
win32 malware gen

Do you have a virus problem? Post your FRST or RSIT log here.

Moderator: Moderators

Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]

Individual threads will be locked once resolved, as will those that stay inactive for more than 14 days. See the Rule on locking topics. Thank you for your understanding.

!NEW!
You can now use the remote assistance service, where an expert connects to your computer and obtains further details about the problem from you by phone! More at www.neslape.cz
AaronP
Visitor
Posts: 20
Registered: 17 Mar 2018 19:39

win32 malware gen

#1 Post by AaronP »

Hi,
I'm asking for help with the beast named above. Obviously I'm nowhere near the first, but everywhere I read warnings that the solutions are individualized, so I don't want to blindly follow some guide. I've already tried most of the usual commercial solutions, but it keeps coming back. I have several folders in c:\windows\temp into which infected files keep being copied from somewhere.
Can I provide a log? And from what?
Thanks!

Conder
VIP
Posts: 4399
Registered: 30 Dec 2013 22:29
Location: Bratislava

Re: win32 malware gen

#2 Post by Conder »

Hi :)

:arrow: In which location does your antivirus report this malware?

:arrow: Please post both FRST logs following this guide (FRST.txt and Addition.txt): https://forum.viry.cz/viewtopic.php?f=13&t=152707

:arrow: If FRSTLauncher cannot be downloaded or run, use plain FRST on its own.

:arrow: If the logs don't fit into one post, pack them into a RAR or ZIP archive and send them as an attachment.
Graduate of the school for newbies :)
E-mail: conder (at) forum.viry.cz

If anything is unclear, ask. I recommend always having a backup of important data (documents, photos and so on).

Fixlists and other scripts are written only for a specific PC. Do not use them on other devices, otherwise you risk damaging the system or losing data.
If you have a problem similar to another user's, please open your own topic.

If you are satisfied, you can support the forum. Thank you!

AaronP
Visitor
Posts: 20
Registered: 17 Mar 2018 19:39

Re: win32 malware gen

#3 Post by AaronP »

Conder wrote:Hi :)

:arrow: In which location does your antivirus report this malware?

:arrow: Please post both FRST logs following this guide (FRST.txt and Addition.txt): https://forum.viry.cz/viewtopic.php?f=13&t=152707

:arrow: If FRSTLauncher cannot be downloaded or run, use plain FRST on its own.

:arrow: If the logs don't fit into one post, pack them into a RAR or ZIP archive and send them as an attachment.
Thanks for the lightning-fast reply. I don't like those several blaring virus alerts on viry.xf.cz one bit, but worst case I'll shoot myself and come back to haunt you.

The antivirus reports the malware in c:\windows\temp\

FRST.TXT:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14.03.2018
Ran by GWC (administrator) on SMOKIE (17-03-2018 20:03:46)
Running from C:\Users\GWC\Desktop
Loaded Profiles: GWC (Available Profiles: GWC)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: Čeština (Česká republika)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(FileZilla Project) C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
() C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(CANON INC.) C:\Windows\System32\spool\drivers\x64\3\CNAP2LAK.EXE
(Disc Soft Ltd) C:\Program Files\DAEMON Tools Lite\DTAgent.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe
(FileZilla Project) C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe
(Disc Soft Ltd) C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
(CANON INC.) C:\Windows\System32\spool\drivers\x64\3\CNAP2RPK.EXE
(CANON INC.) C:\Windows\System32\spool\drivers\x64\3\CNAC8SWK.EXE
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
() \\kuikdelivery.com\SYSVOL\kuikdelivery.com\scripts\distx.exe
() \\kuikdelivery.com\SYSVOL\kuikdelivery.com\scripts\dist.exe
(Microsoft Corporation) C:\Windows\SysWOW64\more.com
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
() C:\Windows\Temp\IXP002.TMP\COM Surrogate.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(forum.viry.cz) C:\Users\GWC\Desktop\FRSTLauncher.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [16697352 2016-08-26] (Realtek Semiconductor)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [321096 2017-03-29] (Intel Corporation)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [245608 2018-03-13] (AVAST Software)
HKLM\...\Run: [CNAP2 Launcher] => C:\Windows\system32\spool\DRIVERS\x64\3\CNAP2LAK.EXE [226784 2010-10-14] (CANON INC.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe [299504 2016-08-18] (Intel Corporation)
HKLM-x32\...\Run: [RUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe [115048 2011-09-20] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [FileZilla Server Interface] => C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe [2770088 2017-02-08] (FileZilla Project)
HKLM-x32\...\Run: [NeroFilterCheck] => C:\Windows\SysWOW64\NeroCheck.exe [155648 2001-07-09] (Ahead Software Gmbh)
HKLM\...\RunOnce: [wextract_cleanup0] => rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Windows\TEMP\IXP002.TMP\" <==== ATTENTION
HKLM-x32\...\RunOnce: [wextract_cleanup0] => rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Windows\TEMP\IXP001.TMP\" <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-2450825360-3699682863-3957725698-1000\...\Run: [DAEMON Tools Lite Automount] => C:\Program Files\DAEMON Tools Lite\DTAgent.exe [4836032 2017-08-14] (Disc Soft Ltd)
HKU\S-1-5-21-2450825360-3699682863-3957725698-1000\...\Run: [Skype for Desktop] => C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe [50100160 2018-03-02] (Skype Technologies S.A.)
HKU\S-1-5-18\...\RunOnce: [SPReview] => "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"hxxp://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 10.0.0.138
Tcpip\..\Interfaces\{04D9C501-E130-438A-8B0B-4119AAB2E210}: [DhcpNameServer] 10.0.0.138
Tcpip\..\Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963}: [NameServer] 8.8.8.8

Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2450825360-3699682863-3957725698-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

FireFox:
========
FF DefaultProfile: 1u1q175r.default
FF ProfilePath: C:\Users\GWC\AppData\Roaming\Mozilla\Firefox\Profiles\1u1q175r.default [2018-03-17]
FF Extension: (Safe Browsing Version 4 (temporary add-on)) - C:\Users\GWC\AppData\Roaming\Mozilla\Firefox\Profiles\1u1q175r.default\Extensions\sbv4-gradual-rollout@mozilla.com.xpi [2017-11-05] [Legacy]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-03-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-03-17] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.7 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.6 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2018-02-11] (Adobe Systems Inc.)

Chrome:
=======
CHR Profile: C:\Users\GWC\AppData\Local\Google\Chrome\User Data\Default [2018-03-17]
CHR Extension: (No Name) - C:\Users\GWC\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2018-03-17]
CHR Extension: (No Name) - C:\Users\GWC\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-03-17]
CHR Extension: (No Name) - C:\Users\GWC\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-03-17]
CHR Extension: (Adobe Acrobat) - C:\Users\GWC\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2018-03-17]
CHR Extension: (No Name) - C:\Users\GWC\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-03-17]
CHR Extension: (Chrome Web Store Payments) - C:\Users\GWC\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-03-17]
CHR Extension: (No Name) - C:\Users\GWC\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2018-03-17]
CHR Extension: (Chrome Media Router) - C:\Users\GWC\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-03-17]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7556704 2018-03-13] (AVAST Software)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [303728 2018-03-13] (AVAST Software)
R3 Disc Soft Lite Bus Service; C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe [2291904 2017-08-14] (Disc Soft Ltd)
R2 FileZilla Server; C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe [859304 2017-02-08] (FileZilla Project)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [17992 2017-03-29] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [333280 2016-09-26] (Intel Corporation)
R2 NativeDesktopMediaService; C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe [2015744 2018-02-05] () [File not signed] <==== ATTENTION
S3 WatAdminSvc; C:\Windows\system32\Wat\WatAdminSvc.exe [1255736 2017-11-05] ()
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 nmlngcoh; C:\Windows\SysWOW64\nmlngcoh\fgjilvvv.exe [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 aswArPot; C:\Windows\System32\drivers\aswArPot.sys [196648 2018-03-13] (AVAST Software)
R1 aswbidsdriver; C:\Windows\System32\drivers\aswbidsdrivera.sys [227504 2018-03-13] (AVAST Software)
R0 aswbidsh; C:\Windows\System32\drivers\aswbidsha.sys [199440 2018-03-13] (AVAST Software)
R0 aswblog; C:\Windows\System32\drivers\aswbloga.sys [343752 2018-03-13] (AVAST Software)
R0 aswbuniv; C:\Windows\System32\drivers\aswbuniva.sys [57680 2018-03-13] (AVAST Software)
S3 aswHwid; C:\Windows\System32\drivers\aswHwid.sys [46968 2018-03-13] (AVAST Software)
R2 aswMonFlt; C:\Windows\System32\drivers\aswMonFlt.sys [146656 2018-03-13] (AVAST Software)
R1 aswRdr; C:\Windows\System32\drivers\aswRdr2.sys [110328 2018-03-13] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\drivers\aswRvrt.sys [84368 2018-03-13] (AVAST Software)
R1 aswSnx; C:\Windows\System32\drivers\aswSnx.sys [1026696 2018-03-13] (AVAST Software)
R1 aswSP; C:\Windows\System32\drivers\aswSP.sys [460520 2018-03-13] (AVAST Software)
R2 aswStm; C:\Windows\System32\drivers\aswStm.sys [205976 2018-03-13] (AVAST Software)
R0 aswVmm; C:\Windows\System32\drivers\aswVmm.sys [380528 2018-03-13] (AVAST Software)
R3 dtlitescsibus; C:\Windows\System32\DRIVERS\dtlitescsibus.sys [30264 2017-11-05] (Disc Soft Ltd)
R3 dtliteusbbus; C:\Windows\System32\DRIVERS\dtliteusbbus.sys [47672 2017-11-05] (Disc Soft Ltd)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [545776 2017-09-22] (Intel Corporation)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [41472 2017-03-29] (Intel Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [199736 2016-09-06] (Intel Corporation)
R0 pwdrvio; C:\Windows\System32\pwdrvio.sys [19152 2013-09-30] ()
