Win 7 PC does not boot after malware removal


This topic is locked
64 replies to this topic

#1 George_
Posted 11 March 2018 - 03:24 AM

Hello
Yesterday I opened an .exe file; after opening it, my computer started slowing down. There was an svchost.exe with high CPU usage. I deleted it in Task Manager and a blue screen appeared saying "A problem has been detected and Windows has been shut down to prevent damage to your computer".
 
The PC restarted automatically, but svchost.exe was still there. Then I ran a Malwarebytes Anti-Malware scan and a HitmanPro scan; they found a Trojan and malware, and I deleted them, but svchost.exe was still there, and when I hit End Process in Task Manager again, the blue screen appeared again and the PC tried to restart but was not able to boot.

I followed instructions from other posts here and did an FRST scan.

Here is the result.

Thanks

 

-------------------------------
 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 10.03.2018
Ran by SYSTEM on MININT-T2FTIGU (11-03-2018 11:54:22)
Running from j:\
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet002
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [AdobeGCInvoker-1.0] => C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe [315880 2018-01-04] (Adobe Systems, Incorporated)
HKLM\...\RunOnce: [!MOF64] => cmd.exe /c "cd %windir%\microsoft.net\framework64\v4.0.30319 & mofcomp.exe -autorecover mof\servicemodel.mof & mofcomp.exe -autorecover mof\servicemodel35.mof & mofcomp.exe -autorecover aspnet.mof & c (the data entry has 182 more characters).
HKU\Gio\...\Run: [Intel Graphic Loader Extension] => C:\ProgramData\Intel\IntelGFX.exe [2288616 2017-07-24] ()
HKU\Gio\...\Run: [IDMan] => C:\Program Files (x86)\Internet Download Manager\IDMan.exe [4005944 2017-03-28] (Tonec Inc.)
HKU\Gio\...\Run: [Upwork] => C:\Program Files (x86)\Upwork\upwork.exe [2227496 2017-03-22] ()
HKU\Gio\...\Run: [AME Start] => C:\ProgramData\AME\AME.exe [2753536 2016-12-28] ()
HKU\Gio\...\Run: [Intel] => C:\ProgramData\Intel\IntelADTSvc.exe [2586039 2018-02-22] ()
HKU\Gio\...\Run: [KfccHBPnPn] => "C:\Users\Gio\AppData\Local\KAHBPS~1\svchost.exe" <==== ATTENTION
HKU\Gio\...\Run: [dwm] => c:\users\gio\appdata\roaming\26646386\dwm.exe <==== ATTENTION
HKU\Gio\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\Gio\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 1
HKU\Gio\...\Policies\Explorer: [NoResolveSearch] 1
HKU\Gio\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\Gio\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\SysWOW64\3PLANE~1.SCR [5037216 2017-12-23] (3Planesoft)
Startup: C:\Users\Gio\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tdbdichi.lnk [2018-03-10]
ShortcutTarget: tdbdichi.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2319848 2018-01-04] (Adobe Systems, Incorporated)
S2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe [936728 2014-01-27] ()
S2 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.23\aaHMSvc.exe [963536 2017-04-19] (ASUSTeK Computer Inc.)
S4 AsusFanControlService; C:\Program Files (x86)\ASUS\AsusFanControlService\1.08.15\AsusFanControlService.exe [419288 2017-04-19] (ASUSTeK Computer Inc.)
S4 Droid4XService; C:\Program Files (x86)\Droid4X\Droid4XService.exe [285616 2017-08-14] ()
S2 ESRV_SVC_QUEENCREEK; C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe [824592 2017-03-07] ()
S2 Foundry FLEXlm Server; C:\Program Files (x86)\The Foundry\\LicensingTools7.0\bin\FLEXlm\lmgrd.foundry.exe [1392016 2012-10-29] (Acresso Software Inc.)
S2 Foundry License Server; C:\Program Files (x86)\The Foundry\\LicensingTools7.0\bin\RLM\rlm.foundry.exe [1474560 2013-04-08] (Reprise Software Inc.)
S2 HoudiniLicenseServer; C:\Windows\system32\sesinetd.exe [4155392 2017-06-29] (Side Effects Software Inc.)
S2 HoudiniServer; C:\Windows\system32\hserver.exe [4127744 2017-02-18] (Side Effects Software Inc.)
S2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [140936 2013-05-14] ()
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887232 2014-01-31] (Intel® Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [154584 2014-04-29] (Intel Corporation)
S3 mi-raysat_3dsmax2015_64; C:\Program Files\Autodesk\3ds Max 2015\NVIDIA\Satellite\raysat_3dsmax2015_64server.exe [86016 2011-09-14] ()
S2 NortonSecurity; C:\Program Files\Norton Security\Engine\22.12.0.104\NortonSecurity.exe [328712 2018-01-25] (Symantec Corporation)
S2 NvContainerLocalSystem; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [519240 2018-02-24] (NVIDIA Corporation)
S3 NvContainerNetworkService; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [519240 2018-02-24] (NVIDIA Corporation)
S2 oesaebmj; C:\Windows\SysWOW64\oesaebmj\npdesacm.exe [14852096 2018-03-10] ()
S3 RaySat2016Server; C:\Program Files\Autodesk\mrsat3.13.1-maya2016\bin\raysat2016server.exe [106240 2015-05-26] (NVIDIA ARC GmbH)
S2 RLM-Arnold; C:\solidangle\solidangle_rlm_win\rlm.exe [2123264 2017-02-18] (Reprise Software Inc.)
S2 RLM-Redshift; C:\redshift\rlm.exe [2123264 2016-10-12] (Reprise Software Inc.)
S2 SystemUsageReportSvc_QUEENCREEK; C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe [157456 2017-03-07] ()
S3 USER_ESRV_SVC_QUEENCREEK; C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe [824592 2017-03-07] ()
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2016-05-15] (Microsoft Corporation)
S2 NVDisplay.ContainerLocalSystem; "C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -s NVDisplay.ContainerLocalSystem -f "C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\LocalSystem" -r -p 30000
S2 NvTelemetryContainer; "C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe" -s NvTelemetryContainer -f "C:\ProgramData\NVIDIA\NvTelemetryContainer.log" -l 3 -d "C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\plugins" -r
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2017-04-19] ()
S3 ASUSFILTER; C:\Windows\SysWow64\drivers\ASUSFILTER.sys [46152 2017-04-19] (MCCI Corporation)
S1 BHDrvx64; C:\Program Files\Norton Security\NortonData\22.12.0.104\Definitions\BASHDefs\20171115.003\BHDrvx64.sys [1872024 2018-01-24] (Symantec Corporation)
S3 BstkDrv; C:\Program Files (x86)\BlueStacks\BstkDrv.sys [269408 2017-12-05] (Bluestack System Inc. )
S1 ccSet_NGC; C:\Windows\system32\drivers\NGCx64\160C000.068\ccSetx64.sys [187544 2018-01-24] (Symantec Corporation)
S3 GPCIDrv; C:\Program Files (x86)\GIGABYTE\GIGABYTE OC_GURU II\GPCIDrv64.sys [14376 2014-08-28] ()
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [55232 2018-03-10] ()
S1 IDSVia64; C:\Program Files\Norton Security\NortonData\22.12.0.104\Definitions\IPSDefs\20171013.101\IDSVia64.sys [1056920 2018-01-24] (Symantec Corporation)
S1 ISODrive; C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys [115448 2013-11-20] (EZB Systems, Inc.)
S0 kexi; C:\Windows\System32\drivers\nloswjb.sys [79064 2018-03-10] ()
S2 lirsgt; C:\Windows\SysWOW64\DRIVERS\lirsgt.sys [18048 2018-01-19] ()
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [113880 2018-03-10] (Malwarebytes Corporation)
S3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [118272 2014-04-29] (Intel Corporation)
S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [30280 2018-02-24] (NVIDIA Corporation)
S3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [59240 2018-02-24] (NVIDIA Corporation)
S3 nvvhci; C:\Windows\System32\DRIVERS\nvvhci.sys [57928 2018-02-24] (NVIDIA Corporation)
S2 PHYMEM; C:\Windows\system32\ami_ipower.sys [15992 2017-12-16] ()
S3 RTTEAMPT; C:\Windows\System32\DRIVERS\RtTeam620.sys [58512 2012-07-03] (Realtek Corporation)
S4 secdrv; C:\Windows\SysWow64\Drivers\secdrv.sys [12464 2017-08-13] (Macrovision Europe Ltd)
S3 semav6msr64; C:\Windows\system32\drivers\semav6msr64.sys [21984 2016-10-18] ()
S3 SRTSP; C:\Windows\system32\drivers\NGCx64\160C000.068\SRTSP64.SYS [817816 2018-01-24] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NGCx64\160C000.068\SRTSPX64.SYS [49304 2018-01-24] (Symantec Corporation)
S0 SymEFASI; C:\Windows\System32\drivers\NGCx64\160C000.068\SYMEFASI64.SYS [1942168 2018-01-24] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [102552 2018-03-10] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\NGCx64\160C000.068\Ironx64.SYS [307864 2018-01-24] (Symantec Corporation)
S1 SymNetS; C:\Windows\system32\drivers\NGCx64\160C000.068\SYMNETS.SYS [566936 2018-01-24] (Symantec Corporation)
S3 tun3326; C:\Windows\System32\DRIVERS\tun3326.sys [32368 2013-03-22] (The OpenVPN Project)
S3 vvftav303; C:\Windows\System32\drivers\vvftav303.sys [308096 2007-06-23] (Vimicro Corporation)
S2 WIBUKEY; C:\Windows\System32\DRIVERS\WibuKey64.sys [106760 2017-04-20] (WIBU-SYSTEMS AG)
S3 ZSMC0303; C:\Windows\System32\Drivers\usbVM303.sys [1494656 2007-03-25] (Vimicro Corporation)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-03-11 11:50 - 2018-03-11 11:50 - 000000000 ____D C:\FRST
2018-03-10 03:51 - 2018-03-10 03:51 - 000000000 ____D C:\Windows\System32\Tasks\Norton Security
2018-03-10 03:49 - 2018-03-10 03:49 - 000102552 _____ (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS
2018-03-10 03:49 - 2018-03-10 03:49 - 000008471 _____ C:\Windows\System32\Drivers\SYMEVENT64x86.CAT
2018-03-10 03:49 - 2018-03-10 03:49 - 000003208 _____ C:\Windows\System32\Tasks\Norton WSC Integration
2018-03-10 03:49 - 2018-03-10 03:49 - 000002169 _____ C:\Users\Public\Desktop\Norton Security.lnk
2018-03-10 03:49 - 2018-03-10 03:49 - 000000000 ____D C:\Program Files\Common Files\Symantec Shared
2018-03-10 03:48 - 2018-03-10 03:49 - 000000000 ____D C:\Program Files\Norton Security
2018-03-10 03:48 - 2018-03-10 03:48 - 000000000 ____D C:\Windows\System32\Drivers\NGCx64
2018-03-10 03:46 - 2018-03-10 03:50 - 000000000 ____D C:\ProgramData\Norton
2018-03-10 03:45 - 2018-03-10 03:48 - 000000000 ____D C:\Program Files (x86)\NortonInstaller
2018-03-10 03:45 - 2018-03-10 03:45 - 000000000 ____D C:\ProgramData\NortonInstaller
2018-03-10 02:10 - 2018-03-10 02:10 - 000079064 _____ C:\Windows\System32\Drivers\nloswjb.sys
2018-03-10 02:09 - 2018-03-10 02:09 - 000003760 _____ C:\malware.txt
2018-03-10 01:26 - 2018-03-10 01:26 - 000003424 _____ C:\Windows\System32\Tasks\OneDriveUpdateTask
2018-03-10 01:17 - 2018-03-10 02:11 - 000000000 ____D C:\Users\Gio\AppData\Local\kahBPslLln
2018-03-10 01:16 - 2018-03-10 01:16 - 000003452 _____ C:\Windows\System32\Tasks\OneDriveUpdateTaskMachine
2018-03-10 01:06 - 2018-03-10 01:06 - 052626270 _____ C:\Users\Gio\Downloads\Green Screen example.mp4
2018-03-10 00:45 - 2018-03-10 00:45 - 000055232 _____ C:\Windows\System32\Drivers\hitmanpro37.sys
2018-03-10 00:43 - 2018-03-10 00:43 - 000001528 _____ C:\Windows\System32\.crusader
2018-03-10 00:36 - 2018-03-10 00:44 - 000000000 ____D C:\ProgramData\HitmanPro
2018-03-10 00:28 - 2018-03-10 00:32 - 000000000 ____D C:\AdwCleaner
2018-03-10 00:17 - 2018-03-10 02:12 - 000003576 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 2796787680
2018-03-10 00:17 - 2018-03-10 00:18 - 000000000 ____D C:\Users\Gio\AppData\LocalLow\Unity
2018-03-10 00:17 - 2018-03-10 00:18 - 000000000 ____D C:\Users\Gio\AppData\Local\Lite
2018-03-10 00:17 - 2018-03-10 00:17 - 000003210 _____ C:\Windows\System32\Tasks\Windows Defender
2018-03-10 00:17 - 2018-03-10 00:17 - 000000000 ___HD C:\Users\Gio\AppData\Roaming\klogs
2018-03-10 00:17 - 2018-03-10 00:17 - 000000000 ___HD C:\Users\Gio\AppData\Roaming\driver
2018-03-10 00:17 - 2018-03-10 00:17 - 000000000 ____D C:\Windows\SysWOW64\oesaebmj
2018-03-10 00:16 - 2018-03-10 00:23 - 006795264 _____ (Softplicity Inc.) C:\ProgramData\AudioConverter.exe
2018-03-10 00:16 - 2018-03-10 00:16 - 000003572 _____ C:\Windows\System32\Tasks\{28867E9B-CAA5-4BE7-B758-9FCAD380567A}
2018-03-10 00:16 - 2018-03-10 00:16 - 000003418 _____ C:\Windows\System32\Tasks\{EF2C8558-3869-4FE4-911F-2D9475411616}
2018-03-10 00:16 - 2018-03-10 00:16 - 000000116 _____ C:\ProgramData\check.txt
2018-03-10 00:16 - 2018-03-10 00:16 - 000000003 _____ C:\Users\Gio\AppData\Local\wbem.ini
2018-03-10 00:08 - 2018-03-10 00:08 - 076531676 _____ C:\Users\Gio\Downloads\Making of AYA - Green Screen.mov
2018-03-09 15:20 - 2018-03-09 15:20 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsignc6f3bd46dccb8faa
2018-03-09 15:20 - 2018-03-09 15:20 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign86eec32b9f41fb95
2018-03-09 15:15 - 2018-03-09 15:15 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign8979812082e3e12a
2018-03-09 15:15 - 2018-03-09 15:15 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign74c21861bf75ecb6
2018-03-09 02:18 - 2018-03-09 02:18 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign4714617635281771
2018-03-09 02:18 - 2018-03-09 02:18 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign058d9518b123b425
2018-03-08 06:20 - 2018-03-08 06:21 - 222952848 _____ C:\Users\Gio\Downloads\Emilea_MA1005-N-22O_WithShades_W.tif
2018-03-08 00:23 - 2018-03-08 00:43 - 120496900 _____ C:\Users\Gio\Downloads\Headus_UVLayout_Pro_2.09.04_WinMac.rar
2018-03-07 23:24 - 2018-03-07 23:24 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsignd4465f3f8e2b31b2
2018-03-07 23:24 - 2018-03-07 23:24 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsigncb8b4da754df5129
2018-03-07 08:09 - 2018-03-07 08:09 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsignd53ad42beee5b650
2018-03-07 08:09 - 2018-03-07 08:09 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign9ca7fc7c91748b61
2018-03-07 07:51 - 2018-03-07 07:51 - 000000000 ____D C:\Users\Gio\ansel
2018-03-07 07:44 - 2018-03-07 07:44 - 000000000 ____D C:\Windows\System32\Drivers\NVIDIA Corporation
2018-03-07 07:44 - 2018-03-07 07:44 - 000000000 ____D C:\Program Files (x86)\VulkanRT
2018-03-07 07:44 - 2018-02-23 11:28 - 000136536 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvStreaming.exe
2018-03-07 07:44 - 2017-12-08 14:25 - 000798520 _____ C:\Windows\SysWOW64\vulkan-1.dll
2018-03-07 07:44 - 2017-12-08 14:25 - 000490808 _____ C:\Windows\SysWOW64\vulkaninfo.exe
2018-03-07 07:44 - 2017-12-08 14:24 - 000928568 _____ C:\Windows\System32\vulkan-1.dll
2018-03-07 07:44 - 2017-12-08 14:24 - 000591672 _____ C:\Windows\System32\vulkaninfo.exe
2018-03-07 07:43 - 2018-02-24 21:40 - 028201048 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll
2018-03-07 07:43 - 2018-02-24 21:40 - 017353248 _____ (NVIDIA Corporation) C:\Windows\System32\Drivers\nvlddmkm.sys
2018-03-07 07:43 - 2018-02-24 21:40 - 000996768 _____ (NVIDIA Corporation) C:\Windows\System32\NvIFR64.dll
2018-03-07 07:43 - 2018-02-24 21:40 - 000625512 _____ (NVIDIA Corporation) C:\Windows\System32\NvIFROpenGL.dll
2018-03-07 07:43 - 2018-02-24 21:40 - 000514544 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFROpenGL.dll
2018-03-07 07:43 - 2018-02-24 21:39 - 000948128 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFR.dll
2018-03-07 07:43 - 2018-02-24 21:38 - 040277488 _____ (NVIDIA Corporation) C:\Windows\System32\nvcompiler.dll
2018-03-07 07:43 - 2018-02-24 21:38 - 003913016 _____ (NVIDIA Corporation) C:\Windows\System32\nvcuvid.dll
2018-03-07 07:43 - 2018-02-24 21:38 - 003443800 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll
2018-03-07 07:43 - 2018-02-24 21:38 - 001985384 _____ (NVIDIA Corporation) C:\Windows\System32\nvdispco6439101.dll
2018-03-07 07:43 - 2018-02-24 21:38 - 001684000 _____ (NVIDIA Corporation) C:\Windows\System32\nvdispgenco6439101.dll
2018-03-07 07:43 - 2018-02-24 21:38 - 001137512 _____ (NVIDIA Corporation) C:\Windows\System32\NvFBC64.dll
2018-03-07 07:43 - 2018-02-24 21:38 - 001064760 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvFBC.dll
2018-03-07 07:43 - 2018-02-24 21:37 - 035188640 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcompiler.dll
2018-03-07 07:43 - 2018-02-24 21:36 - 019854312 _____ (NVIDIA Corporation) C:\Windows\System32\nvopencl.dll
2018-03-07 07:43 - 2018-02-24 21:36 - 013571008 _____ (NVIDIA Corporation) C:\Windows\System32\nvptxJitCompiler.dll
2018-03-07 07:43 - 2018-02-24 21:36 - 011131696 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvptxJitCompiler.dll
2018-03-07 07:43 - 2018-02-24 21:36 - 000419488 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvumdshim.dll
2018-03-07 07:43 - 2018-02-24 21:35 - 016496080 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvopencl.dll
2018-03-07 07:43 - 2018-02-24 21:35 - 000902280 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvfatbinaryLoader.dll
2018-03-07 07:43 - 2018-02-24 21:35 - 000541672 _____ (NVIDIA Corporation) C:\Windows\System32\nvEncodeAPI64.dll
2018-03-07 07:43 - 2018-02-24 21:35 - 000460024 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvEncodeAPI.dll
2018-03-07 07:43 - 2018-02-24 21:35 - 000182600 _____ (NVIDIA Corporation) C:\Windows\System32\nvinitx.dll
2018-03-07 07:43 - 2018-02-24 21:35 - 000164952 _____ (NVIDIA Corporation) C:\Windows\System32\nvoglshim64.dll
2018-03-07 07:43 - 2018-02-24 21:35 - 000159712 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvinit.dll
2018-03-07 07:43 - 2018-02-24 21:35 - 000142816 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglshim32.dll
2018-03-07 07:43 - 2018-02-24 21:34 - 011000288 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll
2018-03-07 07:43 - 2018-02-24 04:46 - 000226760 _____ (NVIDIA Corporation) C:\Windows\System32\Drivers\nvhda64v.sys
2018-03-07 07:43 - 2018-02-24 04:46 - 000059240 _____ (NVIDIA Corporation) C:\Windows\System32\Drivers\nvvad64v.sys
2018-03-07 07:43 - 2018-02-24 04:46 - 000057928 _____ (NVIDIA Corporation) C:\Windows\System32\Drivers\nvvhci.sys
2018-03-07 07:43 - 2018-02-24 04:46 - 000045600 _____ (NVIDIA Corporation) C:\Windows\System32\nvhdap64.dll
2018-03-07 07:43 - 2018-02-24 04:46 - 000000669 _____ C:\Windows\SysWOW64\nv-vk32.json
2018-03-07 07:43 - 2018-02-24 04:46 - 000000669 _____ C:\Windows\System32\nv-vk64.json
2018-03-07 07:42 - 2018-03-07 07:42 - 000000000 ____D C:\NVIDIA
2018-03-07 06:07 - 2018-03-07 06:07 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsignbc1fc466ee54391e
2018-03-07 06:07 - 2018-03-07 06:07 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign6f4ea9d5863a583e
2018-03-07 05:52 - 2018-03-07 05:53 - 000000000 ____D C:\Program Files (x86)\Upwork
2018-03-06 13:34 - 2018-03-06 13:34 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsignfd67ae2538eaefe8
2018-03-06 13:34 - 2018-03-06 13:34 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign1d6f87f03e5abd48
2018-03-06 06:24 - 2018-03-06 06:24 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsigndbcff5a5b6ae8014
2018-03-06 06:24 - 2018-03-06 06:24 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign65a77a0f2499d0f1
2018-03-06 06:19 - 2018-03-06 06:19 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign904e929e570099ef
2018-03-06 06:19 - 2018-03-06 06:19 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign5c39a21b1cbe2788
2018-03-06 06:10 - 2018-03-06 06:10 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsigne7b28832da5ff3f8
2018-03-06 06:10 - 2018-03-06 06:10 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign3c8561b3964d31d6
2018-03-06 02:47 - 2018-03-06 02:47 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign3da5e4f3b750f00e
2018-03-06 02:47 - 2018-03-06 02:47 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign0c1425faf1163a6e
2018-03-06 02:12 - 2018-03-06 02:26 - 088783682 _____ C:\Users\Gio\Downloads\1472932900.epub
2018-03-05 08:07 - 2018-03-05 08:07 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsignaeeec2027230b6d2
2018-03-05 08:07 - 2018-03-05 08:07 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign1c5d80e2adb1b666
2018-03-05 03:04 - 2018-03-05 03:04 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsignca0577e908ccae3d
2018-03-05 03:04 - 2018-03-05 03:04 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsignc5f342094610b4e8
2018-03-05 01:20 - 2018-03-05 01:20 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsignc4fce52f550e5c47
2018-03-05 00:21 - 2018-03-05 00:21 - 000042572 _____ C:\Users\Gio\Downloads\reflectance.jpeg
2018-03-04 08:35 - 2018-03-04 08:35 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign6abc6f7e7022fb30
2018-03-04 08:35 - 2018-03-04 08:35 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign063c4ab31f385bbf
2018-03-02 10:09 - 2017-08-13 22:00 - 002220872 _____ C:\winrar-x64-550.exe
2018-03-02 10:09 - 2017-08-13 22:00 - 001997168 _____ C:\wrar550.exe
2018-03-02 10:08 - 2017-08-13 22:00 - 002220872 _____ C:\Users\Gio\Downloads\winrar-x64-550.exe
2018-03-02 10:08 - 2017-08-13 22:00 - 001997168 _____ C:\Users\Gio\Downloads\wrar550.exe
2018-03-02 00:25 - 2018-03-02 00:28 - 004581644 _____ C:\Users\Gio\Downloads\Plant.Solute.Transport.pdf
2018-03-01 00:01 - 2018-03-01 00:01 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsignc824733e62d2e423
2018-03-01 00:01 - 2018-03-01 00:01 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign064f44a6a17d4dbf
2018-02-28 01:12 - 2018-02-28 01:14 - 002827660 _____ C:\Users\Gio\Downloads\Your Inner Fish.azw3
2018-02-28 00:13 - 2018-02-28 00:13 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsignc3aafe9b49ea2490
2018-02-28 00:13 - 2018-02-28 00:13 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign72b64a5c883b8daf
2018-02-27 16:03 - 2018-02-27 16:03 - 052874729 _____ C:\Users\Gio\Documents\Untitled (58).wma
2018-02-27 04:26 - 2018-02-27 04:26 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsigne62e510e13a81596
2018-02-27 04:26 - 2018-02-27 04:26 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsignd04938b540ccadc3
2018-02-26 12:46 - 2018-02-26 12:46 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsignba9bc2385b4f2b13
2018-02-26 12:46 - 2018-02-26 12:46 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign387312e220f48b39
2018-02-26 11:14 - 2018-02-26 11:14 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsigneebb574e42a103f2
2018-02-26 07:13 - 2018-02-26 07:13 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign680aadfdad21451c
2018-02-26 07:12 - 2018-02-26 07:12 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign70c775a5fbc03bc5
2018-02-26 06:27 - 2018-02-26 06:27 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsignfd0b2125577f41b8
2018-02-26 06:27 - 2018-02-26 06:27 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign982e54f1d0fae008
2018-02-26 06:27 - 2018-02-26 06:27 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign54f4aeffe332ad84
2018-02-26 06:27 - 2018-02-26 06:27 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign3f817ec59fb920a6
2018-02-26 06:11 - 2018-02-26 06:11 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign8497cfb2173ecf93
2018-02-26 06:11 - 2018-02-26 06:11 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign610f6f7216313a73
2018-02-26 05:24 - 2018-02-26 05:24 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsignb7ccc641f2d909bd
2018-02-26 05:24 - 2018-02-26 05:24 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign04691ef7f3d733d7
2018-02-26 05:22 - 2018-02-26 05:24 - 239659198 _____ C:\Users\Gio\Downloads\X-K0312_Bagatelle_1248_22-new.psd
2018-02-26 05:22 - 2018-02-26 05:24 - 202927152 _____ C:\Users\Gio\Downloads\X-K0312_Bagatelle_1246_23-done-new.psd
2018-02-26 01:01 - 2018-02-26 01:01 - 000000000 ____D C:\materials
2018-02-25 23:52 - 2018-02-25 23:54 - 000000000 ____D C:\Program Files\Sublime Text 3
2018-02-25 23:46 - 2018-02-25 23:51 - 017688451 _____ C:\Users\Gio\Downloads\Sublime.Text.Build.rar
2018-02-25 10:17 - 2018-02-25 10:17 - 000001274 _____ C:\Users\Gio\Downloads\Node-Sets-for-Nuke-1_1.txt
2018-02-25 08:03 - 2018-02-25 08:10 - 029721546 _____ C:\Users\Gio\Downloads\VeryInteresting.pdf
2018-02-25 07:47 - 2018-02-25 07:47 - 000000000 ____D C:\Users\Gio\Creative Cloud Files
2018-02-25 07:29 - 2018-02-25 07:29 - 000002131 _____ C:\Users\Public\Desktop\Adobe Premiere Pro CC 2018.lnk
2018-02-25 07:29 - 2018-02-25 07:29 - 000000000 ____D C:\Users\Public\Documents\AdobeInstalledCodecs
2018-02-25 05:21 - 2018-02-25 05:21 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign30b3997f4bc6cff6
2018-02-25 05:09 - 2018-02-25 05:09 - 000017272 _____ C:\Users\Gio\Downloads\Railworks 3 Train Simulator 2012.rar
2018-02-25 04:27 - 2018-02-25 04:27 - 000011614 _____ C:\Users\Gio\Downloads\Escape.From.Tarkov.PC.rar
2018-02-25 03:29 - 2018-02-25 03:29 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign980e8b0a8ec1dd09
2018-02-25 00:25 - 2018-02-25 00:52 - 033320593 _____ C:\Users\Gio\Downloads\160406207X.epub
2018-02-24 11:03 - 2018-02-24 11:13 - 041649339 _____ C:\Users\Gio\Downloads\First_Space_Encyclopedia.pdf
2018-02-24 04:34 - 2018-02-24 04:34 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsignf7ea6a9f4cb9dd3a
2018-02-24 04:34 - 2018-02-24 04:34 - 000000000 ____D C:\Users\Gio\AppData\Local\Tempzxpsign205a8d7feb33b5a8
2018-02-24 04:32 - 2018-02-24 04:34 - 783578930 _____ C:\Users\Gio\Downloads\RS8315_22_revised.psd
2018-02-23 11:45 - 2018-02-23 11:45 - 000002400 _____ C:\Users\Gio\Downloads\hdvc1083.htm
2018-02-23 09:46 - 2018-02-23 09:46 - 000025731 _____ C:\Users\Gio\Downloads\cameramovement2.fbx
2018-02-22 13:01 - 2018-02-22 13:40 - 000000000 ____D C:\ProgramData\PTZtmp
2018-02-19 09:05 - 2018-02-19 09:18 - 015157759 _____ C:\Users\Gio\Downloads\Giants of the Lost World.epub
2018-02-19 03:15 - 2018-02-19 03:22 - 042540598 _____ C:\Users\Gio\Downloads\TheVFXMasters2017 (1).pdf
2018-02-18 06:57 - 2018-02-18 07:56 - 072799644 _____ C:\Users\Gio\Downloads\B00OP37IIU.EBOK.-.Unknown.azw3
2018-02-18 05:24 - 2018-02-18 05:25 - 003415325 _____ C:\Users\Gio\Downloads\0470094729.pdf
2018-02-18 04:17 - 2018-02-18 04:24 - 150670777 _____ C:\Users\Gio\Downloads\The_World_Almanac_and_Book_of_Facts_2016.epub
2018-02-18 03:39 - 2018-02-18 03:46 - 008399815 _____ C:\Users\Gio\Downloads\PlantsandtheK-Tboundary.pdf
2018-02-18 03:36 - 2018-02-18 03:36 - 002003618 _____ C:\Users\Gio\Downloads\Levkowitz H. Color theory and modeling for computer graphics (Kluwer,1997)(ISBN 0792399285)(T)©(227s)(300dpi)_CsIp_.djvu
2018-02-18 03:14 - 2018-02-18 03:16 - 039528935 _____ C:\Users\Gio\Downloads\Champions of Illusion The Science Behind Mind-Boggling Images and Mystifying Brain Puzzles.epub
2018-02-18 03:14 - 2018-02-18 03:14 - 010714616 _____ C:\Users\Gio\Downloads\Magnitude The Scale of the Universe.azw3
2018-02-18 03:13 - 2018-02-18 03:14 - 018217887 _____ C:\Users\Gio\Downloads\Why_are_Orangutans_Orange_Science_Puzzles_in_Pictures_-_With_Fascinating_Answers.epub
2018-02-18 02:10 - 2018-02-18 02:14 - 028260038 _____ C:\Users\Gio\Downloads\TheBiologyofPolarRegions.pdf
2018-02-17 05:50 - 2018-02-17 05:51 - 000000000 ____D C:\Users\Gio\AppData\Roaming\SumatraPDF
2018-02-17 05:50 - 2018-02-17 05:50 - 000000000 ____D C:\Program Files\SumatraPDF
2018-02-17 05:50 - 2018-02-02 22:56 - 001811012 _____ C:\Users\Gio\Downloads\9780767917018(1).mobi
2018-02-17 04:56 - 2017-12-19 08:46 - 029791189 _____ C:\Users\Gio\Downloads\9780071629980(1).epub
2018-02-17 03:06 - 2018-02-17 03:06 - 001180744 _____ C:\Users\Gio\Downloads\10.1.1.83.7697.pdf
2018-02-17 02:35 - 2018-02-17 02:35 - 001738306 _____ C:\Users\Gio\Downloads\pg33504-images.epub
2018-02-17 02:29 - 2018-02-17 02:29 - 002113964 _____ C:\Users\Gio\Downloads\pg50572-images.mobi
2018-02-17 02:29 - 2018-02-17 02:29 - 000776526 _____ C:\Users\Gio\Downloads\pg50572-images.epub
2018-02-17 00:38 - 2018-02-17 00:38 - 000064902 _____ C:\Users\Gio\Downloads\8QY.htm
2018-02-15 01:26 - 2018-02-15 01:26 - 000000000 ____D C:\ProgramData\Age of Empires 3
2018-02-15 00:10 - 2018-02-15 00:14 - 005346314 _____ C:\Users\Gio\Downloads\3319516841.cd..pdf
2018-02-12 23:38 - 2015-09-17 05:24 - 043657044 _____ C:\Users\Gio\Downloads\Skeleton.ZTL
2018-02-12 23:35 - 2018-02-12 23:36 - 062417338 _____ C:\Users\Gio\Downloads\tomNewbury_anatomyStudy.ZTL
2018-02-12 02:28 - 2018-02-12 02:38 - 012478020 _____ C:\Users\Gio\Downloads\Words for the GRE - Philip Geer.pdf
2018-02-11 07:55 - 2018-02-11 08:09 - 018076017 _____ C:\Users\Gio\Downloads\084930900X.rar
2018-02-11 06:16 - 2018-02-11 06:17 - 018893169 _____ C:\Users\Gio\Downloads\20_-02-01 Maximum PC.pdf
2018-02-11 05:06 - 2018-02-11 05:16 - 061298796 _____ C:\Users\Gio\Downloads\English_for_life_Intermediate_Workbook.rar
2018-02-11 05:06 - 2018-02-11 05:06 - 000012455 _____ C:\Users\Gio\Downloads\captcha.htm
2018-02-10 02:13 - 2018-02-10 02:13 - 000002595 _____ C:\Users\Public\Desktop\TubePlayer.lnk
2018-02-10 02:13 - 2018-02-10 02:13 - 000000000 ____D C:\Users\Gio\AppData\Roaming\TOMYO
2018-02-10 02:13 - 2018-02-10 02:13 - 000000000 ____D C:\Program Files (x86)\TOMYO
2018-02-09 13:29 - 2018-02-09 13:29 - 015859169 _____ C:\Users\Gio\Documents\brain games warmosaxva.wma
2018-02-09 05:12 - 2018-02-09 05:20 - 009704735 _____ C:\Users\Gio\Downloads\SAy it better.rar
2018-02-09 05:11 - 2018-02-09 05:21 - 043826554 _____ C:\Users\Gio\Downloads\Sounds_English.rar
2018-02-09 04:12 - 2018-02-09 04:12 - 000000000 ____D C:\Users\Gio\Desktop\NFS Underground 2
2018-02-09 00:49 - 2018-02-09 00:53 - 000000000 ____D C:\ProgramData\Betternet
2018-02-09 00:48 - 2018-02-12 01:48 - 000000000 ____D C:\Program Files (x86)\Betternet
2018-02-09 00:19 - 2018-02-09 00:19 - 000000000 ____D C:\Program Files (x86)\SumRando
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-03-10 03:53 - 2017-04-19 11:49 - 000000000 ____D C:\Users\Gio\AppData\Roaming\DMCache
2018-03-10 03:50 - 2017-04-19 22:44 - 000000000 ____D C:\Users\Gio\AppData\Roaming\uTorrent
2018-03-10 03:49 - 2017-05-18 00:01 - 000000000 ____D C:\ProgramData\AME
2018-03-10 03:42 - 2018-01-12 07:30 - 000002608 _____ C:\Users\Gio\Desktop\Rkill.txt
2018-03-10 02:19 - 2009-07-13 20:45 - 000021072 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-03-10 02:19 - 2009-07-13 20:45 - 000021072 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-03-10 02:12 - 2017-04-26 06:07 - 000000000 ____D C:\Users\Gio\Documents\temp
2018-03-10 02:11 - 2017-12-17 13:07 - 000000000 _____ C:\hsrv.txt
2018-03-10 02:11 - 2017-04-21 02:18 - 000000000 ____D C:\redshift
2018-03-10 02:11 - 2017-04-20 00:09 - 000000000 ____D C:\ProgramData\Reprise
2018-03-10 02:11 - 2017-04-19 09:31 - 000000000 ____D C:\ProgramData\NVIDIA
2018-03-10 02:11 - 2017-04-19 08:36 - 000000000 ____D C:\ProgramData\Intel
2018-03-10 02:11 - 2009-07-13 21:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-03-10 02:10 - 2017-04-19 08:57 - 000000000 ____D C:\Windows\Install
2018-03-10 01:47 - 2017-09-04 04:20 - 000113880 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2018-03-10 01:10 - 2017-04-19 11:49 - 000000000 ___HD C:\Users\Gio\Downloads\Video
2018-03-10 00:50 - 2017-04-19 11:23 - 000000000 ____D C:\Program Files\Opera
2018-03-10 00:17 - 2017-04-19 14:16 - 000000000 ____D C:\Users\Gio\AppData\Local\CrashDumps
2018-03-10 00:16 - 2009-07-13 19:20 - 000000000 ___HD C:\Windows\System32\GroupPolicy
2018-03-10 00:16 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\SysWOW64\GroupPolicy
2018-03-09 11:38 - 2017-04-20 04:04 - 000000000 ____D C:\Users\Gio\Documents\3dsMax
2018-03-09 05:46 - 2017-04-19 11:23 - 000003830 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1492629802
2018-03-07 08:09 - 2017-04-20 00:26 - 000000000 ____D C:\Users\Gio\AppData\Local\NVIDIA
2018-03-07 07:51 - 2017-04-19 08:17 - 000000000 ____D C:\users\Gio
2018-03-07 07:47 - 2017-04-19 09:32 - 000001422 _____ C:\Users\Public\Desktop\GeForce Experience.lnk
2018-03-07 07:47 - 2017-04-19 09:31 - 000000000 ____D C:\ProgramData\NVIDIA Corporation
2018-03-07 07:47 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\inf
2018-03-07 07:46 - 2016-05-15 12:39 - 002104488 _____ C:\Windows\System32\PerfStringBackup.INI
2018-03-07 07:46 - 2016-04-18 13:26 - 000712990 _____ C:\Windows\System32\perfh00C.dat
2018-03-07 07:46 - 2016-04-18 13:26 - 000451526 _____ C:\Windows\System32\perfh001.dat
2018-03-07 07:46 - 2016-04-18 13:26 - 000135864 _____ C:\Windows\System32\perfc00C.dat
2018-03-07 07:46 - 2016-04-18 13:26 - 000083124 _____ C:\Windows\System32\perfc001.dat
2018-03-07 07:45 - 2017-07-24 11:21 - 000003814 _____ C:\Windows\System32\Tasks\NVIDIA GeForce Experience SelfUpdate_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2018-03-07 07:45 - 2017-04-19 09:31 - 000004146 _____ C:\Windows\System32\Tasks\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2018-03-07 07:45 - 2017-04-19 09:31 - 000003798 _____ C:\Windows\System32\Tasks\NvNodeLauncher_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2018-03-07 07:45 - 2017-04-19 09:31 - 000003738 _____ C:\Windows\System32\Tasks\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2018-03-07 07:45 - 2017-04-19 09:31 - 000003738 _____ C:\Windows\System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2018-03-07 07:45 - 2017-04-19 09:31 - 000003730 _____ C:\Windows\System32\Tasks\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2018-03-07 07:45 - 2017-04-19 09:31 - 000003554 _____ C:\Windows\System32\Tasks\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2018-03-07 07:45 - 2017-04-19 09:31 - 000003494 _____ C:\Windows\System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2018-03-07 07:45 - 2017-04-19 09:30 - 000000000 ____D C:\Program Files\NVIDIA Corporation
2018-03-07 07:45 - 2017-04-19 09:30 - 000000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2018-03-07 05:53 - 2017-11-28 08:54 - 000000000 ____D C:\Users\Gio\AppData\Local\Upwork
2018-03-06 13:42 - 2017-11-12 22:52 - 000000112 _____ C:\Users\Gio\AppData\Roaming\JP2K CS6 Prefs
2018-03-06 05:13 - 2017-04-19 11:55 - 000000000 ____D C:\Users\Gio\AppData\Roaming\Skype
2018-03-05 04:19 - 2009-07-13 21:08 - 000032528 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2018-03-02 10:11 - 2017-04-19 09:48 - 000000000 ____D C:\Program Files\WinRAR
2018-03-02 10:10 - 2017-04-19 09:49 - 000000000 ____D C:\Users\Gio\AppData\Roaming\WinRAR
2018-02-28 04:43 - 2017-04-19 08:20 - 000002193 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-02-28 01:18 - 2017-04-19 11:49 - 000000000 ____D C:\Users\Gio\Downloads\Compressed
2018-02-26 06:30 - 2017-12-07 04:55 - 000004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2018-02-26 06:27 - 2017-05-11 06:42 - 000000033 _____ C:\Users\Gio\AppData\Roaming\AdobeWLCMCache.dat
2018-02-26 00:03 - 2017-04-20 02:13 - 000000000 ____D C:\Users\Gio\.nuke
2018-02-25 07:29 - 2017-04-20 04:28 - 000000000 ____D C:\Users\Gio\Documents\Adobe
2018-02-25 07:29 - 2017-04-20 04:27 - 000000000 ____D C:\Program Files\Common Files\Adobe
2018-02-25 07:29 - 2017-04-20 04:27 - 000000000 ____D C:\Program Files\Adobe
2018-02-25 07:29 - 2017-04-19 08:17 - 000000000 ____D C:\Users\Gio\AppData\Roaming\Adobe
2018-02-25 05:40 - 2017-05-25 01:38 - 000000000 ____D C:\Users\Gio\Documents\My Games
2018-02-25 05:22 - 2017-05-14 00:41 - 000000000 ____D C:\Users\Gio\AppData\Local\SKIDROW
2018-02-24 21:41 - 2017-04-19 09:30 - 035619872 _____ (NVIDIA Corporation) C:\Windows\System32\nvoglv64.dll
2018-02-24 21:36 - 2017-04-19 09:30 - 022845992 _____ (NVIDIA Corporation) C:\Windows\System32\nvwgf2umx.dll
2018-02-24 21:36 - 2017-04-19 09:30 - 019925592 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvwgf2um.dll
2018-02-24 21:36 - 2017-04-19 09:30 - 000505232 _____ (NVIDIA Corporation) C:\Windows\System32\nvumdshimx.dll
2018-02-24 21:35 - 2017-04-19 09:30 - 001153752 _____ (NVIDIA Corporation) C:\Windows\System32\nvfatbinaryLoader.dll
2018-02-24 21:34 - 2017-04-19 09:30 - 018910384 _____ (NVIDIA Corporation) C:\Windows\System32\nvd3dumx.dll
2018-02-24 21:34 - 2017-04-19 09:30 - 015558416 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvd3dum.dll
2018-02-24 21:34 - 2017-04-19 09:30 - 012966032 _____ (NVIDIA Corporation) C:\Windows\System32\nvcuda.dll
2018-02-24 21:34 - 2017-04-19 09:30 - 004424400 _____ (NVIDIA Corporation) C:\Windows\System32\nvapi64.dll
2018-02-24 21:34 - 2017-04-19 09:30 - 003918512 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvapi.dll
2018-02-24 09:16 - 2017-04-20 05:29 - 000000000 ____D C:\Users\Gio\AppData\Roaming\vlc
2018-02-24 04:46 - 2017-07-24 11:21 - 000187704 _____ (NVIDIA Corporation) C:\Windows\System32\nvaudcap64v.dll
2018-02-24 04:46 - 2017-07-24 11:21 - 000152976 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvaudcap32v.dll
2018-02-24 04:46 - 2017-04-26 08:08 - 000001951 _____ C:\Windows\NvTelemetryContainerRecovery.bat
2018-02-24 04:46 - 2017-04-19 09:31 - 002424904 _____ (NVIDIA Corporation) C:\Windows\System32\nvspcap64.dll
2018-02-24 04:46 - 2017-04-19 09:31 - 002090056 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvspcap.dll
2018-02-24 04:46 - 2017-04-19 09:31 - 001309256 _____ (NVIDIA Corporation) C:\Windows\System32\NvRtmpStreamer64.dll
2018-02-24 04:46 - 2017-04-19 09:31 - 000001951 _____ C:\Windows\NvContainerRecovery.bat
2018-02-24 04:46 - 2017-04-19 09:30 - 001682288 _____ (NVIDIA Corporation) C:\Windows\System32\nvhdagenco6420103.dll
2018-02-24 04:46 - 2017-04-19 09:30 - 000045511 _____ C:\Windows\System32\nvinfo.pb
2018-02-23 11:22 - 2017-04-19 09:31 - 005953096 _____ (NVIDIA Corporation) C:\Windows\System32\nvcpl.dll
2018-02-23 11:22 - 2017-04-19 09:31 - 002587992 _____ (NVIDIA Corporation) C:\Windows\System32\nvsvc64.dll
2018-02-23 11:22 - 2017-04-19 09:31 - 001768008 _____ (NVIDIA Corporation) C:\Windows\System32\nvsvcr.dll
2018-02-23 11:22 - 2017-04-19 09:31 - 000633984 _____ (NVIDIA Corporation) C:\Windows\System32\nv3dappshext.dll
2018-02-23 11:22 - 2017-04-19 09:31 - 000451144 _____ (NVIDIA Corporation) C:\Windows\System32\nvmctray.dll
2018-02-23 11:22 - 2017-04-19 09:31 - 000122896 _____ (NVIDIA Corporation) C:\Windows\System32\nvshext.dll
2018-02-23 11:22 - 2017-04-19 09:31 - 000081752 _____ (NVIDIA Corporation) C:\Windows\System32\nv3dappshextr.dll
2018-02-20 12:42 - 2017-08-25 02:59 - 000000000 ____D C:\ProgramData\TEMP
2018-02-19 23:30 - 2017-04-24 09:32 - 000000000 ____D C:\Users\Gio\AppData\LocalLow\Mozilla
2018-02-18 04:40 - 2017-04-23 07:50 - 000000000 ___HD C:\Users\Gio\Downloads\vds
2018-02-17 23:40 - 2017-12-18 09:34 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-02-17 23:40 - 2017-04-24 09:32 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-02-16 06:48 - 2017-04-19 09:31 - 008083703 _____ C:\Windows\System32\nvcoproc.bin
2018-02-15 09:20 - 2017-04-26 06:05 - 000000000 ____D C:\Program Files (x86)\RivaTuner Statistics Server
2018-02-15 00:13 - 2017-04-19 09:24 - 000803328 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2018-02-15 00:13 - 2017-04-19 09:24 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2018-02-15 00:13 - 2017-04-19 09:24 - 000004466 _____ C:\Windows\System32\Tasks\Adobe Flash Player PPAPI Notifier
2018-02-15 00:13 - 2017-04-19 09:24 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2018-02-15 00:13 - 2017-04-19 09:24 - 000000000 ____D C:\Windows\System32\Macromed
2018-02-15 00:13 - 2017-04-19 09:23 - 000000000 ____D C:\Users\Gio\AppData\Local\Adobe
 
Some files in TEMP:
====================
2018-03-10 02:04 - 2018-03-10 02:04 - 000633856 _____ () C:\Users\Gio\AppData\Local\Temp\14431.exe
2018-03-10 02:05 - 2018-03-10 02:05 - 000146432 _____ () C:\Users\Gio\AppData\Local\Temp\14532.exe
2018-03-10 01:16 - 2018-03-10 01:16 - 000922719 ___SH () C:\Users\Gio\AppData\Local\Temp\3562.tmp.exe
2018-03-10 01:16 - 2018-03-10 01:16 - 000244736 _____ () C:\Users\Gio\AppData\Local\Temp\3B8A.tmp.exe
2018-03-10 01:16 - 2018-03-10 01:16 - 000835067 _____ () C:\Users\Gio\AppData\Local\Temp\4387.tmp.exe
2018-03-10 00:16 - 2018-03-10 00:16 - 000822272 _____ () C:\Users\Gio\AppData\Local\Temp\AudioConverter.exe
2018-02-07 23:23 - 2018-02-07 23:23 - 000010240 _____ () C:\Users\Gio\AppData\Local\Temp\GrLauncherTempSetup.exe
2018-03-10 00:16 - 2018-03-10 00:16 - 002138112 _____ (Microsoft Corporation) C:\Users\Gio\AppData\Local\Temp\installer_mi.exe
2018-03-10 00:16 - 2018-03-10 00:16 - 000572408 _____ (Mail.Ru) C:\Users\Gio\AppData\Local\Temp\LiteDistrib.exe
2017-04-19 09:31 - 2017-03-16 14:56 - 000867968 _____ (NVIDIA Corporation) C:\Users\Gio\AppData\Local\Temp\nvSCPAPI64.dll
2018-03-07 07:43 - 2017-03-16 14:56 - 000352704 _____ (NVIDIA Corporation) C:\Users\Gio\AppData\Local\Temp\nvStInst.exe
2018-02-09 00:20 - 2018-02-09 00:20 - 001862144 _____ (Opera Software) C:\Users\Gio\AppData\Local\Temp\Opera_installer_2018292040125.dll
2018-02-09 00:20 - 2018-02-09 00:20 - 001862144 _____ (Opera Software) C:\Users\Gio\AppData\Local\Temp\Opera_installer_201829204043.dll
2018-02-09 00:20 - 2018-02-09 00:20 - 001862144 _____ (Opera Software) C:\Users\Gio\AppData\Local\Temp\Opera_installer_201829204065.dll
2018-02-09 00:20 - 2018-02-09 00:20 - 001862144 _____ (Opera Software) C:\Users\Gio\AppData\Local\Temp\Opera_installer_2018292059246.dll
2018-02-09 00:21 - 2018-02-09 00:21 - 001862144 _____ (Opera Software) C:\Users\Gio\AppData\Local\Temp\Opera_installer_201829210700.dll
2018-02-09 00:21 - 2018-02-09 00:21 - 001862144 _____ (Opera Software) C:\Users\Gio\AppData\Local\Temp\Opera_installer_201829210720.dll
2018-02-09 00:21 - 2018-02-09 00:21 - 002156544 _____ (Opera Software) C:\Users\Gio\AppData\Local\Temp\Opera_installer_201829214612.dll
2018-02-09 00:21 - 2018-02-09 00:21 - 002156544 _____ (Opera Software) C:\Users\Gio\AppData\Local\Temp\Opera_installer_201829214951.dll
2017-07-23 15:28 - 2017-07-23 15:28 - 000145184 ____R (Microsoft Corporation) C:\Users\Gio\AppData\Local\Temp\ose00000.exe
2018-02-04 06:49 - 2016-11-25 06:42 - 000032768 _____ () C:\Users\Gio\AppData\Local\Temp\shutdown1517755764.exe
2018-03-10 03:48 - 2018-03-10 03:45 - 001514568 _____ (Symantec Corporation) C:\Users\Gio\AppData\Local\Temp\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}_NGC__{4778D284-AA9C-4456-B4D1-90D124F1ECB6}.exe
 
==================== Known DLLs (Whitelisted) =========================
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== Association (Whitelisted) =============
 
 
==================== Restore Points  =========================
 
 
==================== BCD ================================
 
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=Y:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {default}
resumeobject            {9987b498-257f-11e7-9f7a-932196124130}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30
 
Windows Boot Loader
-------------------
identifier              {default}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {current}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {9987b498-257f-11e7-9f7a-932196124130}
nx                      OptIn
 
Windows Boot Loader
-------------------
identifier              {current}
device                  ramdisk=[C:]\Recovery\9987b49a-257f-11e7-9f7a-932196124130\Winre.wim,{9987b49b-257f-11e7-9f7a-932196124130}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[C:]\Recovery\9987b49a-257f-11e7-9f7a-932196124130\Winre.wim,{9987b49b-257f-11e7-9f7a-932196124130}
systemroot              \windows
nx                      OptIn
winpe                   Yes
 
Resume from Hibernate
---------------------
identifier              {9987b498-257f-11e7-9f7a-932196124130}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No
 
Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=Y:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes
 
EMS Settings
------------
identifier              {emssettings}
bootems                 Yes
 
Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200
 
RAM Defects
-----------
identifier              {badmemory}
 
Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}
 
Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}
 
Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200
 
Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}
 
Device options
--------------
identifier              {9987b49b-257f-11e7-9f7a-932196124130}
description             Ramdisk Options
ramdisksdidevice        partition=C:
ramdisksdipath          \Recovery\9987b49a-257f-11e7-9f7a-932196124130\boot.sdi
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 7%
Total physical RAM: 16325.84 MB
Available physical RAM: 15031.63 MB
Total Virtual: 16324.04 MB
Available Virtual: 15038.52 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:232.54 GB) (Free:8.86 GB) NTFS
Drive d: (New Volume) (Fixed) (Total:433.17 GB) (Free:2.28 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (Cache) (Fixed) (Total:251.17 GB) (Free:1.32 GB) NTFS
Drive f: (Files) (Fixed) (Total:1611.33 GB) (Free:7.52 GB) NTFS
Drive g: (Mars) (Fixed) (Total:1863.01 GB) (Free:589.37 GB) NTFS
Drive i: (Media) (Fixed) (Total:498.34 GB) (Free:2.73 GB) NTFS
Drive j: (FLASH) (Removable) (Total:14.52 GB) (Free:14.51 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.34 GB) (Free:0.3 GB) NTFS ==>[system with boot components (obtained from drive)]
 
\\?\Volume{3dfa2b10-3c7b-4f68-a060-4e1d5ff3091d}\ (Recovery) (Fixed) (Total:0.29 GB) (Free:0.04 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 232.9 GB) (Disk ID: 1A31AD76)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=232.5 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7/8/10) (Size: 931.5 GB) (Disk ID: 2E36CC17)
Partition 1: (Active) - (Size=433.2 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=498.3 GB) - (Type=07 NTFS)
 
========================================================
Disk: 2 (Protective MBR) (Size: 1863 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
========================================================
Disk: 3 (MBR Code: Windows 7/8/10) (Size: 1863 GB) (Disk ID: 5147F586)
Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)
 
========================================================
Disk: 4 (Size: 14.5 GB) (Disk ID: 007DBD96)
Partition 1: (Active) - (Size=14.5 GB) - (Type=0C)
 
LastRegBack: 2018-03-09 08:33
 
==================== End of FRST.txt ============================

Attached file: FRST.txt (48.95 KB)

 


#2 garioch7 (RCMP Veteran, Malware Response Instructor, Port Hood, Nova Scotia, Canada)

Posted 11 March 2018 - 06:11 AM

George_:

Welcome to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum. My name is Phil. May I address you by your first name?

I will be assisting you with your computer issues. I will endeavor to respond within a reasonable time. Forum policy requires that I post within 48 hours after your last post, but I do endeavor to post within 24 hours of your last post.

I would ask that you please continue to copy and paste the contents of all requested log files directly into your replies. Please do not use "code" or "quote" boxes. Thank you for your anticipated cooperation.

I will need some time to review your FRST logs. That could take a day or two, but I do hope to post back this afternoon to you.

PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues. It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#3 George_ (Topic Starter)

Posted 11 March 2018 - 06:37 AM

Hello Phil
Thank you very much for trying to help me.
I am a graphic artist and I have my work on this PC; tomorrow is Monday and I have so much work to do. What a bad time to be hit by malware.
I know how much time it takes to review these logs.

I look forward to your assistance.
Thank you again.

 



#4 garioch7 (RCMP Veteran, Malware Response Instructor, Port Hood, Nova Scotia, Canada)

Posted 11 March 2018 - 06:46 AM

George_:
 
Thank you for your post.  I will do my best to assist you in a timely manner, but tomorrow might be a bit soon for a full disinfection.  This being Sunday, I will be away this morning, but I will do my best to get you an initial "fix" this afternoon.
 
In the meantime, would you run SystemLook for me?
 
Step 1: Please download SystemLook from one of the links below and save it to your Desktop.
For 32-bit versions of Windows: SystemLook.exe
For 64-bit versions of Windows: SystemLook_x64.exe

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
mofcomp.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please copy and paste the contents of this log into your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt.


Thank you and have a great day.

Regards,
-Phil
 


Member of the Unified Network of Instructors and Trusted Eliminators


#5 garioch7 (RCMP Veteran, Malware Response Instructor, Port Hood, Nova Scotia, Canada)

Posted 11 March 2018 - 06:53 AM

George_:

 

Do you have System Restore points activated?  If so, you could boot into Windows 7 Recovery mode and try to do a system restore from before the computer was infected.  If you can get into Safe Mode, or to the Command Prompt (rstrui.exe), you could try to restore your computer to an earlier time.

 

Good luck and have a great day.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#6 George_ (Topic Starter)

Posted 11 March 2018 - 07:29 AM

I think I cannot get into Safe Mode. The System Restore window says: no restore points have been created on your computer's system drive.

I cannot run SystemLook.exe because the PC does not boot. It brings me to the Startup Repair window, which says that it cannot repair this computer automatically.

 

All I can do is:
Startup Repair
System restore
System image recovery
Windows memory diagnostic
Command prompt

Thanks



#7 George_ (Topic Starter)

Posted 11 March 2018 - 07:33 AM

Or maybe I can run SystemLook from flash drive like I did for FRST. Can you confirm this?



#8 garioch7 (RCMP Veteran, Malware Response Instructor, Port Hood, Nova Scotia, Canada)

Posted 11 March 2018 - 07:34 AM

George_:

 

Thank you for your post and the update.  Sounds like your computer is seriously compromised and that this will not be a simple, quick fix.

 

Do you have any idea of what you might have downloaded or clicked on?

 

I have only started analyzing your FRST logs and I have already found some very suspicious, probably malicious, entries in the logs.

 

I have to go now, but I will be back online around noon, local time.

 

Thank you for your patience.  Have a great day, despite the sick computer.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#9 garioch7 (RCMP Veteran, Malware Response Instructor, Port Hood, Nova Scotia, Canada)

Posted 11 March 2018 - 07:40 AM

George_:

 

I don't know if SystemLook will run in Recovery Mode.  You can try.  Nothing ventured, nothing gained.

 

I guess our posts crossed.

 

Good luck and have a great day.  Talk to you later.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#10 George_ (Topic Starter)

Posted 11 March 2018 - 08:46 AM

Thanks for reviewing FRST log.
I tried to run SystemLook from flash drive, I followed your instructions but when I clicked Scan, nothing happened.

Here is what I did before the current situation.

I quickly downloaded a video converter from a website I do not remember. That is how everything started. Before this download my PC was working fine.
1. First it installed mail.ru services, I removed mail.ru with adware and Rkill from Windows and Chrome.

2. After some time nameless window appeared and required to type password.
3. Then I noticed high CPU usage by svchost.exe - I followed online guides on how to remove svchost.exe from computer but I was not able to open CMD.
4. Then I tried to end svchost.exe with Task Manager. Ending svchost.exe caused blue screen to appear with the warning: a problem has been detected and windows has been shutdown to prevent damage to your computer. (there was more text on the screen)    PC restarted normally.
5. I ran Malwarebytes anti-malware and Hitman Pro scan, they found malware and Trojan. I removed them and restarted PC normally.
6. svchost.exe was still there with 50% CPU usage, I clicked "end process" in Task Manager, again it caused the same blue screen to appear but now PC was not able to boot.
 


Edited by George_, 11 March 2018 - 08:51 AM.
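The point made in this thread, that svchost.exe is a legitimate Windows process name and that only the instance loading from the wrong place is the problem (the fixlist later in the thread shows exactly such entries: an svchost.exe under AppData\Local and a dwm.exe under AppData\Roaming), can be turned into a triage check over FRST-style log lines. The following Python is an added example written for this page; it is not FRST's or SystemLook's code and none of its names (SYSTEM_PROCESS_NAMES, SYSTEM_DIRS, check_autoruns, check_temp_files, Finding) come from either tool. It parses constructed sample lines modelled on the log formats seen in this thread and flags Run values whose target borrows a system-binary name from outside the Windows directory, Run values pointing into a Temp directory, and executables in Temp that carry System+Hidden attributes or have no publisher string and were created inside the incident window.

```python
"""Triage checks over FRST-style log lines (added example, not FRST's or SystemLook's code)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import List

# Windows binaries whose names malware commonly borrows. The genuine copies live under
# the Windows directory, so the same name loaded from anywhere else deserves a look.
SYSTEM_PROCESS_NAMES = {
    "svchost.exe", "dwm.exe", "explorer.exe", "csrss.exe", "lsass.exe",
    "winlogon.exe", "services.exe", "wininit.exe", "taskhost.exe",
}
# Where a genuine copy runs from (assumes a default C:\Windows installation).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXE_EXTENSIONS = (".exe", ".dll", ".scr", ".com")

# Autorun line:  HKU\Gio\...\Run: [value] => "C:\path\file.exe" <==== ATTENTION
RUN_RE = re.compile(
    r'^(?P<key>HK[A-Z]+\\.*?\\Run[A-Za-z]*): \[(?P<value>[^\]]*)\] => '
    r'"?(?P<path>[A-Za-z]:\\[^"<\[]*?\.(?:exe|dll|scr|com|bat|cmd|vbs|js))"?',
    re.IGNORECASE,
)
# File line:  created - modified - size attrs (publisher) C:\path   (publisher may be absent)
FILE_RE = re.compile(
    r'^(?P<created>\d{4}-\d\d-\d\d) \d\d:\d\d - (?P<modified>\d{4}-\d\d-\d\d) \d\d:\d\d - '
    r'(?P<size>\d{9}) (?P<attrs>[_A-Z]{5}) (?:\((?P<publisher>[^)]*)\) )?(?P<path>.+)$'
)

# Constructed sample lines in FRST's format. The two ATTENTION entries and the Temp
# entries copy shapes seen in this thread; the "Example Vendor" line is a benign control.
SAMPLE_AUTORUNS = r"""
HKLM\...\Run: [ExampleUpdater] => C:\Program Files\Example Vendor\updater.exe [123456 2017-04-19] (Example Vendor)
HKU\Gio\...\Run: [KfccHBPnPn] => "C:\Users\Gio\AppData\Local\KAHBPS~1\svchost.exe" <==== ATTENTION
HKU\Gio\...\Run: [dwm] => c:\users\gio\appdata\roaming\26646386\dwm.exe <==== ATTENTION
"""
SAMPLE_FILES = r"""
2018-03-10 02:04 - 2018-03-10 02:04 - 000633856 _____ () C:\Users\Gio\AppData\Local\Temp\14431.exe
2018-03-10 01:16 - 2018-03-10 01:16 - 000922719 ___SH () C:\Users\Gio\AppData\Local\Temp\3562.tmp.exe
2018-03-10 00:16 - 2018-03-10 00:16 - 002138112 _____ (Microsoft Corporation) C:\Users\Gio\AppData\Local\Temp\installer_mi.exe
2017-07-23 15:28 - 2017-07-23 15:28 - 000145184 ____R (Microsoft Corporation) C:\Users\Gio\AppData\Local\Temp\ose00000.exe
2018-03-10 02:19 - 2009-07-13 20:45 - 000021072 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
"""


@dataclass
class Finding:
    rule: str
    path: str
    detail: str


def _norm(path: str) -> str:
    return path.strip().lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def check_autoruns(lines) -> List[Finding]:
    """Flag Run values that load a system-binary name from outside the Windows directory,
    and any Run value whose target sits in a Temp directory."""
    findings = []
    for line in lines:
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        path, name = m.group("path"), _basename(m.group("path"))
        if name in SYSTEM_PROCESS_NAMES and not _norm(path).startswith(SYSTEM_DIRS):
            findings.append(Finding(
                "system-name-outside-windows", path,
                f"Run value [{m.group('value')}] loads {name} from a non-system directory"))
        elif "\\temp\\" in _norm(path):
            findings.append(Finding("autorun-from-temp", path, f"Run value [{m.group('value')}]"))
    return findings


def check_temp_files(lines, since: str) -> List[Finding]:
    """Flag executables in Temp that are System+Hidden, or that carry no publisher string
    and were created on or after `since` (ISO date: start of the incident window).
    The publisher string is only the file's version resource, so its presence clears
    nothing; its absence on a fresh Temp executable just raises its priority."""
    since_day = date.fromisoformat(since)
    findings = []
    for line in lines:
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        if "\\temp\\" not in _norm(path) or not _norm(path).endswith(EXE_EXTENSIONS):
            continue
        attrs = m.group("attrs")
        created = date.fromisoformat(m.group("created"))
        publisher = (m.group("publisher") or "").strip()
        if "S" in attrs and "H" in attrs:
            findings.append(Finding("hidden-system-exe-in-temp", path, f"attributes {attrs}"))
        elif not publisher and created >= since_day:
            findings.append(Finding("no-publisher-recent-exe-in-temp", path,
                                    f"created {created}, no publisher string"))
    return findings


if __name__ == "__main__":
    results = check_autoruns(SAMPLE_AUTORUNS.splitlines())
    results += check_temp_files(SAMPLE_FILES.splitlines(), "2018-03-10")
    for f in results:
        print(f"{f.rule:32} {f.path}  ({f.detail})")
```

Run against the samples, the two ATTENTION autoruns are reported and the benign updater is not; in the Temp set, the System+Hidden 3562.tmp.exe and the publisher-less 14431.exe created on the incident day are reported, while the two entries carrying a Microsoft publisher string are left for manual review rather than cleared. A flagged line is a lead to verify (hash, signature, parent process), not a verdict.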


#11 garioch7 (RCMP Veteran, Malware Response Instructor, Port Hood, Nova Scotia, Canada)

Posted 11 March 2018 - 11:17 AM

George_:

Thank you for your patience while I analyzed your FRST logs.

Thank you also for your update on what caused the problem to occur. The file svchost.exe is a legitimate Windows process; however, it can be, and it is, hijacked by malware, so you have to be careful WHICH instance(s) of svchost.exe you end.

Before we start dealing with the problems you are experiencing, I would ask you to take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I can only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools. Malware removal can cause unpredictable and unintended issues. Also you should be aware that some of the tools and scripts that will be used, will remove malware detected, without notice.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post(s), unless otherwise instructed. Please do not use code or quote boxes.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

OK, let's get started ...

Step 1: Are you familiar with this shortcut? It is suspicious.
 

Startup: C:\Users\Gio\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tdbdichi.lnk [2018-03-10]

Step 2: You may have a torrent program installed. I can't tell for sure because no "Addition.txt" file is produced in the Recovery Environment.
 

C:\Users\Gio\AppData\Roaming\uTorrent

 
Please consider the following advice to reduce the possibility of being infected when surfing the web.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, your computer will get infected again.
I would recommend that you uninstall uTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

Step 3: Please run a FRST fix for me. You will note that I am trying to gather information on some possible suspicious entries.

NOTICE: This FRST "fixlist" script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

Start::
HKU\Gio\...\Run: [KfccHBPnPn] => "C:\Users\Gio\AppData\Local\KAHBPS~1\svchost.exe" <==== ATTENTION
HKU\Gio\...\Run: [dwm] => c:\users\gio\appdata\roaming\26646386\dwm.exe <==== ATTENTION
File: C:\ProgramData\Intel\IntelGFX.exe
File: C:\ProgramData\AME\AME.exe
File: C:\ProgramData\Intel\IntelADTSvc.exe
File: C:\Windows\SysWOW64\oesaebmj\npdesacm.exe
File: C:\Windows\System32\drivers\nloswjb.sys
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
Folder: C:\Users\Gio\AppData\Local\kahBPslLln
File: C:\Users\Gio\AppData\Local\Temp\shutdown1517755764.exe
End::
  • Please highlight the entire contents of the code box above, from the "Start::" line to the "End::" line, including both of those lines, right click, and select "Copy", which will copy the "fix" script into the Windows clipboard. I have also attached this file as "fixlist.txt" so that you can simply download it and copy it to the USB flash drive from which you are running FRST. There will be no need to copy and paste: FRST will look automatically for a file called "fixlist.txt" and execute it.
  • Right click FRST64.exe, and select "Run as Administrator".
  • Press the Fix button once and wait.
  • Please reboot the computer, if requested.
  • A log file called "fixlog.txt" will be saved in the same folder as the FRST program is located.
  • Please copy and paste the contents of the "fixlog.txt" file into your next reply.

.

Step 4: Many of your partitions have far less than the 15 to 25 percent free space recommended for Windows. This means that, at the best of times, the performance of your computer will be very poor. You should try to free up some space, particularly on the OS drive.

 

Drive c: () (Fixed) (Total:232.54 GB) (Free:8.86 GB) NTFS
Drive d: (New Volume) (Fixed) (Total:433.17 GB) (Free:2.28 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (Cache) (Fixed) (Total:251.17 GB) (Free:1.32 GB) NTFS
Drive f: (Files) (Fixed) (Total:1611.33 GB) (Free:7.52 GB) NTFS

 

.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#12 George_ (Topic Starter; Members; 40 posts)

Posted 11 March 2018 - 12:03 PM

I appreciate your help.

No, I am not familiar with this shortcut. I think it appeared in my startup list after this problem.

Yes, I have uTorrent installed and I will remove it. I will never use it again.

I am always out of space because of huge file sizes of my work.

Here is a fixlog


 

Fix result of Farbar Recovery Scan Tool (x64) Version: 10.03.2018
Ran by SYSTEM (11-03-2018 20:51:20) Run:1
Running from j:\
Boot Mode: Recovery
==============================================
 
fixlist content:
*****************
HKU\Gio\...\Run: [KfccHBPnPn] => "C:\Users\Gio\AppData\Local\KAHBPS~1\svchost.exe" <==== ATTENTION
HKU\Gio\...\Run: [dwm] => c:\users\gio\appdata\roaming\26646386\dwm.exe <==== ATTENTION
File: C:\ProgramData\Intel\IntelGFX.exe
File: C:\ProgramData\AME\AME.exe
File: C:\ProgramData\Intel\IntelADTSvc.exe
File: C:\Windows\SysWOW64\oesaebmj\npdesacm.exe
File: C:\Windows\System32\drivers\nloswjb.sys
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
Folder: C:\Users\Gio\AppData\Local\kahBPslLln
File: C:\Users\Gio\AppData\Local\Temp\shutdown1517755764.exe
 
*****************
 
"HKU\Gio\Software\Microsoft\Windows\CurrentVersion\Run\\KfccHBPnPn" => not found
"HKU\Gio\Software\Microsoft\Windows\CurrentVersion\Run\\dwm" => removed successfully
 
========================= File: C:\ProgramData\Intel\IntelGFX.exe ========================
 
C:\ProgramData\Intel\IntelGFX.exe
MD5: E7A4DDADAECF94AE004941BA8256B776
Creation and modification date: 2017-07-30 07:18 - 2017-07-24 00:50
Size: 002288616
Attributes: ----H
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
VirusTotal: 0
 
====== End of File: ======
 
 
========================= File: C:\ProgramData\AME\AME.exe ========================
 
C:\ProgramData\AME\AME.exe
MD5: 2BAFB32EEE4371DFEA195EAC8E1CB926
Creation and modification date: 2017-05-18 00:02 - 2016-12-28 09:36
Size: 002753536
Attributes: ----A
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
VirusTotal: 0
 
====== End of File: ======
 
 
========================= File: C:\ProgramData\Intel\IntelADTSvc.exe ========================
 
C:\ProgramData\Intel\IntelADTSvc.exe
MD5: 8813ACEF742B0C467698AEA82E04FD24
Creation and modification date: 2018-02-22 13:40 - 2018-02-22 13:40
Size: 002586039
Attributes: ----H
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
VirusTotal: 0
 
====== End of File: ======
 
 
========================= File: C:\Windows\SysWOW64\oesaebmj\npdesacm.exe ========================
 
C:\Windows\SysWOW64\oesaebmj\npdesacm.exe
MD5: F84605A533C9DE5BC64251197810D930
Creation and modification date: 2018-03-10 00:17 - 2018-03-10 00:17
Size: 014852096
Attributes: ----A
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
VirusTotal: 0
 
====== End of File: ======
 
 
========================= File: C:\Windows\System32\drivers\nloswjb.sys ========================
 
C:\Windows\System32\drivers\nloswjb.sys
MD5: 02F898C14C70DDCD9ECC5245AFF86BA4
Creation and modification date: 2018-03-10 02:10 - 2018-03-10 02:10
Size: 000079064
Attributes: ----A
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
VirusTotal: 0
 
====== End of File: ======
 
"HKLM\System\ControlSet002\Services\VGPU" => removed successfully
VGPU => service removed successfully
"HKLM\System\ControlSet002\Services\xhunter1" => removed successfully
xhunter1 => service removed successfully
 
========================= Folder: C:\Users\Gio\AppData\Local\kahBPslLln ========================
 
2018-03-10 01:17 - 2018-03-10 01:57 - 000003272 ____A [BB19D91A3E9E53ED8220EE6F0E9903F6] () C:\Users\Gio\AppData\Local\kahBPslLln\dcf47667da
 
====== End of Folder: ======
 
 
========================= File: C:\Users\Gio\AppData\Local\Temp\shutdown1517755764.exe ========================
 
C:\Users\Gio\AppData\Local\Temp\shutdown1517755764.exe
MD5: 86C7C2BA6D3CBCE54E3991D834E24907
Creation and modification date: 2018-02-04 06:49 - 2016-11-25 06:42
Size: 000032768
Attributes: ----A
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
VirusTotal: 0
 
====== End of File: ======
 
 
==== End of Fixlog 20:51:26 ====


#13 garioch7 (RCMP Veteran; Malware Response Instructor; 3,727 posts; Port Hood, Nova Scotia, Canada)

Posted 11 March 2018 - 01:11 PM

George_:

Thank you for your post and for the FRST "fixlog.txt" file contents.

Based on the non-results of my information gathering in the first FRST "fixlist.txt" script, I think that we can reasonably safely assume that the entries that I identified are not beneficial to your computer. That said, it is your computer, so it is ALWAYS YOUR decision whether you want to proceed.

I am assuming that you have no recent backups or system images from which you could restore? I always try to err on the side of caution when approaching entries that I cannot positively identify as malware, particularly when we have no backups to resort to, in the event of a calamity. Malware removal is not without real risks.

 

So you have a decision as to proceed, or not, with the FRST "fixlist" script that I am attaching. I am placing the code in this post so that you can examine the content. The script will nuke the suspicious entries, but I cannot guarantee those entries are malware-related, so running the script might further disable your computer, leaving you with the task of reinstalling/repairing Windows and reinstalling all of your programs and data.

That said, if it was my computer, I would take the chance because right now we seem to be running out of good options ... :(

Step 1: So, if you are willing, please run a FRST "fix" again for me, using the "fixlist.txt" file attached to this post. Copy it to the USB flash drive that has FRST64.exe on it.



C:\Users\Gio\AppData\Local\KAHBPS~1
C:\users\gio\appdata\roaming\26646386
HKU\Gio\...\Run: [Intel Graphic Loader Extension] => C:\ProgramData\Intel\IntelGFX.exe [2288616 2017-07-24] ()
C:\ProgramData\Intel\IntelGFX.exe
HKU\Gio\...\Run: [AME Start] => C:\ProgramData\AME\AME.exe [2753536 2016-12-28] ()
C:\ProgramData\AME
HKU\Gio\...\Run: [Intel] => C:\ProgramData\Intel\IntelADTSvc.exe [2586039 2018-02-22] ()
C:\ProgramData\Intel\IntelADTSvc.exe
Startup: C:\Users\Gio\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tdbdichi.lnk [2018-03-10]
ShortcutTarget: tdbdichi.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
C:\Users\Gio\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tdbdichi.lnk
S2 oesaebmj; C:\Windows\SysWOW64\oesaebmj\npdesacm.exe [14852096 2018-03-10] ()
C:\Windows\SysWOW64\oesaebmj
S0 kexi; C:\Windows\System32\drivers\nloswjb.sys [79064 2018-03-10] ()
C:\Windows\System32\drivers\nloswjb.sys
C:\Users\Gio\AppData\Local\kahBPslLln
C:\Users\Gio\AppData\Local\Temp\shutdown1517755764.exe

.

Step 2: Warm booting does not completely clear the computer and reset everything. See this article. It is amazing to me how many really weird problems are resolved by a power reset of your computer. Power resets are my first diagnostic step. If you launch the "Windows Repair (All In One)" tool by Tweaking.com, you will see that power resets are the first of their preliminary diagnostic steps. That tool is available for download here at Bleeping Computer.

With laptops, it is also necessary not just to unplug them, but also to remove the battery to ensure that the motherboard loses power, causing components to reset to their default state. Press and hold the "Power" button down for 10 to 20 seconds, when all power sources have been unplugged from the computer/laptop. This ensures that the capacitors on the motherboard, and other boards, such as GPU, drive controllers, etc., also lose any residual electrical power and are reset back to default states. The only thing that doesn't lose power is the BIOS CMOS, because it has its own battery, and removing that is not usually desirable, since the BIOS loses any custom configuration information, as well as the date and time.

Once you have done the power reset, then reinsert the laptop battery, if you have a laptop, and plug the computer back in. Press the "Power" button and the computer should boot normally, with all memory and capacitors cleared by the power reset. This often solves a lot of computer issues by itself.

If your computer boots, we are on the way home! Stop here and report back to me. If the computer does not boot successfully into normal mode, please go to the next Step.

.

Step 3: There is a nasty infection out there called the "SmartService" infection. Your symptoms do not appear to be entirely consistent with that infection, but I would like to rule it out. If that is what we are dealing with, then there is a cure.

So what I would like you to do is to go to a known "clean" computer, with a "clean" formatted USB drive. Download a new copy of FRST64.exe to the "clean" USB flash drive.

Finally, please run another FRST64.exe scan on your computer and copy and paste the logs. The reason for my request being that this infection is capable of modifying FRST functionality/detection when FRST64.exe is downloaded to a computer already infected with this malware. By running in Recovery Mode, with a "clean" copy of FRST64.exe, the FRST64.exe file cannot be modified or hindered in its detection capabilities. Do not insert the "clean" formatted USB flash drive into the infected computer, until it has booted into Recovery Mode.

.

Step 4: You really should consider trying to free some space on the OS drive. Not having enough space for at least several restore points is a serious vulnerability, as you have discovered. Not only that, but Windows requires some substantive free space to function optimally. Please see this link, if we can get you booted up, or you have access to another web-enabled device, for more information.

.

I wish you the best of luck. I will probably only be online for another couple of hours today, at most, so I hope that we have made some forward progress with this attack.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators
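A way to make the checks behind the two fixlists above mechanical, as an added example that is not part of FRST or of any post in this thread: the script below parses the kinds of lines FRST prints (Run-key entries, services and drivers, ShortcutTarget lines, the "File:" blocks that a fixlist's information-gathering lines produce, and the Drive lines behind Step 4) and flags what the responder flagged by eye: autostarts that run from user-writable directories, system-binary names such as svchost.exe or dwm.exe outside System32, files with no company or version information, Startup-folder shortcuts that launch an interpreter, hidden files, orphaned services, and volumes with little free space. The sample input is constructed from lines quoted in this thread; the masquerade and interpreter lists, the random-name test and the 15 percent threshold are assumptions of this example, not FRST rules.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log lines.

Added example for this thread, not part of FRST or of any post in it. It applies
mechanically the checks the responder made by eye. The masquerade and interpreter
lists, the random-name test and the free-space threshold are assumptions here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# System binaries malware likes to impersonate; genuine copies live under System32/SysWOW64.
MASQUERADE_NAMES = {"svchost.exe", "dwm.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}

RUN_RE = re.compile(r"^HK(?:U|LM)\\.*?\\Run: \[(?P<name>[^\]]*)\] => (?P<rest>.*)$")
SVC_RE = re.compile(r"^(?P<start>[SRU]\d) (?P<name>[^;]+); (?P<rest>.*)$")
LNK_RE = re.compile(r"^ShortcutTarget: (?P<name>\S+) -> (?P<rest>.*)$")
TRAILER_RE = re.compile(r"\s*\[\d+ \d{4}-\d{2}-\d{2}\] \((?P<vendor>[^)]*)\)")  # "[size date] (vendor)"
VENDOR_RE = re.compile(r"\s\((?P<vendor>[^()]*)\)$")                              # bare "(vendor)"
DRIVE_RE = re.compile(r"^Drive (?P<letter>\w): .*\(Total:(?P<total>[\d.]+) GB\) \(Free:(?P<free>[\d.]+) GB\)", re.M)


@dataclass
class Entry:
    kind: str                    # "run", "service", "startup" or "file"
    name: str
    path: str
    vendor: Optional[str] = None  # "" when FRST printed "()" (no version info), None when it printed nothing
    missing: bool = False         # FRST marks a service whose image file is absent with "[X]"
    hidden: bool = False          # from the Attributes line of a "File:" block


def _split_trailer(rest: str) -> tuple[str, Optional[str], bool]:
    """Separate the path from FRST's size/date/vendor trailer, "[X]" and ATTENTION markers."""
    missing = "[X]" in rest
    rest = rest.replace("<==== ATTENTION", "").replace("[X]", "").strip()
    vendor = None
    m = TRAILER_RE.search(rest) or VENDOR_RE.search(rest)
    if m:
        vendor = m.group("vendor")
        rest = rest[: m.start()].strip()
    return rest.strip('"').replace("\\??\\", ""), vendor, missing   # drop quotes and the \??\ NT prefix


def parse_frst(text: str) -> list[Entry]:
    entries: list[Entry] = []
    current: Optional[Entry] = None          # the "File:" block being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("====== End of File"):
            current = None
            continue
        if line.startswith("=") and "= File: " in line:
            path = line.split("= File: ", 1)[1].rstrip("= ")
            current = Entry("file", path.rsplit("\\", 1)[-1], path)
            entries.append(current)
            continue
        if current is not None:
            if line.startswith("Attributes:"):
                current.hidden = "H" in line.split(":", 1)[1]
            elif line.startswith("Company Name:"):
                current.vendor = line.split(":", 1)[1].strip()
            continue
        for kind, rx in (("run", RUN_RE), ("service", SVC_RE), ("startup", LNK_RE)):
            m = rx.match(line)
            if m:
                path, vendor, missing = _split_trailer(m.group("rest"))
                entries.append(Entry(kind, m.group("name"), path, vendor, missing))
                break
    return entries


def looks_random(name: str) -> bool:
    """Weak signal (assumption): a letters-only token of 6+ chars with no vowels or a 4-consonant run."""
    if not name.isalpha() or len(name) < 6:
        return False
    low = name.lower()
    return not any(c in "aeiouy" for c in low) or re.search(r"[^aeiouy]{4}", low) is not None


def triage(e: Entry) -> list[str]:
    low, flags = e.path.lower(), []
    base = low.rsplit("\\", 1)[-1]
    if any(d in low for d in USER_WRITABLE):
        flags.append("runs from a user-writable directory")
    if base in MASQUERADE_NAMES and not any(d in low for d in SYSTEM_DIRS):
        flags.append(f"{base} outside System32 (name masquerade)")
    if e.vendor == "":
        flags.append("no company/version information")
    if e.kind == "startup" and base in INTERPRETERS:
        flags.append("Startup shortcut launches an interpreter (inspect the .lnk arguments)")
    if e.kind != "file" and looks_random(e.name.split(".")[0]):
        flags.append("random-looking name")
    if e.hidden:
        flags.append("hidden attribute")
    if e.missing:
        flags.append("image file missing (orphaned service)")
    return flags


def triage_log(text: str) -> dict[str, list[str]]:
    """Map 'kind name' -> reasons, for every entry that trips at least one check."""
    return {f"{e.kind} {e.name}": f for e in parse_frst(text) if (f := triage(e))}


def low_disk(text: str, threshold_pct: float = 15.0) -> dict[str, float]:
    """Volumes below the free-space percentage the thread recommends (15 to 25 percent)."""
    out = {}
    for m in DRIVE_RE.finditer(text):
        pct = 100.0 * float(m.group("free")) / float(m.group("total"))
        if pct < threshold_pct:
            out[m.group("letter")] = round(pct, 1)
    return out


# Constructed sample: lines quoted from the FRST output in this thread.
SAMPLE = r"""
HKU\Gio\...\Run: [KfccHBPnPn] => "C:\Users\Gio\AppData\Local\KAHBPS~1\svchost.exe" <==== ATTENTION
HKU\Gio\...\Run: [dwm] => c:\users\gio\appdata\roaming\26646386\dwm.exe <==== ATTENTION
HKU\Gio\...\Run: [Intel Graphic Loader Extension] => C:\ProgramData\Intel\IntelGFX.exe [2288616 2017-07-24] ()
ShortcutTarget: tdbdichi.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
S2 oesaebmj; C:\Windows\SysWOW64\oesaebmj\npdesacm.exe [14852096 2018-03-10] ()
S0 kexi; C:\Windows\System32\drivers\nloswjb.sys [79064 2018-03-10] ()
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
========================= File: C:\ProgramData\Intel\IntelADTSvc.exe ========================
Attributes: ----H
Company Name: 
====== End of File: ======
Drive c: () (Fixed) (Total:232.54 GB) (Free:8.86 GB) NTFS
Drive d: (New Volume) (Fixed) (Total:433.17 GB) (Free:2.28 GB) NTFS ==>[system with boot components (obtained from drive)]
"""

if __name__ == "__main__":
    for key, reasons in triage_log(SAMPLE).items():
        print(f"{key}: {'; '.join(reasons)}")
    print("low free space:", low_disk(SAMPLE))
```

One caveat the thread itself illustrates: a Startup-folder .lnk is suspicious because of what it launches and with which arguments, so the triage flags the shortcut rather than its target. The fixlog in the next post records "C:\Windows\System32\cmd.exe => moved successfully" directly after the ShortcutTarget line that was included in the fixlist, so when the target is a Microsoft-signed system binary, list only the .lnk itself for removal.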


#14 George_ (Topic Starter; Members; 40 posts)

Posted 11 March 2018 - 02:28 PM

First I did power reset. It did not work.

Then I said - all or nothing and I ran FRST with your fix script.

IT WORKED.
Finally I am able to boot into windows 7.


You are a true hero. You identified malware correctly.
Thank you very much. You saved my time and my work.

Now there are two errors, but they are Asus software. I attached a screenshot. CPU usage is back to normal.

I will remove uTorrent now and free up some space on local disk.

Here is a fixlog

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 10.03.2018
Ran by SYSTEM (11-03-2018 23:02:14) Run:3
Running from j:\
Boot Mode: Recovery
==============================================
 
fixlist content:
*****************
C:\Users\Gio\AppData\Local\KAHBPS~1
C:\users\gio\appdata\roaming\26646386
HKU\Gio\...\Run: [Intel Graphic Loader Extension] => C:\ProgramData\Intel\IntelGFX.exe [2288616 2017-07-24] ()
C:\ProgramData\Intel\IntelGFX.exe
HKU\Gio\...\Run: [AME Start] => C:\ProgramData\AME\AME.exe [2753536 2016-12-28] ()
C:\ProgramData\AME
HKU\Gio\...\Run: [Intel] => C:\ProgramData\Intel\IntelADTSvc.exe [2586039 2018-02-22] ()
C:\ProgramData\Intel\IntelADTSvc.exe
Startup: C:\Users\Gio\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tdbdichi.lnk [2018-03-10]
ShortcutTarget: tdbdichi.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
C:\Users\Gio\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tdbdichi.lnk
S2 oesaebmj; C:\Windows\SysWOW64\oesaebmj\npdesacm.exe [14852096 2018-03-10] ()
C:\Windows\SysWOW64\oesaebmj
S0 kexi; C:\Windows\System32\drivers\nloswjb.sys [79064 2018-03-10] ()
C:\Windows\System32\drivers\nloswjb.sys
C:\Users\Gio\AppData\Local\kahBPslLln
C:\Users\Gio\AppData\Local\Temp\shutdown1517755764.exe
*****************
 
C:\Users\Gio\AppData\Local\KAHBPS~1 => moved successfully
"C:\users\gio\appdata\roaming\26646386" => not found
"HKU\Gio\Software\Microsoft\Windows\CurrentVersion\Run\\Intel Graphic Loader Extension" => removed successfully
C:\ProgramData\Intel\IntelGFX.exe => moved successfully
"HKU\Gio\Software\Microsoft\Windows\CurrentVersion\Run\\AME Start" => removed successfully
C:\ProgramData\AME => moved successfully
"HKU\Gio\Software\Microsoft\Windows\CurrentVersion\Run\\Intel" => removed successfully
C:\ProgramData\Intel\IntelADTSvc.exe => moved successfully
C:\Users\Gio\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tdbdichi.lnk => moved successfully
C:\Windows\System32\cmd.exe => moved successfully
"C:\Users\Gio\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tdbdichi.lnk" => not found
"HKLM\System\ControlSet002\Services\oesaebmj" => removed successfully
oesaebmj => service removed successfully
C:\Windows\SysWOW64\oesaebmj => moved successfully
"HKLM\System\ControlSet002\Services\kexi" => removed successfully
kexi => service removed successfully
C:\Windows\System32\drivers\nloswjb.sys => moved successfully
"C:\Users\Gio\AppData\Local\kahBPslLln" => not found
C:\Users\Gio\AppData\Local\Temp\shutdown1517755764.exe => moved successfully
 
==== End of Fixlog 23:02:17 ====

 


Edited by George_, 11 March 2018 - 02:31 PM.


#15 George_ (Topic Starter; Members; 40 posts)

Posted 11 March 2018 - 02:40 PM

But now this is what most of my files turned into.

What is this, can I restore these files?

It says: need to make payment or all your files will be deleted critical situation urgent attention 24 hours to pay or everything will be permanently deleted.
I lost everything?

I attached image.

 


Edited by George_, 11 March 2018 - 02:44 PM.




