
"Requested Resource In Use" Error


  • This topic is locked
57 replies to this topic

#1 Lora_M64

  • Members
  • 42 posts
  • OFFLINE
  • Gender:Female
  • Location:Texas

Posted 16 September 2017 - 11:25 PM

Every time I attempt to install anything I get the "Requested Resource In Use" error. It doesn't matter what. However, I was able to download and run the Farbar Recovery Scan Tool. I purchased the Malwarebytes Anti-Malware Premium CD from a local store and tried to use it, but I got that message box. I then attempted to use the Chameleon tool. Unfortunately, all 13 of them were unsuccessful in allowing me to initiate and run the software.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 16-09-2017
Ran by Lora (administrator) on WISE_FAMILY (16-09-2017 22:00:25)
Running from C:\Users\Lora\Downloads
Loaded Profiles: Lora (Available Profiles: Lora & denni_000)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() C:\Users\Lora\AppData\Local\ntuserlitelist\dataup\dataup.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
() C:\Windows\System32\tprdpw64.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(NETGEAR) C:\Program Files (x86)\NETGEAR\WNDA3100v3\WNDA3100v3.EXE
(Facebook) C:\Users\Lora\AppData\Local\Facebook\Games\FacebookGameroom.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(The CefSharp Authors) C:\Users\Lora\AppData\Local\Facebook\Games\Facebook Gameroom Browser.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [WindowsDefender] => "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
HKLM-x32\...\Run: [cpx] => "C:\Users\Lora\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
HKLM-x32\...\Run: [svcvmx] => "C:\Users\Lora\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe" -starup
HKLM-x32\...\Run: [SystemExplorerAutoStart] => "C:\Program Files (x86)\System Explorer\SystemExplorer.exe" /TRAY
HKLM-x32\...\Run: [${ISAPPNAME}] => "C:\Program Files (x86)\InstantSupp\InstantSupport.exe" -startup
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2499391496-340238081-2209737464-1001\...\Run: [JHID1HTGKTK2A11] => "C:\Program Files\4HXAI4MF5W\4HXAI4MF5.exe"
HKU\S-1-5-21-2499391496-340238081-2209737464-1001\...\Run: [WKRIUB4JW7Q1YHO] => "C:\Program Files\V5HPBZ7RKT\V5HPBZ7RK.exe"
HKU\S-1-5-21-2499391496-340238081-2209737464-1001\...\Run: [gw64-core2 save settings] => "C:\Users\Lora\AppData\Roaming\isMiner\minerstart.vbs"
HKU\S-1-5-21-2499391496-340238081-2209737464-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Ribbons.scr [132608 2014-10-28] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WNDA3100v3 Genie.lnk [2017-06-13]
ShortcutTarget: NETGEAR WNDA3100v3 Genie.lnk -> C:\Program Files (x86)\NETGEAR\WNDA3100v3\WNDA3100v3.EXE (NETGEAR)
Startup: C:\Users\Lora\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook Gameroom.lnk [2017-08-19]
ShortcutTarget: Facebook Gameroom.lnk -> C:\Users\Lora\AppData\Local\Facebook\Games\FacebookGameroom.exe (Facebook)
GroupPolicy: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{823001B9-6776-47A5-AF9E-F93E281D65DF}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617912&ResetID=131443846633862415&GUID=DA1445DB-9975-41DF-8866-ABFF07ACAD3F
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617912&ResetID=131443846633872986&GUID=DA1445DB-9975-41DF-8866-ABFF07ACAD3F
HKU\S-1-5-21-2499391496-340238081-2209737464-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCJB
SearchScopes: HKLM -> DefaultScope {1A95DC8F-4A6D-4938-B715-50B59B516306} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSERBM&pc=MSERT1
SearchScopes: HKLM -> {1A95DC8F-4A6D-4938-B715-50B59B516306} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSERBM&pc=MSERT1
SearchScopes: HKLM -> {f79e5d1c-5148-469e-9f98-a11d8d7863f4} URL = hxxp://www.palikan.com/results.php?f=4&a=plk_coinisre_17_25_ssg01&cd=2XzuyEtN2Y1L1Qzu0DyE0B0E0Dzy0B0Bzy0F0EyC0ByE0D0FtN0D0Tzu0StBtDtDtBtN1L2XzutAtFtByBtFyEtFyDtDtN1L1Czu1BtBtN1L1G1B1V1N2Y1L1Qzu2SyE0Fzz0EyC0A0BzytGyC0EzzyCtGtAyC0D0EtGtCyC0B0EtGtDyDtCtAtAyE0FyEyCzyyCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0CyC0C0D0B0CtAtG0FyEtB0DtGyEzz0EtAtG0AyDyBzztGtAtAtBzyyDzy0AtCyE0A0FyE2QtN0A0LzuyE&cr=611358704&ir=&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSERBM&pc=MSERT1
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSERBM&pc=MSERT1
SearchScopes: HKLM-x32 -> {f79e5d1c-5148-469e-9f98-a11d8d7863f4} URL = hxxp://www.palikan.com/results.php?f=4&a=plk_coinisre_17_25_ssg01&cd=2XzuyEtN2Y1L1Qzu0DyE0B0E0Dzy0B0Bzy0F0EyC0ByE0D0FtN0D0Tzu0StBtDtDtBtN1L2XzutAtFtByBtFyEtFyDtDtN1L1Czu1BtBtN1L1G1B1V1N2Y1L1Qzu2SyE0Fzz0EyC0A0BzytGyC0EzzyCtGtAyC0D0EtGtCyC0B0EtGtDyDtCtAtAyE0FyEyCzyyCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0CyC0C0D0B0CtAtG0FyEtB0DtGyEzz0EtAtG0AyDyBzztGtAtAtBzyyDzy0AtCyE0A0FyE2QtN0A0LzuyE&cr=611358704&ir=&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2499391496-340238081-2209737464-1001 -> DefaultScope {1A95DC8F-4A6D-4938-B715-50B59B516306} URL =
SearchScopes: HKU\S-1-5-21-2499391496-340238081-2209737464-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2499391496-340238081-2209737464-1001 -> {0A50DDD4-9E2C-497B-9EAA-8B6BAC6DBA40} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\S-1-5-21-2499391496-340238081-2209737464-1001 -> {1A95DC8F-4A6D-4938-B715-50B59B516306} URL =
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF DefaultProfile: byd4xaxw.default
FF ProfilePath: C:\Users\Lora\AppData\Roaming\Mozilla\Firefox\Profiles\byd4xaxw.default [2017-09-16]
FF Extension: (ADB Helper) - C:\Users\Lora\AppData\Roaming\Mozilla\Firefox\Profiles\byd4xaxw.default\Extensions\adbhelper@mozilla.org [2017-09-08]
FF Extension: (Valence) - C:\Users\Lora\AppData\Roaming\Mozilla\Firefox\Profiles\byd4xaxw.default\Extensions\fxdevtools-adapters@mozilla.org [2017-08-03]
FF Extension: (gameskip) - C:\Users\Lora\AppData\Roaming\Mozilla\Firefox\Profiles\byd4xaxw.default\Extensions\jid1-kTnBlFu1W5AJlw@jetpack.xpi [2017-09-03]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_27_0_0_130.dll [2017-09-12] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_27_0_0_130.dll [2017-09-12] ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-06-13] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-06-13] (Google Inc.)

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\Lora\AppData\Local\Google\Chrome\User Data\Default [2017-06-19]
CHR Extension: (Docs) - C:\Users\Lora\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-06-13]
CHR Extension: (Google Drive) - C:\Users\Lora\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-06-13]
CHR Extension: (YouTube) - C:\Users\Lora\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-06-13]
CHR Extension: (Gmail) - C:\Users\Lora\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-06-13]
CHR Profile: C:\Users\Lora\AppData\Local\Google\Chrome\User Data\System Profile [2017-06-13]
CHR HKU\S-1-5-21-2499391496-340238081-2209737464-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jlcgehabolcakkjhgmgpkagpolbjlhfa] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

"drmkpro64" => service could not be unlocked. <==== ATTENTION

R2 Dataup; C:\Users\Lora\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
S3 SystemExplorerHelpService; C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe [820960 2014-12-20] (Mister Group)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-01-12] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-12] (Microsoft Corporation)
S2 windowsmanagementservice; C:\Users\Lora\AppData\Local\tblckpm\vpfhws\ct.exe [X] <==== ATTENTION

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [46600 2017-02-10] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [274776 2017-01-12] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [117592 2017-01-12] (Microsoft Corporation)
R3 WNDA3100v3; C:\WINDOWS\system32\DRIVERS\WNDA3100v3.sys [2222736 2014-12-08] (MediaTek Inc.)
R5 drmkpro64;  <==== ATTENTION: Locked Service <==== ATTENTION
S1 gljnibxe; \??\C:\WINDOWS\system32\drivers\gljnibxe.sys [X]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\WINDOWS\System32\drivers\zamguard64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-09-16 22:00 - 2017-09-16 22:00 - 002398720 _____ (Farbar) C:\Users\Lora\Downloads\FRST64.exe
2017-09-16 22:00 - 2017-09-16 22:00 - 000010518 _____ C:\Users\Lora\Downloads\FRST.txt
2017-09-16 21:43 - 2017-09-16 21:44 - 016563352 _____ (Malwarebytes Corp.) C:\Users\Lora\Downloads\mbar-1.09.3.1001.exe
2017-09-12 13:30 - 2017-08-15 09:06 - 015260160 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2017-09-12 13:30 - 2017-08-13 13:58 - 025730560 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2017-09-12 13:30 - 2017-08-13 11:54 - 020269056 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2017-09-12 13:30 - 2017-08-12 04:30 - 022361344 _____ (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
2017-09-12 13:29 - 2017-08-19 12:27 - 000237568 _____ (Microsoft Corporation) C:\WINDOWS\system32\shdocvw.dll
2017-09-12 13:29 - 2017-08-19 11:48 - 000215040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shdocvw.dll
2017-09-12 13:29 - 2017-08-17 17:07 - 000537200 _____ (Microsoft Corporation) C:\WINDOWS\system32\wer.dll
2017-09-12 13:29 - 2017-08-17 17:07 - 000140016 _____ (Microsoft Corporation) C:\WINDOWS\system32\wermgr.exe
2017-09-12 13:29 - 2017-08-17 17:03 - 000450392 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wer.dll
2017-09-12 13:29 - 2017-08-17 17:03 - 000136832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wermgr.exe
2017-09-12 13:29 - 2017-08-15 09:01 - 000279040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxtrans.dll
2017-09-12 13:29 - 2017-08-15 09:01 - 000128000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iepeers.dll
2017-09-12 13:29 - 2017-08-15 09:01 - 000076288 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtmled.dll
2017-09-12 13:29 - 2017-08-15 08:58 - 013673984 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2017-09-12 13:29 - 2017-08-13 12:19 - 000040960 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\nsiproxy.sys
2017-09-12 13:29 - 2017-08-13 12:05 - 000576512 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2017-09-12 13:29 - 2017-08-13 12:04 - 002899968 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2017-09-12 13:29 - 2017-08-13 11:51 - 005981696 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2017-09-12 13:29 - 2017-08-13 11:50 - 000817664 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2017-09-12 13:29 - 2017-08-13 11:29 - 000499200 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2017-09-12 13:29 - 2017-08-13 11:28 - 000064000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MshtmlDac.dll
2017-09-12 13:29 - 2017-08-13 11:24 - 002291200 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2017-09-12 13:29 - 2017-08-13 11:23 - 000092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2017-09-12 13:29 - 2017-08-13 11:21 - 000145408 _____ (Microsoft Corporation) C:\WINDOWS\system32\iepeers.dll
2017-09-12 13:29 - 2017-08-13 11:20 - 000315392 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxtrans.dll
2017-09-12 13:29 - 2017-08-13 11:17 - 000663552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2017-09-12 13:29 - 2017-08-13 11:15 - 007078912 _____ (Microsoft Corporation) C:\WINDOWS\system32\glcndFilter.dll
2017-09-12 13:29 - 2017-08-13 11:14 - 001033216 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2017-09-12 13:29 - 2017-08-13 11:07 - 000262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2017-09-12 13:29 - 2017-08-13 11:05 - 000380416 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2017-09-12 13:29 - 2017-08-13 11:04 - 000807936 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2017-09-12 13:29 - 2017-08-13 11:04 - 000726528 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2017-09-12 13:29 - 2017-08-13 11:01 - 002134528 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2017-09-12 13:29 - 2017-08-13 10:52 - 005274624 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\glcndFilter.dll
2017-09-12 13:29 - 2017-08-13 10:52 - 000486912 _____ (Microsoft Corporation) C:\WINDOWS\system32\tpmvsc.dll
2017-09-12 13:29 - 2017-08-13 10:51 - 000880640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2017-09-12 13:29 - 2017-08-13 10:48 - 004547072 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2017-09-12 13:29 - 2017-08-13 10:46 - 000230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2017-09-12 13:29 - 2017-08-13 10:44 - 000694784 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2017-09-12 13:29 - 2017-08-13 10:44 - 000331776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2017-09-12 13:29 - 2017-08-13 10:43 - 002058752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2017-09-12 13:29 - 2017-08-13 10:40 - 003241472 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2017-09-12 13:29 - 2017-08-13 10:27 - 001544704 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2017-09-12 13:29 - 2017-08-13 10:25 - 007797248 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Data.Pdf.dll
2017-09-12 13:29 - 2017-08-13 10:18 - 005270016 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Data.Pdf.dll
2017-09-12 13:29 - 2017-08-13 10:18 - 000800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2017-09-12 13:29 - 2017-08-13 10:17 - 002767872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2017-09-12 13:29 - 2017-08-13 10:14 - 000710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2017-09-12 13:29 - 2017-08-13 10:13 - 001314816 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2017-09-12 13:29 - 2017-08-12 04:26 - 019789736 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shell32.dll
2017-09-12 13:29 - 2017-08-11 19:39 - 001364552 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
2017-09-12 13:29 - 2017-08-11 18:59 - 007440728 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2017-09-12 13:29 - 2017-08-11 18:58 - 001737600 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntdll.dll
2017-09-12 13:29 - 2017-08-11 18:58 - 001502000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntdll.dll
2017-09-12 13:29 - 2017-08-11 15:46 - 000367104 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PCPTpm12.dll
2017-09-12 13:29 - 2017-08-11 15:29 - 000425984 _____ (Microsoft Corporation) C:\WINDOWS\system32\PCPTpm12.dll
2017-09-12 13:29 - 2017-08-11 15:13 - 000175616 _____ (Microsoft Corporation) C:\WINDOWS\system32\TpmTasks.dll
2017-09-12 13:29 - 2017-08-10 22:30 - 004170240 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2017-09-12 13:29 - 2017-08-10 22:27 - 000281600 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\netbt.sys
2017-09-12 13:29 - 2017-08-10 22:27 - 000243200 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srvnet.sys
2017-09-12 13:29 - 2017-08-10 21:38 - 000477184 _____ (Microsoft Corporation) C:\WINDOWS\system32\puiobj.dll
2017-09-12 13:29 - 2017-08-10 21:08 - 001753600 _____ (Microsoft Corporation) C:\WINDOWS\system32\GdiPlus.dll
2017-09-12 13:29 - 2017-08-10 21:08 - 000329216 _____ (Microsoft Corporation) C:\WINDOWS\system32\srvsvc.dll
2017-09-12 13:29 - 2017-08-10 21:02 - 001084928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
2017-09-12 13:29 - 2017-08-10 20:52 - 001491456 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\GdiPlus.dll
2017-09-12 13:29 - 2017-08-10 20:49 - 000346624 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntprint.dll
2017-09-12 13:29 - 2017-08-10 20:44 - 001095680 _____ (Microsoft Corporation) C:\WINDOWS\system32\localspl.dll
2017-09-12 13:29 - 2017-08-10 20:43 - 000865792 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32spl.dll
2017-09-12 13:29 - 2017-08-10 20:41 - 000307200 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntprint.dll
2017-09-12 13:29 - 2017-08-06 16:20 - 000607232 _____ (Microsoft Corporation) C:\WINDOWS\system32\rastls.dll
2017-09-12 13:29 - 2017-08-06 02:13 - 000530432 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rastls.dll
2017-09-12 13:29 - 2017-07-22 13:34 - 000033792 _____ (Microsoft Corporation) C:\WINDOWS\system32\iscsium.dll
2017-09-12 13:29 - 2017-07-22 12:32 - 000027136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iscsium.dll
2017-09-12 13:29 - 2017-07-17 14:53 - 004298240 _____ (Microsoft Corporation) C:\WINDOWS\system32\D3DCompiler_47.dll
2017-09-12 13:29 - 2017-07-16 18:55 - 003551744 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\D3DCompiler_47.dll
2017-09-12 13:29 - 2017-07-13 18:03 - 002013528 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ntfs.sys
2017-09-12 13:29 - 2017-07-12 15:29 - 000420440 _____ (Microsoft Corporation) C:\WINDOWS\system32\wevtapi.dll
2017-09-12 13:29 - 2017-07-12 15:29 - 000075440 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidapi.dll
2017-09-12 13:29 - 2017-07-12 15:25 - 000308872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wevtapi.dll
2017-09-12 13:29 - 2017-07-12 15:25 - 000066112 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\appidapi.dll
2017-09-12 13:29 - 2017-07-08 14:03 - 000017920 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidcertstorecheck.exe
2017-09-12 13:29 - 2017-07-08 13:43 - 000197632 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidpolicyconverter.exe
2017-09-12 13:29 - 2017-07-08 13:30 - 000039936 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidsvc.dll
2017-09-12 13:29 - 2017-07-08 13:20 - 000445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\certcli.dll
2017-09-12 13:29 - 2017-07-08 12:25 - 001436160 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2017-09-12 13:29 - 2017-07-08 12:00 - 000324096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certcli.dll
2017-09-12 13:29 - 2017-07-07 22:14 - 000100184 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\disk.sys
2017-08-28 08:07 - 2017-08-28 08:07 - 000000000 ____D C:\Users\Lora\AppData\Roaming\.mono
2017-08-28 08:07 - 2017-08-28 08:07 - 000000000 ____D C:\Users\Lora\AppData\Local\RedSkyLab
2017-08-19 16:02 - 2017-08-19 16:02 - 000000000 ____D C:\Users\Lora\AppData\LocalLow\thisgamestudio

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-09-16 22:00 - 2017-06-19 14:17 - 000000000 ____D C:\FRST
2017-09-16 21:50 - 2017-06-13 03:50 - 000003934 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{7AB7BA16-9EF9-4F0E-81CF-0B63A584C05C}
2017-09-16 21:26 - 2017-06-13 02:40 - 000003596 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2499391496-340238081-2209737464-1001
2017-09-16 21:21 - 2017-06-13 06:38 - 000000000 ___DO C:\Users\Lora\SkyDrive
2017-09-16 21:21 - 2013-08-22 09:45 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-09-16 21:21 - 2013-08-22 09:44 - 000480872 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-09-16 21:15 - 2017-06-30 17:31 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-09-16 21:15 - 2017-06-15 15:24 - 000000000 ____D C:\Program Files\Microsoft Office
2017-09-16 21:15 - 2013-08-22 14:12 - 000000000 ____D C:\WINDOWS\ShellNew
2017-09-16 21:15 - 2013-08-22 10:36 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-09-16 21:15 - 2013-08-22 10:36 - 000000000 ____D C:\Program Files\Common Files\microsoft shared
2017-09-16 21:14 - 2013-08-22 10:36 - 000000000 ____D C:\Program Files\Common Files\System
2017-09-16 21:14 - 2013-08-22 08:25 - 000000076 _____ C:\WINDOWS\win.ini
2017-09-16 16:44 - 2013-08-22 10:36 - 000000000 ____D C:\WINDOWS\rescache
2017-09-16 16:14 - 2013-08-22 08:25 - 000524288 ___SH C:\WINDOWS\system32\config\BBI
2017-09-16 16:02 - 2013-08-22 08:36 - 000000000 ____D C:\WINDOWS\Inf
2017-09-16 15:56 - 2013-08-22 10:36 - 000000000 ___RD C:\WINDOWS\ToastData
2017-09-16 15:48 - 2017-06-13 04:00 - 000003954 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{D6731BFF-C7B7-4F08-B721-135272E57B76}
2017-09-15 17:52 - 2017-06-25 13:52 - 000000000 ____D C:\ProgramData\{256AE009-AF28-6ACF-29EE-F48DB3AC7F43}
2017-09-14 03:00 - 2017-06-18 18:31 - 000000478 _____ C:\WINDOWS\Tasks\TechUtilities.job
2017-09-13 05:41 - 2017-06-13 04:03 - 000003598 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2499391496-340238081-2209737464-1002
2017-09-13 05:32 - 2017-06-13 17:05 - 000000000 ____D C:\WINDOWS\system32\MRT
2017-09-13 05:30 - 2017-06-13 17:05 - 138202976 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-09-13 05:29 - 2013-08-22 10:20 - 000000000 ____D C:\WINDOWS\CbsTemp
2017-09-12 20:50 - 2017-06-13 02:32 - 000820208 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-09-12 17:36 - 2017-07-16 11:17 - 000004324 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2017-09-12 17:36 - 2013-08-22 10:36 - 000000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-09-12 17:36 - 2013-08-22 10:36 - 000000000 ____D C:\WINDOWS\system32\Macromed
2017-09-10 07:13 - 2013-08-22 10:36 - 000000000 ___HD C:\Program Files\WindowsApps
2017-09-10 07:13 - 2013-08-22 10:36 - 000000000 ____D C:\WINDOWS\AppReadiness
2017-09-09 23:00 - 2017-05-17 19:58 - 000000000 __RDO C:\Users\denni_000\SkyDrive
2017-09-03 18:17 - 2017-05-18 17:30 - 000000000 ____D C:\Users\Lora\.android
2017-09-03 10:39 - 2017-06-30 17:26 - 000000000 ____D C:\Users\Lora\AppData\LocalLow\Mozilla
2017-09-02 08:15 - 2017-06-13 02:26 - 000000000 ____D C:\Users\Lora
2017-09-01 18:54 - 2017-06-23 15:35 - 000835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-09-01 18:54 - 2017-06-23 15:35 - 000177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2017-08-28 09:25 - 2013-08-22 10:36 - 000000000 ____D C:\WINDOWS\system32\NDF
2017-08-28 08:03 - 2017-06-14 20:25 - 000000000 ____D C:\Users\Public\Facebook Games
2017-08-26 20:58 - 2017-06-25 14:47 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-08-19 08:41 - 2017-07-14 14:14 - 000001173 _____ C:\Users\Lora\Desktop\Facebook Gameroom.lnk
2017-08-19 08:41 - 2017-06-13 11:55 - 000000000 ____D C:\Users\Lora\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Facebook
2017-08-19 08:41 - 2017-06-13 11:55 - 000000000 ____D C:\Users\Lora\AppData\Local\Facebook
2017-08-17 11:35 - 2017-06-13 17:13 - 000544424 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe

==================== Files in the root of some directories =======

2017-07-02 09:57 - 2017-07-02 09:57 - 000000045 _____ () C:\Users\Lora\AppData\Roaming\WB.CFG
2017-05-17 11:32 - 2017-05-17 11:32 - 000125952 _____ () C:\Users\Lora\AppData\Local\report
2017-06-15 22:08 - 2017-06-19 11:50 - 000007617 _____ () C:\Users\Lora\AppData\Local\resmon.resmoncfg

Some files in TEMP:
====================
2017-06-13 11:41 - 2017-06-13 11:41 - 000412672 _____ () C:\Users\Lora\AppData\Local\Temp\browser_air_setup.exe
2017-06-13 11:41 - 2017-06-13 11:41 - 000567334 _____ () C:\Users\Lora\AppData\Local\Temp\global_installer.exe
2017-06-13 11:41 - 2017-06-13 11:42 - 000697010 _____ (VideoBox                                                    ) C:\Users\Lora\AppData\Local\Temp\ms.exe
2017-06-15 15:23 - 2012-10-01 19:44 - 000178824 ____R (Microsoft Corporation) C:\Users\Lora\AppData\Local\Temp\ose00000.exe
2017-06-19 12:16 - 2017-06-19 12:17 - 013460656 _____ (Reimage) C:\Users\Lora\AppData\Local\Temp\ReimagePackage.exe
2017-06-13 11:41 - 2017-06-13 11:41 - 000386479 _____ (                                                            ) C:\Users\Lora\AppData\Local\Temp\Setup (1).exe
2017-06-13 11:41 - 2017-06-13 11:41 - 000624640 _____ () C:\Users\Lora\AppData\Local\Temp\setup.exe
2017-06-13 11:52 - 2017-06-13 11:52 - 000046924 _____ () C:\Users\Lora\AppData\Local\Temp\tu17p84.exe
2017-06-13 11:42 - 2017-06-13 11:42 - 001199825 _____ () C:\Users\Lora\AppData\Local\Temp\unins000.exe

Some zero byte size files/folders:
==========================
C:\Windows\SysWOW64\tprdpw64.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\WINDOWS\system32\drivers\ndistpr64.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION

LastRegBack: 2017-09-12 02:51

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 16-09-2017
Ran by Lora (16-09-2017 22:01:24)
Running from C:\Users\Lora\Downloads
Windows 8.1 (Update) (X64) (2017-06-13 07:28:51)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2499391496-340238081-2209737464-500 - Administrator - Disabled)
denni_000 (S-1-5-21-2499391496-340238081-2209737464-1002 - Administrator - Enabled) => C:\Users\denni_000
Guest (S-1-5-21-2499391496-340238081-2209737464-501 - Limited - Disabled)
Lora (S-1-5-21-2499391496-340238081-2209737464-1001 - Administrator - Enabled) => C:\Users\Lora

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 27 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 27.0.0.130 - Adobe Systems Incorporated)
Facebook Gameroom 1.8.6429.23271 (HKLM-x32\...\{D71E0CAE-F4B3-499E-B515-396B02139A39}) (Version: 1.8.6429.23271 - Facebook)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.4229 - Intel Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Mozilla Firefox 55.0.3 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 55.0.3 (x86 en-US)) (Version: 55.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 54.0 - Mozilla)
NETGEAR WNDA3100v3 (HKLM-x32\...\{60C50FCC-545B-4D5D-B0D1-4A773143BCE7}) (Version: 1.0.0.10 - NETGEAR) Hidden
NETGEAR WNDA3100v3 Genie (HKLM-x32\...\InstallShield_{60C50FCC-545B-4D5D-B0D1-4A773143BCE7}) (Version: 1.0.0.10 - NETGEAR)
System Explorer 7.0.0 (HKLM-x32\...\{40F485F7-6478-4896-B0D5-F94BE677EB78}_is1) (Version:  - Mister Group)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\WINDOWS\system32\igfxpph.dll [2015-06-01] (Intel Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {42E524C0-E93F-478F-A6A2-F9043EB9F224} - \SMW_P -> No File <==== ATTENTION
Task: {4CEFB411-835F-434A-BB52-DD17CF63B8AB} - System32\Tasks\{48E08B6D-B1FB-48C6-B164-DF9BF468D40D} => C:\WINDOWS\system32\pcalua.exe -a "C:\Program Files (x86)\s5\u.exe"
Task: {6B7732D9-DB1E-496A-8267-C875E9A8AD5F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-06-13] (Google Inc.)
Task: {B3068A46-E92B-4899-90A2-B3741692845B} - System32\Tasks\TechUtilities => C:\Program Files (x86)\TechUtilities\TechUtilities.exe
Task: {B5D07714-D154-4BE0-A1E3-8F6A1E92598C} - System32\Tasks\{cdddc628-d2b6-4769-8d09-smth95b5ebfb} detom => "wscript.exe" "C:\ProgramData\{256AE009-AF28-6ACF-29EE-F48DB3AC7F43}\rede.txt" "68747470733a2f2f70756c6f6a612e636f6d" "433a5c50726f6772616d446174615c7b32353641453030392d414632382d364143462d323945452d4634384442334143374634337d5c6361736f6e61" "433a5c50726f6772616d446174615c7b32353641453030392d414632382d364143462d32 (the data entry has 82 more characters). <==== ATTENTION
Task: {E5439EED-43C4-4722-86F1-7CC7CFED0A1C} - System32\Tasks\Microsoft\Windows\Windows Error Reporting\VideErroroReporting => C:\\ProgramData\\WindowsVideoErrorReporting\\wvermgr.exe
Task: {EFE5709E-A019-4C6C-84F7-05B4383C3E61} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-06-13] (Google Inc.)
Task: {FE1EF7E6-60E3-433D-B553-5336B354A99B} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-09-12] (Adobe Systems Incorporated)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\TechUtilities.job => C:\Program Files (x86)\TechUtilities\TechUtilities.exe-t C:\Program Files (x86)\TechUtilities\TechUtilities.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2017-01-05 17:36 - 2017-01-05 17:36 - 000077824 _____ () C:\Users\Lora\AppData\Local\ntuserlitelist\dataup\dataup.exe
2017-05-03 17:11 - 2017-05-03 17:11 - 000619008 ____N () C:\windows\system32\tprdpw64.exe
2015-06-01 21:00 - 2015-06-01 21:00 - 000102912 _____ () C:\Windows\System32\IccLibDll_x64.dll
2017-05-04 11:13 - 2017-05-04 11:13 - 000235520 _____ () C:\Users\Lora\AppData\Local\ntuserlitelist\dataup\help_dll.dll
2014-12-22 10:03 - 2014-12-22 10:03 - 000122880 _____ () C:\Program Files (x86)\NETGEAR\WNDA3100v3\Ralink.dll
2012-11-21 18:26 - 2012-11-21 18:26 - 001204224 _____ () C:\Program Files (x86)\NETGEAR\WNDA3100v3\RaWLAPI.dll
2017-08-08 12:02 - 2017-08-08 12:02 - 001157632 _____ () C:\Users\Lora\AppData\Local\Facebook\Games\CefSharp.Core.dll
2017-08-08 12:02 - 2017-08-08 12:02 - 068178432 _____ () C:\Users\Lora\AppData\Local\Facebook\Games\libcef.dll
2017-08-08 12:02 - 2017-08-08 12:02 - 000748032 _____ () C:\Users\Lora\AppData\Local\Facebook\Games\CefSharp.BrowserSubprocess.Core.dll
2017-08-08 12:02 - 2017-08-08 12:02 - 002246144 _____ () C:\Users\Lora\AppData\Local\Facebook\Games\libglesv2.dll
2017-08-08 12:02 - 2017-08-08 12:02 - 000079360 _____ () C:\Users\Lora\AppData\Local\Facebook\Games\libegl.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-2499391496-340238081-2209737464-1001\...\google.com -> hxxps://www.google.com

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 08:25 - 2017-06-19 00:14 - 000000824 _____ C:\WINDOWS\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2499391496-340238081-2209737464-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Lora\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\img5.jpg
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\Run32: => "SystemExplorerAutoStart"
HKU\S-1-5-21-2499391496-340238081-2209737464-1001\...\StartupApproved\Run: => "WKRIUB4JW7Q1YHO"
HKU\S-1-5-21-2499391496-340238081-2209737464-1001\...\StartupApproved\Run: => "JHID1HTGKTK2A11"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{1951BF09-BADD-4540-B9F9-0F525488FB73}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{F9700A99-577B-434D-B17D-701B802896D0}] => (Allow) C:\Program Files\Windows Defender\MSASCui.exe
FirewallRules: [{20F1E225-6691-46ED-B39A-B26E1412D052}] => (Allow) C:\Program Files\Windows Defender\MSASCui.exe
FirewallRules: [{F172DCDF-5405-4E6E-85B9-532A87EF6EEF}] => (Allow) C:\Program Files\Windows Defender\MSASCui.exe
FirewallRules: [{75ADD557-E22F-43B8-8D83-7F964694FEE6}] => (Allow) C:\Program Files\Windows Defender\MSASCui.exe
FirewallRules: [{462EDAEC-BF5D-420E-8F22-42AEC6A50ADE}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{D8F0E649-F5CF-4437-802B-F9190A29B5D3}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{BBB776B1-C6A6-45AB-9FAA-0EE2F203C61B}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{BD0EB47C-3008-4B42-B59D-EE75A39D2039}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{611E2F28-5898-4F32-A1EF-0063644DAC54}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{536CD79D-4FB9-4DD0-8BF4-136092B8C3B9}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [TCP Query User{052CB64D-AE56-44ED-8606-2A044A160C49}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{4E171A6F-0D1E-4912-A1C8-A8679AE40EAC}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe

==================== Restore Points =========================

28-08-2017 21:30:19 Scheduled Checkpoint
05-09-2017 17:45:28 Scheduled Checkpoint
12-09-2017 02:53:31 Windows Update
16-09-2017 21:13:03 Removed Microsoft Office Professional Plus 2013
16-09-2017 21:13:25 PROPLUSR

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (09/16/2017 09:21:48 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007007B
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=fe1c3238-432a-43a1-8e25-97e7d1ef10f3;NotificationInterval=1440;Trigger=NetworkAvailable

Error: (09/16/2017 09:21:44 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007007B
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=fe1c3238-432a-43a1-8e25-97e7d1ef10f3;NotificationInterval=1440;Trigger=UserLogon;SessionId=1

Error: (09/16/2017 08:50:21 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: WISE_FAMILY)
Description: Activation of app Microsoft.BingWeather_8wekyb3d8bbwe!App failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (09/16/2017 08:12:37 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007007B
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=fe1c3238-432a-43a1-8e25-97e7d1ef10f3;NotificationInterval=1440;Trigger=NetworkAvailable

Error: (09/16/2017 08:12:26 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: WISE_FAMILY)
Description: Activation of app Microsoft.BingWeather_8wekyb3d8bbwe!App failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (09/16/2017 04:59:51 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: WISE_FAMILY)
Description: Activation of app Microsoft.BingWeather_8wekyb3d8bbwe!App failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (09/16/2017 04:15:48 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007007B
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=fe1c3238-432a-43a1-8e25-97e7d1ef10f3;NotificationInterval=1440;Trigger=NetworkAvailable

Error: (09/16/2017 04:15:46 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007007B
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=fe1c3238-432a-43a1-8e25-97e7d1ef10f3;NotificationInterval=1440;Trigger=UserLogon;SessionId=1

Error: (09/16/2017 04:04:15 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007007B
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=fe1c3238-432a-43a1-8e25-97e7d1ef10f3;NotificationInterval=1440;Trigger=UserLogon;SessionId=1

Error: (09/16/2017 04:02:51 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007007B
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=fe1c3238-432a-43a1-8e25-97e7d1ef10f3;NotificationInterval=1440;Trigger=NetworkAvailable


System errors:
=============
Error: (09/16/2017 09:23:30 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Management Service service failed to start due to the following error:
The system cannot find the file specified.

Error: (09/16/2017 09:23:29 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error:
The requested resource is in use.

Error: (09/16/2017 08:52:51 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Dataup Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (09/16/2017 04:40:55 PM) (Source: Microsoft-Windows-Kernel-General) (EventID: 5) (User: NT AUTHORITY)
Description: 0x8000002a79\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\WINDOWS\system32\config\DRIVERS

Error: (09/16/2017 04:17:08 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Management Service service failed to start due to the following error:
The system cannot find the file specified.

Error: (09/16/2017 04:17:08 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error:
The requested resource is in use.

Error: (09/16/2017 04:04:31 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Management Service service failed to start due to the following error:
The system cannot find the file specified.

Error: (09/16/2017 04:04:31 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error:
The requested resource is in use.

Error: (09/09/2017 11:11:18 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80246013: 743W8Revolution.TubeMovies.

Error: (09/09/2017 11:11:18 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80246013: 11529PurpleHazeLabs.MovieBoxHD.


CodeIntegrity:
===================================
  Date: 2017-09-16 16:37:13.666
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-09-04 06:48:30.770
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-09-03 02:35:33.813
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-08-31 17:40:01.427
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-08-28 21:12:51.819
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-08-15 05:25:49.876
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-08-13 09:16:28.032
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-08-08 17:55:00.447
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-08-06 19:25:09.950
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-07-28 05:19:07.383
  Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.


==================== Memory info ===========================

Processor: Intel® Core™ i3-2120 CPU @ 3.30GHz
Percentage of memory in use: 43%
Total physical RAM: 4008.63 MB
Available physical RAM: 2254.16 MB
Total Virtual: 5544.63 MB
Available Virtual: 3933.85 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:827.75 GB) (Free:722.97 GB) NTFS ==>[drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 5041A443)
Partition 1: (Active) - (Size=827.8 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=450 MB) - (Type=27)

==================== End of Addition.txt ============================



#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:38 AM

Posted 16 September 2017 - 11:50 PM

Hi Lora_M64 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full-time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean up some malware, so let's get started, shall we? :)

Follow the instructions in the thread below. Make sure to download the MBAR version linked in it. Let me know if you're not able to launch it and run a scan.

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

If you manage to run a scan, delete everything it finds, and then copy/paste the content of the mbar-log-DATE-(TIME).txt log that is located in the MBAR folder here afterwards.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Lora_M64

Lora_M64
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Gender:Female
  • Location:Texas
  • Local time:02:38 AM

Posted 17 September 2017 - 12:16 AM

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.10.1.1002

© Malwarebytes Corporation 2011-2012

OS version: 6.3.9600 Windows 8.1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.18793

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.293000 GHz
Memory total: 4203347968, free: 2141913088

Downloaded database version: v2017.09.17.03
Downloaded database version: v2017.09.13.01
=======================================
Initializing...
Driver version: 4.2.0.132
------------ Kernel report ------------
     09/17/2017 00:02:26
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kd.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\System32\drivers\werkernel.sys
\SystemRoot\System32\drivers\CLFS.SYS
\SystemRoot\System32\drivers\tm.sys
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\System32\drivers\cmimcext.sys
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\System32\Drivers\acpiex.sys
\SystemRoot\System32\Drivers\WppRecorder.sys
\SystemRoot\System32\drivers\ACPI.sys
\SystemRoot\System32\drivers\WMILIB.SYS
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\system32\drivers\ndistpr64.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\system32\drivers\NDIS.SYS
\SystemRoot\system32\drivers\TDI.SYS
\SystemRoot\system32\drivers\FLTMGR.SYS
\SystemRoot\System32\drivers\msisadrv.sys
\SystemRoot\System32\drivers\pci.sys
\SystemRoot\System32\drivers\vdrvroot.sys
\SystemRoot\system32\drivers\pdc.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\System32\drivers\spaceport.sys
\SystemRoot\System32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\pciide.sys
\SystemRoot\System32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\System32\drivers\atapi.sys
\SystemRoot\System32\drivers\ataport.SYS
\SystemRoot\System32\drivers\EhStorClass.sys
\SystemRoot\System32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Wof.sys
\SystemRoot\system32\drivers\WdFilter.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\DRIVERS\wfplwfs.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\System32\drivers\volsnap.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\intelpep.sys
\SystemRoot\System32\drivers\disk.sys
\SystemRoot\System32\drivers\CLASSPNP.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\drivers\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\BasicRender.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\System32\drivers\BasicDisplay.sys
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\drivers\npsvctrig.sys
\SystemRoot\System32\drivers\mssmbios.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\ahcache.sys
\SystemRoot\System32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\kdnic.sys
\SystemRoot\System32\drivers\umbus.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\HECIx64.sys
\SystemRoot\System32\drivers\usbehci.sys
\SystemRoot\System32\drivers\USBPORT.SYS
\SystemRoot\System32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\Rt630x64.sys
\SystemRoot\System32\drivers\intelppm.sys
\SystemRoot\System32\drivers\NdisVirtualBus.sys
\SystemRoot\System32\drivers\swenum.sys
\SystemRoot\System32\drivers\ks.sys
\SystemRoot\System32\drivers\rdpbus.sys
\SystemRoot\System32\drivers\usbhub.sys
\SystemRoot\System32\drivers\USBD.SYS
\SystemRoot\system32\drivers\HdAudio.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\WNDA3100v3.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\System32\drivers\monitor.sys
\SystemRoot\System32\drivers\usbccgp.sys
\SystemRoot\System32\drivers\hidusb.sys
\SystemRoot\System32\drivers\HIDCLASS.SYS
\SystemRoot\System32\drivers\kbdhid.sys
\SystemRoot\System32\drivers\kbdclass.sys
\SystemRoot\System32\drivers\mouhid.sys
\SystemRoot\System32\drivers\mouclass.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\Ndu.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\system32\Drivers\WdNisDrv.sys
\SystemRoot\System32\drivers\condrv.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\??\C:\WINDOWS\system32\drivers\2F1F79CC.sys
----------- End -----------
Done!

Scan started
Database versions:
  main:    v2017.09.17.03
  rootkit: v2017.09.13.01

<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffe001326bb5e0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffe001326ba040, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffe001326bb5e0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffe001305659c0, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffe00130563060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
File "C:\Windows\System32\drivers\1394ohci.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\1394ohci.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\acpipagr.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\acpipagr.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\acpipmi.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\acpipmi.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\acpitime.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\acpitime.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\AGP440.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\AGP440.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\amdk8.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\amdk8.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\amdppm.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\amdppm.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\intelppm.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\intelppm.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\isapnp.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\isapnp.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\kdnic.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\kdnic.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\atapi.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\atapi.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\ataport.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\ataport.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\BasicDisplay.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\BasicDisplay.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\battc.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\battc.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\BtaMPM.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\BtaMPM.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\BthAvrcpTg.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\BthAvrcpTg.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\BthhfHid.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\BthhfHid.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\bthmodem.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\bthmodem.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\cdrom.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\cdrom.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\circlass.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\circlass.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\CompositeBus.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\CompositeBus.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\EhStorTcgDrv.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\EhStorTcgDrv.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\errdev.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\errdev.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\fdc.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\fdc.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\flpydisk.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\flpydisk.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\fxppm.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\fxppm.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\CmBatt.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\CmBatt.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\terminpt.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\terminpt.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\monitor.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\monitor.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\msgpiowin32.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\msgpiowin32.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\msisadrv.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\msisadrv.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\mssmbios.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\mssmbios.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\MTConfig.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\MTConfig.sys" is compressed (flags = 1)
File C:\WINDOWS\SYSTEM32\drivers\ndistpr64.sys will be destroyed
Infected: C:\WINDOWS\SYSTEM32\drivers\ndistpr64.sys --> [Rootkit.Agent.PUA]
File "C:\Windows\System32\drivers\npsvctrig.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\npsvctrig.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\pciide.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\pciide.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\pciidex.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\pciidex.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\pcmcia.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\pcmcia.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\processr.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\processr.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\rdpbus.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\rdpbus.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\uaspstor.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\uaspstor.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\uefi.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\uefi.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\umbus.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\umbus.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\umpass.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\umpass.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\usbprint.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\usbprint.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\vdrvroot.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\vdrvroot.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\wacompen.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\wacompen.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\wmiacpi.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\wmiacpi.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\sbp2port.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\sbp2port.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\sfloppy.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\sfloppy.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\HdAudio.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\HdAudio.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\hidbatt.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\hidbatt.sys" is compressed (flags = 1)
File "C:\Windows\System32\drivers\hidi2c.sys" is compressed (flags = 1)
File "C:\WINDOWS\SYSTEM32\drivers\hidi2c.sys" is compressed (flags = 1)
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 5041A443

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 718848  Numsec = 1735919616
    Partition is bootable
    Partition file system is NTFS

    Partition 1 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1736638464  Numsec = 921600
    Partition is not bootable
    Partition file system is NTFS

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Done!
Scan finished
Creating System Restore point...
Cleaning up...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================
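The "Inspecting partition table" block in the log above is MBAR's reading of sector 0 of disk 0, the master boot record. The following PowerShell is an added example, not part of the post and not Malwarebytes code: it decodes those same fields (boot signature, NT disk signature, and the four 16-byte partition entries) from a raw 512-byte sector. The sector is constructed here to carry the log's values (disk signature 5041A443, an active 0x07 partition at LBA 718848, a 0x27 partition at LBA 1736638464); on a live machine you would feed in sector 0 of \\.\PhysicalDrive0 read with a raw-disk tool as administrator. The partition type names are this example's own labels, and the example only decodes the table entries, so it reports the active flag and type but not MBAR's separate "bootable" and file-system lines, which require reading each partition's own boot sector.

```powershell
# Added example (not from the post or from MBAR): decode an MBR partition table.
# Type names below are this example's labels; MBAR prints "Primary", "Other", "Empty".
$TypeNames = @{ 0x00 = 'Empty'; 0x07 = 'NTFS/exFAT (Primary)'; 0x27 = 'Hidden NTFS (Windows RE)' }

function Parse-Mbr {
    param([byte[]]$Sector)
    if ($Sector.Length -ne 512) { throw "MBR must be exactly 512 bytes, got $($Sector.Length)" }

    # Boot signature: the last two bytes of the sector must be 0x55 0xAA.
    $sig = '{0:X2}{1:X2}' -f $Sector[510], $Sector[511]

    # NT disk signature: 4 little-endian bytes at offset 0x1B8.
    $diskSig = [BitConverter]::ToUInt32($Sector, 0x1B8)

    # Four 16-byte entries start at 0x1BE:
    #   +0 boot indicator (0x80 = active), +4 type byte, +8 start LBA, +12 sector count
    $parts = for ($i = 0; $i -lt 4; $i++) {
        $o = 0x1BE + 16 * $i
        $type = [int]$Sector[$o + 4]
        $typeName = if ($TypeNames.ContainsKey($type)) { $TypeNames[$type] } else { 'Other' }
        [pscustomobject]@{
            Index    = $i
            Active   = (($Sector[$o] -band 0x80) -ne 0)
            Type     = $type
            TypeName = $typeName
            StartLba = [BitConverter]::ToUInt32($Sector, $o + 8)
            NumSec   = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }

    [pscustomobject]@{
        MbrSignature  = $sig
        SignatureOk   = ($sig -eq '55AA')
        DiskSignature = '{0:X8}' -f $diskSig
        Partitions    = $parts
    }
}

# Helper used only to build the constructed test sector: writes one table entry in place.
function Set-MbrEntry {
    param([byte[]]$Mbr, [int]$Index, [bool]$Active, [byte]$Type, [uint32]$StartLba, [uint32]$NumSec)
    $o = 0x1BE + 16 * $Index
    $Mbr[$o] = if ($Active) { 0x80 } else { 0x00 }
    $Mbr[$o + 4] = $Type
    [BitConverter]::GetBytes($StartLba).CopyTo($Mbr, $o + 8)
    [BitConverter]::GetBytes($NumSec).CopyTo($Mbr, $o + 12)
}

# Constructed sector mirroring the values in the MBAR log (not a dump of the user's disk).
$mbr = New-Object byte[] 512
[BitConverter]::GetBytes([uint32]0x5041A443).CopyTo($mbr, 0x1B8)
Set-MbrEntry $mbr 0 $true  0x07 718848     1735919616
Set-MbrEntry $mbr 1 $false 0x27 1736638464 921600
$mbr[510] = 0x55; $mbr[511] = 0xAA

$r = Parse-Mbr $mbr
"MBR Signature: $($r.MbrSignature) (valid: $($r.SignatureOk))"
"Disk Signature: $($r.DiskSignature)"
foreach ($p in $r.Partitions) {
    $state = if ($p.Active) { 'ACTIVE' } else { 'NOT ACTIVE' }
    'Partition {0}: type {1} (0x{2:X2}), {3}, starts at LBA {4}, Numsec = {5}' -f $p.Index, $p.TypeName, $p.Type, $state, $p.StartLba, $p.NumSec
}
```

A bootkit that hooks the boot path normally has to change something visible here: the active entry's start LBA, the type byte, or the 446 bytes of boot code before the table. Comparing the decoded table against the one Windows' own disk tools report is a quick consistency check, and a missing 55AA signature means the sector is not a valid MBR at all.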


 



#4 Aura

  • Bleepin' Special Ops
  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 17 September 2017 - 09:20 AM

That's the system-log.txt logfile. I need the one called mbar-log-DATE-(TIME).txt and it should be in the MBAR folder.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 Lora_M64

  • Topic Starter
  • Members
  • 42 posts
  • Gender:Female
  • Location:Texas

Posted 17 September 2017 - 04:43 PM

Malwarebytes Anti-Rootkit BETA 1.10.1.1002
www.malwarebytes.org

Database version:
  main:    v2017.09.17.03
  rootkit: v2017.09.13.01

Windows 8.1 x64 NTFS
Internet Explorer 11.0.9600.18793
Lora :: WISE_FAMILY [administrator]

9/17/2017 12:02:33 AM
mbar-log-2017-09-17 (00-02-33).txt

Scan type:
Scan options enabled: Anti-Rootkit | Drivers | MBR
Scan options disabled: Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Objects scanned: 317
Time elapsed: 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\WINDOWS\SYSTEM32\drivers\ndistpr64.sys (Rootkit.Agent.PUA) -> Delete on reboot. [a1184d89fddc3c481bce6ecc1384a192]

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 



#6 Lora_M64

  • Topic Starter
  • Members
  • 42 posts
  • Gender:Female
  • Location:Texas

Posted 17 September 2017 - 04:44 PM

I'm sorry Aura...thank you so much for helping me...I appreciate it very much!!!



#7 Aura

  • Bleepin' Special Ops
  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 17 September 2017 - 08:02 PM

No problem Lora :) MBAR detected and deleted the offending SmartService driver. Now you should be able to install and run a scan with Malwarebytes.

Malwarebytes - Clean Mode
  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run; the time required to complete the scan depends on your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply

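MBAR's result line for the driver reads "Delete on reboot", so the removal only takes effect after the restart, and the driver's service registration and any other unsigned drivers in the same folder are worth a look once the machine is back up. The following PowerShell is an added example, not Aura's instructions and not a Malwarebytes tool: it takes the driver name and the bracketed hash from the MBAR log above, assumes a default %SystemRoot% and an elevated prompt, and assumes the bracketed 32-hex-digit value is the file's MD5 (its length suggests so, but the log does not say). The driver-folder sweep in step 4 carries a caveat: Windows ships many inbox drivers with catalog signatures rather than embedded ones, and depending on the Windows and PowerShell version Get-AuthenticodeSignature can report those as NotSigned, so a hit there means "inspect", not "malicious".

```powershell
# Added example (not from the thread or from Malwarebytes): post-reboot check for the
# kernel driver MBAR flagged, plus a sweep of the drivers folder for unsigned .sys files.
# Run from an elevated PowerShell prompt.
param(
    [string]$DriverName = 'ndistpr64',                        # file name from the MBAR log
    [string]$KnownHash  = 'a1184d89fddc3c481bce6ecc1384a192', # bracketed value in the log; assumed MD5
    [string]$DriverDir  = (Join-Path $env:SystemRoot 'System32\drivers')
)

$file = Join-Path $DriverDir "$DriverName.sys"

# 1. File still on disk?  "Delete on reboot" means this should be gone after the restart.
if (Test-Path -LiteralPath $file) {
    $md5 = (Get-FileHash -LiteralPath $file -Algorithm MD5).Hash
    "STILL PRESENT: $file  MD5=$md5  matches MBAR hash: $($md5 -ieq $KnownHash)"
} else {
    "Removed: $file"
}

# 2. Registration left behind?  Kernel drivers are registered under CurrentControlSet\Services.
#    An orphaned key whose ImagePath points at the deleted file is leftover to clean up,
#    and Start=0 (boot) or 1 (system) is how a rootkit driver gets loaded before user-mode tools.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName"
if (Test-Path -LiteralPath $svcKey) {
    $svc = Get-ItemProperty -LiteralPath $svcKey
    "Service key present: ImagePath='$($svc.ImagePath)' Start=$($svc.Start) Type=$($svc.Type)"
} else {
    "No service key: $svcKey"
}

# 3. Loaded right now?  Win32_SystemDriver enumerates kernel drivers known to the service control manager.
$loaded = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -ieq $DriverName -or $_.PathName -like "*\$DriverName.sys" }
if ($loaded) {
    $loaded | Select-Object Name, State, StartMode, PathName
} else {
    "Not registered with the SCM: $DriverName"
}

# 4. Sweep the folder for .sys files without a valid embedded Authenticode signature.
#    Caveat: catalog-signed inbox drivers can show up as NotSigned here, so treat a hit as
#    "inspect this", not "malicious". Sysinternals sigcheck, which understands catalog
#    signatures, gives the fuller answer.
Get-ChildItem -LiteralPath $DriverDir -Filter *.sys |
    Get-AuthenticodeSignature |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object @{ n = 'File';   e = { Split-Path -Leaf $_.Path } },
                  Status,
                  @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
```

Save it as a .ps1 and run it with no arguments for the driver in this thread, or pass -DriverName and -KnownHash for another detection. Steps 1 to 3 are the confirmation that the "Requested Resource In Use" blocker is really gone; step 4 is the broader hunt, and its output should be read with the catalog-signature caveat in mind.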


#8 Lora_M64

  • Topic Starter
  • Members
  • 42 posts
  • Gender:Female
  • Location:Texas

Posted 19 September 2017 - 01:39 PM

Hi Aura,

The log is very big so I'm going to have to paste it in several replies.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 9/17/17
Scan Time: 12:00 PM
Log File: c648406c-9bc9-11e7-a478-d4bed9bb9fe6.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2029
Components Version: 1.0.188
Update Package Version: 1.0.2785
License: Premium

-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: WISE_FAMILY\Lora

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 460538
Threats Detected: 69449
Threats Quarantined: 69449
Time Elapsed: 1 hr, 5 min, 9 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)
 



#9 Lora_M64

  • Topic Starter
  • Members
  • 42 posts
  • Gender:Female
  • Location:Texas

Posted 19 September 2017 - 01:44 PM

Removed to preserve space.

-Aura

Edited by Aura, 19 September 2017 - 02:13 PM.


#10 Lora_M64

  • Topic Starter
  • Members
  • 42 posts
  • Gender:Female
  • Location:Texas

Posted 19 September 2017 - 01:49 PM

Removed to preserve space.

-Aura

Edited by Aura, 19 September 2017 - 02:14 PM.


#11 Lora_M64

  • Topic Starter
  • Members
  • 42 posts
  • Gender:Female
  • Location:Texas

Posted 19 September 2017 - 01:50 PM

Removed to preserve space.

-Aura

Edited by Aura, 19 September 2017 - 02:14 PM.


#12 Lora_M64

  • Topic Starter
  • Members
  • 42 posts
  • Gender:Female
  • Location:Texas

Posted 19 September 2017 - 01:51 PM

Removed to preserve space.

-Aura

Edited by Aura, 19 September 2017 - 02:14 PM.


#13 Aura

  • Bleepin' Special Ops
  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 19 September 2017 - 01:55 PM

You can simply attach the log if it's too long.



#14 Lora_M64

  • Topic Starter
  • Members
  • 42 posts
  • Gender:Female
  • Location:Texas

Posted 19 September 2017 - 01:55 PM

Removed to preserve space.

-Aura

Edited by Aura, 19 September 2017 - 02:15 PM.


#15 Lora_M64

  • Topic Starter
  • Members
  • 42 posts
  • Gender:Female
  • Location:Texas

Posted 19 September 2017 - 01:57 PM

Removed to preserve space.

-Aura

Edited by Aura, 19 September 2017 - 02:15 PM.