S3 pwdspio; C:\Windows\system32\pwdspio.sys [12504 2013-09-30] ()
R3 rusb3hub; C:\Windows\System32\DRIVERS\rusb3hub.sys [114568 2012-08-27] (Renesas Electronics Corporation)
R3 rusb3xhc; C:\Windows\System32\DRIVERS\rusb3xhc.sys [230280 2012-08-27] (Renesas Electronics Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 EsgScanner; system32\DRIVERS\EsgScanner.sys [X]
S3 NAVENG; \??\C:\Program Files (x86)\Norton Security\NortonData\22.7.0.76\Definitions\SDSDefs\20171104.021\ENG64.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security\NortonData\22.7.0.76\Definitions\SDSDefs\20171104.021\EX64.SYS [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-03-17 20:03 - 2018-03-17 20:04 - 000014300 _____ C:\Users\GWC\Desktop\FRST.txt
2018-03-17 20:03 - 2018-03-17 20:03 - 000000000 ____D C:\FRST
2018-03-17 20:01 - 2018-03-17 20:02 - 000112640 _____ (forum.viry.cz) C:\Users\GWC\Desktop\FRSTLauncher.exe
2018-03-17 19:54 - 2018-03-17 19:54 - 002403328 _____ (Farbar) C:\Users\GWC\Desktop\FRST64.exe
2018-03-17 19:26 - 2018-03-17 19:31 - 000000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2018-03-17 19:26 - 2018-03-17 19:30 - 000007831 _____ C:\Windows\ZAM_Guard.krnl.trace
2018-03-17 19:26 - 2018-03-17 19:29 - 000018324 _____ C:\Windows\ZAM.krnl.trace
2018-03-17 19:26 - 2018-03-17 19:26 - 000000000 ____D C:\Users\GWC\AppData\Local\Zemana
2018-03-17 17:44 - 2018-03-17 17:44 - 000000000 ____D C:\ProgramData\Emsisoft
2018-03-17 17:25 - 2018-03-17 17:33 - 000000000 ____D C:\ProgramData\HitmanPro
2018-03-17 17:20 - 2018-03-17 17:21 - 069823608 _____ (Malwarebytes ) C:\Users\GWC\Downloads\mb3-setup-consumer-3.4.4.2398-1.0.322-1.0.4380.exe
2018-03-17 16:28 - 2018-03-17 16:28 - 000000000 _____ C:\autoexec.bat
2018-03-17 16:24 - 2018-03-17 16:24 - 002411920 _____ C:\Users\GWC\Downloads\winrar-x64-550cz.exe
2018-03-17 16:24 - 2018-03-17 16:24 - 000000000 ____D C:\Program Files\WinRAR
2018-03-17 16:23 - 2018-03-17 16:23 - 000002306 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-03-17 16:23 - 2018-03-17 16:23 - 000002265 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-03-17 16:22 - 2018-03-17 16:22 - 000003384 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2018-03-17 16:22 - 2018-03-17 16:22 - 000003256 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2018-03-17 16:19 - 2018-03-17 16:19 - 000000000 ____D C:\Windows\system32\appmgmt
2018-03-17 15:10 - 2018-03-17 17:25 - 000001006 __RSH C:\ProgramData\ntuser.pol
2018-03-17 15:08 - 2018-03-09 04:39 - 005580992 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2018-03-17 15:08 - 2018-03-09 04:39 - 000708288 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2018-03-17 15:08 - 2018-03-09 04:39 - 000262336 _____ (Microsoft Corporation) C:\Windows\system32\hal.dll
2018-03-17 15:08 - 2018-03-09 04:39 - 000154816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2018-03-17 15:08 - 2018-03-09 04:39 - 000095424 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2018-03-17 15:08 - 2018-03-09 04:18 - 000631640 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2018-03-17 15:08 - 2018-03-09 04:14 - 004044992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2018-03-17 15:08 - 2018-03-09 04:14 - 004025536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2018-03-17 15:08 - 2018-03-09 04:09 - 001665336 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 001461248 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 001212928 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 001163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000880640 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000731648 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000463872 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000419840 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000361984 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000345600 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000316928 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000312320 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000215552 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000210432 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000190464 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000123904 _____ (Microsoft Corporation) C:\Windows\system32\bcrypt.