Unknown Infection and Nothing is Detecting It


This topic is locked
24 replies to this topic

#1 Poptartjake (Members, 16 posts)

Posted 21 March 2018 - 10:59 AM

Computer seems to be infected still despite hitting it with pretty much every anti-virus I've ever used... I've manually removed a lot of different points of infection, as well, but permission issues are preventing me from finishing the job (I believe). System restore was disabled upon infection and I've yet to get it re-enabled since. 
 
Currently, I am seeing processes like "zaonmdt.exe" and "vselrot.exe" which are unknown to me and cannot be killed due to access denied (using Admin account). I've already removed Ladybug.exe, Autoimmune.exe, Anonymizergadget, infected chrome334/firefox334, but the computer is still starting at 40-50% RAM usage by default and is extremely sluggish/hangs/unresponsive (average RAM usage w/o programs running is about 20%).
 
Any help would be appreciated. 
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14.03.2018
Ran by Jenah (administrator) on JLAPTOP (21-03-2018 09:52:44)
Running from F:\
Loaded Profiles: Jenah (Available Profiles: Jenah)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(TOSHIBA CORPORATION) C:\Windows\System32\wdmhzessvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe
(Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
(Intel Corporation) C:\Windows\SysWOW64\esif_uf.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Intel Corporation) C:\Windows\Temp\DPTF\esif_assist_64.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
(Wacom Technology) C:\Program Files\Tablet\Wacom\WacomHost.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe
() C:\Users\Jenah\AppData\Local\vselrot\vselrot.exe
() C:\Program Files (x86)\Adobe\Adobe Sync\CoreSync\CoreSync.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe
(Node.js) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCLibrary\CCLibrary.exe
(Node.js) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCLibrary\libs\node.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
() C:\Users\Jenah\AppData\Local\vselrot\zaonmdt.exe
() C:\Users\Jenah\AppData\Local\vselrot\zaonmdt.exe
() C:\Users\Jenah\AppData\Local\vselrot\zaonmdt.exe
() C:\Users\Jenah\AppData\Local\vselrot\zaonmdt.exe
() C:\Users\Jenah\AppData\Local\vselrot\zaonmdt.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [3348712 2016-02-23] (ELAN Microelectronics Corp.)
HKLM\...\Run: [backslashbanjoist] => "C:\Program Files (x86)\eagleburger\autoimmune.exe" dyNF
HKLM\...\Run: [backslashbackslash] => "C:\Program Files (x86)\Unmolested\ladybug.exe" dyNF
HKLM\...\Run: [backslash] => "C:\Program Files (x86)\Basten\ladybug.exe" dyNF
HKLM\...\Run: [AdobeGCInvoker-1.0] => C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe [315880 2018-01-05] (Adobe Systems, Incorporated)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [508128 2016-07-01] (Adobe Systems Incorporated)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1353680 2016-11-14] (Microsoft Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe [299520 2017-05-11] (Intel Corporation)
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2409936 2018-02-14] (Adobe Systems Incorporated)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-382637057-1818866184-2265473509-1003\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-382637057-1818866184-2265473509-1003\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [17074688 2018-03-06] (Piriform Ltd)
HKU\S-1-5-21-382637057-1818866184-2265473509-1003\...\MountPoints2: E - E:\LaunchU3.exe -a
HKU\S-1-5-21-382637057-1818866184-2265473509-1003\...\MountPoints2: {4d521ec1-1a85-11e8-9ba2-28c2ddb44426} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-382637057-1818866184-2265473509-1003\...\MountPoints2: {749c887d-2b25-11e8-8bc1-28c2ddb44426} - E:\LaunchU3.exe -a
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 10.0.0.1
Tcpip\Parameters: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{27517F3F-1465-4C11-96C1-A96951666822}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{27517F3F-1465-4C11-96C1-A96951666822}: [DhcpNameServer] 10.0.0.1
Tcpip\..\Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{9F64C531-1BC7-44B4-B29C-3B4BAC1D6D7A}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{C7072A61-7D05-4F63-B600-A92DB24B76BA}: [NameServer] 8.8.8.8
 
Internet Explorer:
==================
HKU\S-1-5-21-382637057-1818866184-2265473509-1003\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
 
FireFox:
========
FF DefaultProfile: 2ingrsl6.default-1521231613617
FF ProfilePath: C:\Users\Jenah\AppData\Roaming\Mozilla\Firefox\Profiles\2ingrsl6.default-1521231613617 [2018-03-21]
FF Homepage: Mozilla\Firefox\Profiles\2ingrsl6.default-1521231613617 -> google.com/
FF Extension: (TAAR Experiment v2 Shield Study) - C:\Users\Jenah\AppData\Roaming\Mozilla\Firefox\Profiles\2ingrsl6.default-1521231613617\Extensions\taarexpv2@shield.mozilla.org.xpi [2018-03-16] [Legacy]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_29_0_0_113.dll [2018-03-19] ()
FF Plugin: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [2018-02-14] (Adobe Systems)
FF Plugin: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_29_0_0_113.dll [2018-03-19] ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-03-21] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-03-21] (Google Inc.)
FF Plugin-x32: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2018-02-14] (Adobe Systems)
FF Plugin-x32: wacom.com/WacomTabletPlugin -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\secure_cert.js [2018-03-19]
 
Chrome: 
=======
CHR Profile: C:\Users\Jenah\AppData\Local\Google\Chrome\User Data\Default [2018-03-21]
CHR Extension: (Chrome Media Router) - C:\Users\Jenah\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-03-21]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
HKLM\SYSTEM\CurrentControlSet\Services\gmekiwc <==== ATTENTION (Rootkit!)
 
R2 AdobeUpdateService; C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe [818128 2018-02-14] (Adobe Systems Incorporated)
R2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2319848 2018-01-05] (Adobe Systems, Incorporated)
R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [144560 2012-05-17] (Seiko Epson Corporation)
R2 esifsvc; C:\Windows\SysWOW64\esif_uf.exe [1419424 2017-01-09] (Intel Corporation)
S2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [346152 2018-01-10] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6440736 2018-03-03] (Malwarebytes)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [119864 2016-11-14] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [361816 2016-11-14] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
R2 WTabletServicePro; C:\Program Files\Tablet\Wacom\WTabletServicePro.exe [742864 2016-03-21] (Wacom Technology, Corp.)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 BtFilter; C:\Windows\System32\DRIVERS\btfilter.sys [609696 2016-11-28] (Qualcomm)
R3 dptf_cpu; C:\Windows\System32\DRIVERS\dptf_cpu.sys [52208 2017-01-09] (Intel Corporation)
R3 esif_lf; C:\Windows\System32\DRIVERS\esif_lf.sys [260080 2017-01-09] (Intel Corporation)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [76200 2018-01-18] ()
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [40448 2017-04-19] (Intel Corporation)
R3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [17280 2012-08-05] ( )
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [193248 2018-03-20] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [109800 2018-03-21] (Malwarebytes)
R3 MBAMProtection; C:\Windows\System32\DRIVERS\mbam.sys [45960 2018-03-21] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253664 2018-03-21] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [92280 2018-03-21] (Malwarebytes)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [201296 2017-11-27] (Intel Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [295000 2016-08-25] (Microsoft Corporation)
R1 MpKsl433c3b43; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9ADFDD88-35D5-4A03-BD3B-538773B44305}\MpKsl433c3b43.sys [58120 2018-03-21] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [135928 2016-08-25] (Microsoft Corporation)
R3 RTSUER; C:\Windows\System32\Drivers\RtsUer.sys [421312 2017-10-18] (Realsil Semiconductor Corporation)
S3 WacHidRouterPro; C:\Windows\System32\DRIVERS\wachidrouter.sys [102864 2016-03-02] (Wacom Technology)
U3 aswbdisk; no ImagePath
R3 rvybfi; system32\drivers\ybeilo.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S4 vkgnrl; System32\drivers\aueocrpz.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-03-21 09:14 - 2018-03-21 09:14 - 000000000 ____D C:\ProgramData\Emsisoft
2018-03-21 09:13 - 2018-03-21 09:13 - 000000000 ____D C:\Users\Jenah\AppData\Local\cworesa
2018-03-21 09:10 - 2018-03-21 09:10 - 000045960 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2018-03-21 09:06 - 2018-03-21 09:06 - 000142672 ____N C:\Windows\system32\Drivers\spsuybeh.sys
2018-03-21 09:04 - 2011-06-03 00:57 - 000362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2018-03-21 09:04 - 2011-06-03 00:57 - 000243200 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2018-03-21 09:04 - 2011-06-03 00:57 - 000214528 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2018-03-21 09:04 - 2011-06-03 00:57 - 000016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2018-03-21 09:04 - 2011-06-03 00:57 - 000013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2018-03-21 09:04 - 2011-06-03 00:53 - 000338944 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2018-03-21 09:04 - 2011-06-03 00:00 - 000014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2018-03-21 09:04 - 2011-06-02 23:57 - 000025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2018-03-21 09:04 - 2011-06-02 23:56 - 000005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2018-03-21 09:04 - 2011-06-02 21:53 - 000007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2018-03-21 09:04 - 2011-06-02 21:53 - 000002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2018-03-21 09:04 - 2011-05-14 01:20 - 001162752 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2018-03-21 09:04 - 2011-05-14 01:20 - 000421888 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 01:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:22 - 000837632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2018-03-21 09:04 - 2011-05-14 00:22 - 000272384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2018-03-21 09:04 - 2011-05-14 00:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2018-03-21 09:04 - 2011-05-13 22:15 - 000006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2018-03-21 09:04 - 2011-05-13 22:15 - 000004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2018-03-21 09:04 - 2011-05-13 22:15 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2018-03-21 09:04 - 2011-05-13 22:15 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2018-03-21 09:03 - 2018-03-21 09:04 - 002314805 _____ C:\Users\Jenah\Downloads\Windows6.1-KB2533623-x64.msu
2018-03-21 09:01 - 2018-03-21 09:26 - 000000000 ____D C:\EEK
2018-03-21 09:00 - 2018-03-21 08:51 - 320381672 _____ C:\Users\Jenah\Desktop\EmsisoftEmergencyKit.exe
2018-03-21 08:56 - 2018-03-21 08:56 - 000000000 ____D C:\Users\Jenah\AppData\Local\dwbloxk
2018-03-21 08:36 - 2018-03-21 08:36 - 000003870 _____ C:\Windows\System32\Tasks\CCleaner Update
2018-03-21 08:36 - 2018-03-21 08:36 - 000002788 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2018-03-21 08:36 - 2018-03-21 08:36 - 000002298 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-03-21 08:36 - 2018-03-21 08:36 - 000002257 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-03-21 08:36 - 2018-03-21 08:36 - 000000824 _____ C:\Users\Public\Desktop\CCleaner.lnk
2018-03-21 08:36 - 2018-03-21 08:36 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2018-03-21 08:36 - 2018-03-21 08:36 - 000000000 ____D C:\Program Files\CCleaner
2018-03-21 08:35 - 2018-03-21 08:52 - 000000000 ____D C:\Program Files\Google
2018-03-21 08:35 - 2018-03-21 08:40 - 000003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2018-03-21 08:35 - 2018-03-21 08:40 - 000003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2018-03-21 08:10 - 2018-03-21 08:12 - 000017866 _____ C:\TDSSKiller.3.1.0.16_21.03.2018_08.10.41_log.txt
2018-03-21 08:10 - 2018-03-21 08:10 - 000000000 ____D C:\Users\Jenah\AppData\Local\cgrevbw
2018-03-21 08:08 - 2018-03-21 08:10 - 000018018 _____ C:\TDSSKiller.3.1.0.16_21.03.2018_08.08.43_log.txt
2018-03-21 07:23 - 2013-10-14 18:00 - 000028368 _____ (Microsoft Corporation) C:\Windows\system32\IEUDINIT.EXE
2018-03-21 06:09 - 2018-03-21 06:09 - 000000000 ____D C:\Users\Jenah\AppData\Local\cwdxtbo
2018-03-20 22:02 - 2018-03-20 22:02 - 000000000 __SHD C:\found.000
2018-03-20 19:26 - 2018-03-20 19:26 - 000000000 ____D C:\Users\Jenah\AppData\Local\spiuhdw
2018-03-20 19:01 - 2018-03-20 19:01 - 000000000 ____D C:\Users\Jenah\AppData\Local\iaarxhd
2018-03-20 19:00 - 2018-03-21 09:10 - 000253664 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-03-20 19:00 - 2018-03-21 09:10 - 000109800 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2018-03-20 19:00 - 2018-03-20 19:00 - 000001869 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-03-20 18:59 - 2018-03-20 19:00 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-03-20 18:59 - 2018-01-18 08:03 - 000076200 _____ C:\Windows\system32\Drivers\mbae64.sys
2018-03-20 18:24 - 2018-03-20 18:24 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\371873AF.sys
2018-03-20 18:23 - 2018-03-20 19:22 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2018-03-20 16:21 - 2018-03-20 18:59 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-03-20 16:15 - 2018-03-20 16:15 - 000000000 ____D C:\Users\Jenah\AppData\Local\dwsgozr
2018-03-20 16:08 - 2018-03-21 09:08 - 002888704 _____ (TOSHIBA CORPORATION) C:\Windows\system32\wdmhzessvc.exe
2018-03-20 15:45 - 2018-03-20 15:45 - 000000000 ____D C:\Users\Jenah\AppData\Local\mshwbeg
2018-03-20 15:14 - 2011-04-09 00:58 - 000142336 _____ (Microsoft Corporation) C:\Windows\system32\poqexec.exe
2018-03-20 15:14 - 2011-04-08 23:56 - 000123904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\poqexec.exe
2018-03-20 15:03 - 2018-03-20 15:03 - 000000000 ____D C:\Users\Jenah\AppData\Local\exencrd
2018-03-20 14:26 - 2018-03-20 14:26 - 000000000 ____D C:\Users\Jenah\AppData\Local\mbdwcex
2018-03-20 14:23 - 2018-03-21 09:10 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-03-20 14:23 - 2018-03-20 14:23 - 000003114 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2018-03-20 12:07 - 2018-03-20 12:07 - 000000000 ____D C:\Users\Jenah\AppData\Local\nihzems
2018-03-20 12:03 - 2018-03-21 08:43 - 000000000 ____D C:\Users\Jenah\AppData\Local\CrashDumps
2018-03-20 11:42 - 2015-02-03 21:16 - 000392192 _____ (Microsoft Corporation) C:\Windows\system32\WMPhoto.dll
2018-03-20 11:42 - 2015-02-03 20:54 - 000318464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll
2018-03-20 11:40 - 2018-03-20 11:40 - 000000000 ____D C:\Users\Jenah\AppData\Local\wmmszli
2018-03-20 11:14 - 2018-03-20 11:14 - 000000000 ____D C:\Users\Jenah\AppData\Local\vdmhzxn
2018-03-20 11:04 - 2018-03-20 15:02 - 000028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2018-03-20 11:04 - 2018-03-20 11:30 - 000000000 ____D C:\ProgramData\RogueKiller
2018-03-20 11:01 - 2018-03-20 11:01 - 000000000 ____D C:\Users\Jenah\AppData\Local\exbckta
2018-03-20 10:48 - 2018-03-20 14:57 - 000000000 ____D C:\AdwCleaner
2018-03-20 10:34 - 2018-03-20 10:34 - 000000000 ____D C:\Users\Jenah\AppData\Local\uskgzep
2018-03-20 10:19 - 2018-03-20 10:19 - 000000000 ____D C:\Users\Jenah\AppData\Local\siinoeh
2018-03-20 10:06 - 2018-03-20 10:06 - 000000000 ____D C:\Users\Jenah\AppData\Local\dtbuliw
2018-03-19 22:09 - 2018-03-19 22:09 - 000000000 ____D C:\Users\Jenah\AppData\Local\psotbar
2018-03-19 21:54 - 2014-05-14 10:23 - 002477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2018-03-19 21:54 - 2014-05-14 10:23 - 000058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2018-03-19 21:54 - 2014-05-14 10:23 - 000044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2018-03-19 21:54 - 2014-05-14 10:21 - 002620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2018-03-19 21:53 - 2014-05-14 10:23 - 000700384 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2018-03-19 21:53 - 2014-05-14 10:23 - 000581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2018-03-19 21:53 - 2014-05-14 10:23 - 000038880 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2018-03-19 21:53 - 2014-05-14 10:23 - 000036320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2018-03-19 21:53 - 2014-05-14 10:20 - 000097792 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2018-03-19 21:53 - 2014-05-14 10:17 - 000092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2018-03-19 21:53 - 2014-05-14 09:23 - 000198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2018-03-19 21:53 - 2014-05-14 09:23 - 000179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2018-03-19 21:53 - 2014-05-14 09:20 - 000036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2018-03-19 21:53 - 2014-05-14 09:17 - 000033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2018-03-19 21:42 - 2018-03-19 21:42 - 000002119 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2018-03-19 21:42 - 2018-03-19 21:42 - 000000000 ____D C:\Users\Jenah\AppData\Local\wimnksr
2018-03-19 21:41 - 2018-03-19 21:42 - 000000000 ____D C:\Program Files\Microsoft Security Client
2018-03-19 21:41 - 2018-03-19 21:41 - 000000000 ____D C:\Program Files (x86)\Microsoft Security Client
2018-03-19 21:37 - 2018-03-21 08:21 - 000002205 _____ C:\Windows\epplauncher.mif
2018-03-19 20:33 - 2018-03-19 20:33 - 000000000 ____D C:\Users\Jenah\AppData\Local\svmeawh
2018-03-19 20:32 - 2018-03-20 19:00 - 000193248 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2018-03-19 20:17 - 2018-03-19 20:17 - 000000000 ____D C:\Users\Jenah\AppData\Local\mskxzew
2018-03-19 19:49 - 2018-03-21 09:52 - 000000000 ____D C:\FRST
2018-03-19 19:48 - 2018-03-19 19:48 - 000004460 _____ C:\Windows\System32\Tasks\Adobe Flash Player NPAPI Notifier
2018-03-19 19:38 - 2018-03-19 19:38 - 000000000 ____D C:\Users\Jenah\AppData\Local\mshpikl
2018-03-19 19:29 - 2018-03-19 19:29 - 000000000 ____D C:\Users\Jenah\AppData\Local\wmoglbt
2018-03-19 18:39 - 2018-03-19 18:39 - 000000000 ____D C:\Users\Jenah\AppData\Local\cobamzk
2018-03-19 17:52 - 2018-03-19 17:52 - 000000000 ____D C:\Users\Jenah\AppData\Local\vdouenw
2018-03-19 17:32 - 2018-03-19 17:46 - 000000000 ____D C:\ProgramData\HitmanPro
2018-03-19 17:31 - 2018-03-19 17:31 - 000003910 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2018-03-19 17:31 - 2018-03-19 17:31 - 000000000 ____D C:\Windows\System32\Tasks\Avast Software
2018-03-19 17:30 - 2018-03-19 17:30 - 000000000 ____D C:\Program Files\Common Files\AVAST Software
2018-03-19 17:26 - 2018-03-20 11:37 - 000000000 ____D C:\ProgramData\AVAST Software
2018-03-19 17:20 - 2018-03-19 17:20 - 000000000 ____D C:\Users\Jenah\AppData\Local\wmcogze
2018-03-19 17:16 - 2018-03-19 17:16 - 000000000 ____D C:\Users\Jenah\AppData\Local\dtabrle
2018-03-19 16:58 - 2018-03-19 16:58 - 000000000 ____D C:\Users\Jenah\AppData\Local\snmhepk
2018-03-19 16:32 - 2018-03-19 16:32 - 000000000 ____D C:\Users\Jenah\AppData\Local\ushmlzd
2018-03-19 16:19 - 2018-03-19 16:19 - 000000000 ____D C:\Users\Jenah\AppData\Local\coibvxs
2018-03-19 16:13 - 2018-03-19 16:13 - 000000000 ____D C:\Users\Jenah\AppData\Local\mbodznc
2018-03-19 14:29 - 2018-03-20 16:09 - 000000000 ____D C:\SUPERDelete
2018-03-19 14:22 - 2018-03-19 14:22 - 000000000 ____D C:\Users\Jenah\AppData\Local\psexdwn
2018-03-19 14:19 - 2018-03-19 14:19 - 000000000 ____D C:\Windows\Minidump
2018-03-19 13:55 - 2018-03-19 13:55 - 000000000 ____D C:\Users\Jenah\AppData\Local\spkatoi
2018-03-19 13:22 - 2018-03-19 13:22 - 000000000 ____D C:\Users\Jenah\AppData\Local\dtdwcmp
2018-03-19 12:54 - 2018-03-19 12:54 - 000000000 ____D C:\Users\Jenah\AppData\Local\cskburg
2018-03-19 12:31 - 2018-03-19 12:31 - 000000000 ____D C:\Users\Jenah\AppData\Local\ElevatedDiagnostics
2018-03-19 10:23 - 2018-03-19 10:23 - 000000000 ____D C:\Users\Jenah\AppData\Local\siiokwn
2018-03-19 10:19 - 2018-03-19 17:16 - 000000000 ____D C:\Windows\pss
2018-03-19 09:25 - 2018-03-19 09:25 - 000000000 ____D C:\Users\Jenah\AppData\Local\dsekztl
2018-03-19 09:16 - 2018-03-21 09:37 - 000000000 ____D C:\Users\Jenah\AppData\Local\mbsnxlt
2018-03-19 09:16 - 2018-03-19 09:16 - 000000000 ____D C:\Windows\system32\appmgmt
2018-03-19 09:13 - 2018-03-21 09:53 - 000000000 ____D C:\Users\Jenah\AppData\Local\vselrot
2018-03-19 09:13 - 2018-03-19 09:13 - 000000000 ____D C:\Users\Jenah\AppData\Local\usaovkg
2018-03-19 09:12 - 2018-03-19 09:12 - 000000000 ____D C:\Windows\SysWOW64\wmndvxr
2018-03-19 09:12 - 2018-03-19 09:12 - 000000000 ____D C:\Windows\system32\wmndvxr
2018-03-19 09:12 - 2018-03-19 09:12 - 000000000 ____D C:\Users\Jenah\AppData\Roaming\et
2018-03-19 09:11 - 2018-03-19 09:11 - 000000012 _____ C:\Windows\b2844467
2018-03-19 09:08 - 2018-03-19 09:08 - 001231360 _____ C:\Windows\78fe709095142ae294d4ca749f58b3b0.dll
2018-03-19 05:10 - 2018-03-19 05:10 - 000762368 _____ C:\Windows\49d0488ad0cbeecbf9402ded77fbc7a3.exe
2018-03-19 05:10 - 2018-03-19 05:10 - 000047249 _____ C:\Windows\uninstaller.dat
2018-03-18 19:15 - 2018-03-18 19:15 - 000000033 _____ C:\Users\Jenah\AppData\Roaming\AdobeWLCMCache.dat
2018-03-16 18:22 - 2018-03-16 18:22 - 000002465 _____ C:\Users\Jenah\Desktop\Adobe Illustrator CC 2018.lnk
2018-03-16 18:07 - 2018-03-16 18:07 - 000001063 _____ C:\Users\Jenah\Desktop\Adobe Lightroom Classic CC.lnk
2018-03-16 18:07 - 2018-03-16 18:07 - 000001063 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Lightroom Classic CC.lnk
2018-03-16 17:45 - 2018-03-16 17:45 - 000001042 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop CC 2018.lnk
2018-03-16 17:20 - 2018-03-16 17:20 - 000002465 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Illustrator CC 2018.lnk
2018-03-16 14:20 - 2018-03-19 16:52 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-03-16 14:19 - 2018-03-16 14:19 - 000313544 _____ (Mozilla) C:\Users\Jenah\Downloads\Firefox Installer (1).exe
2018-03-09 10:53 - 2018-03-21 09:10 - 000092280 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2018-03-09 10:52 - 2018-03-09 10:52 - 069323904 _____ (Malwarebytes ) C:\Users\Jenah\Downloads\mb3-setup-consumer-3.4.4.2398-1.0.322-1.0.4256.exe
2018-03-09 10:52 - 2018-03-09 10:52 - 000000000 ____D C:\Program Files\Malwarebytes
2018-03-03 11:35 - 2018-03-03 11:35 - 000001004 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Bridge CC 2018.lnk
2018-02-27 12:02 - 2018-02-27 12:02 - 000000000 ____D C:\Users\Jenah\AppData\Roaming\EPSON
2018-02-27 10:31 - 2018-03-21 09:31 - 000000909 _____ C:\Windows\Tasks\EPSON Perfection V39 Update.job
2018-02-27 10:31 - 2018-02-27 10:31 - 000003976 _____ C:\Windows\System32\Tasks\EPSON Perfection V39 Update
2018-02-27 10:30 - 2018-02-27 10:30 - 000000932 _____ C:\Users\Public\Desktop\EPSON Scan.lnk
2018-02-27 10:30 - 2018-02-27 10:30 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EPSON
2018-02-27 10:30 - 2018-02-27 10:30 - 000000000 ____D C:\Program Files (x86)\epson
2018-02-27 10:30 - 2015-04-30 01:00 - 000216064 _____ (Seiko Epson Corporation) C:\Windows\system32\esxi010c.dll
2018-02-27 10:30 - 2015-02-05 02:00 - 000065793 _____ C:\Windows\system32\esfw010c.bin
2018-02-27 10:30 - 2014-07-11 01:00 - 000472576 _____ (Seiko Epson Corporation) C:\Windows\system32\esxw2ud.dll
2018-02-27 10:30 - 2013-12-18 01:00 - 000065536 _____ C:\Windows\SysWOW64\esint00.dll
2018-02-27 10:30 - 2012-05-17 01:00 - 000144560 _____ (Seiko Epson Corporation) C:\Windows\system32\escsvc64.exe
2018-02-27 10:28 - 2018-02-27 10:28 - 044042168 _____ C:\Users\Jenah\Downloads\epson17634.exe
2018-02-26 16:39 - 2018-02-26 16:39 - 000000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2018-02-21 10:43 - 2018-03-19 19:48 - 000804352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2018-02-21 10:43 - 2018-03-19 19:48 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2018-02-21 10:43 - 2018-03-19 19:48 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2018-02-21 10:43 - 2018-03-19 19:48 - 000000000 ____D C:\Windows\system32\Macromed
2018-02-21 10:01 - 2018-02-21 10:01 - 000000000 ____D C:\Users\Jenah\AppData\LocalLow\Adobe
2018-02-20 16:37 - 2018-02-20 16:37 - 000000000 ____D C:\Users\Jenah\AppData\Roaming\WTablet
2018-02-20 16:34 - 2018-02-20 16:34 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wacom Tablet
2018-02-20 16:34 - 2018-02-20 16:34 - 000000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_wacomrouterfilter_01009.Wdf
2018-02-20 16:34 - 2018-02-20 16:34 - 000000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_wachidrouter_01009.Wdf
2018-02-20 16:34 - 2018-02-20 16:34 - 000000000 ____D C:\Program Files\TabletPlugins
2018-02-20 16:34 - 2018-02-20 16:34 - 000000000 ____D C:\Program Files (x86)\TabletPlugins
2018-02-20 16:34 - 2016-03-02 17:05 - 000014800 _____ (Wacom Technology) C:\Windows\system32\Drivers\wacomrouterfilter.sys
2018-02-20 16:33 - 2018-02-20 16:34 - 000000000 ____D C:\Program Files\Tablet
2018-02-20 16:33 - 2016-03-21 14:28 - 002116560 _____ (Wacom Technology, Corp.) C:\Windows\system32\WacomMT.dll
2018-02-20 16:33 - 2016-03-21 14:28 - 002090960 _____ (Wacom Technology, Corp.) C:\Windows\system32\Wacom_Tablet.dll
2018-02-20 16:33 - 2016-03-21 14:28 - 002084304 _____ (Wacom Technology, Corp.) C:\Windows\system32\Wacom_Touch_Tablet.dll
2018-02-20 16:33 - 2016-03-21 14:28 - 001979344 _____ (Wacom Technology, Corp.) C:\Windows\system32\Wintab32.dll
2018-02-20 16:33 - 2016-03-21 14:28 - 001695696 _____ (Wacom Technology, Corp.) C:\Windows\SysWOW64\WacomMT.dll
2018-02-20 16:33 - 2016-03-21 14:28 - 001692624 _____ (Wacom Technology, Corp.) C:\Windows\SysWOW64\Wacom_Tablet.dll
2018-02-20 16:33 - 2016-03-21 14:28 - 001685968 _____ (Wacom Technology, Corp.) C:\Windows\SysWOW64\Wacom_Touch_Tablet.dll
2018-02-20 16:33 - 2016-03-21 14:28 - 001583568 _____ (Wacom Technology, Corp.) C:\Windows\SysWOW64\Wintab32.dll
2018-02-20 16:33 - 2016-03-02 17:05 - 000102864 _____ (Wacom Technology) C:\Windows\system32\Drivers\wachidrouter.sys
2018-02-20 16:33 - 2016-03-02 17:05 - 000013776 _____ (Windows ® Win 7 DDK provider) C:\Windows\system32\Drivers\hidkmdf.sys
2018-02-20 16:33 - 2012-12-11 16:12 - 001721576 _____ (Microsoft Corporation) C:\Windows\system32\wdfcoinstaller01009.dll
2018-02-20 16:33 - 2012-12-11 16:12 - 001721576 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\wdfcoinstaller01009.dll
2018-02-20 15:12 - 2018-02-20 15:12 - 000000000 ____D C:\Users\Jenah\AppData\Local\Wacom
2018-02-20 15:10 - 2018-02-20 15:10 - 000000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_wachidrouter_01011.Wdf
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-03-21 09:53 - 2009-07-13 20:34 - 020971520 _____ C:\Windows\system32\config\HARDWARE
2018-03-21 09:15 - 2018-02-17 17:15 - 000000000 ___RD C:\Users\Jenah\Creative Cloud Files
2018-03-21 09:15 - 2018-02-17 16:44 - 000000000 ____D C:\Users\Jenah\AppData\Local\Adobe
2018-03-21 09:10 - 2009-07-13 22:45 - 000016640 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-03-21 09:10 - 2009-07-13 22:45 - 000016640 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-03-21 08:54 - 2009-07-13 21:20 - 000000000 ____D C:\Windows\inf
2018-03-21 08:52 - 2018-02-17 12:40 - 000000000 ____D C:\Program Files (x86)\Google
2018-03-21 08:43 - 2018-02-16 18:07 - 000000000 ____D C:\Windows\Panther
2018-03-21 08:42 - 2018-02-17 16:13 - 000000000 ____D C:\Users\Jenah\AppData\Local\Google
2018-03-21 08:13 - 2009-07-13 23:13 - 000785140 _____ C:\Windows\system32\PerfStringBackup.INI
2018-03-20 19:15 - 2018-02-17 16:20 - 000000000 ____D C:\Users\Jenah\Documents\UserTesting
2018-03-19 21:50 - 2018-02-17 16:13 - 000001074 _____ C:\Users\Jenah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-03-19 21:50 - 2018-02-17 16:13 - 000001044 _____ C:\Users\Jenah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2018-03-19 20:20 - 2009-07-13 21:20 - 000000000 ___HD C:\Windows\system32\GroupPolicy
2018-03-19 08:10 - 2018-02-17 17:29 - 000146744 _____ C:\Users\Jenah\AppData\Local\GDIPFONTCACHEV1.DAT
2018-03-18 21:27 - 2009-07-13 22:45 - 000578088 _____ C:\Windows\system32\FNTCACHE.DAT
2018-03-18 19:17 - 2018-02-17 17:29 - 000000000 ____D C:\ProgramData\regid.1986-12.com.adobe
2018-03-18 19:17 - 2018-02-17 17:03 - 000000000 ____D C:\Users\Jenah\AppData\Roaming\Adobe
2018-03-16 18:07 - 2018-02-17 17:25 - 000000000 ____D C:\Program Files\Adobe
2018-03-16 17:45 - 2018-02-17 16:20 - 000000000 ____D C:\Users\Jenah\Documents\Adobe
2018-03-16 17:20 - 2018-02-17 17:24 - 000000000 ____D C:\Program Files\Common Files\Adobe
2018-02-20 16:07 - 2009-07-13 21:20 - 000000000 ____D C:\Windows\Registration
2018-02-20 15:41 - 2009-07-13 21:20 - 000000000 ____D C:\Windows\rescache
 
==================== Files in the root of some directories =======
 
2018-03-18 19:15 - 2018-03-18 19:15 - 000000033 _____ () C:\Users\Jenah\AppData\Roaming\AdobeWLCMCache.dat
 
Some files in TEMP:
====================
2018-03-21 08:15 - 2018-03-19 17:30 - 011605440 _____ (SurfRight B.V.) C:\Users\Jenah\AppData\Local\Temp\HitmanPro.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\drivers\spsuybeh.sys -> Access Denied <======= ATTENTION
 
LastRegBack: 2018-03-09 10:50
 
==================== End of FRST.txt ============================
 
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by Jenah (21-03-2018 09:53:36)
Running from F:\
Windows 7 Ultimate Service Pack 1 (X64) (2018-02-17 00:00:10)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-382637057-1818866184-2265473509-500 - Administrator - Disabled)
Guest (S-1-5-21-382637057-1818866184-2265473509-501 - Limited - Disabled)
Jenah (S-1-5-21-382637057-1818866184-2265473509-1003 - Administrator - Enabled) => C:\Users\Jenah
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Microsoft Security Essentials (Enabled - Up to date) {71A27EC9-3DA6-45FC-60A7-004F623C6189}
AS: Microsoft Security Essentials (Enabled - Up to date) {CAC39F2D-1B9C-4A72-5A17-3B3D19BB2B34}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Bridge CC 2018 (HKLM-x32\...\KBRG_8_0_1) (Version: 8.0.1 - Adobe Systems Incorporated)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 4.4.1.298 - Adobe Systems Incorporated)
Adobe Flash Player 29 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 29.0.0.113 - Adobe Systems Incorporated)
Adobe Illustrator CC 2018 (HKLM-x32\...\ILST_22_1) (Version: 22.1 - Adobe Systems Incorporated)
Adobe Lightroom Classic CC (HKLM-x32\...\LTRM_7_2) (Version: 7.2 - Adobe Systems Incorporated)
Adobe Photoshop CC 2018 (HKLM-x32\...\PHSP_19_1_2) (Version: 19.1.2 - Adobe Systems Incorporated)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.41 - Piriform)
ELAN Touchpad 11.5.22.2_X64_WHQL (HKLM\...\Elantech) (Version: 11.5.22.2 - ELAN Microelectronic Corp.)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 65.0.3325.181 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.21.169 - Google Inc.) Hidden
Intel® Chipset Device Software (HKLM-x32\...\{49bc1e38-39b4-4728-9e75-cbe67ba9a329}) (Version: 10.1.1.42 - Intel® Corporation) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.14.4889 - Intel Corporation)
Intel® USB 3.0\3.1 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 5.0.4.43 - Intel Corporation)
Malwarebytes version 3.4.4.2398 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.4.4.2398 - Malwarebytes)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.10.209.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x64) - 14.12.25810 (HKLM-x32\...\{e2ee15e2-a480-4bc5-bfb7-e9803d1d9823}) (Version: 14.12.25810.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.12.25810 (HKLM-x32\...\{56e11d69-7cc9-40a5-a4f9-8f6190c4d84d}) (Version: 14.12.25810.0 - Microsoft Corporation)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.8366 - Realtek Semiconductor Corp.)
Wacom Tablet (HKLM\...\Wacom Tablet Driver) (Version: 6.3.16-2 - Wacom Technology Corp.)
WebTablet FB Plugin 32 bit (HKLM-x32\...\Wacom WebTabletPlugin for Internet Explorer and Netscape) (Version: 2.1.0.7 - Wacom Technology Corp.)
WebTablet FB Plugin 64 bit (HKLM\...\Wacom WebTabletPlugin for Internet Explorer and Netscape) (Version: 2.1.0.7 - Wacom Technology Corp.)
Windows Driver Package - INTEL System  (01/03/2017 10.1.1.40) (HKLM\...\C7457EE7240570722E74C5A479C3B6FAA3CDB3C4) (Version: 01/03/2017 10.1.1.40 - INTEL)
Windows Driver Package - INTEL System  (01/03/2017 10.1.1.40) (HKLM\...\D043A3668EC5DB3174F13B2D12258568734C9084) (Version: 01/03/2017 10.1.1.40 - INTEL)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-382637057-1818866184-2265473509-1003_Classes\CLSID\{e8c77137-e224-5791-b6e9-ff0305797a13}\InprocServer32 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Systems)
ShellIconOverlayIdentifiers: [   AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-10] ()
ShellIconOverlayIdentifiers: [   AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-10] ()
ShellIconOverlayIdentifiers: [   AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-10] ()
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers1: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-10] ()
ContextMenuHandlers1: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers2: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-03] (Malwarebytes)
ContextMenuHandlers4: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers6: [AccExt] -> {2A118EB5-5797-4F5E-8B3D-F4ECBA3C98E4} => C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll [2018-02-10] ()
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-03] (Malwarebytes)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {02F3A6A6-4E08-40E4-A2BF-24E6DE0DECF3} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-03-21] (Google Inc.)
Task: {03A11423-B047-4728-ACAE-B11895EC25EA} - System32\Tasks\RtHDVBg_ListenToDevice => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2018-02-07] (Realtek Semiconductor)
Task: {0AB6ED2F-302D-472F-9FE6-6282F3125BA8} - \tserodible darpa adviserserodible darpa advisers -> No File <==== ATTENTION
Task: {11D8C7D0-0A58-46C9-A7B0-F6304BE9EB83} - \liberally_lecher -> No File <==== ATTENTION
Task: {47316A71-C3B2-412F-A5D0-451C39E318B1} - System32\Tasks\EPSON Perfection V39 Update => C:\Program Files (x86)\epson\escndv\update\e_dtsksd.exe [2013-11-22] (SEIKO EPSON CORPORATION)
Task: {4CA19896-12D9-4627-8AE0-597C64CF5580} - \tsmucous-apostrophesmucous-apostrophes -> No File <==== ATTENTION
Task: {5355D2C3-236A-479E-9CBA-7FAC910E796F} - \tsstoical ackermannstoical ackermann -> No File <==== ATTENTION
Task: {54217D92-FA98-4BFF-90E9-5C1DC6F32B0D} - System32\Tasks\AdobeGCInvoker-1.0-JLaptop-Jenah => C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe [2018-01-05] (Adobe Systems, Incorporated)
Task: {56BBF817-2132-432E-9F05-591A0D0798D1} - \anthrax_digits -> No File <==== ATTENTION
Task: {6629E93E-66AF-4E1A-AB4C-57FA2CCF387A} - System32\Tasks\AdobeAAMUpdater-1.0-JLaptop-Jenah => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2016-07-01] (Adobe Systems Incorporated)
Task: {6CABF8EB-336A-48D7-9921-475E2C35B1E1} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => c:\Program Files\Microsoft Security Client\\MpCmdRun.exe [2016-11-14] (Microsoft Corporation)
Task: {80F78CB7-E9EE-4A57-B023-CA9AAB50C5CA} - \obtuse -> No File <==== ATTENTION
Task: {9D8F00EE-382E-45DB-8A9B-052D598194B8} - \stoical ackermann -> No File <==== ATTENTION
Task: {A44E84F5-62AA-4C54-937D-524C1604E790} - \erodible darpa advisers -> No File <==== ATTENTION
Task: {A7C0839E-1D9C-41D8-AF77-F8E2B3C7BC58} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2018-02-07] (Realtek Semiconductor)
Task: {B87EA9EC-7634-412D-A6E5-C02CADD99149} - \tsanthrax_digitsanthrax_digits -> No File <==== ATTENTION
Task: {C1F95DFA-8FFC-4BD8-AD17-9064B46E922A} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe
Task: {C3FD38DB-F05F-4292-BF0C-80F625F4632A} - \mucous-apostrophes -> No File <==== ATTENTION
Task: {DBAADF4F-C06C-4563-9639-C1DD67D8DBA3} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-03-21] (Google Inc.)
Task: {E2CCDF46-05D6-409A-9CFB-57F356778AF3} - System32\Tasks\Adobe Flash Player NPAPI Notifier => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_29_0_0_113_Plugin.exe [2018-03-19] (Adobe Systems Incorporated)
Task: {E73DBACF-E89F-4F28-9CDD-40C6B9F80FDE} - System32\Tasks\Avast Software\Overseer => C:\Program Files\AVAST Software\Avast\setup\overseer.exe
Task: {F1729881-F4D6-4CC8-B8A5-D9E467900904} - \tsobtuseobtuse -> No File <==== ATTENTION
Task: {F4580DFF-B7D2-4565-A020-CB9638C33E9F} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2018-03-06] (Piriform Ltd)
Task: {F6D31186-E7D1-4488-9859-ACF11DD342F3} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [2018-03-06] (Piriform Ltd)
Task: {FEB5F35C-7BC1-4D44-949D-7F879406F781} - \tsliberally_lecherliberally_lecher -> No File <==== ATTENTION
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\EPSON Perfection V39 Update.job => C:\Program Files (x86)\epson\escndv\update\e_dtsksd.exe7/EXE_S:EPSON Perfection V39,ES010D.DAT /F:UpdateJenahĊSearches for EPSON software updates, and notifies you when updates are available.If this task is disabled or stopped, your EPSON software will not be automatically kept up to date.Thi
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
ShortcutWithArgument: C:\Users\Jenah\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\5d696d521de238c3\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome334.exe (Google Inc.) -> --profile-directory=Default
 
==================== Loaded Modules (Whitelisted) ==============
 
2018-03-20 18:59 - 2018-03-01 10:31 - 002488608 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2018-03-20 18:59 - 2018-02-05 14:44 - 002299168 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2018-02-20 16:33 - 2016-03-21 14:28 - 001357264 _____ () C:\Program Files\Tablet\Wacom\libxml2.dll
2018-02-10 02:12 - 2018-02-10 02:12 - 000614856 _____ () C:\Program Files (x86)\Common Files\Adobe\CoreSyncExtension\CoreSync_x64.dll
2018-02-27 21:08 - 2018-02-27 21:08 - 034523072 _____ () C:\Program Files (x86)\Adobe\Adobe Sync\Coresync\Coresync.exe
2018-02-14 06:03 - 2018-02-14 06:03 - 067115984 _____ () C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\CEF\libcef.dll
2018-01-30 09:38 - 2018-01-30 09:38 - 000118272 _____ () \\?\C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\js\node_modules\fs-ext\build\Release\fs-ext.node
2018-01-30 09:39 - 2018-01-30 09:39 - 000214528 _____ () \\?\C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\js\node_modules\node-vulcanjs\build\Release\VulcanJS.node
2018-01-30 09:38 - 2018-01-30 09:38 - 000117248 _____ () \\?\C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\js\node_modules\ref\build\Release\binding.node
2018-01-30 09:38 - 2018-01-30 09:38 - 000125952 _____ () \\?\C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\js\node_modules\ffi\build\Release\ffi_bindings.node
2018-02-14 06:26 - 2018-02-14 06:26 - 000111056 _____ () C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\js\node_modules\node-ProxyResolver\build\Release\ProxyResolverWin7.dll
2018-01-30 09:38 - 2018-01-30 09:38 - 000086528 _____ () \\?\C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\js\node_modules\idle-gc\build\Release\idle-gc.node
2018-02-14 06:20 - 2018-02-14 06:20 - 000125904 _____ () \\?\C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCLibrary\js\node_modules\fs-ext\build\Release\fs-ext.node
2018-02-14 06:20 - 2018-02-14 06:20 - 000125392 _____ () \\?\C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCLibrary\js\node_modules\ref\build\Release\binding.node
2018-02-14 06:20 - 2018-02-14 06:20 - 000133072 _____ () \\?\C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCLibrary\js\node_modules\ffi\build\Release\ffi_bindings.node
2018-02-14 06:20 - 2018-02-14 06:20 - 000222160 _____ () \\?\C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCLibrary\js\node_modules\node-vulcanjs\build\Release\VulcanJS.node
2018-02-14 06:20 - 2018-02-14 06:20 - 000111064 _____ () C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCLibrary\js\node_modules\node-ProxyResolver\build\Release\ProxyResolverWin7.dll
2018-02-14 06:20 - 2018-02-14 06:20 - 000106456 _____ () \\?\C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCLibrary\js\node_modules\bufferutil\build\Release\bufferutil.node
2018-02-14 06:20 - 2018-02-14 06:20 - 000094168 _____ () \\?\C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCLibrary\js\node_modules\idle-gc\build\Release\idle-gc.node
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 20:34 - 2018-03-19 13:32 - 000000856 _____ C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-382637057-1818866184-2265473509-1003\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 8.8.8.8
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{005F15E3-6388-4BBA-8109-EEEC02872424}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{2551C5D5-33CC-4F7B-ADAF-9187079A789B}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{C8B5A0DE-28BD-4F5C-872F-2300FCFC8644}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{903D6152-1434-419E-A1E7-EAE49B3AE0F7}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{A2B9455D-636B-4A76-A5DF-2C592E0AC537}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
21-03-2018 09:04:21 Windows Update
 
==================== Faulty Device Manager Devices =============
 
Name: MpKsl3d5ac123
Description: MpKsl3d5ac123
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: MpKsl3d5ac123
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
Name: 
Description: 
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (03/21/2018 09:10:24 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (03/21/2018 09:06:07 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: AGSService.exe, version: 4.5.0.814, time stamp: 0x5a4f2d48
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x74866c9c
Faulting process id: 0x678
Faulting application start time: 0x01d3c12464f6c329
Faulting application path: C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
Faulting module path: unknown
Report Id: 61796307-2d19-11e8-9caf-28c2ddb44426
 
Error: (03/21/2018 09:06:06 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: AdobeUpdateService.exe, version: 4.4.1.298, time stamp: 0x5a842d88
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x74866c9c
Faulting process id: 0x59c
Faulting application start time: 0x01d3c12464a372ff
Faulting application path: C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe
Faulting module path: unknown
Report Id: 607f728a-2d19-11e8-9caf-28c2ddb44426
 
Error: (03/21/2018 09:04:22 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine ConvertStringSidToSid(S-1-5-21-382637057-1818866184-2265473509-1000_new).  hr = 0x80070539, The security ID structure is invalid.
.
 
 
Operation:
   OnIdentify event
   Gathering Writer Data
 
Context:
   Execution Context: Shadow Copy Optimization Writer
   Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
   Writer Name: Shadow Copy Optimization Writer
   Writer Instance ID: {f62c2eb1-2aec-4401-abaf-d2109f8a1a89}
 
Error: (03/21/2018 08:54:53 AM) (Source: Windows Search Service) (EventID: 7010) (User: )
Description: The index cannot be initialized.
 
Details:
The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
 
Error: (03/21/2018 08:54:53 AM) (Source: Windows Search Service) (EventID: 3058) (User: )
Description: The application cannot be initialized.
 
Context: Windows Application
 
Details:
The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
 
Error: (03/21/2018 08:54:53 AM) (Source: Windows Search Service) (EventID: 3028) (User: )
Description: The gatherer object cannot be initialized.
 
Context: Windows Application, SystemIndex Catalog
 
Details:
The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
 
Error: (03/21/2018 08:54:53 AM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.
 
Context: Windows Application, SystemIndex Catalog
 
Details:
Element not found.  (HRESULT : 0x80070490) (0x80070490)
 
 
System errors:
=============
Error: (03/21/2018 09:53:38 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (03/21/2018 09:53:38 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (03/21/2018 09:53:38 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (03/21/2018 09:53:38 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (03/21/2018 09:53:38 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (03/21/2018 09:53:38 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (03/21/2018 09:53:38 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
Error: (03/21/2018 09:53:38 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.
 
 
CodeIntegrity:
===================================
 
Date: 2018-03-21 09:12:43.261
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\api-ms-win-core-synch-l1-2-0.dll because the set of per-page image hashes could not be found on the system.
 
Date: 2018-03-21 09:12:43.259
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\api-ms-win-core-synch-l1-2-0.dll because the set of per-page image hashes could not be found on the system.
 
Date: 2018-03-21 08:53:00.840
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\api-ms-win-core-synch-l1-2-0.dll because the set of per-page image hashes could not be found on the system.
 
Date: 2018-03-21 08:06:04.977
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\api-ms-win-core-synch-l1-2-0.dll because the set of per-page image hashes could not be found on the system.
 
Date: 2018-03-21 07:40:39.606
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\api-ms-win-core-synch-l1-2-0.dll because the set of per-page image hashes could not be found on the system.
 
Date: 2018-03-21 06:06:10.654
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\api-ms-win-core-synch-l1-2-0.dll because the set of per-page image hashes could not be found on the system.
 
Date: 2018-03-20 19:28:43.525
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\api-ms-win-core-synch-l1-2-0.dll because the set of per-page image hashes could not be found on the system.
 
Date: 2018-03-20 19:22:11.370
Description: 
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\api-ms-win-core-synch-l1-2-0.dll because the set of per-page image hashes could not be found on the system.
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-5200U CPU @ 2.20GHz
Percentage of memory in use: 57%
Total physical RAM: 3995.71 MB
Available physical RAM: 1679.24 MB
Total Virtual: 7989.63 MB
Available Virtual: 5605.85 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:464.68 GB) (Free:302.61 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
Drive f: (MULTIBOOT) (Removable) (Total:3.75 GB) (Free:3.2 GB) NTFS
 
\\?\Volume{87e90c24-2ab2-4b1c-bdb2-d49e1a17ec07}\ () (Fixed) (Total:0.81 GB) (Free:0.38 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 8120AD9B)
 
Partition: GPT.
 
========================================================
Disk: 1 (Size: 3.7 GB) (Disk ID: 73736572)
Partition 1: (Not Active) - (Size=866 GB) - (Type=72)
Partition 2: (Not Active) - (Size=931.6 GB) - (Type=6C)
Partition 00: (Not Active) - (Size=0) - (Type=00) ATTENTION ===> 0 byte partition bootkit.
Partition 3: (Not Active) - (Size=224 KB) - (Type=00)
 
==================== End of Addition.txt ============================



#2 Poptartjake (Topic Starter, Members, 16 posts)

Posted 21 March 2018 - 05:35 PM

So, both FRST and GMER identified a rootkit named gmekiwc, but I've yet to find any info about this specific rootkit. Is this just a random/generic string that's generated and assigned each time the rootkit propagates?

EDIT: I forgot to mention that I found instances of Win32/Blocrypt.C!Neng


Edited by Poptartjake, 21 March 2018 - 05:52 PM.


#3 Aura (Bleepin' Special Ops, Malware Response Team, 19,480 posts)

Posted 21 March 2018 - 06:31 PM

Hi Poptartjake :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me not to reply right after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you not to seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system: I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like formatting and reinstalling Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate it if you were to stay with me until the end, which means until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full-time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean up some malware, so let's get started, shall we? :)

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Copy/paste the following inside the text area:
    Start::
    CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
    CMD: bcdedit.exe /set {default} recoveryenabled yes
    End::
    
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
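
As an added illustration of what the two bcdedit commands in the fix above change (this is not Aura's or FRST's code; the function names Get-BcdEntry and Test-RecoveryBootSettings are chosen here), the PowerShell check below reads the Boot Manager and default OS loader entries back and confirms that displaybootmenu and recoveryenabled are both set to Yes, which is what makes the F8 boot menu and "Repair your computer" option reachable. It assumes an elevated prompt, since bcdedit refuses to run otherwise.

```powershell
# Added example, not from the thread: verify the BCD settings applied by the
# FRST fix ("bcdedit /set {bootmgr} displaybootmenu yes" and
# "bcdedit /set {default} recoveryenabled yes") by parsing bcdedit's own output.
# Assumes an elevated (Run as Administrator) PowerShell session.

function Get-BcdEntry {
    param([Parameter(Mandatory)][string]$Identifier)
    # The braces must be quoted; unquoted {bootmgr} would be parsed by
    # PowerShell as a script block instead of being passed to bcdedit.
    $lines = & bcdedit.exe /enum "$Identifier" 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit /enum $Identifier failed: $($lines -join ' ')"
    }
    $entry = @{}
    foreach ($line in $lines) {
        # Settings are printed as "<lowercase name><spaces><value>". The
        # case-sensitive match skips the "Windows Boot Manager" header, the
        # dashed rule under it, and indented continuation lines.
        if ($line -cmatch '^([a-z][a-z0-9]*)\s+(\S.*)$') {
            $entry[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $entry
}

function Test-RecoveryBootSettings {
    $bootmgr  = Get-BcdEntry -Identifier '{bootmgr}'
    $osLoader = Get-BcdEntry -Identifier '{default}'

    # A setting that was never configured is simply absent from the output,
    # so "missing" is reported the same way as an explicit "No".
    $results = [ordered]@{
        '{bootmgr} displaybootmenu' = ($bootmgr['displaybootmenu'] -eq 'Yes')
        '{default} recoveryenabled' = ($osLoader['recoveryenabled'] -eq 'Yes')
    }
    foreach ($name in $results.Keys) {
        $state = if ($results[$name]) { 'OK     ' } else { 'MISSING' }
        Write-Host ("[{0}] {1}" -f $state, $name)
    }
    return -not ($results.Values -contains $false)
}

if (-not (Test-RecoveryBootSettings)) {
    Write-Warning 'At least one setting is not enabled; the FRST fix above has not taken effect.'
}
```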


#4 Poptartjake (Topic Starter, Members, 16 posts)

Posted 21 March 2018 - 06:37 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by Jenah (21-03-2018 17:36:30) Run:3
Running from F:\
Loaded Profiles: Jenah (Available Profiles: Jenah)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
 
*****************
 
 
========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
========= bcdedit.exe /set {default} recoveryenabled yes =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
==== End of Fixlog 17:36:31 ====


#5 Aura (Bleepin' Special Ops, Malware Response Team, 19,480 posts)

Posted 22 March 2018 - 07:01 AM

For the next part, you'll need to download the FRST executable from a clean computer and move it to your USB Flash Drive. That USB can only be inserted into the infected computer if it is either shut down or in the Windows RE. Otherwise, the infection will mess with the files on the USB and you'll have to restart.

Farbar Recovery Scan Tool (FRST) - Recovery Environment Scan
Follow the instructions below to download and execute a scan on your system with FRST from the Recovery Environment, and provide the logs in your next reply.

Item(s) required:
  • USB Flash Drive (size depends on whether you have to create a USB Recovery or Installation media)
  • Another computer (clean of infection)
  • CD/DVD (optional: only needed if you need to create a Recovery or Installation media and your USB Flash Drive is too small)
Preparing the USB Flash Drive
  • Download the right version of FRST for your system from a clean computer:
    • FRST 32-bit
    • FRST 64-bit
      Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
  • Move the executable (FRST.exe or FRST64.exe) to your USB Flash Drive
Boot in the Recovery Environment
  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
    • Restart the computer
    • Once you've seen your BIOS splash screen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
    • Use the arrow keys to select Repair your computer, and press Enter
    • Select your keyboard layout (US, French, etc.) and click on Next
    • Click on Command Prompt to open the command prompt
      Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or on another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
  • To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or on another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or on another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.
  • Once in the Windows RE, plug the USB Flash Drive into the computer
Once in the command prompt
  • In the command prompt, type notepad and press Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press Enter
  • Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • Click on the Scan button and wait for the scan to complete
  • A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#6 Poptartjake (Topic Starter, Members, 16 posts)

Posted 22 March 2018 - 07:47 AM

I'm unable to get the machine to recognize any USB device while in the Windows RE. I've tried multiple USB drives and both 2.0 and 3.0 ports (only 2.0 should work anyway), but nothing is detected.



#7 Aura (Bleepin' Special Ops, Malware Response Team, 19,480 posts)

Posted 22 March 2018 - 07:50 AM

Did you try plugging the USB Flash Drive into a USB port on the motherboard directly (at the back of the computer), and not one on the computer case?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#8 Poptartjake (Topic Starter, Members, 16 posts)

Posted 22 March 2018 - 07:51 AM

Sorry, I probably should have specified that this system is a laptop.

I'm guessing I'm going to need to pick up some blank RW-capable CDs since I'm unable to get the USB ports working within Windows RE?


Edited by Poptartjake, 22 March 2018 - 08:04 AM.


#9 Poptartjake (Topic Starter, Members, 16 posts)

Posted 22 March 2018 - 09:20 AM

Not sure this will be satisfactory since I technically ran it from the recovery drive, but yeah....

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14.03.2018
Ran by SYSTEM on MININT-D21BILQ (22-03-2018 08:13:42)
Running from x:\
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [3348712 2016-02-23] (ELAN Microelectronics Corp.)
HKLM\...\Run: [AdobeGCInvoker-1.0] => C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe [315880 2018-01-05] (Adobe Systems, Incorporated)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [508128 2016-07-01] (Adobe Systems Incorporated)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [15775888 2017-08-09] (Copyright 2017.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe [299520 2017-05-11] (Intel Corporation)
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2409936 2018-02-14] (Adobe Systems Incorporated)
HKU\Default\...\Run: [OneDriveSetup] => C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup
HKU\Default\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516096 2010-11-20] (Microsoft Corporation)
HKU\Default User\...\Run: [OneDriveSetup] => C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup
HKU\Default User\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516096 2010-11-20] (Microsoft Corporation)
HKU\Jenah\...\Run: [AdobeBridge] => [X]
HKU\Jenah\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [17074688 2018-03-06] (Piriform Ltd)
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AdobeUpdateService; C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe [818128 2018-02-14] (Adobe Systems Incorporated)
S2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2319848 2018-01-05] (Adobe Systems, Incorporated)
S2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [144560 2012-05-16] (Seiko Epson Corporation)
S2 esifsvc; C:\Windows\SysWOW64\esif_uf.exe [1419424 2017-01-09] (Intel Corporation)
S2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [346152 2018-01-10] (Intel Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6440736 2018-03-03] (Malwarebytes)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
S2 WTabletServicePro; C:\Program Files\Tablet\Wacom\WTabletServicePro.exe [742864 2016-03-21] (Wacom Technology, Corp.)
S2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [15775888 2017-08-09] (Copyright 2017.)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 BtFilter; C:\Windows\System32\DRIVERS\btfilter.sys [609696 2016-11-28] (Qualcomm)
S3 dptf_cpu; C:\Windows\System32\DRIVERS\dptf_cpu.sys [52208 2017-01-09] (Intel Corporation)
S3 esif_lf; C:\Windows\System32\DRIVERS\esif_lf.sys [260080 2017-01-09] (Intel Corporation)
S0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [40448 2017-04-19] (Intel Corporation)
S3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [17280 2012-08-05] ( )
S2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [193248 2018-03-22] (Malwarebytes)
S3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [109800 2018-03-21] (Malwarebytes)
S1 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253664 2018-03-22] (Malwarebytes)
S3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [92280 2018-03-21] (Malwarebytes)
S3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [201296 2017-11-27] (Intel Corporation)
S3 RTSUER; C:\Windows\System32\Drivers\RtsUer.sys [421312 2017-10-18] (Realsil Semiconductor Corporation)
S3 WacHidRouterPro; C:\Windows\System32\DRIVERS\wachidrouter.sys [102864 2016-03-02] (Wacom Technology)
S1 ZAM; C:\Windows\System32\drivers\zam64.sys [203680 2018-03-21] (Zemana Ltd.)
S1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [203680 2018-03-21] (Zemana Ltd.)
S3 aswbdisk; no ImagePath
S3 MBAMProtection; system32\DRIVERS\mbam.sys [X]
S1 msidntfs; system32\drivers\msidntfs.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S4 vkgnrl; System32\drivers\aueocrpz.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-03-22 04:21 - 2018-03-22 04:21 - 000000000 ____D C:\Users\Jenah\AppData\Local\msbtdrn
2018-03-21 20:16 - 2018-03-20 08:40 - 027005512 _____ (Adlice Software) C:\Users\Jenah\Desktop\RogueKiller_portable64.exe
2018-03-21 20:15 - 2018-03-21 20:15 - 000000000 ____D C:\Users\Jenah\AppData\Local\csbgvpe
2018-03-21 20:14 - 2018-03-22 03:50 - 000253664 _____ (Malwarebytes) C:\Windows\System32\Drivers\mbamswissarmy.sys
2018-03-21 20:14 - 2018-03-22 03:50 - 000193248 _____ (Malwarebytes) C:\Windows\System32\Drivers\MbamChameleon.sys
2018-03-21 20:14 - 2018-03-21 20:14 - 000109800 _____ (Malwarebytes) C:\Windows\System32\Drivers\farflt.sys
2018-03-21 20:14 - 2018-03-21 20:14 - 000092280 _____ (Malwarebytes) C:\Windows\System32\Drivers\mwac.sys
2018-03-21 19:26 - 2018-03-21 19:26 - 000000000 ____D C:\Users\Jenah\AppData\Local\mbbowlx
2018-03-21 16:43 - 2018-03-21 15:01 - 005659794 ____R (Swearware) C:\Users\Jenah\Desktop\AGRO.com.exe
2018-03-21 16:42 - 2018-03-21 16:42 - 000000000 ____D C:\Users\Jenah\AppData\Local\rabsodn
2018-03-21 16:38 - 2018-03-21 16:38 - 000000000 ____D C:\32788R22FWJFW
2018-03-21 14:46 - 2018-03-21 14:46 - 000000000 ____D C:\Users\Jenah\AppData\Local\rtcpbna
2018-03-21 14:45 - 2018-03-21 14:55 - 000001078 _____ C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2018-03-21 14:45 - 2018-03-21 14:45 - 000203680 _____ (Zemana Ltd.) C:\Windows\System32\Drivers\zamguard64.sys
2018-03-21 14:45 - 2018-03-21 14:45 - 000203680 _____ (Zemana Ltd.) C:\Windows\System32\Drivers\zam64.sys
2018-03-21 14:37 - 2018-03-21 14:37 - 000000000 ____D C:\Users\Jenah\AppData\Local\aukgezc
2018-03-21 14:18 - 2018-03-21 14:18 - 000000000 ____D C:\Users\Jenah\AppData\Local\nintvga
2018-03-21 13:22 - 2018-03-21 13:22 - 006968952 _____ (ESET spol. s r.o.) C:\Users\Jenah\Downloads\esetonlinescanner_enu.exe
2018-03-21 13:22 - 2018-03-21 13:22 - 000000000 ____D C:\Users\Jenah\AppData\Local\ESET
2018-03-21 13:08 - 2018-03-21 13:08 - 000000000 ____D C:\Users\Jenah\AppData\Local\raitmxc
2018-03-21 13:00 - 2018-03-21 13:00 - 000000000 ____D C:\Users\Jenah\AppData\Local\comhbra
2018-03-21 10:14 - 2018-03-21 20:48 - 000067032 _____ C:\Windows\ZAM.krnl.trace
2018-03-21 10:14 - 2018-03-21 20:48 - 000038325 _____ C:\Windows\ZAM_Guard.krnl.trace
2018-03-21 10:13 - 2018-03-21 16:40 - 000000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2018-03-21 10:13 - 2018-03-21 10:13 - 000000000 ____D C:\Users\Jenah\AppData\Local\Zemana
2018-03-21 10:10 - 2018-03-21 13:08 - 011605440 _____ (SurfRight B.V.) C:\Users\Jenah\Desktop\Take Em Out.exe
2018-03-21 10:10 - 2018-03-21 09:43 - 008222496 _____ (Malwarebytes) C:\Users\Jenah\Desktop\AdwCleaner (1).exe
2018-03-21 10:10 - 2017-07-25 12:56 - 001792640 _____ (Bleeping Computer, LLC) C:\Users\Jenah\Desktop\rkill.exe
2018-03-21 09:48 - 2018-03-21 09:48 - 000000000 ____D C:\Users\Jenah\AppData\Local\upsxabr
2018-03-21 09:47 - 2018-03-21 09:47 - 000255928 _____ (Malwarebytes) C:\Windows\System32\Drivers\8456A180.sys
2018-03-21 09:40 - 2018-03-21 09:40 - 000000000 ____D C:\Users\Jenah\AppData\Local\wenavop
2018-03-21 09:36 - 2018-03-21 09:36 - 000000000 ____D C:\Users\Jenah\AppData\Local\vdexlth
2018-03-21 09:07 - 2018-03-21 09:07 - 000000000 ____D C:\Users\Jenah\AppData\Local\nvhugom
2018-03-21 08:20 - 2018-03-21 10:10 - 000000000 ____D C:\Users\Jenah\Desktop\mbar
2018-03-21 08:20 - 2018-03-21 08:20 - 000255928 _____ (Malwarebytes) C:\Windows\System32\Drivers\881642A2.sys
2018-03-21 08:20 - 2018-03-21 08:20 - 000000000 ____D C:\Users\Jenah\AppData\Local\lmizrvt
2018-03-21 08:19 - 2018-03-22 04:35 - 001027624 _____ C:\Windows\ntbtlog.txt
2018-03-21 07:14 - 2018-03-21 07:14 - 000000000 ____D C:\ProgramData\Emsisoft
2018-03-21 07:13 - 2018-03-21 07:13 - 000000000 ____D C:\Users\Jenah\AppData\Local\cworesa
2018-03-21 07:04 - 2011-06-02 22:57 - 000362496 _____ (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2018-03-21 07:04 - 2011-06-02 22:57 - 000243200 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
2018-03-21 07:04 - 2011-06-02 22:57 - 000214528 _____ (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2018-03-21 07:04 - 2011-06-02 22:57 - 000016384 _____ (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2018-03-21 07:04 - 2011-06-02 22:57 - 000013312 _____ (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2018-03-21 07:04 - 2011-06-02 22:53 - 000338944 _____ (Microsoft Corporation) C:\Windows\System32\conhost.exe
2018-03-21 07:04 - 2011-06-02 22:00 - 000014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2018-03-21 07:04 - 2011-06-02 21:57 - 000025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2018-03-21 07:04 - 2011-06-02 21:56 - 000005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2018-03-21 07:04 - 2011-06-02 19:53 - 000007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2018-03-21 07:04 - 2011-06-02 19:53 - 000002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2018-03-21 07:04 - 2011-05-13 23:20 - 001162752 _____ (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2018-03-21 07:04 - 2011-05-13 23:20 - 000421888 _____ (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000006144 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000005120 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000004608 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000004608 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 23:04 - 000003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:22 - 000837632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2018-03-21 07:04 - 2011-05-13 22:22 - 000272384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 22:13 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 20:15 - 000006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 20:15 - 000004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 20:15 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2018-03-21 07:04 - 2011-05-13 20:15 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2018-03-21 07:03 - 2018-03-21 07:04 - 002314805 _____ C:\Users\Jenah\Downloads\Windows6.1-KB2533623-x64.msu
2018-03-21 07:01 - 2018-03-21 07:26 - 000000000 ____D C:\EEK
2018-03-21 07:00 - 2018-03-21 06:51 - 320381672 _____ C:\Users\Jenah\Desktop\EmsisoftEmergencyKit.exe
2018-03-21 06:56 - 2018-03-21 06:56 - 000000000 ____D C:\Users\Jenah\AppData\Local\dwbloxk
2018-03-21 06:36 - 2018-03-21 06:36 - 000003870 _____ C:\Windows\System32\Tasks\CCleaner Update
2018-03-21 06:36 - 2018-03-21 06:36 - 000002788 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2018-03-21 06:36 - 2018-03-21 06:36 - 000002257 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-03-21 06:36 - 2018-03-21 06:36 - 000000824 _____ C:\Users\Public\Desktop\CCleaner.lnk
2018-03-21 06:36 - 2018-03-21 06:36 - 000000000 ____D C:\Program Files\CCleaner
2018-03-21 06:35 - 2018-03-21 06:52 - 000000000 ____D C:\Program Files\Google
2018-03-21 06:35 - 2018-03-21 06:40 - 000003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2018-03-21 06:35 - 2018-03-21 06:40 - 000003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2018-03-21 06:10 - 2018-03-21 06:12 - 000017866 _____ C:\TDSSKiller.3.1.0.16_21.03.2018_08.10.41_log.txt
2018-03-21 06:10 - 2018-03-21 06:10 - 000000000 ____D C:\Users\Jenah\AppData\Local\cgrevbw
2018-03-21 06:08 - 2018-03-21 06:10 - 000018018 _____ C:\TDSSKiller.3.1.0.16_21.03.2018_08.08.43_log.txt
2018-03-21 05:23 - 2013-10-14 16:00 - 000028368 _____ (Microsoft Corporation) C:\Windows\System32\IEUDINIT.EXE
2018-03-21 04:09 - 2018-03-21 04:09 - 000000000 ____D C:\Users\Jenah\AppData\Local\cwdxtbo
2018-03-20 20:02 - 2018-03-20 20:02 - 000000000 __SHD C:\found.000
2018-03-20 17:26 - 2018-03-20 17:26 - 000000000 ____D C:\Users\Jenah\AppData\Local\spiuhdw
2018-03-20 17:01 - 2018-03-20 17:01 - 000000000 ____D C:\Users\Jenah\AppData\Local\iaarxhd
2018-03-20 17:00 - 2018-03-20 17:00 - 000001869 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-03-20 16:59 - 2018-01-18 06:03 - 000076200 _____ C:\Windows\System32\Drivers\mbae64.sys
2018-03-20 16:24 - 2018-03-20 16:24 - 000255928 _____ (Malwarebytes) C:\Windows\System32\Drivers\371873AF.sys
2018-03-20 16:23 - 2018-03-21 10:10 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2018-03-20 14:21 - 2018-03-20 16:59 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-03-20 14:15 - 2018-03-20 14:15 - 000000000 ____D C:\Users\Jenah\AppData\Local\dwsgozr
2018-03-20 14:08 - 2018-03-22 03:49 - 002888704 _____ C:\Windows\System32\wdmhzessvc.exe
2018-03-20 13:45 - 2018-03-20 13:45 - 000000000 ____D C:\Users\Jenah\AppData\Local\mshwbeg
2018-03-20 13:14 - 2011-04-08 22:58 - 000142336 _____ (Microsoft Corporation) C:\Windows\System32\poqexec.exe
2018-03-20 13:14 - 2011-04-08 21:56 - 000123904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\poqexec.exe
2018-03-20 13:03 - 2018-03-20 13:03 - 000000000 ____D C:\Users\Jenah\AppData\Local\exencrd
2018-03-20 12:26 - 2018-03-20 12:26 - 000000000 ____D C:\Users\Jenah\AppData\Local\mbdwcex
2018-03-20 12:23 - 2018-03-21 20:14 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-03-20 12:23 - 2018-03-20 12:23 - 000005374 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2018-03-20 10:07 - 2018-03-20 10:07 - 000000000 ____D C:\Users\Jenah\AppData\Local\nihzems
2018-03-20 10:03 - 2018-03-21 06:43 - 000000000 ____D C:\Users\Jenah\AppData\Local\CrashDumps
2018-03-20 09:42 - 2015-02-03 19:16 - 000392192 _____ (Microsoft Corporation) C:\Windows\System32\WMPhoto.dll
2018-03-20 09:42 - 2015-02-03 18:54 - 000318464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll
2018-03-20 09:40 - 2018-03-20 09:40 - 000000000 ____D C:\Users\Jenah\AppData\Local\wmmszli
2018-03-20 09:14 - 2018-03-20 09:14 - 000000000 ____D C:\Users\Jenah\AppData\Local\vdmhzxn
2018-03-20 09:04 - 2018-03-21 20:17 - 000028272 _____ C:\Windows\System32\Drivers\TrueSight.sys
2018-03-20 09:04 - 2018-03-20 09:30 - 000000000 ____D C:\ProgramData\RogueKiller
2018-03-20 09:01 - 2018-03-20 09:01 - 000000000 ____D C:\Users\Jenah\AppData\Local\exbckta
2018-03-20 08:48 - 2018-03-21 13:03 - 000000000 ____D C:\AdwCleaner
2018-03-20 08:34 - 2018-03-20 08:34 - 000000000 ____D C:\Users\Jenah\AppData\Local\uskgzep
2018-03-20 08:19 - 2018-03-20 08:19 - 000000000 ____D C:\Users\Jenah\AppData\Local\siinoeh
2018-03-20 08:06 - 2018-03-20 08:06 - 000000000 ____D C:\Users\Jenah\AppData\Local\dtbuliw
2018-03-19 20:09 - 2018-03-19 20:09 - 000000000 ____D C:\Users\Jenah\AppData\Local\psotbar
2018-03-19 19:54 - 2014-05-14 08:23 - 002477536 _____ (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2018-03-19 19:54 - 2014-05-14 08:23 - 000058336 _____ (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2018-03-19 19:54 - 2014-05-14 08:23 - 000044512 _____ (Microsoft Corporation) C:\Windows\System32\wups2.dll
2018-03-19 19:54 - 2014-05-14 08:21 - 002620928 _____ (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2018-03-19 19:53 - 2014-05-14 08:23 - 000700384 _____ (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2018-03-19 19:53 - 2014-05-14 08:23 - 000581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2018-03-19 19:53 - 2014-05-14 08:23 - 000038880 _____ (Microsoft Corporation) C:\Windows\System32\wups.dll
2018-03-19 19:53 - 2014-05-14 08:23 - 000036320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2018-03-19 19:53 - 2014-05-14 08:20 - 000097792 _____ (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2018-03-19 19:53 - 2014-05-14 08:17 - 000092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2018-03-19 19:53 - 2014-05-14 07:23 - 000198600 _____ (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2018-03-19 19:53 - 2014-05-14 07:23 - 000179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2018-03-19 19:53 - 2014-05-14 07:20 - 000036864 _____ (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2018-03-19 19:53 - 2014-05-14 07:17 - 000033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2018-03-19 19:42 - 2018-03-19 19:42 - 000000000 ____D C:\Users\Jenah\AppData\Local\wimnksr
2018-03-19 19:41 - 2018-03-21 13:24 - 000000000 ____D C:\Program Files\Microsoft Security Client
2018-03-19 19:37 - 2018-03-21 13:25 - 000001945 _____ C:\Windows\epplauncher.mif
2018-03-19 18:33 - 2018-03-19 18:33 - 000000000 ____D C:\Users\Jenah\AppData\Local\svmeawh
2018-03-19 18:17 - 2018-03-19 18:17 - 000000000 ____D C:\Users\Jenah\AppData\Local\mskxzew
2018-03-19 17:49 - 2018-03-22 08:13 - 000000000 ____D C:\FRST
2018-03-19 17:48 - 2018-03-19 17:48 - 000004460 _____ C:\Windows\System32\Tasks\Adobe Flash Player NPAPI Notifier
2018-03-19 17:38 - 2018-03-19 17:38 - 000000000 ____D C:\Users\Jenah\AppData\Local\mshpikl
2018-03-19 17:29 - 2018-03-19 17:29 - 000000000 ____D C:\Users\Jenah\AppData\Local\wmoglbt
2018-03-19 16:39 - 2018-03-19 16:39 - 000000000 ____D C:\Users\Jenah\AppData\Local\cobamzk
2018-03-19 15:52 - 2018-03-19 15:52 - 000000000 ____D C:\Users\Jenah\AppData\Local\vdouenw
2018-03-19 15:32 - 2018-03-21 13:08 - 000000000 ____D C:\ProgramData\HitmanPro
2018-03-19 15:31 - 2018-03-19 15:31 - 000003910 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2018-03-19 15:31 - 2018-03-19 15:31 - 000000000 ____D C:\Windows\System32\Tasks\Avast Software
2018-03-19 15:30 - 2018-03-19 15:30 - 000000000 ____D C:\Program Files\Common Files\AVAST Software
2018-03-19 15:26 - 2018-03-20 09:37 - 000000000 ____D C:\ProgramData\AVAST Software
2018-03-19 15:20 - 2018-03-19 15:20 - 000000000 ____D C:\Users\Jenah\AppData\Local\wmcogze
2018-03-19 15:16 - 2018-03-19 15:16 - 000000000 ____D C:\Users\Jenah\AppData\Local\dtabrle
2018-03-19 14:58 - 2018-03-19 14:58 - 000000000 ____D C:\Users\Jenah\AppData\Local\snmhepk
2018-03-19 14:32 - 2018-03-19 14:32 - 000000000 ____D C:\Users\Jenah\AppData\Local\ushmlzd
2018-03-19 14:19 - 2018-03-19 14:19 - 000000000 ____D C:\Users\Jenah\AppData\Local\coibvxs
2018-03-19 14:13 - 2018-03-19 14:13 - 000000000 ____D C:\Users\Jenah\AppData\Local\mbodznc
2018-03-19 12:29 - 2018-03-20 14:09 - 000000000 ____D C:\SUPERDelete
2018-03-19 12:22 - 2018-03-19 12:22 - 000000000 ____D C:\Users\Jenah\AppData\Local\psexdwn
2018-03-19 12:19 - 2018-03-19 12:19 - 000000000 ____D C:\Windows\Minidump
2018-03-19 11:55 - 2018-03-19 11:55 - 000000000 ____D C:\Users\Jenah\AppData\Local\spkatoi
2018-03-19 11:22 - 2018-03-19 11:22 - 000000000 ____D C:\Users\Jenah\AppData\Local\dtdwcmp
2018-03-19 10:54 - 2018-03-19 10:54 - 000000000 ____D C:\Users\Jenah\AppData\Local\cskburg
2018-03-19 10:31 - 2018-03-19 10:31 - 000000000 ____D C:\Users\Jenah\AppData\Local\ElevatedDiagnostics
2018-03-19 08:23 - 2018-03-19 08:23 - 000000000 ____D C:\Users\Jenah\AppData\Local\siiokwn
2018-03-19 08:19 - 2018-03-19 15:16 - 000000000 ____D C:\Windows\pss
2018-03-19 07:25 - 2018-03-19 07:25 - 000000000 ____D C:\Users\Jenah\AppData\Local\dsekztl
2018-03-19 07:16 - 2018-03-21 20:27 - 000000000 ____D C:\Users\Jenah\AppData\Local\mbsnxlt
2018-03-19 07:16 - 2018-03-19 07:16 - 000000000 ____D C:\Windows\System32\appmgmt
2018-03-19 07:13 - 2018-03-22 08:07 - 000000000 ____D C:\Users\Jenah\AppData\Local\vselrot
2018-03-19 07:13 - 2018-03-19 07:13 - 000000000 ____D C:\Users\Jenah\AppData\Local\usaovkg
2018-03-19 07:12 - 2018-03-19 07:12 - 000000000 ____D C:\Windows\SysWOW64\wmndvxr
2018-03-19 07:12 - 2018-03-19 07:12 - 000000000 ____D C:\Windows\System32\wmndvxr
2018-03-19 07:12 - 2018-03-19 07:12 - 000000000 ____D C:\Users\Jenah\AppData\Roaming\et
2018-03-19 07:11 - 2018-03-19 07:11 - 000000012 _____ C:\Windows\b2844467
2018-03-19 07:08 - 2018-03-19 07:08 - 001231360 _____ C:\Windows\78fe709095142ae294d4ca749f58b3b0.dll
2018-03-19 03:10 - 2018-03-19 03:10 - 000762368 _____ C:\Windows\49d0488ad0cbeecbf9402ded77fbc7a3.exe
2018-03-19 03:10 - 2018-03-19 03:10 - 000047249 _____ C:\Windows\uninstaller.dat
2018-03-18 17:15 - 2018-03-18 17:15 - 000000033 _____ C:\Users\Jenah\AppData\Roaming\AdobeWLCMCache.dat
2018-03-16 16:22 - 2018-03-16 16:22 - 000002465 _____ C:\Users\Jenah\Desktop\Adobe Illustrator CC 2018.lnk
2018-03-16 16:07 - 2018-03-16 16:07 - 000001063 _____ C:\Users\Jenah\Desktop\Adobe Lightroom Classic CC.lnk
2018-03-16 12:20 - 2018-03-19 14:52 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-03-16 12:19 - 2018-03-16 12:19 - 000313544 _____ (Mozilla) C:\Users\Jenah\Downloads\Firefox Installer (1).exe
2018-03-09 08:52 - 2018-03-09 08:52 - 069323904 _____ (Malwarebytes ) C:\Users\Jenah\Downloads\mb3-setup-consumer-3.4.4.2398-1.0.322-1.0.4256.exe
2018-03-09 08:52 - 2018-03-09 08:52 - 000000000 ____D C:\Program Files\Malwarebytes
2018-02-27 10:02 - 2018-02-27 10:02 - 000000000 ____D C:\Users\Jenah\AppData\Roaming\EPSON
2018-02-27 08:31 - 2018-03-21 20:31 - 000000909 _____ C:\Windows\Tasks\EPSON Perfection V39 Update.job
2018-02-27 08:31 - 2018-02-27 08:31 - 000003976 _____ C:\Windows\System32\Tasks\EPSON Perfection V39 Update
2018-02-27 08:30 - 2018-02-27 08:30 - 000000932 _____ C:\Users\Public\Desktop\EPSON Scan.lnk
2018-02-27 08:30 - 2018-02-27 08:30 - 000000000 ____D C:\Program Files (x86)\epson
2018-02-27 08:30 - 2015-04-29 23:00 - 000216064 _____ (Seiko Epson Corporation) C:\Windows\System32\esxi010c.dll
2018-02-27 08:30 - 2015-02-05 00:00 - 000065793 _____ C:\Windows\System32\esfw010c.bin
2018-02-27 08:30 - 2014-07-10 23:00 - 000472576 _____ (Seiko Epson Corporation) C:\Windows\System32\esxw2ud.dll
2018-02-27 08:30 - 2013-12-17 23:00 - 000065536 _____ C:\Windows\SysWOW64\esint00.dll
2018-02-27 08:30 - 2012-05-16 23:00 - 000144560 _____ (Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
2018-02-27 08:28 - 2018-02-27 08:28 - 044042168 _____ C:\Users\Jenah\Downloads\epson17634.exe
2018-02-26 14:39 - 2018-02-26 14:39 - 000000000 ____H C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2018-02-21 08:43 - 2018-03-19 17:48 - 000804352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2018-02-21 08:43 - 2018-03-19 17:48 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2018-02-21 08:43 - 2018-03-19 17:48 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2018-02-21 08:43 - 2018-03-19 17:48 - 000000000 ____D C:\Windows\System32\Macromed
2018-02-21 08:01 - 2018-02-21 08:01 - 000000000 ____D C:\Users\Jenah\AppData\LocalLow\Adobe
2018-02-20 14:37 - 2018-02-20 14:37 - 000000000 ____D C:\Users\Jenah\AppData\Roaming\WTablet
2018-02-20 14:34 - 2018-02-20 14:34 - 000000000 ____H C:\Windows\System32\Drivers\Msft_Kernel_wacomrouterfilter_01009.Wdf
2018-02-20 14:34 - 2018-02-20 14:34 - 000000000 ____H C:\Windows\System32\Drivers\Msft_Kernel_wachidrouter_01009.Wdf
2018-02-20 14:34 - 2018-02-20 14:34 - 000000000 ____D C:\Program Files\TabletPlugins
2018-02-20 14:34 - 2018-02-20 14:34 - 000000000 ____D C:\Program Files (x86)\TabletPlugins
2018-02-20 14:34 - 2016-03-02 15:05 - 000014800 _____ (Wacom Technology) C:\Windows\System32\Drivers\wacomrouterfilter.sys
2018-02-20 14:33 - 2018-02-20 14:34 - 000000000 ____D C:\Program Files\Tablet
2018-02-20 14:33 - 2016-03-21 12:28 - 002116560 _____ (Wacom Technology, Corp.) C:\Windows\System32\WacomMT.dll
2018-02-20 14:33 - 2016-03-21 12:28 - 002090960 _____ (Wacom Technology, Corp.) C:\Windows\System32\Wacom_Tablet.dll
2018-02-20 14:33 - 2016-03-21 12:28 - 002084304 _____ (Wacom Technology, Corp.) C:\Windows\System32\Wacom_Touch_Tablet.dll
2018-02-20 14:33 - 2016-03-21 12:28 - 001979344 _____ (Wacom Technology, Corp.) C:\Windows\System32\Wintab32.dll
2018-02-20 14:33 - 2016-03-21 12:28 - 001695696 _____ (Wacom Technology, Corp.) C:\Windows\SysWOW64\WacomMT.dll
2018-02-20 14:33 - 2016-03-21 12:28 - 001692624 _____ (Wacom Technology, Corp.) C:\Windows\SysWOW64\Wacom_Tablet.dll
2018-02-20 14:33 - 2016-03-21 12:28 - 001685968 _____ (Wacom Technology, Corp.) C:\Windows\SysWOW64\Wacom_Touch_Tablet.dll
2018-02-20 14:33 - 2016-03-21 12:28 - 001583568 _____ (Wacom Technology, Corp.) C:\Windows\SysWOW64\Wintab32.dll
2018-02-20 14:33 - 2016-03-02 15:05 - 000102864 _____ (Wacom Technology) C:\Windows\System32\Drivers\wachidrouter.sys
2018-02-20 14:33 - 2016-03-02 15:05 - 000013776 _____ (Windows ® Win 7 DDK provider) C:\Windows\System32\Drivers\hidkmdf.sys
2018-02-20 14:33 - 2012-12-11 14:12 - 001721576 _____ (Microsoft Corporation) C:\Windows\System32\wdfcoinstaller01009.dll
2018-02-20 14:33 - 2012-12-11 14:12 - 001721576 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\wdfcoinstaller01009.dll
2018-02-20 13:12 - 2018-02-20 13:12 - 000000000 ____D C:\Users\Jenah\AppData\Local\Wacom
2018-02-20 13:10 - 2018-02-20 13:10 - 000000000 ____H C:\Windows\System32\Drivers\Msft_Kernel_wachidrouter_01011.Wdf
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-03-22 04:36 - 2009-07-13 18:34 - 020709376 _____ C:\Windows\System32\config\HARDWARE
2018-03-21 20:47 - 2009-07-13 20:45 - 000016640 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-03-21 20:47 - 2009-07-13 20:45 - 000016640 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-03-21 19:28 - 2018-02-17 15:15 - 000000000 ___RD C:\Users\Jenah\Creative Cloud Files
2018-03-21 19:28 - 2018-02-17 14:44 - 000000000 ____D C:\Users\Jenah\AppData\Local\Adobe
2018-03-21 06:54 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\inf
2018-03-21 06:52 - 2018-02-17 10:40 - 000000000 ____D C:\Program Files (x86)\Google
2018-03-21 06:43 - 2018-02-16 16:07 - 000000000 ____D C:\Windows\Panther
2018-03-21 06:42 - 2018-02-17 14:13 - 000000000 ____D C:\Users\Jenah\AppData\Local\Google
2018-03-21 06:13 - 2009-07-13 21:13 - 000785140 _____ C:\Windows\System32\PerfStringBackup.INI
2018-03-20 17:15 - 2018-02-17 14:20 - 000000000 ____D C:\Users\Jenah\Documents\UserTesting
2018-03-19 18:20 - 2009-07-13 19:20 - 000000000 ___HD C:\Windows\System32\GroupPolicy
2018-03-19 06:10 - 2018-02-17 15:29 - 000146744 _____ C:\Users\Jenah\AppData\Local\GDIPFONTCACHEV1.DAT
2018-03-18 19:27 - 2009-07-13 20:45 - 000578088 _____ C:\Windows\System32\FNTCACHE.DAT
2018-03-18 17:17 - 2018-02-17 15:29 - 000000000 ____D C:\ProgramData\regid.1986-12.com.adobe
2018-03-18 17:17 - 2018-02-17 15:03 - 000000000 ____D C:\Users\Jenah\AppData\Roaming\Adobe
2018-03-16 16:07 - 2018-02-17 15:25 - 000000000 ____D C:\Program Files\Adobe
2018-03-16 15:45 - 2018-02-17 14:20 - 000000000 ____D C:\Users\Jenah\Documents\Adobe
2018-03-16 15:20 - 2018-02-17 15:24 - 000000000 ____D C:\Program Files\Common Files\Adobe
2018-02-20 14:07 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\Registration
2018-02-20 13:41 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\rescache
 
Some files in TEMP:
====================
2018-03-21 09:07 - 2010-11-20 19:23 - 001731936 _____ (Microsoft Corporation) C:\Users\Jenah\AppData\Local\Temp\dllnt_dump.dll
2018-03-21 06:15 - 2018-03-19 15:30 - 011605440 _____ (SurfRight B.V.) C:\Users\Jenah\AppData\Local\Temp\HitmanPro.exe
 
==================== Known DLLs (Whitelisted) =========================
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== Association (Whitelisted) =============
 
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 14%
Total physical RAM: 3995.71 MB
Available physical RAM: 3418.33 MB
Total Virtual: 3993.91 MB
Available Virtual: 3428.69 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:464.68 GB) (Free:304.14 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
\\?\Volume{87e90c24-2ab2-4b1c-bdb2-d49e1a17ec07}\ () (Fixed) (Total:0.81 GB) (Free:0.38 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 8120AD9B)
 
Partition: GPT.
 
LastRegBack: 2018-03-21 15:56
 
==================== End of FRST.txt ============================


#10 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,480 posts
  • Gender:Male
  • Local time:11:45 AM

Posted 22 March 2018 - 10:53 AM

Looks like it worked. Now you should be able to install and run a scan with Malwarebytes.

Malwarebytes - Clean Mode
  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run; the time required to complete the scan depends on your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#11 Poptartjake

  • Topic Starter
  • Members
  • 16 posts
  • Local time:09:45 AM

Posted 22 March 2018 - 11:29 AM

I think I got it removed through some combination of attacks (mostly RogueKiller). I've attached my most recent logs from the various tools that had any results. 

I'm no longer seeing the known processes in the task manager and I'm not seeing any instances of VMXclient when I reboot/shutdown. I'm also able to run Zemana's normal scan now, which I couldn't do yesterday. 

Think it's clean? 

Attached Files



#12 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,480 posts
  • Gender:Male
  • Local time:11:45 AM

Posted 22 March 2018 - 12:00 PM

Almost :) Let's run AdwCleaner before moving on to a final FRST scan.

AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#13 Poptartjake

  • Topic Starter
  • Members
  • 16 posts
  • Local time:09:45 AM

Posted 22 March 2018 - 12:27 PM

Almost :) Let's run AdwCleaner before moving on to a final FRST scan.

AdwCleaner - Fix Mode

  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


I have run AdwCleaner several times in the last 2 days (including this morning), as well as in combination with rKill, but it hasn't found anything. I'll post a log in a sec, though. :)



#14 Poptartjake

Poptartjake
  • Topic Starter

  • Members
  • 16 posts

Posted 22 March 2018 - 12:29 PM

# AdwCleaner 7.0.8.0 - Logfile created on Thu Mar 22 14:49:53 2018
# Updated on 2018/08/02 by Malwarebytes 
# Database: 2018-03-22.1
# Running on Windows 7 Ultimate (X64)
# Mode: scan
 
***** [ Services ] *****
 
No malicious services found.
 
***** [ Folders ] *****
 
No malicious folders found.
 
***** [ Files ] *****
 
No malicious files found.
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
***** [ WMI ] *****
 
No malicious WMI found.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts found.
 
***** [ Tasks ] *****
 
No malicious tasks found.
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries.
 
*************************
 
C:/AdwCleaner/AdwCleaner[C0].txt - [2292 B] - [2018/3/20 16:53:37]
C:/AdwCleaner/AdwCleaner[C1].txt - [1271 B] - [2018/3/20 17:50:27]
C:/AdwCleaner/AdwCleaner[C2].txt - [1406 B] - [2018/3/20 20:57:44]
C:/AdwCleaner/AdwCleaner[C3].txt - [1540 B] - [2018/3/21 21:3:22]
C:/AdwCleaner/AdwCleaner[S0].txt - [2333 B] - [2018/3/20 16:52:39]
C:/AdwCleaner/AdwCleaner[S1].txt - [1084 B] - [2018/3/20 17:49:33]
C:/AdwCleaner/AdwCleaner[S2].txt - [1220 B] - [2018/3/20 20:57:2]
C:/AdwCleaner/AdwCleaner[S3].txt - [1355 B] - [2018/3/21 21:3:4]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt ##########
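To answer the "is it clean?" question from a pasted log without reading every section by eye, here is an added Python example (not a tool from this thread or from Malwarebytes) that splits an AdwCleaner log into its `***** [ Section ] *****` blocks, reads the `# Mode:` header, and reports whether any section lists a detection. The sample log is constructed and abbreviated from the scan-mode format posted above, and treating any line inside a section other than a "No malicious ..." line as a detection is my assumption, not documented behaviour.

```python
import re

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")

# Constructed sample, abbreviated from the scan-mode log format posted in this thread.
SAMPLE_LOG = """\
# AdwCleaner 7.0.8.0 - Logfile created on Thu Mar 22 14:49:53 2018
# Mode: scan

***** [ Services ] *****

No malicious services found.

***** [ Registry ] *****

No malicious registry entries found.

*************************

C:/AdwCleaner/AdwCleaner[S0].txt - [2333 B] - [2018/3/20 16:52:39]

########## EOF - C:\\AdwCleaner\\AdwCleaner[S4].txt ##########
"""

def log_mode(text: str) -> str:
    """Return the '# Mode:' header value ('scan' or 'clean'), or 'unknown' if absent."""
    for line in text.splitlines():
        if line.startswith("# Mode:"):
            return line.split(":", 1)[1].strip().lower()
    return "unknown"

def parse_adwcleaner_log(text: str) -> dict[str, list[str]]:
    """Map each '***** [ Section ] *****' block to the lines it lists (empty list = clean)."""
    findings: dict[str, list[str]] = {}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            findings[current] = []
        elif line.startswith("*****"):
            current = None  # the bare separator ends the sections; file list and EOF follow
        elif current and line and not line.startswith("No malicious "):
            # Assumption (not stated on the page): any other line in a section is a detection
            findings[current].append(line)
    return findings

def is_clean(findings: dict[str, list[str]]) -> bool:
    return all(not items for items in findings.values())
```

Note that a scan-mode log only tells you what was found, not what was removed; the log written after a Clean run carries `# Mode: clean`, which `log_mode` distinguishes.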


#15 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,480 posts
  • Gender:Male

Posted 22 March 2018 - 09:05 PM

That's good :) In that case, please run a new scan with FRST and provide me a fresh set of logs. I'll look for remnants.





