
[appname]mgr.exe Malware


  • This topic is locked
30 replies to this topic

#1 Muslim

  • Members

Posted 24 July 2018 - 01:43 AM

Hello,

Some time earlier, when I was scanning my PC, my AV found a trojan/agent malware called explorermgr.exe, and a sort of [appname]mgr.exe. I normally deleted them, but when I scan again, explorermgr continues to appear in the scan result,

no matter how many times I remove it.

I've searched, and the best solution seems to be to put on another OS, or format it, but I'm afraid that my USBs have the same infection.

I'm new here, so I'm sorry if I forget anything.

And thanks for listening to me <3





#2 Aura

    Bleepin' Special Ops

  • Malware Response Team

Posted 24 July 2018 - 07:27 AM

Hi Muslim :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name; it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system. I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here; better safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not; I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like formatting and reinstalling Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate it if you were to stay with me until the end, which means until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
  • This being said, I have a full-time job, so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean up some malware, so let's get started, shall we? :)

Follow the instructions in the thread below, and provide me both FRST logs (FRST.txt and Addition.txt). You can attach them in your next post, or copy/paste their content.

https://www.bleepingcomputer.com/forums/topic34773.html

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Muslim

  • Topic Starter
  • Members

Posted 24 July 2018 - 03:58 PM

Hello Yoan <3

Thanks for helping me through my problem, and thanks for your time as well. The logs you asked for:

FRST.txt


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21.07.2018
Ran by Administrator (administrator) on ADMIN (24-07-2018 22:54:29)
Running from D:\FRST
Loaded Profiles: Administrator (Available Profiles: Administrator)
Platform: Microsoft Windows 7 Super Lite  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(@ByELDI) C:\Program Files\KMSpico\Service_KMS.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Tonec Inc.) C:\Program Files\Internet Download Manager\IDMan.exe
(Tonec Inc.) C:\Program Files\Internet Download Manager\IEMonitor.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <==== ATTENTION
HKU\S-1-5-21-1287901566-2271983155-1883644339-500\...\Run: [IDMan] => C:\Program Files\Internet Download Manager\IDMan.exe [3961968 2018-07-09] (Tonec Inc.)
HKU\S-1-5-21-1287901566-2271983155-1883644339-500\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-1287901566-2271983155-1883644339-500\...\Policies\Explorer: [HideSCAHealth] 1
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{A66E294E-39A4-4E19-9250-DADA6AB22AD2}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{CFDC6703-9F25-4B6C-AFF3-578D5C155FDF}: [DhcpNameServer] 192.168.1.1 192.168.1.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKU\S-1-5-21-1287901566-2271983155-1883644339-500\Software\Microsoft\Internet Explorer\Main,Start Page = phienbanmoi.com
SearchScopes: HKLM -> {758B870D-DF78-4A6A-9955-DEDDCACF94DC} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\.DEFAULT -> {758B870D-DF78-4A6A-9955-DEDDCACF94DC} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-1287901566-2271983155-1883644339-500 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-1287901566-2271983155-1883644339-500 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-1287901566-2271983155-1883644339-500 -> {758B870D-DF78-4A6A-9955-DEDDCACF94DC} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files\Internet Download Manager\IDMIECC.dll [2018-06-20] (Internet Download Manager, Tonec Inc.)
 
FireFox:
========
FF DefaultProfile: gqzp00uv.default
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gqzp00uv.default [2018-07-23]
FF Extension: (No Name) - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gqzp00uv.default\Extensions\uBlock0@raymondhill.net.xpi [2018-07-22] [not signed]
FF Extension: (No Name) - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\gqzp00uv.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2018-07-22] [not signed]
FF Extension: (No Name) - C:\Program Files\Mozilla Firefox\browser\features\webcompat-reporter@mozilla.org.xpi [2018-07-04] [not signed]
FF HKU\S-1-5-21-1287901566-2271983155-1883644339-500\...\Firefox\Extensions: [mozilla_cc3@internetdownloadmanager.com] - C:\Program Files\Internet Download Manager\idmmzcc3.xpi
FF Extension: (No Name) - C:\Program Files\Internet Download Manager\idmmzcc3.xpi [2018-06-25] [not signed]
FF HKU\S-1-5-21-1287901566-2271983155-1883644339-500\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\Administrator\AppData\Roaming\IDM\idmmzcc5
FF Extension: (IDM CC) - C:\Users\Administrator\AppData\Roaming\IDM\idmmzcc5 [2018-07-23] [Legacy] [not signed]
FF HKU\S-1-5-21-1287901566-2271983155-1883644339-500\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files\Internet Download Manager\idmmzcc2.xpi
FF Extension: (No Name) - C:\Program Files\Internet Download Manager\idmmzcc2.xpi [2017-12-20] [not signed]
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-07-23] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-07-23] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default [2018-07-24]
CHR Extension: (Slides) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2018-07-23]
CHR Extension: (Docs) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2018-07-23]
CHR Extension: (Google Drive) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-07-23]
CHR Extension: (YouTube) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-07-23]
CHR Extension: (Sheets) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2018-07-23]
CHR Extension: (Google Docs Offline) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-07-23]
CHR Extension: (IDM Integration Module) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngpampappnmepgilojfohadhhmbhlaek [2018-07-23]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-07-23]
CHR Extension: (Gmail) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2018-07-23]
CHR Extension: (Chrome Media Router) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-07-23]
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files\Internet Download Manager\IDMGCExt.crx [2018-07-10]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4753104 2018-05-09] (Malwarebytes)
R2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [737984 2015-08-30] (@ByELDI) [File not signed]
R2 Themes; C:\Windows\system32\themeservice.dll [37888 2009-08-02] (Microsoft Corporation) [File not signed]
S4 WinDefend; %ProgramFiles%\Windows Defender\mpsvc.dll [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae.sys [129248 2018-06-19] (Malwarebytes)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [165608 2018-07-24] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [95488 2018-07-24] (Malwarebytes)
R3 MBAMProtection; C:\Windows\System32\DRIVERS\mbam.sys [42728 2018-07-24] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [220896 2018-07-24] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [73336 2018-07-24] (Malwarebytes)
U2 BDESVC; no ImagePath
U4 CscService; no ImagePath
U3 PeerDistSvc; no ImagePath
U3 StorSvc; no ImagePath
U3 UmRdpService; no ImagePath
S3 XDva538; \??\C:\Windows\system32\XDva538.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-07-24 22:39 - 2018-07-24 22:39 - 000000000 ____D C:\Users\Administrator\AppData\Local\ElevatedDiagnostics
2018-07-24 13:33 - 2018-07-24 22:47 - 000073336 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2018-07-24 13:33 - 2018-07-24 22:43 - 000095488 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2018-07-24 13:33 - 2018-07-24 22:43 - 000042728 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2018-07-24 08:55 - 2018-07-24 08:55 - 203813996 _____ C:\Windows\MEMORY.DMP
2018-07-24 08:55 - 2018-07-24 08:55 - 000000000 ____D C:\Windows\Minidump
2018-07-24 08:50 - 2018-07-24 22:43 - 000220896 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-07-24 08:50 - 2018-07-24 08:50 - 000165608 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2018-07-24 02:42 - 2018-07-24 22:54 - 000000000 ____D C:\FRST
2018-07-24 01:28 - 2018-07-24 01:28 - 000002024 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-07-24 01:28 - 2018-07-24 01:28 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-07-24 01:28 - 2018-07-24 01:28 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-07-24 01:28 - 2018-07-24 01:28 - 000000000 ____D C:\Program Files\Malwarebytes
2018-07-24 01:28 - 2018-06-19 14:09 - 000129248 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbae.sys
2018-07-24 01:26 - 2018-07-24 01:28 - 076975376 _____ (Malwarebytes ) C:\Users\Administrator\Downloads\mb3-setup-consumer-3.5.1.2522-1.0.391-1.0.6021.exe
2018-07-24 01:18 - 2018-07-24 01:18 - 000001216 _____ C:\Users\Administrator\Desktop\CFLauncher.lnk
2018-07-24 01:09 - 2018-07-24 01:09 - 000000000 _____ C:\Hello.txt
2018-07-23 22:19 - 2018-07-23 22:19 - 000000000 __SHD C:\found.000
2018-07-23 19:50 - 2018-07-24 22:40 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\DMCache
2018-07-23 19:50 - 2018-07-24 01:36 - 000000000 ____D C:\Program Files\Internet Download Manager
2018-07-23 19:50 - 2018-07-24 00:33 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\IDM
2018-07-23 19:50 - 2018-07-24 00:26 - 000000000 ____D C:\Users\Administrator\Downloads\Compressed
2018-07-23 19:50 - 2018-07-23 19:50 - 000000983 _____ C:\Users\Administrator\Desktop\Internet Download Manager.lnk
2018-07-23 19:50 - 2018-07-23 19:50 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager
2018-07-23 19:50 - 2018-07-23 19:50 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager
2018-07-23 19:50 - 2018-07-23 19:50 - 000000000 ____D C:\ProgramData\IDM
2018-07-23 07:03 - 2018-07-22 16:09 - 000000000 ____D C:\Windows\Panther
2018-07-23 07:02 - 2018-07-23 07:02 - 000008192 __RSH C:\BOOTSECT.BAK
2018-07-23 07:02 - 2010-11-20 23:29 - 000383786 __RSH C:\bootmgr
2018-07-23 06:04 - 2018-07-23 06:04 - 000216856 _____ C:\Windows\system32\FNTCACHE.DAT
2018-07-23 03:42 - 2018-07-24 08:49 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\vlc
2018-07-23 02:45 - 2018-07-23 03:05 - 000000000 ____D C:\ProgramData\Package Cache
2018-07-23 02:45 - 2015-07-18 15:08 - 000901264 _____ (Microsoft Corporation) C:\Windows\system32\ucrtbase.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000066400 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-private-l1-1-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000022368 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-math-l1-1-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000019808 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-string-l1-1-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000016224 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000015712 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-convert-l1-1-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000014176 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-time-l1-1-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000014176 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-2-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000013664 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-process-l1-1-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-heap-l1-1-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-conio-l1-1-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-utility-l1-1-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-locale-l1-1-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-environment-l1-1-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-2-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-eventing-provider-l1-1-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l2-1-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-timezone-l1-1-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l2-1-0.dll
2018-07-23 02:45 - 2015-07-18 15:08 - 000011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-2-0.dll
2018-07-23 02:15 - 2018-07-24 22:39 - 000000040 _____ C:\Windows\system32\Drivers\etc\hosts.ics
2018-07-23 02:15 - 2018-07-23 02:15 - 000000000 ____D C:\Users\Administrator\Documents\Pharaoh CF
2018-07-23 02:15 - 2018-07-23 02:15 - 000000000 ____D C:\Users\Administrator\Documents\Elite CF
2018-07-23 02:14 - 2010-06-01 23:55 - 000527192 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_7.dll
2018-07-23 02:14 - 2010-06-01 23:55 - 000239960 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_7.dll
2018-07-23 02:14 - 2010-06-01 23:55 - 000074072 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_5.dll
2018-07-23 02:14 - 2010-05-26 06:41 - 002106216 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_43.dll
2018-07-23 02:14 - 2010-05-26 06:41 - 001998168 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_43.dll
2018-07-23 02:14 - 2010-05-26 06:41 - 001868128 _____ (Microsoft Corporation) C:\Windows\system32\d3dcsx_43.dll
2018-07-23 02:14 - 2010-05-26 06:41 - 000470880 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_43.dll
2018-07-23 02:14 - 2010-05-26 06:41 - 000248672 _____ (Microsoft Corporation) C:\Windows\system32\d3dx11_43.dll
2018-07-23 02:14 - 2010-02-04 05:01 - 000528216 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_6.dll
2018-07-23 02:14 - 2010-02-04 05:01 - 000238936 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_6.dll
2018-07-23 02:14 - 2010-02-04 05:01 - 000074072 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_4.dll
2018-07-23 02:14 - 2010-02-04 05:01 - 000022360 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_7.dll
2018-07-23 02:14 - 2009-09-04 12:44 - 000515416 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_5.dll
2018-07-23 02:14 - 2009-09-04 12:44 - 000238936 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_5.dll
2018-07-23 02:14 - 2009-09-04 12:44 - 000069464 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_3.dll
2018-07-23 02:14 - 2009-09-04 12:29 - 005501792 _____ (Microsoft Corporation) C:\Windows\system32\d3dcsx_42.dll
2018-07-23 02:14 - 2009-09-04 12:29 - 001974616 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_42.dll
2018-07-23 02:14 - 2009-09-04 12:29 - 001892184 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_42.dll
2018-07-23 02:14 - 2009-09-04 12:29 - 000453456 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_42.dll
2018-07-23 02:14 - 2009-09-04 12:29 - 000235344 _____ (Microsoft Corporation) C:\Windows\system32\d3dx11_42.dll
2018-07-23 02:14 - 2009-03-16 09:18 - 000517448 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_4.dll
2018-07-23 02:14 - 2009-03-16 09:18 - 000235352 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_4.dll
2018-07-23 02:14 - 2009-03-16 09:18 - 000022360 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_6.dll
2018-07-23 02:14 - 2009-03-09 10:27 - 004178264 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_41.dll
2018-07-23 02:14 - 2009-03-09 10:27 - 001846632 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_41.dll
2018-07-23 02:14 - 2009-03-09 10:27 - 000453456 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_41.dll
2018-07-23 02:14 - 2008-10-27 05:04 - 000514384 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_3.dll
2018-07-23 02:14 - 2008-10-27 05:04 - 000235856 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_3.dll
2018-07-23 02:14 - 2008-10-27 05:04 - 000070992 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_2.dll
2018-07-23 02:14 - 2008-10-27 05:04 - 000023376 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_5.dll
2018-07-23 02:14 - 2008-10-09 23:52 - 004379984 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_40.dll
2018-07-23 02:14 - 2008-10-09 23:52 - 002036576 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_40.dll
2018-07-23 02:14 - 2008-10-09 23:52 - 000452440 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_40.dll
2018-07-23 02:14 - 2008-07-31 05:41 - 000238088 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_2.dll
2018-07-23 02:14 - 2008-07-31 05:41 - 000068616 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_1.dll
2018-07-23 02:14 - 2008-07-31 05:40 - 000509448 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_2.dll
2018-07-23 02:14 - 2008-07-10 06:01 - 000467984 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_39.dll
2018-07-23 02:14 - 2008-07-10 06:00 - 003851784 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_39.dll
2018-07-23 02:14 - 2008-07-10 06:00 - 001493528 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_39.dll
2018-07-23 02:14 - 2008-05-30 09:19 - 000507400 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_1.dll
2018-07-23 02:14 - 2008-05-30 09:18 - 000238088 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_1.dll
2018-07-23 02:14 - 2008-05-30 09:17 - 000065032 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_0.dll
2018-07-23 02:14 - 2008-05-30 09:17 - 000025608 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_4.dll
2018-07-23 02:14 - 2008-05-30 09:11 - 003850760 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_38.dll
2018-07-23 02:14 - 2008-05-30 09:11 - 001491992 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_38.dll
2018-07-23 02:14 - 2008-05-30 09:11 - 000467984 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_38.dll
2018-07-23 02:14 - 2008-03-05 11:03 - 000479752 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_0.dll
2018-07-23 02:14 - 2008-03-05 11:03 - 000238088 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_0.dll
2018-07-23 02:14 - 2008-03-05 11:00 - 000025608 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_3.dll
2018-07-23 02:14 - 2008-03-05 10:56 - 003786760 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_37.dll
2018-07-23 02:14 - 2008-03-05 10:56 - 001420824 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_37.dll
2018-07-23 02:14 - 2008-02-05 18:07 - 000462864 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_37.dll
2018-07-23 02:14 - 2007-10-21 22:39 - 000267272 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_10.dll
2018-07-23 02:14 - 2007-10-21 22:37 - 000017928 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_2.dll
2018-07-23 02:14 - 2007-10-12 10:14 - 003734536 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_36.dll
2018-07-23 02:14 - 2007-10-12 10:14 - 001374232 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_36.dll
2018-07-23 02:14 - 2007-10-02 04:56 - 000444776 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_36.dll
2018-07-23 02:14 - 2007-07-19 19:57 - 000267112 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_9.dll
2018-07-23 02:14 - 2007-07-19 13:14 - 003727720 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_35.dll
2018-07-23 02:14 - 2007-07-19 13:14 - 001358192 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_35.dll
2018-07-23 02:14 - 2007-07-19 13:14 - 000444776 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_35.dll
2018-07-23 02:14 - 2007-06-20 15:46 - 000266088 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_8.dll
2018-07-23 02:14 - 2007-05-16 11:45 - 003497832 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_34.dll
2018-07-23 02:14 - 2007-05-16 11:45 - 001124720 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_34.dll
2018-07-23 02:14 - 2007-05-16 11:45 - 000443752 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_34.dll
2018-07-23 02:14 - 2007-04-04 13:55 - 000261480 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_7.dll
2018-07-23 02:14 - 2007-04-04 13:53 - 000081768 _____ (Microsoft Corporation) C:\Windows\system32\xinput1_3.dll
2018-07-23 02:14 - 2007-03-15 11:57 - 000443752 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_33.dll
2018-07-23 02:14 - 2007-03-12 11:42 - 003495784 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_33.dll
2018-07-23 02:14 - 2007-03-12 11:42 - 001123696 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_33.dll
2018-07-23 02:14 - 2007-03-05 07:42 - 000015128 _____ (Microsoft Corporation) C:\Windows\system32\x3daudio1_1.dll
2018-07-23 02:14 - 2007-01-24 10:27 - 000255848 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_6.dll
2018-07-23 02:14 - 2006-12-08 07:02 - 000251672 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_5.dll
2018-07-23 02:14 - 2006-11-29 08:06 - 003426072 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_32.dll
2018-07-23 02:14 - 2006-11-29 08:06 - 000440080 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10.dll
2018-07-23 02:14 - 2006-09-28 11:05 - 002414360 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_31.dll
2018-07-23 02:14 - 2006-09-28 11:05 - 000237848 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_4.dll
2018-07-23 02:14 - 2006-07-28 04:30 - 000236824 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_3.dll
2018-07-23 02:14 - 2006-07-28 04:30 - 000062744 _____ (Microsoft Corporation) C:\Windows\system32\xinput1_2.dll
2018-07-23 02:14 - 2006-05-31 02:24 - 000230168 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_2.dll
2018-07-23 02:14 - 2006-03-31 07:40 - 002388176 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_30.dll
2018-07-23 02:14 - 2006-03-31 07:39 - 000229584 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_1.dll
2018-07-23 02:14 - 2006-03-31 07:39 - 000062672 _____ (Microsoft Corporation) C:\Windows\system32\xinput1_1.dll
2018-07-23 02:14 - 2006-02-03 03:43 - 002332368 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_29.dll
2018-07-23 02:14 - 2006-02-03 03:42 - 000230096 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_0.dll
2018-07-23 02:14 - 2006-02-03 03:41 - 000014032 _____ (Microsoft Corporation) C:\Windows\system32\x3daudio1_0.dll
2018-07-23 02:14 - 2005-12-05 13:09 - 002323664 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_28.dll
2018-07-23 02:14 - 2005-07-22 14:59 - 002319568 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_27.dll
2018-07-23 02:14 - 2005-05-26 10:34 - 002297552 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_26.dll
2018-07-23 02:14 - 2005-03-18 12:19 - 002337488 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_25.dll
2018-07-23 02:14 - 2005-02-05 14:45 - 002222800 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_24.dll
2018-07-23 02:01 - 2018-07-23 02:14 - 000000000 ____D C:\Windows\system32\directx
2018-07-23 01:53 - 2018-07-23 01:53 - 000002246 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-07-23 01:53 - 2018-07-23 01:53 - 000002205 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-07-23 01:53 - 2018-07-23 01:53 - 000000941 _____ C:\Users\Public\Desktop\Speccy.lnk
2018-07-23 01:53 - 2018-07-23 01:53 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Speccy
2018-07-23 01:53 - 2018-07-23 01:53 - 000000000 ____D C:\Program Files\Speccy
2018-07-23 01:47 - 2018-07-23 02:43 - 000000000 ____D C:\Users\Administrator\AppData\Local\Google
2018-07-23 01:47 - 2018-07-23 01:53 - 000000000 ____D C:\Program Files\Google
2018-07-23 00:05 - 2018-07-23 00:05 - 000330049 __RSH C:\OADXA
2018-07-22 23:52 - 2018-07-24 01:36 - 000000000 ____D C:\Program Files\KMSpico
2018-07-22 23:52 - 2018-07-22 23:52 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico
2018-07-22 23:52 - 2010-12-06 04:16 - 000090112 _____ (Vestris Inc.) C:\Windows\system32\Vestris.ResourceLib.dll
2018-07-22 23:41 - 2018-07-22 23:44 - 000000000 ____D C:\Windows\AutoKMS
2018-07-22 23:40 - 2018-07-22 23:40 - 000000000 ____D C:\ProgramData\Microsoft Toolkit
2018-07-22 23:33 - 2018-07-24 01:36 - 000000000 ____D C:\Program Files\7-Zip
2018-07-22 23:33 - 2018-07-22 23:33 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2018-07-22 23:29 - 2018-07-23 01:47 - 000000000 ____D C:\Users\Administrator\AppData\LocalLow\Mozilla
2018-07-22 23:29 - 2018-07-22 23:29 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Mozilla
2018-07-22 23:28 - 2018-07-22 23:36 - 000000000 ____D C:\Users\Administrator\AppData\Local\Mozilla
2018-07-22 23:28 - 2018-07-22 23:28 - 000001121 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2018-07-22 23:28 - 2018-07-22 23:28 - 000001109 _____ C:\Users\Public\Desktop\Firefox.lnk
2018-07-22 23:28 - 2018-07-22 23:28 - 000000000 ____D C:\Program Files\Mozilla Maintenance Service
2018-07-22 23:28 - 2018-07-22 23:28 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-07-22 21:52 - 2018-07-24 00:03 - 000000000 ___RD C:\Users\Administrator\Downloads\One Piece
2018-07-22 16:12 - 2018-07-22 16:12 - 000000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2018-07-22 16:10 - 2018-07-22 16:10 - 000001425 _____ C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-07-22 16:09 - 2018-07-22 16:10 - 000000000 ____D C:\Users\Administrator
2018-07-22 16:09 - 2018-07-22 16:09 - 000026832 _____ C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2018-07-22 16:09 - 2018-07-22 16:09 - 000000020 ___SH C:\Users\Administrator\ntuser.ini
2018-07-10 20:02 - 2018-03-01 16:36 - 000149688 _____ (Tonec Inc.) C:\Windows\system32\Drivers\idmwfp.sys
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-07-24 22:48 - 2009-07-14 06:34 - 000021840 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-07-24 22:48 - 2009-07-14 06:34 - 000021840 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-07-24 22:47 - 2010-11-20 23:01 - 000781298 _____ C:\Windows\system32\PerfStringBackup.INI
2018-07-24 22:47 - 2009-07-14 04:37 - 000000000 ____D C:\Windows\inf
2018-07-24 22:43 - 2009-07-14 06:53 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-07-23 07:02 - 2009-07-14 06:52 - 000028672 _____ C:\Windows\system32\config\BCD-Template
2018-07-23 06:07 - 2009-07-14 04:37 - 000000000 ____D C:\Windows\system32\sysprep
2018-07-23 06:04 - 2011-08-28 08:03 - 000000000 ____D C:\Windows\setup
2018-07-23 03:14 - 2009-07-14 06:46 - 000001515 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2018-07-23 02:47 - 2009-07-14 04:37 - 000000000 ____D C:\Program Files\Common Files\microsoft shared
2018-07-23 01:58 - 2009-07-14 06:53 - 000008650 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2018-07-22 16:09 - 2009-07-14 04:37 - 000000000 ____D C:\Windows\rescache
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2018-07-24 07:46
 
==================== End of FRST.txt ============================ 
 
 
Addition.txt
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 21.07.2018
Ran by Administrator (24-07-2018 22:55:10)
Running from D:\FRST
Microsoft Windows 7 Super Lite  Service Pack 1 (X86) (2018-07-22 14:09:34)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1287901566-2271983155-1883644339-500 - Administrator - Enabled) => C:\Users\Administrator
Guest (S-1-5-21-1287901566-2271983155-1883644339-501 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7-Zip 18.05 (HKLM\...\7-Zip) (Version: 18.05 - Igor Pavlov)
Google Chrome (HKLM\...\Google Chrome) (Version: 67.0.3396.99 - Google Inc.)
Google Update Helper (HKLM\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.17 - Google Inc.) Hidden
Google Update Helper (HKLM\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.21.169 - Google Inc.) Hidden
Internet Download Manager (HKLM\...\Internet Download Manager) (Version:  - Tonec Inc.)
KMSpico (HKLM\...\{8B29D47F-92E2-4C20-9EE0-F710991F5D7C}_is1) (Version:  - )
Malwarebytes version 3.5.1.2522 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.5.1.2522 - Malwarebytes)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24123 (HKLM\...\{206898cc-4b41-4d98-ac28-9f9ae57f91fe}) (Version: 14.0.24123.0 - Microsoft Corporation)
Mozilla Firefox 61.0.1 (x86 ar) (HKLM\...\Mozilla Firefox 61.0.1 (x86 ar)) (Version: 61.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 61.0.1 - Mozilla)
Speccy (HKLM\...\Speccy) (Version: 1.32 - Piriform)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ShellIconOverlayIdentifiers: [ IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files\Internet Download Manager\IDMShellExt.dll [2018-05-12] (Tonec Inc.)
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2018-04-30] (Igor Pavlov)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-05-09] (Malwarebytes)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2018-04-30] (Igor Pavlov)
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2018-04-30] (Igor Pavlov)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-05-09] (Malwarebytes)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {3F6A04A3-538F-420A-BB2F-67A79C518057} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan => d:\program files\windows defender\MpCmdRun.exe
Task: {731E9C62-95B5-4C8C-AB64-4CC591C9FF5B} - System32\Tasks\Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask => C:\Windows\system32\RAServer.exe
Task: {9A55384D-C917-46F1-B675-592E9F2BE62A} - System32\Tasks\AutoKMSCustom => C:\Windows\AutoKMS\AutoKMS.exe [2018-07-22] ()
Task: {AB90720F-854C-4BBE-9F40-3FD630567B4F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2018-07-23] (Google Inc.)
Task: {D314E245-BEF1-4BAC-8277-12B80BD26723} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2018-07-23] (Google Inc.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2018-07-24 01:28 - 2018-06-18 13:32 - 002169040 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2018-07-24 01:28 - 2018-07-03 12:59 - 002077904 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2018-07-23 01:53 - 2018-06-22 21:04 - 002242904 ____N () C:\Program Files\Google\Chrome\Application\67.0.3396.99\swiftshader\libglesv2.dll
2018-07-23 01:53 - 2018-06-22 21:04 - 000109912 ____N () C:\Program Files\Google\Chrome\Application\67.0.3396.99\swiftshader\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 04:04 - 2009-06-10 23:39 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1287901566-2271983155-1883644339-500\Control Panel\Desktop\\Wallpaper -> C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 0) (EnableLUA: 0)
mpsdrv => Firewall Service is not running.
MpsSvc => Firewall Service is not running.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{C6081FA6-258B-482B-8EB5-A44B818AC3A6}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{0929B2ED-FBCE-44B3-BF29-215CC38FB60C}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{1523BA46-A127-4ACC-8FCE-FCBFE75C9C22}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{758BC4C6-B771-4EC4-8097-8EC4CF1F66CA}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe
FirewallRules: [{0FD61B0F-7128-4253-AB6F-62C1F983BD93}] => (Allow) LPort=1688
FirewallRules: [{7B8E9197-A6BC-4162-BEC6-12B43BD2AE69}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{B3F47F43-249E-4A15-8AEF-4B016598BE72}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
 
==================== Restore Points =========================
 
Check "winmgmt" service or repair WMI.
 
 
==================== Faulty Device Manager Devices =============
 
Name: 
Description: 
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: 
Description: 
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (07/24/2018 10:45:06 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (07/24/2018 10:45:06 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (07/24/2018 10:45:06 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (07/24/2018 10:45:00 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (07/24/2018 10:45:00 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (07/24/2018 10:39:25 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (07/24/2018 10:39:22 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (07/24/2018 10:38:48 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: CFLauncher.exe, version: 1.0.1.5, time stamp: 0x5b302430
Faulting module name: KERNELBASE.dll, version: 6.1.7601.17514, time stamp: 0x4ce7b8f0
Exception code: 0xe0434352
Fault offset: 0x0000b760
Faulting process id: 0xd54
Faulting application start time: 0x01d4238e52bdc7f4
Faulting application path: D:\Mine\My Games\CrossFire Pharaoh\CFLauncher.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 90a5d53b-8f81-11e8-94a4-001eec693bad
 
 
System errors:
=============
Error: (07/24/2018 10:51:46 PM) (Source: atapi) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort2.
 
Error: (07/24/2018 10:51:46 PM) (Source: atapi) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort2.
 
Error: (07/24/2018 10:51:46 PM) (Source: atapi) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort2.
 
Error: (07/24/2018 10:51:46 PM) (Source: atapi) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort2.
 
Error: (07/24/2018 10:51:46 PM) (Source: atapi) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort2.
 
Error: (07/24/2018 10:51:46 PM) (Source: atapi) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort2.
 
Error: (07/24/2018 10:49:34 PM) (Source: atapi) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort2.
 
Error: (07/24/2018 10:49:34 PM) (Source: atapi) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort2.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Pentium® Dual CPU T2370 @ 1.73GHz
Percentage of memory in use: 33%
Total physical RAM: 3062.02 MB
Available physical RAM: 2038.47 MB
Total Virtual: 6122.32 MB
Available Virtual: 5063.54 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:49.44 GB) (Free:33.75 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: () (Fixed) (Total:99.61 GB) (Free:94.06 GB) NTFS
 
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 149.1 GB) (Disk ID: 1ACA7FDB)
Partition 1: (Active) - (Size=49.4 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=99.6 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================ 
 
I'm waiting for your reply :)


#4 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,683 posts
  • Gender:Male
  • Local time:10:19 AM

Posted 25 July 2018 - 07:36 AM

What Antivirus are you using? Can you provide me the log showing the appnamemgr.exe detection, so I can see what is being detected exactly?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 Muslim
  • Topic Starter

  • Members
  • 16 posts
  • Local time:04:19 PM

Posted 25 July 2018 - 04:59 PM

I'm using Malwarebytes AV; if you mean the reports from when my AV detects this trojan/agent malware, I've uploaded them at the following links:

ibb.co/dDyKpT
ibb.co/kHazpT
ibb.co/gF4EOo


#6 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,683 posts
  • Gender:Male
  • Local time:10:19 AM

Posted 25 July 2018 - 05:03 PM

In that case, let's run a scan with it and see if it detects anything else.

Malwarebytes - Clean Mode
  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run; the time required to complete the scan depends on your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply
Also, did you just install Windows on that computer?



#7 Muslim
  • Topic Starter

  • Members
  • 16 posts
  • Local time:04:19 PM

Posted 25 July 2018 - 10:05 PM

Malwarebytes logs:

 

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 7/26/18
Scan Time: 5:00 AM
Log File: ff8adb5e-907f-11e8-b70c-00188b66b2d9.json
Administrator: Yes
 
-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.374
Update Package Version: 1.0.6067
License: Free
 
-System Information-
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: ADMIN\Administrator
 
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 155370
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 2 min, 7 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 1
Trojan.Agent, C:\WINDOWS\EXPLORERMGR.EXE, Quarantined, [393], [217229],1.0.6067
 
Physical Sector: 0
(No malicious items detected)
 
WMI: 0
(No malicious items detected)
 
 
(end)

 

And yes, I think it's my third day on that Windows; if you're thinking that Windows came with that virus, it's not.

I have an old PC that was infected with the same virus, and I moved some infected folders via USB to my new PC,

so I think that's the reason/place where the "mgr's" come from.


Edited by Muslim, 25 July 2018 - 10:06 PM.


#8 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,683 posts
  • Gender:Male
  • Local time:10:19 AM

Posted 26 July 2018 - 10:34 AM

Autoruns - Start-up Entries
Follow the instructions below to give me an Autoruns log containing your start-up entries:
  • Download Autoruns.zip from the Sysinternals Suite webpage
  • Extract the content of the Autoruns.zip folder where you want, then go in the folder, right-click on Autoruns.exe and select Run as Administrator
  • Accept the EULA on opening, then wait for all the entries to load
  • Click on File then Save and save the file to a location easily accessible as a .arn (Autoruns) file
  • Right-click on the file you saved and select Send to followed by Compressed (zipped) folder
  • Attach the .zip file on your next post, or if it says that it's too big, upload it on SendSpace and post the download URL for it here



#9 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,683 posts
  • Gender:Male
  • Local time:10:19 AM

Posted 29 July 2018 - 10:00 AM

Hi Muslim,

Are you still with me?



#10 Muslim
  • Topic Starter

  • Members
  • 16 posts
  • Local time:04:19 PM

Posted 30 July 2018 - 05:09 AM

Yes, I'm still here.

Sorry for my late reply, it wasn't intentional.

The file you asked for: sendspace.com/file/8oj4oq



#11 Muslim
  • Topic Starter

  • Members
  • 16 posts
  • Local time:04:19 PM

Posted 30 July 2018 - 05:22 AM

And I have also run another Malwarebytes scan today.

It looks like that trojan has expanded to include more .exe programs.

The scan log, which I think may help:

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 7/30/18
Scan Time: 7:27 AM
Log File: 4e0e21c9-93b9-11e8-936d-00188b66b2d9.json
Administrator: Yes
 
-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.391
Update Package Version: 1.0.6067
License: Free
 
-System Information-
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: ADMIN\Administrator
 
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 156314
Threats Detected: 7
Threats Quarantined: 7
Time Elapsed: 3 min, 5 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 1
Trojan.Agent.VBS, HKU\S-1-5-21-4245168380-2294002832-3813998034-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|MicrosoftRuntimeUpdate, Quarantined, [2767], [536192],1.0.6067
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 6
Trojan.Agent, C:\WINDOWS\EXPLORERMGR.EXE, Quarantined, [393], [217229],1.0.6067
Trojan.Agent.VBS, C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\LIBRARIES\MicrosoftRuntimeUpdate.vbe, Quarantined, [2767], [536192],1.0.6067
Generic.Malware/Suspicious, C:\WINDOWS\SYSTEM32\DLLHOSTMGR.EXE, Quarantined, [0], [392686],1.0.6067
Generic.Malware/Suspicious, C:\WINDOWS\SYSTEM32\TASKMGRMGR.EXE, Quarantined, [0], [392686],1.0.6067
Trojan.Agent, C:\PROGRAM FILES\CHEAT ENGINE 6.8\CHEATENGINE-I386MGR.EXE, Quarantined, [393], [267367],1.0.6067
Trojan.Agent, C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYERMGR.EXE, Quarantined, [393], [267367],1.0.6067
 
Physical Sector: 0
(No malicious items detected)
 
WMI: 0
(No malicious items detected)
 
 

(end) 
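As an added example, not code from the thread, from Malwarebytes or from either poster: the two scan logs above share one naming pattern, a file called <name>mgr.exe dropped beside a legitimate <name>.exe, plus a .vbe script started from a Run value. The Python below sweeps a folder tree (a USB drive, for instance) for that pair and pulls both patterns out of a Malwarebytes text log; the directory layout and the log excerpt inside it are constructed samples (the log lines mirror the detections posted above, the files are harmless stub bytes).

```python
"""Sweep for the <name>mgr.exe companion pattern and pull it out of a Malwarebytes log.

Added example for this thread, not code from BleepingComputer, Malwarebytes or the
poster. The directory layout and log excerpt below are constructed samples.
"""
import ntpath
import os
import re
import tempfile
from pathlib import Path

# Every file detection in the thread ends the same way: explorermgr.exe beside
# explorer.exe, dllhostmgr.exe beside dllhost.exe, wmplayermgr.exe beside wmplayer.exe.
COMPANION_SUFFIX = "mgr.exe"
SCRIPT_EXT = (".vbe", ".vbs", ".js", ".jse", ".wsf")


def companion_stem(filename):
    """Return the program name if `filename` is <name>mgr.exe (any case), else None."""
    low = filename.lower()
    if low.endswith(COMPANION_SUFFIX) and len(low) > len(COMPANION_SUFFIX):
        return low[: -len(COMPANION_SUFFIX)]
    return None


def find_companion_executables(root):
    """Walk `root`; report each <name>mgr.exe that has a <name>.exe in the same folder.
    A lone *mgr.exe (a real "file manager") is not reported, only the pair is."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        for f in files:
            stem = companion_stem(f)
            if stem and f"{stem}.exe" in present:
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


# Malwarebytes "-Scan Details-" lines look like:
#   <threat>, <path or registry value>, <action>, [<id>], [<id>],<update package>
MBAM_LINE = re.compile(r"^(?P<threat>[^,]+), (?P<path>[^,]+), (?P<action>[^,]+),")


def parse_mbam_detections(log_text):
    """Return (threat, path, action) for every detection line in a Malwarebytes text log."""
    found = []
    for line in log_text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            found.append((m["threat"], m["path"], m["action"]))
    return found


def companion_detections(log_text):
    """Quarantined paths from the log whose file name follows the <name>mgr.exe pattern."""
    return [p for _t, p, _a in parse_mbam_detections(log_text)
            if companion_stem(ntpath.basename(p))]


def script_persistence(log_text):
    """Detections that are a Run value or a script dropper: the persistence leg of the infection."""
    return [(t, p) for t, p, _a in parse_mbam_detections(log_text)
            if "\\RUN|" in p.upper() or p.lower().endswith(SCRIPT_EXT)]


# Constructed sample log: the detection lines from the 30 July scan posted above.
SAMPLE_LOG = r"""
Registry Value: 1
Trojan.Agent.VBS, HKU\S-1-5-21-4245168380-2294002832-3813998034-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|MicrosoftRuntimeUpdate, Quarantined, [2767], [536192],1.0.6067

File: 6
Trojan.Agent, C:\WINDOWS\EXPLORERMGR.EXE, Quarantined, [393], [217229],1.0.6067
Trojan.Agent.VBS, C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\LIBRARIES\MicrosoftRuntimeUpdate.vbe, Quarantined, [2767], [536192],1.0.6067
Generic.Malware/Suspicious, C:\WINDOWS\SYSTEM32\DLLHOSTMGR.EXE, Quarantined, [0], [392686],1.0.6067
Generic.Malware/Suspicious, C:\WINDOWS\SYSTEM32\TASKMGRMGR.EXE, Quarantined, [0], [392686],1.0.6067
Trojan.Agent, C:\PROGRAM FILES\CHEAT ENGINE 6.8\CHEATENGINE-I386MGR.EXE, Quarantined, [393], [267367],1.0.6067
Trojan.Agent, C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYERMGR.EXE, Quarantined, [393], [267367],1.0.6067
"""


def build_sample_tree():
    """Constructed directory layout mirroring the thread; files are stub bytes, not executables."""
    root = Path(tempfile.mkdtemp(prefix="mgr_sweep_"))
    layout = {
        "Windows": ["explorer.exe", "explorermgr.exe"],
        "Windows/system32": ["dllhost.exe", "dllhostmgr.exe", "taskmgr.exe",
                             "taskmgrmgr.exe", "notepad.exe"],
        "Tools": ["filemgr.exe"],  # legitimately named, no file.exe beside it: not flagged
    }
    for sub, names in layout.items():
        folder = root / sub
        folder.mkdir(parents=True, exist_ok=True)
        for name in names:
            (folder / name).write_bytes(b"stub")
    return str(root)
```

Run `find_companion_executables` against a mounted USB drive's root to see whether the same pairs travelled with the copied folders; note that taskmgr.exe itself is not flagged because no task.exe sits beside it, which is why the sibling check matters.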



#12 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,683 posts
  • Gender:Male
  • Local time:10:19 AM

Posted 30 July 2018 - 11:49 AM

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

Attached Files




#13 Muslim
  • Topic Starter

  • Members
  • 16 posts
  • Local time:04:19 PM

Posted 01 August 2018 - 02:10 AM

Fix result of Farbar Recovery Scan Tool (x86) Version: 21.07.2018
Ran by Administrator (01-08-2018 09:06:17) Run:1
Running from C:\Users\Administrator\Downloads\New folder
Loaded Profiles: Administrator (Available Profiles: Administrator)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
 
CMD: dir /a "C:\Program Files (x86)"
CMD: dir /a "C:\Program Files"
CMD: dir /a "C:\ProgramData"
CMD: dir /a "C:\Users\Administrator\AppData\Local"
CMD: dir /a "C:\Users\Administrator\AppData\LocalLow"
CMD: dir /a "C:\Users\Administrator\AppData\Roaming"
 
EmptyTemp:
*****************
 
Processes closed successfully.
Error: (0) Failed to create a restore point.
 
========= dir /a "C:\Program Files (x86)" =========
 
 Volume in drive C has no label.
 Volume Serial Number is B437-B23A
 
 Directory of C:\
 
File Not Found
 
========= End of CMD: =========
 
 
========= dir /a "C:\Program Files" =========
 
 Volume in drive C has no label.
 Volume Serial Number is B437-B23A
 
 Directory of C:\Program Files
 
08/01/2018  02:53 AM    <DIR>          .
08/01/2018  02:53 AM    <DIR>          ..
06/22/2018  07:35 AM    <DIR>          Broadcom
07/30/2018  07:31 AM    <DIR>          Cheat Engine 6.8
06/21/2018  01:45 AM    <DIR>          Combined Community Codec Pack
07/30/2018  03:50 PM    <DIR>          Common Files
07/18/2018  07:11 PM    <DIR>          Dell
07/14/2009  06:41 AM               174 desktop.ini
06/24/2018  03:38 PM    <DIR>          Internet Explorer
06/24/2018  04:47 PM    <DIR>          Malwarebytes
08/26/2011  10:29 PM    <DIR>          Microsoft Games
06/11/2018  08:48 AM    <DIR>          Microsoft.NET
08/01/2018  02:47 AM         1,018,864 mirror_go_setup_full1906.exe
07/14/2009  06:52 AM    <DIR>          Reference Assemblies
06/22/2018  07:04 AM    <DIR>          Speccy
06/24/2018  12:48 PM    <DIR>          SWFPlayer
07/14/2009  06:53 AM    <DIR>          Uninstall Information
07/30/2018  04:06 PM    <DIR>          Windows Media Player
08/15/2012  04:47 AM    <DIR>          Windows NT
04/12/2011  04:16 AM    <DIR>          Windows Photo Viewer
11/20/2010  11:33 PM    <DIR>          Windows Portable Devices
04/12/2011  04:16 AM    <DIR>          Windows Sidebar
06/22/2018  01:54 PM    <DIR>          Windscribe
08/01/2018  02:53 AM    <DIR>          Wondershare
               2 File(s)      1,019,038 bytes
              22 Dir(s)   4,339,666,944 bytes free
 
========= End of CMD: =========
 
 
========= dir /a "C:\ProgramData" =========
 
 Volume in drive C has no label.
 Volume Serial Number is B437-B23A
 
 Directory of C:\ProgramData
 
08/01/2018  02:54 AM    <DIR>          .
08/01/2018  02:54 AM    <DIR>          ..
07/30/2018  03:50 PM    <DIR>          Adobe
07/14/2009  06:53 AM    <JUNCTION>     Application Data [C:\ProgramData]
07/18/2018  06:28 PM    <DIR>          Dell Inc
07/14/2009  06:53 AM    <JUNCTION>     Desktop [C:\Users\Public\Desktop]
07/14/2009  06:53 AM    <JUNCTION>     Documents [C:\Users\Public\Documents]
07/14/2009  06:53 AM    <JUNCTION>     Favorites [C:\Users\Public\Favorites]
06/11/2018  07:18 PM    <DIR>          IDM
07/18/2018  06:21 PM    <DIR>          Intel
06/24/2018  04:47 PM    <DIR>          Malwarebytes
07/23/2018  03:36 AM    <DIR>          Microsoft
07/21/2018  05:36 AM    <DIR>          Package Cache
07/21/2018  05:37 AM    <DIR>          PCDr
07/02/2018  06:45 PM    <DIR>          Solid State Networks
07/14/2009  06:53 AM    <JUNCTION>     Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
07/21/2018  05:37 AM    <DIR>          SupportAssist
07/14/2009  06:53 AM    <JUNCTION>     Templates [C:\ProgramData\Microsoft\Windows\Templates]
08/01/2018  02:54 AM    <DIR>          Wondershare
               0 File(s)              0 bytes
              19 Dir(s)   4,339,666,944 bytes free
 
========= End of CMD: =========
 
 
========= dir /a "C:\Users\Administrator\AppData\Local" =========
 
 Volume in drive C has no label.
 Volume Serial Number is B437-B23A
 
 Directory of C:\Users\Administrator\AppData\Local
 
07/27/2018  06:25 PM    <DIR>          .
07/27/2018  06:25 PM    <DIR>          ..
07/30/2018  03:50 PM    <DIR>          Adobe
06/24/2018  05:23 PM    <DIR>          aIiXJGQusj
06/11/2018  08:32 AM    <JUNCTION>     Application Data [C:\Users\Administrator\AppData\Local]
07/15/2018  05:37 PM    <DIR>          CEF
06/22/2018  07:18 AM    <DIR>          DriverToolkit
07/29/2018  04:17 AM    <DIR>          ElevatedDiagnostics
06/23/2018  08:49 AM    <DIR>          EpicGamesLauncher
07/15/2018  05:37 PM    <DIR>          Facebook
07/21/2018  06:31 PM            26,832 GDIPFONTCACHEV1.DAT
06/12/2018  10:17 AM    <DIR>          Google
06/11/2018  08:32 AM    <JUNCTION>     History [C:\Users\Administrator\AppData\Local\Microsoft\Windows\History]
07/29/2018  07:28 PM         2,589,406 IconCache.db
07/24/2018  07:05 AM    <DIR>          Microsoft
06/22/2018  12:50 PM    <DIR>          Opera Software
06/22/2018  12:50 PM    <DIR>          Programs
08/01/2018  09:05 AM    <DIR>          Temp
06/11/2018  08:32 AM    <JUNCTION>     Temporary Internet Files [C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files]
06/23/2018  08:49 AM    <DIR>          UnrealEngine
06/18/2018  08:15 AM    <DIR>          Windscribe
               2 File(s)      2,616,238 bytes
              19 Dir(s)   4,339,666,944 bytes free
 
========= End of CMD: =========
 
 
========= dir /a "C:\Users\Administrator\AppData\LocalLow" =========
 
 Volume in drive C has no label.
 Volume Serial Number is B437-B23A
 
 Directory of C:\Users\Administrator\AppData\LocalLow
 
07/15/2018  05:47 PM    <DIR>          .
07/15/2018  05:47 PM    <DIR>          ..
07/15/2018  05:47 PM    <DIR>          MADFINGER Games, a_s_
06/14/2018  04:21 PM    <DIR>          Microsoft
07/22/2018  06:52 PM    <DIR>          Mozilla
               0 File(s)              0 bytes
               5 Dir(s)   4,339,666,944 bytes free
 
========= End of CMD: =========
 
 
========= dir /a "C:\Users\Administrator\AppData\Roaming" =========
 
 Volume in drive C has no label.
 Volume Serial Number is B437-B23A
 
 Directory of C:\Users\Administrator\AppData\Roaming
 
08/01/2018  02:53 AM    <DIR>          .
08/01/2018  02:53 AM    <DIR>          ..
07/30/2018  03:51 PM    <DIR>          Adobe
08/01/2018  07:50 AM    <DIR>          DMCache
06/15/2018  05:50 AM    <DIR>          Google
06/22/2018  01:48 PM    <DIR>          IDM
06/22/2018  07:09 AM    <DIR>          kingdom_rush_frontiers
07/30/2018  07:31 AM    <DIR>          libraries
06/16/2018  01:56 AM    <DIR>          Macromedia
07/18/2018  07:12 PM    <DIR>          Microsoft
06/22/2018  12:50 PM    <DIR>          Opera Software
07/21/2018  02:23 AM    <DIR>          Psiphon3
08/01/2018  08:59 AM    <DIR>          vlc
06/11/2018  07:49 PM    <DIR>          WinRAR
08/01/2018  02:53 AM    <DIR>          Wondershare
               0 File(s)              0 bytes
              15 Dir(s)   4,339,662,848 bytes free
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 41516401 B
Java, Flash, Steam htmlcache => 11635 B
Windows/system/drivers => 110066424 B
Edge => 0 B
Chrome => 44848628 B
Firefox => 0 B
Opera => 254735494 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 83391 B
LocalService => 0 B
NetworkService => 0 B
Administrator => 311848104 B
 
RecycleBin => 0 B
EmptyTemp: => 727.8 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 09:06:35 ====


#14 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:19 AM

Posted 01 August 2018 - 07:23 AM

Good!

Farbar Recovery Scan Tool (FRST) - File Search
Follow the instructions below to download and execute a file search on your system with FRST, and provide the log in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds
  • In the Search text area, copy and paste the following:
    *mgr.exe
  • Once done, click on the Search Files button and wait for FRST to finish the search
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#15 Muslim

Muslim
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:04:19 PM

Posted 01 August 2018 - 02:26 PM

Farbar Recovery Scan Tool (x86) Version: 01.08.2018
Ran by Administrator (01-08-2018 21:25:42)
Running from C:\Users\Administrator\Downloads\New folder
Boot Mode: Normal
 
================== Search Files: "*mgr.exe" =============
 
C:\Windows.old\Program Files\WinRAR\WinRARmgr.exe
[2018-07-22 19:05][2018-07-28 15:54] 000135680 _____ () EBC35BF5774A4B75CD45638CECB74DB3 [File not signed]
 
C:\Windows.old\Program Files\Skillbrains\lightshot\5.4.0.10\Lightshotmgr.exe
[2018-07-01 15:17][2018-07-19 07:23] 000135680 _____ () EBC35BF5774A4B75CD45638CECB74DB3 [File not signed]
 
C:\Windows.old\Program Files\K-Lite Codec Pack\MPC-HC\mpc-hcmgr.exe
[2018-06-24 17:32][2018-07-22 18:54] 000135680 _____ () EBC35BF5774A4B75CD45638CECB74DB3 [File not signed]
 
C:\Windows.old\Program Files\Internet Download Manager\IDManmgr.exe
[2018-07-22 03:35][2018-07-23 06:08] 000135680 _____ () EBC35BF5774A4B75CD45638CECB74DB3 [File not signed]
 
C:\Windows.old\Program Files\Google\Chrome\Application\chromemgr.exe
[2018-06-24 18:27][2018-08-01 09:01] 000135680 _____ () EBC35BF5774A4B75CD45638CECB74DB3 [File not signed]
 
C:\Windows.old\Program Files\DVDVideoMedia\Free Video Cutter Joiner\Free Video Cutter Joinermgr.exe
[2018-06-25 06:38][2018-08-01 15:44] 000135680 _____ () EBC35BF5774A4B75CD45638CECB74DB3 [File not signed]
 
C:\Windows\explorermgr.exe
[2018-08-01 10:53][2018-08-01 21:24] 000135680 _____ () EBC35BF5774A4B75CD45638CECB74DB3 [File not signed]
 
C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_0b66cb34258c936f\PkgMgr.exe
[2010-11-20 23:12][2010-11-20 23:12] 000209920 _____ (Microsoft Corporation) C06A8EB439D3451DF15828FF1CB7D0F8 [File is digitally signed]
 
C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7600.16385_none_0935b76c289e0fd5\PkgMgr.exe
[2009-07-14 04:10][2009-07-14 04:10] 000209920 _____ (Microsoft Corporation) D2B19FE4790BFAB4D921E743B7DD0C17 [File is digitally signed]
 
C:\Windows\winsxs\x86_microsoft-windows-packagemanager_31bf3856ad364e35_6.1.7601.17514_none_eedf2e0751865eb2\PkgMgr.exe
[2010-11-20 23:29][2010-11-20 23:29] 000209920 _____ (Microsoft Corporation) C06A8EB439D3451DF15828FF1CB7D0F8 [File is digitally signed]
 
C:\Windows\System32\cleanmgr.exe
[2009-07-14 01:40][2009-07-14 03:14] 000212480 _____ (Microsoft Corporation) 500CA0B50ED17BD76F60085F97885AD1 [File is digitally signed]
 
C:\Windows\System32\DllHostmgr.exe
[2018-07-31 06:07][2018-07-31 06:07] 000135680 _____ () EBC35BF5774A4B75CD45638CECB74DB3 [File not signed]
 
C:\Windows\System32\PkgMgr.exe
[2010-11-20 23:29][2010-11-20 23:29] 000209920 _____ (Microsoft Corporation) C06A8EB439D3451DF15828FF1CB7D0F8 [File is digitally signed]
 
C:\Windows\System32\taskmgr.exe
[2010-11-20 23:29][2010-11-20 23:29] 000227328 _____ (Microsoft Corporation) 545BF7EAA24A9E062857D0742EC0B28A [File is digitally signed]
 
C:\Windows\System32\wermgr.exe
[2009-07-14 01:27][2009-07-14 03:14] 000053760 _____ (Microsoft Corporation) C9905EA4C326DAB778B9297BA5BD1889 [File is digitally signed]
 
C:\Windows\System32\wiaacmgr.exe
[2009-07-14 02:15][2009-07-14 03:14] 000088576 _____ (Microsoft Corporation) 9A4988F8F374388255F52DE5BD8A1B31 [File is digitally signed]
 
C:\Users\Administrator\Desktop\Unemployee\psiphon3mgr.exe
[2018-07-21 02:19][2018-07-21 02:36] 000135680 _____ () EBC35BF5774A4B75CD45638CECB74DB3 [File not signed]
 
C:\Users\Administrator\Desktop\New Folder\Autorunsmgr.exe
[2018-07-30 12:04][2018-07-30 12:04] 000135680 _____ () EBC35BF5774A4B75CD45638CECB74DB3 [File not signed]
 
C:\Users\Administrator\AppData\Local\Programs\Opera\53.0.2907.106_0\operamgr.exe
[2018-06-24 18:11][2018-08-01 02:46] 000135680 _____ () EBC35BF5774A4B75CD45638CECB74DB3 [File not signed]
 
C:\Program Files\Wondershare\WAF\2.4.2.222\WsAppClientmgr.exe
[2018-08-01 03:06][2018-08-01 03:06] 000135680 _____ () EBC35BF5774A4B75CD45638CECB74DB3 [File not signed]
 
C:\Program Files\Windows Media Player\wmplayermgr.exe
[2018-07-30 16:06][2018-07-30 16:06] 000135680 _____ () EBC35BF5774A4B75CD45638CECB74DB3 [File not signed]
 
 
====== End of Search ======
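The search log above has one feature worth making explicit for anyone triaging a similar FRST result: every unsigned `*mgr.exe` hit has the same size (135680 bytes) and the same MD5, while the genuine Microsoft binaries that happen to match the wildcard (taskmgr.exe, cleanmgr.exe, PkgMgr.exe, wermgr.exe, wiaacmgr.exe) are signed and have distinct hashes. The following Python script is an added example, not part of this thread and not FRST's own code: it parses a log in the "Search Files" layout shown here (path line, then a bracketed metadata line), groups the unsigned hits by MD5, and reports any hash that recurs across several unrelated directories together with the program each copy sits beside. The sample log embedded in it is constructed from a handful of the entries in this post; the cluster threshold of three and the rule that strips a trailing "mgr" from the file name are assumptions taken from the naming pattern reported in this thread, not a general rule for all malware.

```python
"""Triage an FRST 'Search Files' log: group hits by MD5 and flag unsigned
clusters whose copies share one hash and size across unrelated directories."""
import re
from collections import defaultdict

# Constructed sample in the FRST search-log layout seen in this thread: a path line
# followed by "[created][modified] size attrs (company) MD5 [signature status]".
SAMPLE_LOG = """\
================== Search Files: "*mgr.exe" =============

C:\\Windows.old\\Program Files\\Google\\Chrome\\Application\\chromemgr.exe
[2018-06-24 18:27][2018-08-01 09:01] 000135680 _____ () EBC35BF5774A4B75CD45638CECB74DB3 [File not signed]

C:\\Windows\\explorermgr.exe
[2018-08-01 10:53][2018-08-01 21:24] 000135680 _____ () EBC35BF5774A4B75CD45638CECB74DB3 [File not signed]

C:\\Windows\\System32\\cleanmgr.exe
[2009-07-14 01:40][2009-07-14 03:14] 000212480 _____ (Microsoft Corporation) 500CA0B50ED17BD76F60085F97885AD1 [File is digitally signed]

C:\\Windows\\System32\\DllHostmgr.exe
[2018-07-31 06:07][2018-07-31 06:07] 000135680 _____ () EBC35BF5774A4B75CD45638CECB74DB3 [File not signed]

C:\\Windows\\System32\\PkgMgr.exe
[2010-11-20 23:29][2010-11-20 23:29] 000209920 _____ (Microsoft Corporation) C06A8EB439D3451DF15828FF1CB7D0F8 [File is digitally signed]

C:\\Windows\\System32\\taskmgr.exe
[2010-11-20 23:29][2010-11-20 23:29] 000227328 _____ (Microsoft Corporation) 545BF7EAA24A9E062857D0742EC0B28A [File is digitally signed]

C:\\Program Files\\Windows Media Player\\wmplayermgr.exe
[2018-07-30 16:06][2018-07-30 16:06] 000135680 _____ () EBC35BF5774A4B75CD45638CECB74DB3 [File not signed]

====== End of Search ======
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
META_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<size>\d+)\s+(?P<attrs>\S+)\s+\((?P<company>[^)]*)\)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\[(?P<sig>[^\]]+)\]"
)


def parse_frst_search(text):
    """Return one dict per hit: path, name, size (int), company, md5 (upper), signed (bool)."""
    entries, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            pending = line  # path line; its metadata follows on the next line
            continue
        m = META_RE.match(line)
        if m and pending:
            entries.append({
                "path": pending,
                "name": pending.rsplit("\\", 1)[-1],
                "size": int(m["size"]),
                "company": m["company"],
                "md5": m["md5"].upper(),
                "signed": m["sig"].lower() == "file is digitally signed",
            })
            pending = None
    return entries


def find_hash_clusters(entries, min_count=3):
    """Group unsigned hits by MD5; keep hashes seen in >= min_count distinct directories."""
    by_md5 = defaultdict(list)
    for e in entries:
        if not e["signed"]:
            by_md5[e["md5"]].append(e)
    clusters = {}
    for md5, hits in by_md5.items():
        dirs = {h["path"].rsplit("\\", 1)[0].lower() for h in hits}
        if len(hits) >= min_count and len(dirs) >= min_count:
            clusters[md5] = hits
    return clusters


def companion_name(filename):
    """'explorermgr.exe' -> 'explorer.exe': the program the copy sits beside.
    The trailing 'mgr' is the naming pattern from this thread (an assumption), not a general rule."""
    stem, dot, ext = filename.rpartition(".")
    if stem.lower().endswith("mgr"):
        return stem[:-3] + dot + ext
    return None


def triage(text, min_count=3):
    """Full pass: parse, cluster, and list the program each clustered copy appears to shadow."""
    clusters = find_hash_clusters(parse_frst_search(text), min_count)
    return {
        md5: {
            "count": len(hits),
            "sizes": sorted({h["size"] for h in hits}),
            "paths": [h["path"] for h in hits],
            "shadows": sorted({companion_name(h["name"]) for h in hits} - {None}),
        }
        for md5, hits in clusters.items()
    }


if __name__ == "__main__":
    for md5, info in triage(SAMPLE_LOG).items():
        print(f"{md5}: {info['count']} unsigned copies, size(s) {info['sizes']}")
        for p in info["paths"]:
            print("   ", p)
        print("    appears beside:", ", ".join(info["shadows"]))
```

Run against the sample it reports a single cluster of four unsigned copies, all 135680 bytes, sitting beside chrome.exe, explorer.exe, DllHost.exe and wmplayer.exe, while the signed Microsoft hits drop out entirely. Signed-by-Microsoft is used here only as a filter for noise from the `*mgr.exe` wildcard; the actual signal is one hash recurring in many unrelated install directories, which is what distinguishes a dropped companion file from a legitimately shared helper.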