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000094720 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000063488 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000059904 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000044032 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000043520 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000034816 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000007168 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:47 - 001314064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 001114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000666112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000644096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000554496 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000342528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000275456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000261120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000254464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000082944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\bcrypt.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000070144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:38 - 000148480 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2018-03-17 15:08 - 2018-03-09 03:38 - 000062464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2018-03-17 15:08 - 2018-03-09 03:38 - 000017920 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2018-03-17 15:08 - 2018-03-09 03:37 - 000064512 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2018-03-17 15:08 - 2018-03-09 03:34 - 000338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2018-03-17 15:08 - 2018-03-09 03:34 - 000129536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\videoprt.sys
2018-03-17 15:08 - 2018-03-09 03:33 - 000296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2018-03-17 15:08 - 2018-03-09 03:31 - 000160256 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2018-03-17 15:08 - 2018-03-09 03:30 - 000291328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2018-03-17 15:08 - 2018-03-09 03:30 - 000129536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2018-03-17 15:08 - 2018-03-09 03:29 - 000112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2018-03-17 15:08 - 2018-03-09 03:29 - 000030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2018-03-17 15:08 - 2018-03-09 03:26 - 000050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2018-03-17 15:08 - 2018-03-09 03:22 - 000036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2018-03-17 15:08 - 2018-03-09 03:22 - 000025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2018-03-17 15:08 - 2018-03-09 03:22 - 000014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2018-03-17 15:08 - 2018-03-09 03:22 - 000007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2018-03-17 15:08 - 2018-03-09 03:22 - 000002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2018-03-17 15:08 - 2018-03-09 03:21 - 000006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:21 - 000004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:21 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:21 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2018-03-17 15:08 - 2018-03-01 09:36 - 003226112 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2018-03-17 15:08 - 2018-02-22 04:28 - 000217600 _____ (Microsoft Corporation) C:\Windows\system32\WinSCard.dll
2018-03-17 15:08 - 2018-02-22 04:06 - 000134656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WinSCard.dll
2018-03-17 15:08 - 2018-02-18 22:34 - 000634272 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2018-03-17 15:08 - 2018-02-17 05:27 - 000395928 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2018-03-17 15:08 - 2018-02-17 04:36 - 000340088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2018-03-17 15:08 - 2018-02-16 16:51 - 000489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2018-03-17 15:08 - 2018-02-16 16:51 - 000315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2018-03-17 15:08 - 2018-02-16 16:51 - 000092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2018-03-17 15:08 - 2018-02-16 16:45 - 025742848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2018-03-17 15:08 - 2018-02-16 16:44 - 013678080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2018-03-17 15:08 - 2018-02-16 16:24 - 000416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2018-03-17 15:08 - 