
2017-06-28 15:33 - 2017-05-18 11:58 - 00002262 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-06-28 15:29 - 2017-05-23 01:02 - 00000000 ____D C:\Windows\Minidump
2017-06-27 13:42 - 2017-05-15 13:28 - 00000000 ____D C:\Users\ahmed\Downloads\Video
2017-06-22 00:00 - 2017-05-18 10:53 - 00003276 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task v2
2017-06-22 00:00 - 2017-05-15 11:17 - 00000000 ___RD C:\Users\ahmed\OneDrive
2017-06-21 04:56 - 2017-05-18 20:22 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-06-20 14:58 - 2017-05-18 13:02 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2017-06-18 17:32 - 2017-05-18 11:10 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2017-06-18 01:51 - 2017-05-18 10:33 - 05019760 _____ C:\Windows\System32\FNTCACHE.DAT
2017-06-16 23:29 - 2017-05-18 10:49 - 00000000 ____D C:\Users\ahmed\AppData\Roaming\Adobe
2017-06-16 05:37 - 2017-05-18 20:22 - 00000000 ____D C:\Windows\rescache
2017-06-16 03:22 - 2017-05-18 11:13 - 00000032 _____ C:\Windows\0
2017-06-14 06:59 - 2017-05-15 11:12 - 00000000 __RHD C:\Users\Public\AccountPictures
2017-06-14 03:25 - 2017-05-18 20:22 - 00000000 ____D C:\Windows\System32\oobe
2017-06-14 03:25 - 2017-05-18 20:22 - 00000000 ____D C:\Windows\System32\appraiser
2017-06-14 03:11 - 2017-05-19 13:26 - 00000000 ____D C:\Windows\System32\MRT
2017-06-14 03:07 - 2017-05-19 13:26 - 133627792 ____C (Microsoft Corporation) C:\Windows\System32\MRT.exe
2017-06-14 03:06 - 2017-05-18 20:16 - 00000000 ____D C:\Windows\CbsTemp
2017-06-11 22:33 - 2017-05-18 12:07 - 00000000 ____D C:\Windows\System32\appmgmt
2017-06-08 15:29 - 2017-05-18 10:37 - 00319043 _____ C:\Windows\System32\Drivers\RTWAVES40.dat
2017-06-08 15:29 - 2017-05-18 10:37 - 00006786 _____ C:\Windows\System32\Drivers\rtwavesEFX.dat
2017-06-08 15:29 - 2017-05-18 10:37 - 00002626 _____ C:\Windows\System32\Drivers\rtwavesMFX.dat
2017-06-08 15:29 - 2017-05-18 10:37 - 00000000 ____D C:\Windows\SysWOW64\RTCOM
2017-06-07 05:22 - 2017-05-19 04:25 - 00000000 ____D C:\Users\ahmed\AppData\Roaming\PotPlayerMini64
 
==================== Known DLLs (Whitelisted) =========================
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe
[2017-05-15 11:27] - [2017-04-18 22:07] - 0707072 _____ (Microsoft Corporation) D0F1FB0E90BFBD14865B770E2567BE1D
 
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\explorer.exe
[2017-06-01 12:18] - [2017-05-19 22:56] - 4847928 _____ (Microsoft Corporation) E719D0A5DBC7D5ACFC179D361EF8C2FC
 
C:\Windows\SysWOW64\explorer.exe
[2017-06-01 12:19] - [2017-05-20 00:48] - 4469832 _____ (Microsoft Corporation) C17394E24B257A8F44A0AA0BC3E299C2
 
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2017-05-15 11:27] - [2017-04-27 16:03] - 1085440 _____ (Microsoft Corporation) 0E79A4C76CAAA0CFE9CA42C13E5AA086
 
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2017-03-18 12:57] - [2017-03-18 12:57] - 0397216 _____ (Microsoft Corporation) E3429DBBEA3965BB96E24B16EF4A2551
 
 
==================== Association (Whitelisted) =============
 
 
==================== Restore Points =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 11%
Total physical RAM: 7627.52 MB
Available physical RAM: 6783.81 MB
Total Virtual: 7627.52 MB
Available Virtual: 6817.75 MB
 
==================== Drives ================================
 
Drive a: (System Reserved) (Fixed) (Total:0.34 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive c: (ub) (Fixed) (Total:41.02 GB) (Free:1.29 GB) NTFS
Drive d: (UBUNTU-BUDG) (Removable) (Total:14.82 GB) (Free:14.82 GB) FAT32
Drive e: (New Volume) (Fixed) (Total:229.09 GB) (Free:61.27 GB) NTFS
Drive f: (newW) (Fixed) (Total:48.83 GB) (Free:27.85 GB) NTFS
Drive g: (New Volume) (Fixed) (Total:146.48 GB) (Free:43.57 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.49 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 741D2ACD)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=41 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=146.5 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=277.9 GB) - (Type=OF Extended)
 
========================================================
Disk: 1 (Size: 14.8 GB) (Disk ID: 0059D679)
Partition 1: (Active) - (Size=14.8 GB) - (Type=0C)
 
LastRegBack: 2017-07-04 15:21
 
==================== End of FRST.txt ============================

 



#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,590 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:26 AM

Posted 08 July 2017 - 09:24 AM

Sorry for the delay. My broadband has been failing lately.

:step1:
Download the enclosed file. Save it next to FRST64 in the Flash drive.
Insert the Flash drive in the infected computer and boot to the Recovery Environment Command prompt.
Open FRST64 as you did before and click on the Fix button.
When finished, a log, Fixlog.txt, will be produced in the Flash drive. Post its contents in your next reply.

:step2:
With FRST64 open:

Type the following in the edit box on FRST64, after "Search:".

explorer.exe;winlogon.exe;rpcss.dll;volsnap.sys

It then should look like:

Search: explorer.exe;winlogon.exe;rpcss.dll;volsnap.sys

Click the Search Files button and post the log (Search.txt) it will produce in the USB drive in your next reply.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#14 Ahmedbeeh

Ahmedbeeh
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Egypt
  • Local time:04:26 PM

Posted 09 July 2017 - 04:43 AM

After many hours the program is still showing "fixing", and all I'm getting in the log is:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 05-07-2017

Ran by SYSTEM (09-07-2017 01:38:30) Run:2
Running from D:\
Boot Mode: Recovery
==============================================
 
fixlist content:
*****************
C:\Program Files (x86)\CalendarTool
HKU\S-1-5-21-1836712891-4191174927-1607608965-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-1836712891-4191174927-1607608965-1001\...\Run: [pflzhgawdr] => explorer "hxxp://furyery.ru/?utm_source=uoua03&utm_content=5c960e458ac6158314c6529e8f71f655&utm_term=423D1D0DAADC9F0BE53FAD55D4009F80&utm_d=20170703" <==== ATTENTION
HKU\S-1-5-21-1836712891-4191174927-1607608965-1001\...\Run: [ycAutoLaunch_8CBE38B36689A36CA12FC1D1F99E7487] => "C:\Users\ahmed\AppData\Local\yc\Application\yc.exe" /prefetch:5
C:\Users\ahmed\AppData\Local\yc
HKU\S-1-5-21-1836712891-4191174927-1607608965-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://furyery.ru/?utm_source=startpage03&utm_content=34afc74846061763931ac04c5f0d226a&utm_term=423D1D0DAADC9F0BE53FAD55D4009F80&utm_d=20170703
R2 icacl; C:\WINDOWS\system32\icacl.exe [920784 2017-07-03] ()
R2 SvcHost Service Host; C:\Windows\Microsoft\svchost.exe [0 ] () <==== ATTENTION (zero byte File/Folder)
R2 TheCalendarService; C:\Program Files (x86)\CalendarTool\2.0.0.1000176\CalendarServ.exe [161424 2017-06-25] ()
U3 BthHFSrv; C:\WINDOWS\System32\svchost.exe [47664 2017-03-18] (Microsoft Corporation)
U3 BthHFSrv; C:\WINDOWS\SysWOW64\svchost.exe [40904 2017-03-18] (Microsoft Corporation)
CMD: CMD: for /d %f in (C:\Users\ahmed\AppData\Local\Temp\) do del /q "%f"
CMD: SC STOP "SvcHost Service Host"
CMD: SC DELETE "SvcHost Service Host"
S0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [0 2017-07-06] () <==== ATTENTION (zero byte File/Folder)
S2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [188312 2017-07-06] (Malwarebytes)
S3 MBAMFarflt; C:\WINDOWS\system32\drivers\farflt.sys [113592 2017-07-06] (Malwarebytes)
S3 MBAMProtection; C:\WINDOWS\system32\drivers\mbam.sys [44960 2017-07-06] (Malwarebytes)
S0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [0 2017-07-06] () <==== ATTENTION (zero byte File/Folder)
S3 MBAMWebProtection; C:\WINDOWS\system32\drivers\mwac.sys [93600 2017-07-06] (Malwarebytes)
2017-07-06 01:28 - 2017-07-06 01:28 - 00188312 _____ (Malwarebytes) C:\Windows\System32\Drivers\MBAMChameleon.sys
2017-07-06 01:28 - 2017-07-06 01:28 - 00093600 _____ (Malwarebytes) C:\Windows\System32\Drivers\mwac.sys
2017-07-06 01:28 - 2017-07-06 01:14 - 00113592 _____ (Malwarebytes) C:\Windows\System32\Drivers\farflt.sys
2017-07-06 01:28 - 2017-07-06 01:14 - 00044960 _____ (Malwarebytes) C:\Windows\System32\Drivers\mbam.sys
2017-07-06 01:27 - 2017-07-06 01:31 - 00077376 _____ C:\Windows\System32\Drivers\mbae64.sys
2017-07-06 01:27 - 2017-07-06 01:27 - 00001914 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-07-06 01:27 - 2017-07-06 01:27 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-07-06 01:27 - 2017-07-06 01:27 - 00000000 ____D C:\Program Files\Malwarebytes
2017-07-06 01:27 - 2017-07-06 01:14 - 00000000 _____ C:\Windows\System32\Drivers\MBAMSwissArmy.sys
C:\Windows\0
*****************
 
"C:\Program Files (x86)\CalendarTool" => not found.
 

The search log:

Farbar Recovery Scan Tool (x64) Version: 05-07-2017

Ran by SYSTEM (09-07-2017 05:44:41)
Running from D:\
Boot Mode: Recovery
 
================== Search Files: "explorer.exe;winlogon.exe;rpcss.dll;volsnap.sys" =============
 
C:\Windows\explorer.exe
[2017-06-01 12:18][2017-05-19 22:56] 4847928 _____ (Microsoft Corporation) E719D0A5DBC7D5ACFC179D361EF8C2FC
 
C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_10.0.15063.332_none_f1279e8f1466fe8a\explorer.exe
[2017-06-01 12:19][2017-05-20 00:48] 4469832 _____ (Microsoft Corporation) C17394E24B257A8F44A0AA0BC3E299C2
 
C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_10.0.15063.0_none_6d1d2a9de6ebea22\explorer.exe
[2017-03-18 12:58][2017-06-03 20:22] 0242908 _____ () 9190C8609A6A95E9FBF71F078C6B06F9
 
C:\Windows\WinSxS\amd64_microsoft-windows-winlogon_31bf3856ad364e35_10.0.15063.250_none_04c9abef3b4d51d2\winlogon.exe
[2017-05-15 11:27][2017-04-18 22:07] 0707072 _____ (Microsoft Corporation) D0F1FB0E90BFBD14865B770E2567BE1D
 
C:\Windows\WinSxS\amd64_microsoft-windows-winlogon_31bf3856ad364e35_10.0.15063.0_none_80d6da500dc0355d\winlogon.exe
[2017-03-18 12:57][2017-05-27 15:47] 0060458 _____ () 4304255FD29A7CA74738DBFDAF395202
 
C:\Windows\WinSxS\amd64_microsoft-windows-volsnap_31bf3856ad364e35_10.0.15063.0_none_703dcec1da3ef92f\volsnap.sys
[2017-03-18 12:57][2017-03-18 12:57] 0397216 _____ (Microsoft Corporation) E3429DBBEA3965BB96E24B16EF4A2551
 
C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_10.0.15063.332_none_e6d2f43ce0063c8f\explorer.exe
[2017-06-01 12:18][2017-05-19 22:56] 4847928 _____ (Microsoft Corporation) E719D0A5DBC7D5ACFC179D361EF8C2FC
 
C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_10.0.15063.0_none_62c8804bb28b2827\explorer.exe
[2017-03-18 12:58][2017-06-03 20:08] 0323692 _____ () C0B5198EC33770F940C700EC61B2F7A4
 
C:\Windows\WinSxS\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_10.0.15063.296_none_feac48e0a456dbe7\rpcss.dll
[2017-05-15 11:27][2017-04-27 16:03] 1085440 _____ (Microsoft Corporation) 0E79A4C76CAAA0CFE9CA42C13E5AA086
 
C:\Windows\WinSxS\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_10.0.15063.0_none_7adeb53576aeb7a4\rpcss.dll
[2017-03-18 12:58][2017-05-26 20:29] 0135541 _____ () 07036BAF25B0A539CEFCEE15F191B380
 
C:\Windows\syswow64\explorer.exe
[2017-06-01 12:19][2017-05-20 00:48] 4469832 _____ (Microsoft Corporation) C17394E24B257A8F44A0AA0BC3E299C2
 
C:\Windows\System32\rpcss.dll
[2017-05-15 11:27][2017-04-27 16:03] 1085440 _____ (Microsoft Corporation) 0E79A4C76CAAA0CFE9CA42C13E5AA086
 
C:\Windows\System32\winlogon.exe
[2017-05-15 11:27][2017-04-18 22:07] 0707072 _____ (Microsoft Corporation) D0F1FB0E90BFBD14865B770E2567BE1D
 
C:\Windows\System32\drivers\volsnap.sys
[2017-03-18 12:57][2017-03-18 12:57] 0397216 _____ (Microsoft Corporation) E3429DBBEA3965BB96E24B16EF4A2551
 
X:\Windows\WinSxS\amd64_microsoft-windows-winlogon_31bf3856ad364e35_10.0.15063.0_none_80d6da500dc0355d\winlogon.exe
[2017-03-18 13:38][2017-03-18 13:38] 0707584 _____ (Microsoft Corporation) 47FF22F309A19C495E6BDD90DFA92A95
 
X:\Windows\WinSxS\amd64_microsoft-windows-volsnap_31bf3856ad364e35_10.0.15063.0_none_703dcec1da3ef92f\volsnap.sys
[2017-03-18 13:38][2017-03-18 13:38] 0397216 _____ (Microsoft Corporation) E3429DBBEA3965BB96E24B16EF4A2551
 
X:\Windows\WinSxS\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_10.0.15063.0_none_7adeb53576aeb7a4\rpcss.dll
[2017-03-18 13:38][2017-03-18 13:38] 1084416 _____ (Microsoft Corporation) 18440D3E6011A2D4E8965ADA201A089B
 
X:\Windows\System32\rpcss.dll
[2017-03-18 13:38][2017-03-18 13:38] 1084416 _____ (Microsoft Corporation) 18440D3E6011A2D4E8965ADA201A089B
 
X:\Windows\System32\winlogon.exe
[2017-03-18 13:38][2017-03-18 13:38] 0707584 _____ (Microsoft Corporation) 47FF22F309A19C495E6BDD90DFA92A95
 
X:\Windows\System32\drivers\volsnap.sys
[2017-03-18 13:38][2017-03-18 13:38] 0397216 _____ (Microsoft Corporation) E3429DBBEA3965BB96E24B16EF4A2551
 
====== End of Search ======
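As an added example (not FRST's code and not part of the helper's instructions), a small Python parser for the Search.txt layout shown above: it groups the copies of each file by size, MD5 and company field and flags copies that carry no company/version info or are much smaller than the largest copy of the same name, so an analyst can compare them side by side. The sample input is constructed from entries in this thread; the size ratio is an arbitrary threshold, and the flags are review hints, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample in the Search.txt layout shown in this thread (a path line,
# then "[ts][ts] size attrs (company) MD5"); entries copied from the log above.
SAMPLE = r"""
C:\Windows\explorer.exe
[2017-06-01 12:18][2017-05-19 22:56] 4847928 _____ (Microsoft Corporation) E719D0A5DBC7D5ACFC179D361EF8C2FC

C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_10.0.15063.0_none_62c8804bb28b2827\explorer.exe
[2017-03-18 12:58][2017-06-03 20:08] 0323692 _____ () C0B5198EC33770F940C700EC61B2F7A4

C:\Windows\System32\drivers\volsnap.sys
[2017-03-18 12:57][2017-03-18 12:57] 0397216 _____ (Microsoft Corporation) E3429DBBEA3965BB96E24B16EF4A2551

====== End of Search ======
"""

# Detail line: two bracketed timestamps, size, attribute flags, (company), 32-hex MD5.
DETAIL = re.compile(
    r"^\[(?P<ts1>[^\]]+)\]\[(?P<ts2>[^\]]+)\] (?P<size>\d+) (?P<attrs>\S+) "
    r"\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)

def parse_search_log(text):
    """Return one dict per file: path, name, size, company, md5 and both timestamps."""
    entries, path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):   # skip blanks and the "=== End ===" banner
            continue
        m = DETAIL.match(line)
        if m and path:
            d = m.groupdict()
            d["size"] = int(d["size"])          # FRST zero-pads sizes, e.g. 0323692
            d["path"], d["name"] = path, path.rsplit("\\", 1)[-1].lower()
            entries.append(d)
            path = None
        else:
            path = line                         # a path line always precedes its detail line
    return entries

def variants_by_name(entries):
    """Distinct (size, md5, company) combinations seen for each file name."""
    groups = defaultdict(set)
    for e in entries:
        groups[e["name"]].add((e["size"], e["md5"].upper(), e["company"]))
    return {name: sorted(v) for name, v in groups.items()}

def flag_for_review(entries):
    """Copies worth a second look: empty company field, or under a quarter the size
    of the largest copy with the same name (arbitrary threshold, review hint only)."""
    largest = defaultdict(int)
    for e in entries:
        largest[e["name"]] = max(largest[e["name"]], e["size"])
    flagged = []
    for e in entries:
        reasons = []
        if not e["company"]:
            reasons.append("no company/version info")
        if e["size"] < largest[e["name"]] // 4:
            reasons.append("much smaller than the largest copy")
        if reasons:
            flagged.append((e["path"], reasons))
    return flagged

if __name__ == "__main__":
    for path, why in flag_for_review(parse_search_log(SAMPLE)):
        print(path, "->", "; ".join(why))
```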


#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,590 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:26 AM

Posted 09 July 2017 - 06:05 PM

Please run FRST once again and post the new FRST.txt log.





