Infected with "wtmhdintus" lying dormant waiting to pounce


  • This topic is locked
38 replies to this topic

#1 PussEKatt

PussEKatt

  • Members
  • 28 posts

Posted 11 September 2017 - 06:19 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-08-2017
Ran by Colin (administrator) on COLIN-PC (09-09-2017 19:00:35)
Running from C:\Users\Colin\Desktop
Loaded Profiles: Colin (Available Profiles: Colin)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(SEIKO EPSON CORPORATION) C:\ProgramData\EPSON\EPW!3 SSRP\E_S40STB.EXE
(SEIKO EPSON CORPORATION) C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
() C:\Program Files (x86)\TotalAV\SecurityService.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
() C:\Program Files (x86)\TotalAV\TotalAV.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKU\S-1-5-21-1413940874-3548436395-3315761783-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7964064 2017-08-18] (SUPERAntiSpyware)
HKU\S-1-5-21-1413940874-3548436395-3315761783-1000\...\Run: [CCleaner Monitoring] => "I:\CCleaner\CCleaner64.exe" /MONITOR
HKU\S-1-5-21-1413940874-3548436395-3315761783-1000\...\MountPoints2: {577760c7-5577-11e7-aade-806e6f6e6963} - E:\Bin\Instv2.exe
BootExecute: autocheck autochk * Partizan
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-08-2017
Ran by Colin (09-09-2017 19:01:02)
Running from C:\Users\Colin\Desktop
Windows 7 Home Premium Service Pack 1 (X64) (2017-06-20 07:23:24)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1413940874-3548436395-3315761783-500 - Administrator - Disabled)
Colin (S-1-5-21-1413940874-3548436395-3315761783-1000 - Administrator - Enabled) => C:\Users\Colin
Guest (S-1-5-21-1413940874-3548436395-3315761783-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1413940874-3548436395-3315761783-1002 - Limited - Enabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7-Zip 16.04 (x64) (HKLM\...\7-Zip) (Version: 16.04 - Igor Pavlov)
AnyBurn (HKLM-x32\...\AnyBurn) (Version: 3.5 - Power Software Ltd)
Down in Flames (HKLM-x32\...\Down in Flames_is1) (Version:  - Battlefront.com, Inc.)
DVDStyler v3.0.3 (HKLM\...\DVDStyler_is1) (Version:  - Thüring IT-Consulting)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - )
Epson Stylus SX110_TX110 Manual (HKLM-x32\...\Epson Stylus SX110_TX110 User’s Guide) (Version:  - )
EPSON TX110 Series Printer Uninstall (HKLM\...\EPSON TX110 Series) (Version:  - SEIKO EPSON Corporation)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 60.0.3112.113 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.21.169 - Google Inc.) Hidden
IDM Crack 6.25 build 25 (HKLM-x32\...\IDM Crack 6.25 build 25) (Version: build 25 - Crackingpatching.com Team)
Intel® Chipset Device Software (HKLM-x32\...\{bb0592a7-5772-4736-9d55-2402740085db}) (Version: 10.1.1.38 - Intel® Corporation) Hidden
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 11.6.0.1030 - Intel Corporation)
Intel® Network Connections 21.1.30.0 (HKLM\...\PROSetDX) (Version: 21.1.30.0 - Intel)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 21.20.16.4508 - Intel Corporation)
Intel® USB 3.0\3.1 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 5.0.0.32 - Intel Corporation)
Internet Download Manager (HKLM-x32\...\Internet Download Manager) (Version:  - Tonec Inc.)
Malwarebytes version 3.2.2.2018 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.2.2.2018 - Malwarebytes)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Close Combat: A Bridge Too Far (HKLM-x32\...\Close Combat) (Version:  - )
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23918 (HKLM-x32\...\{dab68466-3a7d-41a8-a5cf-415e3ff8ef71}) (Version: 14.0.23918.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23918 (HKLM-x32\...\{2e085fd2-a3e4-4b39-8e10-6b8d35f55244}) (Version: 14.0.23918.0 - Microsoft Corporation)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7940 - Realtek Semiconductor Corp.)
Shareaza 2.7.9.0 (HKLM-x32\...\Shareaza_is1) (Version: 2.7.9.0 - Shareaza Development Team)
Sid Meier's Civilization 4 Complete (HKLM-x32\...\{30D1F3D2-54CF-481D-A005-F94B0E98FEEC}) (Version: 1.74 - Firaxis Games)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1248 - SUPERAntiSpyware.com)
Uncommon Valor v1.0 (HKLM-x32\...\UncommonValorv100) (Version:  - )
UnHackMe 9.20 (HKLM-x32\...\UnHackMe_is1) (Version:  - Greatis Software, LLC.)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ShellIconOverlayIdentifiers: [   IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll [2015-08-14] (Tonec Inc.)
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-08-21] (Malwarebytes)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\Windows\system32\igfxDTCM.dll [2017-06-20] (Intel Corporation)
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-08-21] (Malwarebytes)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {F2B36E51-ABB3-4C6A-9DB2-B939B63E8CA6} - System32\Tasks\CCleanerSkipUAC => I:\CCleaner\CCleaner.exe
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 6506c494-bc70-4be6-8608-43bd7464a13d.job => C:\Program Files\SUPERAntiSpyware\SASTask.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Task: C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task f75019b9-7557-425a-9990-75f0ee055139.job => C:\Program Files\SUPERAntiSpyware\SASTask.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Task: C:\Windows\Tasks\UnHackMe Task Scheduler.job => C:\Program Files (x86)\UnHackMe\hackmon.exe$(Arg0)Greatis Software, LLC.?Part of RegRun Suite/UnHackMe software. hxxp:/www.greatis.com
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2017-09-04 20:16 - 2017-08-11 18:45 - 000441696 _____ () C:\Program Files (x86)\TotalAV\SecurityService.exe
2016-10-07 15:48 - 2016-10-07 15:48 - 000387128 ____R () C:\Program Files\Intel\NCS2\WmiProv\Ncs2Provider.dll
2016-10-07 15:48 - 2016-10-07 15:48 - 000206904 ____R () C:\Program Files\Intel\NCS2\Agent\AdapterAgnt.DLL
2017-09-04 20:16 - 2017-08-11 18:45 - 002675040 _____ () C:\Program Files (x86)\TotalAV\TotalAV.exe
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Users\Colin\Downloads:Shareaza.GUID [16]
AlternateDataStreams: C:\Users\Colin\Downloads\Compressed:Shareaza.GUID [16]
AlternateDataStreams: C:\Users\Colin\Downloads\Documents:Shareaza.GUID [16]
AlternateDataStreams: C:\Users\Colin\Downloads\Music:Shareaza.GUID [16]
AlternateDataStreams: C:\Users\Colin\Downloads\Programs:Shareaza.GUID [16]
AlternateDataStreams: C:\Users\Colin\Downloads\Video:Shareaza.GUID [16]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\96697280.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\96697280.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMSwissArmy => ""="Driver"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 10:34 - 2017-09-07 22:28 - 000000855 _____ C:\Windows\system32\Drivers\etc\hosts
 
127.0.0.1       localhost
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1413940874-3548436395-3315761783-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Colin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\Services: AeLookupSvc => 3
MSCONFIG\Services: ALG => 3
MSCONFIG\Services: AppIDSvc => 3
MSCONFIG\Services: AudioEndpointBuilder => 2
MSCONFIG\Services: AudioSrv => 2
MSCONFIG\Services: AxInstSV => 3
MSCONFIG\Services: BDESVC => 3
MSCONFIG\Services: BFE => 2
MSCONFIG\Services: BITS => 2
MSCONFIG\Services: Browser => 3
MSCONFIG\Services: bthserv => 3
MSCONFIG\Services: CertPropSvc => 3
MSCONFIG\Services: clr_optimization_v4.0.30319_32 => 2
MSCONFIG\Services: clr_optimization_v4.0.30319_64 => 2
MSCONFIG\Services: COMSysApp => 3
MSCONFIG\Services: CryptSvc => 2
MSCONFIG\Services: defragsvc => 3
MSCONFIG\Services: Dhcp => 2
MSCONFIG\Services: Dnscache => 2
MSCONFIG\Services: dot3svc => 3
MSCONFIG\Services: DPS => 2
MSCONFIG\Services: EapHost => 3
MSCONFIG\Services: EFS => 3
MSCONFIG\Services: ehRecvr => 3
MSCONFIG\Services: ehSched => 3
MSCONFIG\Services: eventlog => 2
MSCONFIG\Services: EventSystem => 2
MSCONFIG\Services: Fax => 3
MSCONFIG\Services: fdPHost => 3
MSCONFIG\Services: FDResPub => 3
MSCONFIG\Services: FontCache => 2
MSCONFIG\Services: FontCache3.0.0.0 => 3
MSCONFIG\Services: hidserv => 3
MSCONFIG\Services: hkmsvc => 3
MSCONFIG\Services: HomeGroupListener => 3
MSCONFIG\Services: HomeGroupProvider => 3
MSCONFIG\Services: idsvc => 3
MSCONFIG\Services: IKEEXT => 3
MSCONFIG\Services: IPBusEnum => 3
MSCONFIG\Services: iphlpsvc => 2
MSCONFIG\Services: KeyIso => 3
MSCONFIG\Services: KtmRm => 3
MSCONFIG\Services: LanmanServer => 2
MSCONFIG\Services: LanmanWorkstation => 2
MSCONFIG\Services: lltdsvc => 3
MSCONFIG\Services: lmhosts => 2
MSCONFIG\Services: MMCSS => 2
MSCONFIG\Services: MpsSvc => 2
MSCONFIG\Services: MSDTC => 3
MSCONFIG\Services: MSiSCSI => 3
MSCONFIG\Services: msiserver => 3
MSCONFIG\Services: napagent => 3
MSCONFIG\Services: Netlogon => 3
MSCONFIG\Services: Netman => 3
MSCONFIG\Services: netprofm => 3
MSCONFIG\Services: NlaSvc => 2
MSCONFIG\Services: nsi => 2
MSCONFIG\Services: p2pimsvc => 3
MSCONFIG\Services: p2psvc => 3
MSCONFIG\Services: PcaSvc => 2
MSCONFIG\Services: PerfHost => 3
MSCONFIG\Services: pla => 3
MSCONFIG\Services: PNRPAutoReg => 3
MSCONFIG\Services: PNRPsvc => 3
MSCONFIG\Services: PolicyAgent => 3
MSCONFIG\Services: Power => 2
MSCONFIG\Services: ProtectedStorage => 3
MSCONFIG\Services: QWAVE => 3
MSCONFIG\Services: RasAuto => 3
MSCONFIG\Services: RasMan => 3
MSCONFIG\Services: RemoteRegistry => 3
MSCONFIG\Services: RpcLocator => 3
MSCONFIG\Services: SamSs => 2
MSCONFIG\Services: SCardSvr => 3
MSCONFIG\Services: SCPolicySvc => 3
MSCONFIG\Services: SDRSVC => 3
MSCONFIG\Services: seclogon => 3
MSCONFIG\Services: SENS => 2
MSCONFIG\Services: SensrSvc => 3
MSCONFIG\Services: SessionEnv => 3
MSCONFIG\Services: ShellHWDetection => 2
MSCONFIG\Services: SNMPTRAP => 3
MSCONFIG\Services: Spooler => 2
MSCONFIG\Services: sppuinotify => 3
MSCONFIG\Services: SSDPSRV => 3
MSCONFIG\Services: SstpSvc => 3
MSCONFIG\Services: stisvc => 2
MSCONFIG\Services: swprv => 3
MSCONFIG\Services: SysMain => 2
MSCONFIG\Services: TabletInputService => 3
MSCONFIG\Services: TapiSrv => 3
MSCONFIG\Services: TBS => 3
MSCONFIG\Services: TermService => 3
MSCONFIG\Services: Themes => 2
MSCONFIG\Services: THREADORDER => 3
MSCONFIG\Services: TrkWks => 2
MSCONFIG\Services: TrustedInstaller => 3
MSCONFIG\Services: UI0Detect => 3
MSCONFIG\Services: upnphost => 2
MSCONFIG\Services: UxSms => 2
MSCONFIG\Services: VaultSvc => 3
MSCONFIG\Services: vds => 3
MSCONFIG\Services: VSS => 3
MSCONFIG\Services: W32Time => 3
MSCONFIG\Services: wbengine => 3
MSCONFIG\Services: WbioSrvc => 3
MSCONFIG\Services: wcncsvc => 3
MSCONFIG\Services: WcsPlugInService => 3
MSCONFIG\Services: WdiServiceHost => 3
MSCONFIG\Services: WdiSystemHost => 3
MSCONFIG\Services: WebClient => 3
MSCONFIG\Services: Wecsvc => 3
MSCONFIG\Services: wercplsupport => 3
MSCONFIG\Services: WerSvc => 3
MSCONFIG\Services: WinDefend => 2
MSCONFIG\Services: WinHttpAutoProxySvc => 3
MSCONFIG\Services: Winmgmt => 2
MSCONFIG\Services: WinRM => 3
MSCONFIG\Services: Wlansvc => 3
MSCONFIG\Services: wmiApSrv => 3
MSCONFIG\Services: WMPNetworkSvc => 2
MSCONFIG\Services: WPCSvc => 3
MSCONFIG\Services: WPDBusEnum => 3
MSCONFIG\Services: wscsvc => 2
MSCONFIG\Services: WSearch => 2
MSCONFIG\Services: wtmhdintus => 2
MSCONFIG\Services: wuauserv => 2
MSCONFIG\Services: wudfsvc => 2
MSCONFIG\Services: WwanSvc => 3
MSCONFIG\startupreg: 002kXwVR1yg.exe => C:\Users\Colin\AppData\Roaming\c9bf0d6c58ef44f0abe3e57b137013a5\002kXwVR1yg.exe 
MSCONFIG\startupreg: 39YD5xV.exe => C:\Users\Colin\AppData\Local\a870a402b92847829d9bf43e926b6034\39YD5xV.exe 
MSCONFIG\startupreg: AeT7sWlO9.exe => C:\Users\Colin\AppData\Roaming\c667e727858840e4b547350cda1ce73a\AeT7sWlO9.exe -r1_1 -r2_2
MSCONFIG\startupreg: CloudNet => "C:\Users\Colin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" 31337
MSCONFIG\startupreg: DSS => C:\Windows\BBSTORE\DSS\DSSAGENT.EXE
MSCONFIG\startupreg: EPSON TX110 Series => C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIFBP.EXE /FU "C:\Windows\TEMP\E_S8660.tmp" /EF "HKCU"
MSCONFIG\startupreg: gplyra => C:\Users\Colin\AppData\Roaming\gplyra\gplyra.exe
MSCONFIG\startupreg: HoXuaNg3JzwU.exe => C:\Users\Colin\AppData\Roaming\db50892ee5e947b69ca9d4dd623d4416\HoXuaNg3JzwU.exe -r1_1 -r2_2
MSCONFIG\startupreg: IDMan => C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
MSCONFIG\startupreg: msiql => C:\Users\Colin\AppData\Local\Temp\00016181\msiql.exe /RUNNING
MSCONFIG\startupreg: n8tmdnçYg3.exe => C:\Program Files\Uninstall Information\EGSC21TJVBWOWLLZ6\n8tmdnçYg3.exe 
MSCONFIG\startupreg: r5U7I4Zjkux79Q.exe => C:\ProgramData\0883d8aa4f314dc28073903b5c9fb464\r5U7I4Zjkux79Q.exe 
MSCONFIG\startupreg: Realtek_HD_Audio_Driver => C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe
MSCONFIG\startupreg: rQXD93NvyGhF.exe => C:\ProgramData\73a89ce208474e31a8cdcd17daac8db1\rQXD93NvyGhF.exe -r1_1 -r2_2
MSCONFIG\startupreg: RTHDVCPL => "C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s
MSCONFIG\startupreg: SilentWildflower => "C:\Windows\rss\csrss.exe"
MSCONFIG\startupreg: USB3MON => "C:\Program Files (x86)\Intel\Intel® USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe"
MSCONFIG\startupreg: XStceHH.exe => C:\ProgramData\e79a3bc7a5cd46efaf34a487d62a77a2\XStceHH.exe 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{9DDD00F6-3119-4F17-97E4-946BAA7F39A5}] => (Allow) C:\Program Files (x86)\Shareaza\Shareaza.exe
FirewallRules: [{01544912-9850-43BE-8CBE-0C8BD37BC4F6}] => (Allow) C:\Program Files (x86)\Shareaza\Shareaza.exe
FirewallRules: [TCP Query User{14C081BE-ACA4-4B1E-849C-3ADEBCF47A9C}C:\program files (x86)\shareaza\shareaza.exe] => (Allow) C:\program files (x86)\shareaza\shareaza.exe
FirewallRules: [UDP Query User{125BAA1E-F77E-4461-994A-046F08A91C33}C:\program files (x86)\shareaza\shareaza.exe] => (Allow) C:\program files (x86)\shareaza\shareaza.exe
FirewallRules: [{9E12B889-3AFF-4735-BF7A-5A6E22D342BB}] => (Allow) C:\Windows\system32\rundll32.exe
FirewallRules: [{71D64DF4-5541-4B89-ADCD-28F84DE9C692}] => (Allow) C:\Windows\System32\rundll32.exe
FirewallRules: [{27594466-517D-42CA-896C-EE53C963A7C0}] => (Allow) C:\Windows\System32\rundll32.exe
FirewallRules: [{9E8F5B4B-D167-4C4D-A712-7172C2628BCD}] => (Allow) C:\Windows\System32\rundll32.exe
FirewallRules: [{791572B8-BB67-42AD-9017-07D5D6675C47}] => (Allow) C:\Windows\System32\rundll32.exe
FirewallRules: [{B978282D-FBDA-41F4-AF25-4DD2A5D693F4}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{85B34758-97A3-4a63-832A-9825D8777935}}] => (Allow) C:\Program Files (x86)\UnHackMe\wu.exe
FirewallRules: [{9187CF69-6824-487d-A9F0-AFF5C2C29BA9}}] => (Allow) C:\Program Files (x86)\UnHackMe\wu.exe
FirewallRules: [{85B34758-97A3-4a63-832A-9825D8777934}}] => (Allow) C:\Program Files (x86)\UnHackMe\regruninfo.exe
FirewallRules: [{9187CF69-6824-487d-A9F0-AFF5C2C29BA8}}] => (Allow) C:\Program Files (x86)\UnHackMe\regruninfo.exe
 
==================== Restore Points =========================
 
22-07-2017 21:36:10 Removed Steam
23-07-2017 15:11:57 Removed Realtek High Definition Audio Driver
23-07-2017 15:15:15 Installed Realtek High Definition Audio Driver
23-07-2017 18:51:33 Microsoft Visual C++ 2017 Redistributable (x86) - 14.10.25008
23-07-2017 18:52:01 Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215
23-07-2017 18:52:09 Microsoft Visual C++ 2017 Redistributable (x64) - 14.10.25008
23-07-2017 18:52:23 Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
24-07-2017 19:50:28 Driver Booster : EPSON Scanner
24-07-2017 19:58:20 Windows Update
24-07-2017 20:42:48 Installed DirectX
25-07-2017 17:57:54 Device Driver Package Install: Intel® Corporation Sound, video and game controllers
25-07-2017 17:58:55 Device Driver Package Install: Intel Corporation Display adapters
25-07-2017 18:09:17 Revo Uninstaller's restore point - Driver Booster 4.4
25-07-2017 18:10:07 Revo Uninstaller's restore point - SlimDrivers
25-07-2017 18:10:16 Removed SlimDrivers
25-07-2017 18:12:51 Installed Microsoft Visual C++ 2005 Redistributable
27-08-2017 22:52:26 Revo Uninstaller's restore point - Everything 1.6
27-08-2017 22:52:55 Revo Uninstaller's restore point - FM Wizard Editor 17.3.1
27-08-2017 22:53:41 Revo Uninstaller's restore point - One System Care
27-08-2017 22:54:18 Revo Uninstaller's restore point - Online Application
27-08-2017 22:54:28 Removed Online Application
27-08-2017 22:55:08 Revo Uninstaller's restore point - PC Clean Plus
27-08-2017 22:59:00 Revo Uninstaller's restore point - PC Clean Plus
27-08-2017 23:00:04 Revo Uninstaller's restore point - QWiget 1.0.1
27-08-2017 23:01:05 Revo Uninstaller's restore point - VKOKAdBlock
27-08-2017 23:01:38 Revo Uninstaller's restore point - VidsqaurE
27-08-2017 23:02:11 Revo Uninstaller's restore point - System Healer
27-08-2017 23:03:04 Revo Uninstaller's restore point - 1.0.0.1
27-08-2017 23:04:09 Revo Uninstaller's restore point - Search module
27-08-2017 23:05:10 Revo Uninstaller's restore point - ProxyGate version 3.0.0.1180
28-08-2017 22:37:00 Revo Uninstaller's restore point - WindowsTM
28-08-2017 23:34:42 Revo Uninstaller's restore point - Google Chrome
07-09-2017 22:39:12 Restore Operation
08-09-2017 20:53:11 After Virus
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (09/09/2017 06:59:07 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (09/09/2017 02:48:43 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (09/08/2017 08:49:44 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (09/08/2017 08:46:38 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Program Files (x86)\UnHackMe\reanimator.exe Files (x86)\UnHackMe\reanimator.exe" /wiz /full; Description = UnHackMe Malware Removal; Error = 0x8007043c).
 
Error: (09/08/2017 08:44:36 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Program Files (x86)\UnHackMe\reanimator.exe Files (x86)\UnHackMe\reanimator.exe" /wiz /full; Description = UnHackMe Malware Removal; Error = 0x8007043c).
 
Error: (09/08/2017 08:43:18 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (09/08/2017 08:42:30 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Program Files (x86)\UnHackMe\reanimator.exe Files (x86)\UnHackMe\reanimator.exe" /wiz /full; Description = UnHackMe Malware Removal; Error = 0x8007043c).
 
Error: (09/08/2017 08:28:22 PM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: Windows Search Service failed to process the list of included and excluded locations with the error <30, 0x80040d07, "iehistory://{S-1-5-21-1413940874-3548436395-3315761783-1000}/">.
 
Error: (09/08/2017 08:26:57 PM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: Windows Search Service failed to process the list of included and excluded locations with the error <30, 0x80040d07, "iehistory://{S-1-5-21-1413940874-3548436395-3315761783-1000}/">.
 
Error: (09/08/2017 08:21:43 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program CCleaner64.exe version 5.33.0.6162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: fa0
 
Start Time: 01d3289cf3124b61
 
Termination Time: 1
 
Application Path: C:\Program Files\CCleaner\CCleaner64.exe
 
Report Id:
 
 
System errors:
=============
Error: (09/09/2017 06:59:26 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk3\DR3.
 
Error: (09/09/2017 06:59:25 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk3\DR3.
 
Error: (09/09/2017 06:59:16 PM) (Source: WMPNetworkSvc) (EventID: 14332) (User: )
Description: Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80070420'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
 
Error: (09/09/2017 06:59:14 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
epp
 
Error: (09/09/2017 02:48:37 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
epp
 
Error: (09/08/2017 08:49:50 PM) (Source: WMPNetworkSvc) (EventID: 14332) (User: )
Description: Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
 
Error: (09/08/2017 08:49:48 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
epp
 
Error: (09/08/2017 08:41:33 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
AFD
AsIO
DfsC
discache
epp
NetBIOS
NetBT
nsiproxy
Psched
rdbss
SASDIFSV
SASKUTIL
spldr
tdx
Wanarpv6
WfpLwf
wtmhdkernel
 
Error: (09/08/2017 08:41:31 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The HomeGroup Listener service depends on the Server service which failed to start because of the following error: 
The dependency service or group failed to start.
 
Error: (09/08/2017 08:41:31 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
The dependency service or group failed to start.
 
 
CodeIntegrity:
===================================
  Date: 2017-08-27 22:35:06.567
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Common Files\Noobzo\GNUpdate\smw.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2017-08-27 22:35:06.520
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Common Files\Noobzo\GNUpdate\smw.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2017-08-27 22:33:03.263
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Common Files\Noobzo\GNUpdate\smw.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2017-08-27 22:33:03.262
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Common Files\Noobzo\GNUpdate\smw.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-7600 CPU @ 3.50GHz
Percentage of memory in use: 19%
Total physical RAM: 8060.63 MB
Available physical RAM: 6470.61 MB
Total Virtual: 16119.46 MB
Available Virtual: 14509.08 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:473.17 GB) (Free:350.61 GB) NTFS
Drive d: (Games) (Fixed) (Total:465.76 GB) (Free:286.55 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (Misc E) (Fixed) (Total:415.64 GB) (Free:368.6 GB) NTFS
Drive f: (Windows 7) (Fixed) (Total:50.12 GB) (Free:41.81 GB) NTFS
Drive s: (Steam ) (Fixed) (Total:458.12 GB) (Free:211.44 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 1DF0A70D)
Partition 1: (Active) - (Size=465.8 GB) - (Type=07 NTFS)
 
========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 1A161A15)
Partition 1: (Not Active) - (Size=415.6 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=50.1 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================

 

If you look at the 4th entry from the bottom in the msconfig services, you will see "wtmhdintus".




 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,629 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:28 AM

Posted 11 September 2017 - 07:07 AM

Hi PussEKatt :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full-time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Your FRST.txt log looks incomplete. Can you copy/paste it here again?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 PussEKatt

PussEKatt
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:06:28 PM

Posted 11 September 2017 - 10:01 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-08-2017
Ran by Colin (administrator) on COLIN-PC (09-09-2017 19:00:35)
Running from C:\Users\Colin\Desktop
Loaded Profiles: Colin (Available Profiles: Colin)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(SEIKO EPSON CORPORATION) C:\ProgramData\EPSON\EPW!3 SSRP\E_S40STB.EXE
(SEIKO EPSON CORPORATION) C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
() C:\Program Files (x86)\TotalAV\SecurityService.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
() C:\Program Files (x86)\TotalAV\TotalAV.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKU\S-1-5-21-1413940874-3548436395-3315761783-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7964064 2017-08-18] (SUPERAntiSpyware)
HKU\S-1-5-21-1413940874-3548436395-3315761783-1000\...\Run: [CCleaner Monitoring] => "I:\CCleaner\CCleaner64.exe" /MONITOR
HKU\S-1-5-21-1413940874-3548436395-3315761783-1000\...\MountPoints2: {577760c7-5577-11e7-aade-806e6f6e6963} - E:\Bin\Instv2.exe
BootExecute: autocheck autochk * Partizan
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Winsock: Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File 
Winsock: Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File 
Winsock: Catalog5-x64 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File 
Winsock: Catalog5-x64 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File 
Tcpip\Parameters: [DhcpNameServer] 10.1.1.1
Tcpip\..\Interfaces\{C0AA6FE9-6A55-416C-ACD4-FCBE4B261520}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{C0AA6FE9-6A55-416C-ACD4-FCBE4B261520}: [DhcpNameServer] 10.1.1.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
HKU\S-1-5-21-1413940874-3548436395-3315761783-1000\Software\Microsoft\Internet Explorer\Main,Start Page = 
HKU\S-1-5-21-1413940874-3548436395-3315761783-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/en-au/?ocid=iehp
URLSearchHook: [S-1-5-21-1413940874-3548436395-3315761783-1000] ATTENTION => Default URLSearchHook is missing
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll [2016-07-13] (Internet Download Manager, Tonec Inc.)
BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll [2016-07-13] (Internet Download Manager, Tonec Inc.)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
 
FireFox:
========
FF HKU\S-1-5-21-1413940874-3548436395-3315761783-1000\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\Colin\AppData\Roaming\IDM\idmmzcc5
FF Extension: (IDM CC) - C:\Users\Colin\AppData\Roaming\IDM\idmmzcc5 [2017-09-08] [not signed]
FF HKU\S-1-5-21-1413940874-3548436395-3315761783-1000\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi
FF Extension: (IDM integration) - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi [2016-08-03]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-30] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-30] (Google Inc.)
FF Plugin HKU\S-1-5-21-1413940874-3548436395-3315761783-1000: @tracker-software.com/PDF-XChange Editor Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Editor\npPDFXEditPlugin.x64.dll [No File]
 
Chrome: 
=======
CHR Profile: C:\Users\Colin\AppData\Local\Google\Chrome\User Data\Default [2017-09-09]
CHR Extension: (Docs) - C:\Users\Colin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-09-08]
CHR Extension: (Google Drive) - C:\Users\Colin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-09-08]
CHR Extension: (YouTube) - C:\Users\Colin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-09-08]
CHR Extension: (Gmail) - C:\Users\Colin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-09-08]
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [looohgelibjoplmkhecmalapkgadkfcc] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-01-31] (SUPERAntiSpyware.com)
R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [324560 2017-06-20] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [987432 2016-07-26] (Intel® Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [177440 2016-09-14] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6058960 2017-08-21] (Malwarebytes)
R2 SecurityService; C:\Program Files (x86)\TotalAV\SecurityService.exe [441696 2017-08-11] ()
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2014-09-09] ()
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [514024 2016-10-05] (Intel Corporation)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [55232 2017-09-03] () [File not signed]
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [32224 2016-09-19] (Intel Corporation)
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [140672 2017-09-03] (Malwarebytes)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [253888 2017-09-09] (Malwarebytes)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [199736 2016-09-06] (Intel Corporation)
U0 Partizan; C:\Windows\SysWOW64\drivers\Partizan.sys [40304 2017-09-06] (Greatis Software)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-23] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 wtmhdkernel; C:\Windows\system32\drivers\wtmhdkernel.sys [205160 2010-11-21] () [File not signed]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-09-09 19:00 - 2017-09-09 19:00 - 000009620 _____ C:\Users\Colin\Desktop\FRST.txt
2017-09-09 19:00 - 2017-09-09 19:00 - 000000000 ____D C:\FRST
2017-09-09 15:40 - 2017-09-09 15:25 - 002395648 _____ (Farbar) C:\Users\Colin\Desktop\FRST64.exe
2017-09-08 20:41 - 2017-09-08 20:46 - 000152708 _____ C:\Windows\ntbtlog.txt
2017-09-08 20:26 - 2017-09-08 20:26 - 000002762 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2017-09-08 20:19 - 2017-09-08 20:19 - 000000000 ____D C:\Windows\pss
2017-09-07 22:32 - 2017-09-09 18:59 - 000253888 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-09-07 22:23 - 2017-09-07 22:23 - 000000207 _____ C:\Windows\tweaking.com-regbackup-COLIN-PC-Windows-7-Home-Premium-(64-bit).dat
2017-09-07 22:23 - 2017-09-07 22:23 - 000000000 ____D C:\RegBackup
2017-09-07 22:16 - 2017-09-07 22:17 - 000000000 ____D C:\Users\Public\Desktop\CC Support
2017-09-07 20:34 - 2017-09-08 08:45 - 000000000 ____D C:\VIPRERESCUE
2017-09-07 20:34 - 2016-03-04 12:26 - 000032400 _____ (ThreatTrack Security) C:\Windows\system32\Drivers\gfiutil.sys
2017-09-07 20:34 - 2015-08-27 07:31 - 000040584 _____ (ThreatTrack Security) C:\Windows\system32\Drivers\gfiark.sys
2017-09-06 20:11 - 2017-09-06 20:11 - 000040304 _____ (Greatis Software) C:\Windows\SysWOW64\Drivers\Partizan.sys
2017-09-06 20:00 - 2017-09-09 18:58 - 000000248 _____ C:\Windows\SysWOW64\PARTILOG.EXE
2017-09-06 19:53 - 2017-09-06 19:53 - 000000000 ____D C:\@RestoreQuarantine
2017-09-06 19:50 - 2017-09-08 20:46 - 000002447 _____ C:\Windows\SysWOW64\Partizan.RRI
2017-09-06 19:44 - 2017-09-08 20:50 - 000000000 ____D C:\Users\Public\Documents\regruninfo
2017-09-06 19:44 - 2017-09-08 20:50 - 000000000 ____D C:\Users\Colin\Documents\RegRun2
2017-09-06 19:44 - 2017-09-08 08:45 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UnHackMe
2017-09-06 19:44 - 2017-09-08 08:45 - 000000000 ____D C:\Program Files (x86)\UnHackMe
2017-09-06 19:44 - 2017-09-06 19:45 - 000000000 ____D C:\ProgramData\RegRun
2017-09-06 19:44 - 2017-09-06 19:44 - 000001011 _____ C:\Users\Colin\Desktop\UnHackMe.lnk
2017-09-06 19:44 - 2017-09-06 19:44 - 000000418 _____ C:\Windows\Tasks\UnHackMe Task Scheduler.job
2017-09-06 19:44 - 2017-09-06 19:44 - 000000002 RSHOT C:\Windows\winstart.bat
2017-09-06 19:44 - 2017-09-06 19:44 - 000000002 RSHOT C:\Windows\SysWOW64\CONFIG.NT
2017-09-06 19:44 - 2017-09-06 19:44 - 000000002 RSHOT C:\Windows\SysWOW64\AUTOEXEC.NT
2017-09-06 19:44 - 2017-08-30 11:47 - 000014984 _____ (Greatis Software, LLC.) C:\Windows\SysWOW64\Drivers\UnHackMeDrv.sys
2017-09-06 19:44 - 2015-12-28 11:32 - 000049968 _____ (Greatis Software) C:\Windows\system32\partizan.exe
2017-09-04 20:37 - 2017-09-08 08:45 - 000000000 ____D C:\Windows\SysWOW64\GroupPolicy
2017-09-04 20:37 - 2017-09-08 08:45 - 000000000 ____D C:\Windows\SysWOW64\GPBAK
2017-09-04 20:37 - 2008-04-14 02:11 - 000295936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appmgr.dll
2017-09-04 20:37 - 2001-08-23 13:00 - 000034871 _____ C:\Windows\SysWOW64\gpedit.msc
2017-09-04 20:16 - 2017-09-08 08:45 - 000000000 ____D C:\Program Files (x86)\TotalAV
2017-09-04 20:16 - 2017-09-04 20:16 - 000001020 _____ C:\Users\Colin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TotalAV.lnk
2017-09-04 20:16 - 2017-09-04 20:16 - 000000000 ____D C:\Users\Colin\AppData\Roaming\TotalAV
2017-09-04 19:21 - 2017-09-04 19:21 - 000875463 _____ C:\Users\Colin\Desktop\add_gpedit_msc_by_jwils876.zip
2017-09-03 22:45 - 2017-09-03 22:45 - 026980753 _____ C:\Users\Colin\Desktop\cce_public_x86.zip
2017-09-03 22:13 - 2017-09-03 22:13 - 000193436 _____ C:\TDSSKiller.3.1.0.15_03.09.2017_22.13.25_log.txt
2017-09-03 22:09 - 2017-09-03 22:09 - 000000000 ____D C:\Users\Public\Documents\XMUpdate
2017-09-03 21:44 - 2017-09-03 21:44 - 000055232 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2017-09-03 21:43 - 2017-09-03 21:48 - 000000000 ____D C:\ProgramData\HitmanPro
2017-09-03 21:42 - 2017-09-03 22:14 - 000003374 _____ C:\Users\Colin\Desktop\Rkill.txt
2017-09-03 21:40 - 2017-09-08 08:45 - 000000000 ____D C:\TDSSKiller_Quarantine
2017-09-02 17:41 - 2017-09-08 08:45 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-09-02 17:41 - 2017-09-02 17:47 - 000002024 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-09-02 17:41 - 2017-09-02 17:41 - 000000000 ____D C:\ProgramData\Malwarebytes
2017-09-02 17:41 - 2017-09-02 17:41 - 000000000 ____D C:\Program Files\Malwarebytes
2017-09-02 17:41 - 2017-08-24 11:27 - 000077440 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-09-02 17:34 - 2017-09-03 20:50 - 000140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2017-08-31 22:43 - 2017-08-31 22:43 - 000000000 ____D C:\Users\Colin\AppData\Local\ElevatedDiagnostics
2017-08-31 21:43 - 2017-08-31 20:01 - 012845072 _____ (IObit ) C:\Users\Colin\Desktop\sd5_setup.exe
2017-08-31 21:43 - 2017-08-30 22:47 - 009932672 _____ C:\Users\Colin\Desktop\bitdefender_online.exe
2017-08-30 20:55 - 2017-09-08 08:45 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2017-08-30 20:55 - 2017-09-08 08:45 - 000000000 ____D C:\Program Files\SUPERAntiSpyware
2017-08-30 20:55 - 2017-08-30 20:55 - 000000510 _____ C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task f75019b9-7557-425a-9990-75f0ee055139.job
2017-08-30 20:55 - 2017-08-30 20:55 - 000000510 _____ C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 6506c494-bc70-4be6-8608-43bd7464a13d.job
2017-08-30 20:55 - 2017-08-30 20:55 - 000000000 ____D C:\Users\Colin\AppData\Roaming\SUPERAntiSpyware.com
2017-08-30 20:55 - 2017-08-30 20:55 - 000000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2017-08-30 20:24 - 2017-08-30 20:24 - 000002271 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-08-30 20:24 - 2017-08-30 20:24 - 000002259 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-08-27 22:47 - 2017-09-08 08:45 - 000000000 ____D C:\Users\Colin\AppData\Roaming\ae65c38d79ba402c8ced2148f46eacb1
2017-08-27 22:47 - 2017-09-08 08:45 - 000000000 ____D C:\Users\Colin\AppData\Local\f46802122f414b3dbec9e1924c2be0fd
2017-08-27 22:46 - 2017-08-27 22:46 - 000000258 __RSH C:\Users\Colin\ntuser.pol
2017-08-27 22:36 - 2017-09-08 08:45 - 000000000 ____D C:\Users\Colin\AppData\Roaming\08f068fe99da4b579c3473013e86dcc3
2017-08-27 22:36 - 2017-09-08 08:45 - 000000000 ____D C:\Users\Colin\AppData\Local\a870a402b92847829d9bf43e926b6034
2017-08-27 22:36 - 2017-08-27 22:37 - 005563776 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlmp.exe
2017-08-27 22:36 - 2017-08-27 22:37 - 000642944 _____ (Microsoft Corporation) C:\Windows\system32\osloader.efi
2017-08-27 22:35 - 2017-08-28 22:38 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\WindowsTM
2017-08-27 22:35 - 2017-08-27 22:35 - 000000000 ____D C:\ProgramData\Cache
2017-08-27 22:35 - 2017-08-25 23:33 - 001952256 ___SH C:\Users\Colin\AppData\Roaming\tmp546.dat
2017-08-27 22:34 - 2017-09-07 22:32 - 000000258 __RSH C:\ProgramData\ntuser.pol
2017-08-27 22:33 - 2017-09-08 08:45 - 000000000 ___HD C:\ProgramData\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8}
2017-08-27 22:33 - 2017-08-27 22:33 - 000000000 ___HD C:\ProgramData\{4FCEED6C-B7D9-405B-A844-C3DBF418BF87}
2017-08-27 22:32 - 2017-08-27 22:32 - 000000000 ____D C:\Windows\Azart
2017-08-25 19:00 - 2017-08-25 22:05 - 000000000 ____D C:\Users\Colin\Desktop\Penny
2017-08-24 20:28 - 2017-08-27 22:11 - 000000000 ____D C:\Users\Colin\Desktop\TCM 2003
2017-08-22 21:48 - 2017-09-08 08:45 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Battlefront
2017-08-22 21:48 - 2017-08-22 21:48 - 000001330 _____ C:\Users\Colin\Desktop\Down in Flames.lnk
2017-08-22 21:47 - 2017-08-22 21:47 - 000000000 ____D C:\Program Files (x86)\Battlefront
2017-08-22 21:43 - 2017-09-08 08:45 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uncommon Valor
2017-08-22 21:43 - 2017-08-22 21:43 - 000001664 _____ C:\Users\Colin\Desktop\Uncommon Valor Game Menu.lnk
2017-08-22 21:43 - 2017-08-22 21:36 - 000720896 _____ (Indigo Rose Corporation) C:\Windows\iun6002.exe
2017-08-22 21:37 - 2017-08-22 21:37 - 000000000 ____D C:\Matrix Games
2017-08-22 21:30 - 2017-08-22 21:30 - 000000330 _____ C:\Windows\ereg077.dat
2017-08-22 21:30 - 2017-08-22 21:30 - 000000000 _____ C:\Windows\SETUP32.INI
2017-08-22 21:27 - 2017-09-08 08:45 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Games
2017-08-22 21:27 - 2017-08-22 21:27 - 000002132 _____ C:\Users\Public\Desktop\A Bridge Too Far.lnk
2017-08-22 21:26 - 2017-08-22 21:26 - 000000000 ____D C:\Program Files (x86)\Microsoft Games
2017-08-22 21:15 - 1998-10-29 16:45 - 000306688 _____ (InstallShield Software Corporation) C:\Windows\IsUninst.exe
2017-08-22 20:13 - 2017-09-08 08:45 - 000000000 ____D C:\Users\Colin\Desktop\Prod Key
2017-08-15 19:28 - 2017-08-15 21:49 - 000000910 _____ C:\Users\Colin\Desktop\Ocean Games.txt
2017-08-14 19:07 - 2017-08-20 16:50 - 000000000 ____D C:\Users\Colin\Desktop\Print Fin
2017-08-12 19:49 - 2017-08-12 19:49 - 000781699 _____ C:\Users\Colin\Downloads\Full Manual (English).pdf
2017-08-12 19:16 - 2017-08-12 19:20 - 051242360 _____ C:\Users\Colin\Downloads\Karlmod_full_version.1.rar
2017-08-10 20:58 - 2017-08-10 20:58 - 000000000 ____D C:\Users\Reg\AppData\Roaming\ImgBurn
2017-08-10 20:58 - 2017-08-10 20:58 - 000000000 ____D C:\Users\Reg
2017-08-10 18:59 - 2017-09-08 08:45 - 000000000 ____D C:\Users\Colin\Desktop\Pete
2017-08-10 18:55 - 2017-08-25 22:03 - 000000000 ____D C:\Users\Colin\Desktop\Cindy
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-09-09 18:59 - 2017-06-20 16:14 - 000000000 __SHD C:\Users\Colin\IntelGraphicsProfiles
2017-09-09 18:58 - 2009-07-14 13:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-09-09 15:19 - 2009-07-14 12:45 - 000020464 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-09-09 15:19 - 2009-07-14 12:45 - 000020464 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-09-09 14:54 - 2009-07-14 13:13 - 000781298 _____ C:\Windows\system32\PerfStringBackup.INI
2017-09-09 14:54 - 2009-07-14 11:20 - 000000000 ____D C:\Windows\inf
2017-09-08 20:27 - 2017-06-23 21:25 - 000000000 ____D C:\Users\Colin\AppData\Roaming\IDM
2017-09-08 20:26 - 2017-06-21 07:14 - 000000000 ____D C:\Windows\Panther
2017-09-08 08:45 - 2017-07-31 20:30 - 000000000 ____D C:\Users\Colin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BUG Mod 4.4
2017-09-08 08:45 - 2017-07-26 19:32 - 000000000 ____D C:\Users\Colin\Desktop\Zipped Games
2017-09-08 08:45 - 2017-07-26 19:21 - 000000000 ____D C:\Users\Colin\Desktop\Chk Out
2017-09-08 08:45 - 2017-07-12 03:04 - 000000000 ____D C:\Users\Colin\AppData\Local\FM_Scout_Editor_2017
2017-09-08 08:45 - 2017-07-09 04:48 - 000000000 ____D C:\Users\Colin\Desktop\CHK
2017-09-08 08:45 - 2017-07-05 07:03 - 000000000 ____D C:\Users\Colin\Desktop\Combat.Command.2.Danger.Forward.Gold.Edition-iND
2017-09-08 08:45 - 2017-06-27 20:15 - 000000000 ____D C:\Users\Colin\AppData\Roaming\anyburn
2017-09-08 08:45 - 2017-06-24 16:36 - 000000000 ____D C:\Users\Colin\AppData\Roaming\Thunderbird
2017-09-08 08:45 - 2017-06-23 21:25 - 000000000 ____D C:\Users\Colin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager
2017-09-08 08:45 - 2017-06-23 21:25 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager
2017-09-08 08:45 - 2017-06-23 20:23 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2017-09-08 08:45 - 2017-06-23 20:23 - 000000000 ____D C:\Program Files\7-Zip
2017-09-08 08:45 - 2017-06-22 22:19 - 000000000 ____D C:\Users\Colin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
2017-09-08 08:45 - 2017-06-22 20:25 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shareaza
2017-09-08 08:45 - 2017-06-22 20:18 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DVDStyler
2017-09-08 08:45 - 2017-06-22 20:15 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnyBurn
2017-09-08 08:45 - 2017-06-22 20:11 - 000000000 ____D C:\Users\Colin\Desktop\ShortCuts
2017-09-08 08:45 - 2017-06-22 20:06 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EPSON
2017-09-08 08:45 - 2017-06-20 15:59 - 000000000 ____D C:\Users\Colin\AppData\Local\Apps\2.0
2017-09-08 08:45 - 2017-06-20 15:43 - 000000000 ____D C:\ProgramData\Intel
2017-09-08 08:45 - 2017-06-20 15:23 - 000000000 ____D C:\Users\Colin
2017-09-08 08:45 - 2011-04-12 16:28 - 000000000 ___RD C:\Users\Public\Recorded TV
2017-09-08 08:45 - 2009-07-14 13:32 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2017-09-08 08:45 - 2009-07-14 13:32 - 000000000 ____D C:\Windows\Offline Web Pages
2017-09-08 08:45 - 2009-07-14 13:32 - 000000000 ____D C:\Windows\Downloaded Program Files
2017-09-08 08:45 - 2009-07-14 13:32 - 000000000 ____D C:\Program Files\Windows Sidebar
2017-09-08 08:45 - 2009-07-14 13:32 - 000000000 ____D C:\Program Files\Microsoft Games
2017-09-08 08:45 - 2009-07-14 13:32 - 000000000 ____D C:\Program Files\DVD Maker
2017-09-08 08:45 - 2009-07-14 13:32 - 000000000 ____D C:\Program Files (x86)\Windows Sidebar
2017-09-08 08:45 - 2009-07-14 12:45 - 000000000 ____D C:\Windows\Setup
2017-09-08 08:45 - 2009-07-14 11:20 - 000000000 __RSD C:\Windows\Media
2017-09-08 08:45 - 2009-07-14 11:20 - 000000000 ____D C:\Windows\TAPI
2017-09-08 08:45 - 2009-07-14 11:20 - 000000000 ____D C:\Windows\system32\sysprep
2017-09-08 08:45 - 2009-07-14 11:20 - 000000000 ____D C:\Windows\system32\Msdtc
2017-09-08 08:45 - 2009-07-14 11:20 - 000000000 ____D C:\Windows\system32\ias
2017-09-08 08:45 - 2009-07-14 11:20 - 000000000 ____D C:\Windows\system32\GroupPolicy
2017-09-08 08:45 - 2009-07-14 11:20 - 000000000 ____D C:\Windows\servicing
2017-09-08 08:45 - 2009-07-14 11:20 - 000000000 ____D C:\Windows\security
2017-09-08 08:45 - 2009-07-14 11:20 - 000000000 ____D C:\Windows\PLA
2017-09-08 08:45 - 2009-07-14 11:20 - 000000000 ____D C:\Windows\Help
2017-09-08 08:44 - 2009-07-14 11:20 - 000000000 ____D C:\Windows\registration
2017-09-07 22:37 - 2017-06-20 15:59 - 000057560 _____ C:\Users\Colin\AppData\Local\GDIPFONTCACHEV1.DAT
2017-09-07 22:36 - 2009-07-14 13:08 - 000032622 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-09-07 22:31 - 2009-07-14 12:45 - 000274320 _____ C:\Windows\system32\FNTCACHE.DAT
2017-09-03 21:58 - 2009-07-14 11:20 - 000000000 ____D C:\Program Files\S3 IDI
2017-08-30 20:56 - 2010-11-21 11:24 - 000000000 __SHD C:\Users\Colin\AppData\Roaming\82F840
2017-08-30 20:46 - 2017-06-23 21:25 - 000000000 ____D C:\Users\Colin\AppData\Roaming\DMCache
2017-08-30 20:28 - 2017-06-20 16:00 - 000003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2017-08-30 20:28 - 2017-06-20 16:00 - 000003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2017-08-30 20:24 - 2017-06-20 16:00 - 000000000 ____D C:\Program Files (x86)\Google
2017-08-27 22:36 - 2009-07-14 10:34 - 000001658 _____ C:\Windows\system32\Drivers\etc\hosts_bak_15
2017-08-27 22:34 - 2017-06-23 21:25 - 000000000 ____D C:\Program Files (x86)\Internet Download Manager
2017-08-27 21:15 - 2017-07-05 07:03 - 000000000 ____D C:\Users\Colin\Desktop\Files
2017-08-27 20:55 - 2017-07-13 02:58 - 000000000 ____D C:\Users\Colin\Desktop\Reviews
2017-08-25 19:29 - 2017-06-23 21:25 - 000000000 ____D C:\Users\Colin\Downloads\Compressed
2017-08-22 21:15 - 2017-06-22 22:18 - 000000000 ____D C:\Windows\BBSTORE
2017-08-19 22:09 - 2017-07-01 21:34 - 000000000 ____D C:\Users\Colin\Desktop\ISOs
2017-08-18 21:43 - 2017-07-05 07:05 - 000000000 ____D C:\Users\Colin\Desktop\Bin Q
2017-08-15 19:35 - 2017-06-25 17:29 - 000000000 ____D C:\Users\Colin\Desktop\HDD Contents
2017-08-14 19:34 - 2017-08-01 22:22 - 000000000 ____D C:\Users\Colin\Desktop\To Print
2017-08-10 21:16 - 2017-08-09 22:35 - 000000000 ____D C:\Users\Colin\Desktop\Re=Makes
 
==================== Files in the root of some directories =======
 
2017-08-27 22:35 - 2017-08-25 23:33 - 001952256 ___SH () C:\Users\Colin\AppData\Roaming\tmp546.dat
2017-06-20 15:42 - 2017-06-20 15:42 - 000000000 ____H () C:\ProgramData\DP45977C.lfl
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-08-22 18:56
 
==================== End of FRST.txt ============================
 
Yoan, thank you for your quick reply, I have pasted the first part again. It says "End of FRST.txt" so I hope it is all there. Yes my PC is behaving normally now but as I said to Torchwood (at Windows 7 forums) I suspected that the wtmhdintus virus is just waiting for me to go online. I pulled out the ethernet connection from the back of my PC as soon as the virus struck and will not plug it in again till I know I am safe. I look forward to your reply.
 
Colin


#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,629 posts
  • Gender:Male
  • Local time:06:28 AM

Posted 11 September 2017 - 10:42 AM

In that case, let's see what we can remove with Malwarebytes and RogueKiller :)

Malwarebytes - Clean Mode
  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run; the time required to complete the scan depends on your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply
RogueKiller
  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 PussEKatt

PussEKatt
  • Topic Starter

  • Members
  • 28 posts
  • Local time:06:28 PM

Posted 12 September 2017 - 07:27 AM

Hi Aura,

  Thank you again for your very quick reply. Here is the scan result from RogueKiller:

 

RogueKiller V12.11.14.0 (x64) [Sep 11 2017] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Colin [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 09/12/2017 19:53:25 (Duration : 00:07:28)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 29 ¤¤¤
[PUP.Conduit|PUP.Gen1] (X64) HKEY_USERS\RK_Reg_ON_D_F729\Software\Conduit -> Deleted
[PUP.Conduit|PUP.Gen1] (X86) HKEY_USERS\RK_Reg_ON_D_F729\Software\Conduit -> Deleted
[PUP.Gen1] (X64) HKEY_USERS\RK_Reg_ON_S_B11F\Software\SlimWare Utilities Inc -> Deleted
[PUP.Gen1] (X86) HKEY_USERS\RK_Reg_ON_S_B11F\Software\SlimWare Utilities Inc -> Deleted
[PUP.Gen1] (X64) HKEY_USERS\RK_Reg_ON_D_F729\Software\AppDataLow\Software\PassShow -> Deleted
[PUP.Gen1] (X86) HKEY_USERS\RK_Reg_ON_D_F729\Software\AppDataLow\Software\PassShow -> Deleted
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_D_8BB0\Microsoft\Windows\CurrentVersion\Run | BCU : "C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe" [x] -> Deleted
[PUP] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_D_8BB0\Microsoft\Windows\CurrentVersion\Run | BCU : "C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe" [x] -> ERROR [2]
[PUP.Gen0|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_DF5F\ControlSet001\Services\BCUService (C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe) -> Deleted
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1017\ControlSet001\Services\SWDUMon (system32\DRIVERS\SWDUMon.sys) -> Deleted
[PUP.Gen0|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_DF5F\ControlSet002\Services\BCUService (C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe) -> Deleted
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1017\ControlSet002\Services\SWDUMon (system32\DRIVERS\SWDUMon.sys) -> Deleted
[PUP.Gen0|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_DF5F\ControlSet003\Services\BCUService (C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe) -> Deleted
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_DF5F\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.1.1.1 ([X])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1017\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.1.1.1 ([X])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.1.1.1 ([X])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_DF5F\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.1.1.1 ([X])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1017\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.1.1.1 ([X])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.1.1.1 ([X])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_DF5F\ControlSet003\Services\Tcpip\Parameters | DhcpNameServer : 10.1.1.1 ([X])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters | DhcpNameServer : 10.1.1.1 ([X])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_DF5F\ControlSet001\Services\Tcpip\Parameters\Interfaces\{D77B9D37-800B-42E9-AACA-8C071B344300} | DhcpNameServer : 10.1.1.1 ([X])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1017\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3D1F2843-3D48-4D82-9F32-AF6DF3A51222} | DhcpNameServer : 10.1.1.1 ([X])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C0AA6FE9-6A55-416C-ACD4-FCBE4B261520} | DhcpNameServer : 10.1.1.1 ([X])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_DF5F\ControlSet002\Services\Tcpip\Parameters\Interfaces\{D77B9D37-800B-42E9-AACA-8C071B344300} | DhcpNameServer : 10.1.1.1 ([X])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_S_1017\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3D1F2843-3D48-4D82-9F32-AF6DF3A51222} | DhcpNameServer : 10.1.1.1 ([X])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{C0AA6FE9-6A55-416C-ACD4-FCBE4B261520} | DhcpNameServer : 10.1.1.1 ([X])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_DF5F\ControlSet003\Services\Tcpip\Parameters\Interfaces\{D77B9D37-800B-42E9-AACA-8C071B344300} | DhcpNameServer : 10.1.1.1 ([X])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{C0AA6FE9-6A55-416C-ACD4-FCBE4B261520} | DhcpNameServer : 10.1.1.1 ([X])  -> Replaced ()
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 1 ¤¤¤
[Adw.Wizzcaster][File] C:\$Recycle.Bin\S-1-5-21-1413940874-3548436395-3315761783-1000\$RJ45TTS.txt -> Deleted
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EZEX-08WN4A0 SCSI Disk Device +++++
--- User ---
[MBR] 0086f36f0b7bc8b257f89fc226376c3d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 206848 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 468992 | Size: 484526 MB
3 - Basic data partition | Offset (sectors): 992778240 | Size: 469113 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: ST500DM0 02-1BD142 SCSI Disk Device +++++
--- User ---
[MBR] 9f47afbab0bd3e9ff436c0710c2ec2bf
[BSP] 809a846f45ff98215637e1c45185fa93 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 476937 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive2: WDC WD5000AADS-00S9B SCSI Disk Device +++++
--- User ---
[MBR] 442830687fa40939b77dc3884c4ce43e
[BSP] a407dc89be0c4a7a517ead4f1d134aba : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 425611 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 871653376 | Size: 51327 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

I could not update Malwarebytes first because the virus has disconnected me from the internet. I disconnected the ethernet cable, but I was unable to access the internet before that anyway. I don't think updating will matter that much in this instance, because (bear with me a minute and I will explain)
I like playing Football Manager, but I find that too much time is taken up with silly things like press conferences and international results etc., so I looked for a similar game that is not so involved. I found an old game called "LMA Manager 2007", so I downloaded it, but the file was corrupt, so I looked for another download of this game and downloaded that, but I got suspicious when LMA was in lower case, so I set a restore point but got infected with this virus anyway and I was not able to access System Restore. As mentioned above, though, this game is dated 2007, so it is an old game and surely an old virus as well?!
I look forward to hearing from you,
 
Colin 


#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,629 posts
  • Gender:Male
  • Local time:06:28 AM

Posted 12 September 2017 - 07:38 AM

If you cannot connect to the Internet, we'll remove most of the infection with FRST then.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

Attached Files




#7 PussEKatt

PussEKatt
  • Topic Starter

  • Members
  • 28 posts
  • Local time:06:28 PM

Posted 13 September 2017 - 06:52 AM

Hi Aura,

 Here is the log you asked for:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-08-2017
Ran by Colin (13-09-2017 19:41:04) Run:1
Running from C:\Users\Colin\Desktop
Loaded Profiles: Colin (Available Profiles: Colin)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
 
Winsock: Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File 
Winsock: Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File 
Winsock: Catalog5-x64 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File 
Winsock: Catalog5-x64 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File 
 
R2 SecurityService; C:\Program Files (x86)\TotalAV\SecurityService.exe [441696 2017-08-11] ()
R1 wtmhdkernel; C:\Windows\system32\drivers\wtmhdkernel.sys [205160 2010-11-21] () [File not signed]
 
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\96697280.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\96697280.sys => ""="Driver"
 
MSCONFIG\Services: wtmhdintus => 2
 
MSCONFIG\startupreg: 002kXwVR1yg.exe => C:\Users\Colin\AppData\Roaming\c9bf0d6c58ef44f0abe3e57b137013a5\002kXwVR1yg.exe 
MSCONFIG\startupreg: 39YD5xV.exe => C:\Users\Colin\AppData\Local\a870a402b92847829d9bf43e926b6034\39YD5xV.exe 
MSCONFIG\startupreg: AeT7sWlO9.exe => C:\Users\Colin\AppData\Roaming\c667e727858840e4b547350cda1ce73a\AeT7sWlO9.exe -r1_1 -r2_2
MSCONFIG\startupreg: CloudNet => "C:\Users\Colin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" 31337
MSCONFIG\startupreg: gplyra => C:\Users\Colin\AppData\Roaming\gplyra\gplyra.exe
MSCONFIG\startupreg: HoXuaNg3JzwU.exe => C:\Users\Colin\AppData\Roaming\db50892ee5e947b69ca9d4dd623d4416\HoXuaNg3JzwU.exe -r1_1 -r2_2
MSCONFIG\startupreg: msiql => C:\Users\Colin\AppData\Local\Temp\00016181\msiql.exe /RUNNING
MSCONFIG\startupreg: n8tmdnçYg3.exe => C:\Program Files\Uninstall Information\EGSC21TJVBWOWLLZ6\n8tmdnçYg3.exe 
MSCONFIG\startupreg: r5U7I4Zjkux79Q.exe => C:\ProgramData\0883d8aa4f314dc28073903b5c9fb464\r5U7I4Zjkux79Q.exe 
MSCONFIG\startupreg: Realtek_HD_Audio_Driver => C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe
MSCONFIG\startupreg: rQXD93NvyGhF.exe => C:\ProgramData\73a89ce208474e31a8cdcd17daac8db1\rQXD93NvyGhF.exe -r1_1 -r2_2
MSCONFIG\startupreg: SilentWildflower => "C:\Windows\rss\csrss.exe"
MSCONFIG\startupreg: XStceHH.exe => C:\ProgramData\e79a3bc7a5cd46efaf34a487d62a77a2\XStceHH.exe 
 
C:\Program Files\Uninstall Information\EGSC21TJVBWOWLLZ6
C:\Program Files (x86)\TotalAV
C:\ProgramData\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8}
C:\ProgramData\{4FCEED6C-B7D9-405B-A844-C3DBF418BF87}
C:\ProgramData\0883d8aa4f314dc28073903b5c9fb464
C:\ProgramData\73a89ce208474e31a8cdcd17daac8db1
C:\ProgramData\e79a3bc7a5cd46efaf34a487d62a77a2
C:\ProgramData\MicrosoftCorporation
C:\ProgramData\ntuser.pol
C:\Users\Colin\ntuser.pol
C:\Users\Colin\AppData\Local\a870a402b92847829d9bf43e926b6034
C:\Users\Colin\AppData\Local\f46802122f414b3dbec9e1924c2be0fd
C:\Users\Colin\AppData\Roaming\08f068fe99da4b579c3473013e86dcc3
C:\Users\Colin\AppData\Roaming\ae65c38d79ba402c8ced2148f46eacb1
C:\Users\Colin\AppData\Roaming\c9bf0d6c58ef44f0abe3e57b137013a5
C:\Users\Colin\AppData\Roaming\c667e727858840e4b547350cda1ce73a
C:\Users\Colin\AppData\Roaming\db50892ee5e947b69ca9d4dd623d4416
C:\Users\Colin\AppData\Roaming\82F840
C:\Users\Colin\AppData\Roaming\gplyra
C:\Users\Colin\AppData\Roaming\TotalAV
C:\Users\Colin\AppData\Roaming\EpicNet Inc
C:\Users\Colin\AppData\Roaming\tmp546.dat
C:\Users\Colin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TotalAV.lnk
C:\Windows\rss
C:\Windows\system32\drivers\wtmhdkernel.sys
 
CMD: netsh winsock reset
 
EmptyTemp:
*****************
 
Processes closed successfully.
Restore point was successfully created.
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000008 => key removed successfully
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000009 => key removed successfully
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000008 => key removed successfully
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000009 => key removed successfully
HKLM\System\CurrentControlSet\Services\SecurityService => key removed successfully
SecurityService => service removed successfully
wtmhdkernel => Service stopped successfully.
HKLM\System\CurrentControlSet\Services\wtmhdkernel => key could not remove, key could be protected
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw => key removed successfully
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found. 
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\96697280.sys => key removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\96697280.sys => key removed successfully
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\wtmhdintus => key removed successfully
HKLM\System\CurrentControlSet\Services\wtmhdintus => key not found. 
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\002kXwVR1yg.exe => key removed successfully
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\39YD5xV.exe => key removed successfully
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AeT7sWlO9.exe => key removed successfully
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CloudNet => key removed successfully
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gplyra => key removed successfully
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HoXuaNg3JzwU.exe => key removed successfully
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msiql => key removed successfully
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\n8tmdnçYg3.exe => key removed successfully
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\r5U7I4Zjkux79Q.exe => key removed successfully
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Realtek_HD_Audio_Driver => key removed successfully
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\rQXD93NvyGhF.exe => key removed successfully
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SilentWildflower => key removed successfully
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\XStceHH.exe => key removed successfully
C:\Program Files\Uninstall Information\EGSC21TJVBWOWLLZ6 => moved successfully
C:\Program Files (x86)\TotalAV => moved successfully
C:\ProgramData\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8} => moved successfully
C:\ProgramData\{4FCEED6C-B7D9-405B-A844-C3DBF418BF87} => moved successfully
"C:\ProgramData\0883d8aa4f314dc28073903b5c9fb464" => not found.
"C:\ProgramData\73a89ce208474e31a8cdcd17daac8db1" => not found.
"C:\ProgramData\e79a3bc7a5cd46efaf34a487d62a77a2" => not found.
"C:\ProgramData\MicrosoftCorporation" => not found.
C:\ProgramData\ntuser.pol => moved successfully
C:\Users\Colin\ntuser.pol => moved successfully
C:\Users\Colin\AppData\Local\a870a402b92847829d9bf43e926b6034 => moved successfully
C:\Users\Colin\AppData\Local\f46802122f414b3dbec9e1924c2be0fd => moved successfully
C:\Users\Colin\AppData\Roaming\08f068fe99da4b579c3473013e86dcc3 => moved successfully
C:\Users\Colin\AppData\Roaming\ae65c38d79ba402c8ced2148f46eacb1 => moved successfully
"C:\Users\Colin\AppData\Roaming\c9bf0d6c58ef44f0abe3e57b137013a5" => not found.
"C:\Users\Colin\AppData\Roaming\c667e727858840e4b547350cda1ce73a" => not found.
"C:\Users\Colin\AppData\Roaming\db50892ee5e947b69ca9d4dd623d4416" => not found.
C:\Users\Colin\AppData\Roaming\82F840 => moved successfully
"C:\Users\Colin\AppData\Roaming\gplyra" => not found.
C:\Users\Colin\AppData\Roaming\TotalAV => moved successfully
"C:\Users\Colin\AppData\Roaming\EpicNet Inc" => not found.
C:\Users\Colin\AppData\Roaming\tmp546.dat => moved successfully
C:\Users\Colin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TotalAV.lnk => moved successfully
"C:\Windows\rss" => not found.
Could not move "C:\Windows\system32\drivers\wtmhdkernel.sys" => Scheduled to move on reboot.
 
========= netsh winsock reset =========
 
Initialization Function InitHelperDll in NSHHTTP.DLL failed to start with error code 11003
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 16676313 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 844 B
Edge => 0 B
Chrome => 5977863 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 100688 B
systemprofile32 => 65960 B
LocalService => 66228 B
NetworkService => 67558 B
Colin => 4244030 B
 
RecycleBin => 4373714 B
EmptyTemp: => 30.1 MB temporary data Removed.
 
================================
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 13-09-2017 19:42:25)
 
"C:\Windows\system32\drivers\wtmhdkernel.sys" => Could not move
 
Result of scheduled keys to remove after reboot:
 
HKLM\System\CurrentControlSet\Services\wtmhdkernel => key could not remove, key could be protected
 
==== End of Fixlog 19:42:25 ====
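A triage helper for a Fixlog like the one above, added here as an example; it is not part of FRST and not something Aura posted. It reads a constructed subset of lines copied from this log, counts each action's outcome, lists the actions that failed (here the protected wtmhdkernel service key and driver file, which still need the reboot or Recovery Environment pass), and flags MSCONFIG\startupreg entries whose executable paths show the patterns visible in this log: 32-hex-character directory names, a core system-process name such as csrss.exe (or a one-character lookalike such as Isass.exe standing in for lsass.exe) outside the Windows directory, and a "System32" path that is not the real one. The function names, the list of imitated process names and the heuristics are this example's own assumptions.

```python
"""Triage helper for an FRST Fixlog (added example, not part of FRST).

Classifies each result line by outcome, lists the actions that failed, and
flags MSCONFIG\\startupreg entries whose executable paths look like the
random-named droppers seen in this thread.  The heuristics, function names
and process list are this example's own assumptions, not FRST features.
"""
import re
from collections import Counter

# Constructed sample: a subset of lines copied from the Fixlog posted above.
SAMPLE_FIXLOG = r"""MSCONFIG\startupreg: 002kXwVR1yg.exe => C:\Users\Colin\AppData\Roaming\c9bf0d6c58ef44f0abe3e57b137013a5\002kXwVR1yg.exe
MSCONFIG\startupreg: CloudNet => "C:\Users\Colin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" 31337
MSCONFIG\startupreg: Realtek_HD_Audio_Driver => C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe
MSCONFIG\startupreg: SilentWildflower => "C:\Windows\rss\csrss.exe"
R1 wtmhdkernel; C:\Windows\system32\drivers\wtmhdkernel.sys [205160 2010-11-21] () [File not signed]
wtmhdkernel => Service stopped successfully.
HKLM\System\CurrentControlSet\Services\wtmhdkernel => key could not remove, key could be protected
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CloudNet => key removed successfully
"C:\ProgramData\MicrosoftCorporation" => not found.
C:\Users\Colin\AppData\Roaming\tmp546.dat => moved successfully
Could not move "C:\Windows\system32\drivers\wtmhdkernel.sys" => Scheduled to move on reboot.
"""

STARTUP_RE = re.compile(r"^MSCONFIG\\startupreg: (\S+) => (.*)$")
HEX_DIR_RE = re.compile(r"^[0-9a-f]{32}$")
# Core Windows process names that malware commonly imitates (assumed list).
SYSTEM_PROCESSES = ("lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe",
                    "services.exe", "explorer.exe")
# Directories where those names legitimately live (explorer.exe sits in C:\Windows).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")


def classify_result(line):
    """Map an FRST action line to 'ok', 'not_found', 'failed', or None if not a result."""
    low = line.lower()
    if "could not" in low:          # "key could not remove", "Could not move ..."
        return "failed"
    if "not found" in low:          # item already gone: nothing left to do
        return "not_found"
    if "successfully" in low:       # removed / moved / stopped successfully
        return "ok"
    return None


def parse_startupreg(line):
    """Return (entry_name, executable_path) for an MSCONFIG\\startupreg line, else None."""
    m = STARTUP_RE.match(line)
    if not m:
        return None
    name, rest = m.group(1), m.group(2).strip()
    if rest.startswith('"'):                      # quoted path; arguments follow the quote
        path = rest[1:rest.find('"', 1)]
    else:                                         # unquoted: cut after the first ".exe"
        exe = re.search(r"\.exe\b", rest, re.IGNORECASE)
        path = rest[:exe.end()] if exe else rest.split(" ")[0]
    return name, path


def _near_match(a, b):
    """True if a equals b or differs in exactly one character (e.g. Isass vs lsass)."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) <= 1


def suspicious_reasons(path):
    """Heuristic reasons to treat a startup executable path as suspect (may be empty)."""
    reasons = []
    low = path.lower()
    parts = low.split("\\")
    base, parent = parts[-1], "\\".join(parts[:-1]) + "\\"
    if any(HEX_DIR_RE.match(p) for p in parts[:-1]):
        reasons.append("32-hex-character directory name in path")
    for proc in SYSTEM_PROCESSES:
        if _near_match(base, proc) and parent not in TRUSTED_DIRS:
            reasons.append(f"system-process name '{base}' outside the Windows directory (resembles {proc})")
            break
    if "system32" in low and not low.startswith("c:\\windows\\system32\\"):
        reasons.append("fake System32 path outside C:\\Windows")
    if low.startswith(("c:\\users\\", "c:\\programdata\\")) or "\\temp\\" in low:
        reasons.append("runs from a user-writable profile or ProgramData location (weak signal alone)")
    return reasons


def triage(text):
    """Summarise a Fixlog: outcome counts, failed action lines, flagged startup entries."""
    outcomes, failed, flagged = Counter(), [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = parse_startupreg(line)
        if entry:
            name, path = entry
            reasons = suspicious_reasons(path)
            if reasons:
                flagged.append((name, path, reasons))
            continue
        outcome = classify_result(line)
        if outcome:
            outcomes[outcome] += 1
            if outcome == "failed":
                failed.append(line)
    return {"outcomes": dict(outcomes), "failed": failed, "flagged": flagged}


if __name__ == "__main__":
    report = triage(SAMPLE_FIXLOG)
    print("outcomes:", report["outcomes"])
    for line in report["failed"]:
        print("FAILED  :", line)
    for name, path, reasons in report["flagged"]:
        print(f"FLAGGED : {name} -> {path}\n           " + "; ".join(reasons))
```

Run it on a full Fixlog saved from FRST and the "failed" list is the follow-up work (here both entries concern wtmhdkernel, which is why the next step in the thread moves to the Recovery Environment). The user-writable-location reason is deliberately labelled weak: plenty of legitimate software updates itself from AppData, so it only matters in combination with the other indicators.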


#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,629 posts
  • Gender:Male
  • Local time:06:28 AM

Posted 13 September 2017 - 07:04 AM

Now are you able to update Malwarebytes and run a scan with it like previously instructed?



#9 PussEKatt

PussEKatt
  • Topic Starter

  • Members
  • 28 posts
  • Local time:06:28 PM

Posted 13 September 2017 - 08:49 AM

No, sorry, as I said before the virus/rootkit stopped me from using the internet, but I have a laptop as well as a desktop PC (that's what I am using to communicate with you), so is there a way that I could update Malwarebytes on my laptop and then transfer that update to my desktop?

Failing that, I know my way around the registry and hidden files and folders, so as the location of "wtmhdintus" is shown above, I don't mind deleting/altering the infected reg key HKLM\System\CurrentControlSet\Services\wtmhdkernel, and if you tell me what to do with "C:\Windows\system32\drivers\wtmhdkernel.sys" I will do that as well.

Is this information of any use to you?... Look forward to hearing from you.

 

P.S. I can hang around on line for about another hour.

 

Colin



#10 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,629 posts
  • Gender:Male
  • Local time:06:28 AM

Posted 13 September 2017 - 09:44 AM

If you're using Malwarebytes 3, offline updates aren't supported yet.

Do you have access to a USB Flash Drive?



#11 PussEKatt

PussEKatt
  • Topic Starter

  • Members
  • 28 posts
  • Local time:06:28 PM

Posted 13 September 2017 - 09:47 AM

Yes, I do.



#12 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,629 posts
  • Gender:Male
  • Local time:06:28 AM

Posted 13 September 2017 - 09:55 AM

Good. Follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Recovery Environment Scan
Follow the instructions below to download and execute a scan on your system with FRST from the Recovery Environment, and provide the logs in your next reply.

Item(s) required:
  • USB Flash Drive (size depends on whether you have to create a USB Recovery or Installation media)
  • CD/DVD (optional: only needed if you need to create a Recovery or Installation media and your USB Flash Drive is too small)
  • Another computer (optional: only needed if you cannot work from the infected computer directly)
Preparing the USB Flash Drive
  • Download the right version of FRST for your system:
  • Move the executable (FRST.exe or FRST64.exe) on your USB Flash Drive
  • Download the attached fixlist.txt, and move it on your USB Flash Drive as well
Boot in the Recovery Environment
  • Plug your USB Flash Drive in the infected computer
  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
    • Restart the computer
    • Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
    • Use the arrow keys to select Repair your computer, and press on Enter
    • Select your keyboard layout (US, French, etc.) and click on Next
    • Click on Command Prompt to open the command prompt
      Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
  • To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.
Once in the command prompt
  • In the command prompt, type notepad and press on Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter
  • Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • Click on the Fix button and wait for the scan to complete
  • A log called fixlog.txt will be saved on your USB Flash Drive. Attach it in your next reply

Attached Files




#13 PussEKatt

PussEKatt
  • Topic Starter

  • Members
  • 28 posts
  • Local time:06:28 PM

Posted 13 September 2017 - 10:04 AM

Thanks Aura, will follow your instructions and post tomorrow.



#14 PussEKatt

PussEKatt
  • Topic Starter

  • Members
  • 28 posts
  • Local time:06:28 PM

Posted 13 September 2017 - 10:39 AM

Aura, do I need to do the scan as an administrator?



#15 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,629 posts
  • Gender:Male
  • Local time:06:28 AM

Posted 13 September 2017 - 10:50 AM

You don't need to run a scan, but run a Fix in the Recovery Environment. You'll be Admin there.