2018-02-16 16:24 - 000279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2018-03-17 15:08 - 2018-02-16 16:24 - 000076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2018-03-17 15:08 - 2018-02-16 16:19 - 020286976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2018-03-17 15:08 - 2018-02-16 15:37 - 000088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2018-03-17 15:08 - 2018-02-16 15:37 - 000064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2018-03-17 15:08 - 2018-02-15 16:15 - 003241472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2018-03-17 15:08 - 2018-02-15 15:57 - 002767872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2018-03-17 15:08 - 2018-02-10 19:35 - 000367296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\msrpc.sys
2018-03-17 15:08 - 2018-02-10 19:35 - 000334528 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\acpi.sys
2018-03-17 15:08 - 2018-02-10 19:35 - 000185024 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\pci.sys
2018-03-17 15:08 - 2018-02-10 19:35 - 000122560 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\NV_AGP.SYS
2018-03-17 15:08 - 2018-02-10 19:35 - 000068288 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\volmgr.sys
2018-03-17 15:08 - 2018-02-10 19:35 - 000064192 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ULIAGPKX.SYS
2018-03-17 15:08 - 2018-02-10 19:35 - 000063168 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\termdd.sys
2018-03-17 15:08 - 2018-02-10 19:35 - 000060608 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\AGP440.sys
2018-03-17 15:08 - 2018-02-10 19:35 - 000036032 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\vdrvroot.sys
2018-03-17 15:08 - 2018-02-10 19:35 - 000031936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mssmbios.sys
2018-03-17 15:08 - 2018-02-10 19:35 - 000023744 _____ (Microsoft Corporation) C:\Windows\system32\streamci.dll
2018-03-17 15:08 - 2018-02-10 19:35 - 000020160 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\isapnp.sys
2018-03-17 15:08 - 2018-02-10 19:35 - 000015040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\msisadrv.sys
2018-03-17 15:08 - 2018-02-10 19:35 - 000012096 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\swenum.sys
2018-03-17 15:08 - 2018-02-10 19:23 - 002292224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MSVidCtl.dll
2018-03-17 15:08 - 2018-02-10 19:23 - 000330240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\zipfldr.dll
2018-03-17 15:08 - 2018-02-10 19:23 - 000111616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\racpldlg.dll
2018-03-17 15:08 - 2018-02-10 19:11 - 003665920 _____ (Microsoft Corporation) C:\Windows\system32\MSVidCtl.dll
2018-03-17 15:08 - 2018-02-10 19:11 - 000369664 _____ (Microsoft Corporation) C:\Windows\system32\zipfldr.dll
2018-03-17 15:08 - 2018-02-10 19:11 - 000133120 _____ (Microsoft Corporation) C:\Windows\system32\msrahc.dll
2018-03-17 15:08 - 2018-02-10 19:11 - 000119296 _____ (Microsoft Corporation) C:\Windows\system32\racpldlg.dll
2018-03-17 15:08 - 2018-02-10 18:55 - 002724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2018-03-17 15:08 - 2018-02-10 18:55 - 000004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2018-03-17 15:08 - 2018-02-10 18:40 - 002901504 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2018-03-17 15:08 - 2018-02-10 18:40 - 000577536 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2018-03-17 15:08 - 2018-02-10 18:40 - 000417280 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2018-03-17 15:08 - 2018-02-10 18:40 - 000066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2018-03-17 15:08 - 2018-02-10 18:40 - 000048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2018-03-17 15:08 - 2018-02-10 18:37 - 005779968 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2018-03-17 15:08 - 2018-02-10 18:36 - 000108032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msra.exe
2018-03-17 15:08 - 2018-02-10 18:36 - 000040960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sdchange.exe
2018-03-17 15:08 - 2018-02-10 18:36 - 000007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MsraLegacy.tlb
2018-03-17 15:08 - 2018-02-10 18:32 - 000054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2018-03-17 15:08 - 2018-02-10 18:31 - 000034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2018-03-17 15:08 - 2018-02-10 18:29 - 000615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2018-03-17 15:08 - 2018-02-10 18:28 - 000144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2018-03-17 15:08 - 2018-02-10 18:28 - 000116224 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2018-03-17 15:08 - 2018-02-10 18:27 - 000817152 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2018-03-17 15:08 - 2018-02-10 18:27 - 000814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2018-03-17 15:08 - 2018-02-10 18:26 - 000653312 _____ (Microsoft Corporation) C:\Windows\system32\msra.exe
2018-03-17 15:08 - 2018-02-10 18:26 - 000051712 _____ (Microsoft Corporation) C:\Windows\system32\sdchange.exe
2018-03-17 15:08 - 2018-02-10 18:25 - 000014336 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\wmiacpi.sys
2018-03-17 15:08 - 2018-02-10 18:25 - 000009728 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\errdev.sys
2018-03-17 15:08 - 2018-02-10 18:25 - 000007168 _____ (Microsoft Corporation) C:\Windows\system32\MsraLegacy.tlb
2018-03-17 15:08 - 2018-02-10 18:22 - 002724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2018-03-17 15:08 - 2018-02-10 18:20 - 000969216 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2018-03-17 15:08 - 2018-02-10 18:10 - 000499712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2018-03-17 15:08 - 2018-02-10 18:10 - 000077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2018-03-17 15:08 - 2018-02-10 18:10 - 000062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2018-03-17 15:08 - 2018-02-10 18:09 - 000341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2018-03-17 15:08 - 2018-02-10 18:09 - 000107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2018-03-17 15:08 - 2018-02-10 18:09 - 000087552 _____ (Microsoft Corporation) C:\Windows\system32\tdc.ocx
2018-03-17 15:08 - 2018-02-10 18:09 - 000047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2018-03-17 15:08 - 2018-02-10 18:06 - 002295296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2018-03-17 15:08 - 2018-02-10 18:06 - 000199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2018-03-17 15:08 - 2018-02-10 18:03 - 000047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2018-03-17 15:08 - 2018-02-10 18:03 - 000030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2018-03-17 15:08 - 2018-02-10 18:01 - 000476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2018-03-17 15:08 - 2018-02-10 18:01 - 000152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2018-03-17 15:08 - 2018-02-10 18:00 - 000661504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2018-03-17 15:08 - 2018-02-10 18:00 - 000620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2018-03-17 15:08 - 2018-02-10 18:00 - 000115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2018-03-17 15:08 - 2018-02-10 17:57 - 015281664 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2018-03-17 15:08 - 2018-02-10 17:52 - 000262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2018-03-17 15:08 - 2018-02-10 17:50 - 000807936 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2018-03-17 15:08 - 2018-02-10 17:50 - 000726528 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2018-03-17 15:08 - 2018-02-10 17:47 - 002134016 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2018-03-17 15:08 - 2018-02-10 17:47 - 001359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2018-03-17 15:08 - 2018-02-10 17:47 - 000073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
2018-03-17 15:08 - 2018-02-10 17:47 - 000060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2018-03-17 15:08 - 2018-02-10 17:46 - 000091136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2018-03-17 15:08 - 2018-02-10 17:44 - 000168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2018-03-17 15:08 - 2018-02-10 17:41 - 000130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2018-03-17 15:08 - 2018-02-10 17:40 - 004496384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2018-03-17 15:08 - 2018-02-10 17:35 - 000230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2018-03-17 15:08 - 2018-02-10 17:34 - 000694784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2018-03-17 15:08 - 2018-02-10 17:33 - 002058240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2018-03-17 15:08 - 2018-02-10 17:33 - 001155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2018-03-17 15:08 - 2018-02-10 17:23 - 001545728 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2018-03-17 15:08 - 2018-02-10 17:12 - 000800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2018-03-17 15:08 - 2018-02-10 17:11 - 001313792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2018-03-17 15:08 - 2018-02-10 17:09 - 000710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2018-03-17 15:08 - 2018-02-02 19:40 - 000114368 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe
2018-03-17 15:08 - 2018-02-02 19:29 - 002365952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2018-03-17 15:08 - 2018-02-02 19:29 - 000337408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msihnd.dll
2018-03-17 15:08 - 2018-02-02 19:29 - 000025088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msimsg.dll
2018-03-17 15:08 - 2018-02-02 19:28 - 001806848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2018-03-17 15:08 - 2018-02-02 19:16 - 003246080 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2018-03-17 15:08 - 2018-02-02 19:16 - 000504320 _____ (Microsoft Corporation) C:\Windows\system32\msihnd.dll
2018-03-17 15:08 - 2018-02-02 19:16 - 000025088 _____ (Microsoft Corporation) C:\Windows\system32\msimsg.dll
2018-03-17 15:08 - 2018-02-02 19:14 - 001942016 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2018-03-17 15:08 - 2018-02-02 19:14 - 000070144 _____ (Microsoft Corporation) C:\Windows\system32\appinfo.dll
2018-03-17 15:08 - 2018-02-02 18:46 - 000073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msiexec.exe
2018-03-17 15:08 - 2018-02-02 18:36 - 000128512 _____ (Microsoft Corporation) C:\Windows\system32\msiexec.exe
2018-03-17 14:47 - 2018-01-15 20:59 - 000002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2018-03-17 14:47 - 2018-01-15 20:40 - 000002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2018-03-17 14:47 - 2018-01-12 17:40 - 000407040 _____ (Microsoft Corporation) C:\Windows\system32\scesrv.dll
2018-03-17 14:47 - 2018-01-12 17:26 - 000308224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scesrv.dll
2018-03-17 14:02 - 2018-03-17 14:12 - 000000000 ____D C:\ComboFix
2018-03-17 14:02 - 2018-03-17 14:05 - 000000000 ____D C:\Windows\erdnt
2018-03-17 14:02 - 2018-03-17 14:02 - 000000000 ____D C:\Qoobox
2018-03-17 14:02 - 2011-06-26 07:45 - 000256000 _____ C:\Windows\PEV.exe
2018-03-17 14:02 - 2010-11-07 18:20 - 000208896 _____ C:\Windows\MBR.exe
2018-03-17 14:02 - 2009-04-20 05:56 - 000060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2018-03-17 14:02 - 2000-08-31 01:00 - 000518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2018-03-17 14:02 - 2000-08-31 01:00 - 000406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2018-03-17 14:02 - 2000-08-31 01:00 - 000098816 _____ C:\Windows\sed.exe
2018-03-17 14:02 - 2000-08-31 01:00 - 000080412 _____ C:\Windows\grep.exe
2018-03-17 14:02 - 2000-08-31 01:00 - 000068096 _____ C:\Windows\zip.exe
2018-03-14 06:56 - 2018-02-13 19:17 - 000136384 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2018-03-14 06:56 - 2018-02-13 19:10 - 000655872 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2018-03-14 06:56 - 2018-02-13 15:05 - 001994752 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2018-03-14 06:56 - 2018-02-13 15:05 - 001560064 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2018-03-14 06:56 - 2018-02-13 15:05 - 000740864 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2018-03-14 06:56 - 2018-02-13 15:05 - 000600576 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2018-03-14 06:56 - 2018-02-13 15:05 - 000451072 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
2018-03-14 06:56 - 2018-02-13 15:05 - 000380928 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2018-03-14 06:56 - 2018-02-13 15:05 - 000262144 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2018-03-14 06:56 - 2018-02-13 15:05 - 000237568 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2018-03-13 10:21 - 2018-03-13 10:21 - 000380768 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-03-17 20:01 - 2017-11-05 17:19 - 000000000 ____D C:\Users\GWC\AppData\LocalLow\Mozilla
2018-03-17 19:37 - 2009-07-14 16:18 - 000669580 _____ C:\Windows\system32\perfh005.dat
2018-03-17 19:37 - 2009-07-14 16:18 - 000141738 _____ C:\Windows\system32\perfc005.dat
2018-03-17 19:37 - 2009-07-14 06:13 - 001586648 _____ C:\Windows\system32\PerfStringBackup.INI
2018-03-17 19:37 - 2009-07-14 04:20 - 000000000 ____D C:\Windows\inf
2018-03-17 19:31 - 2017-12-05 20:28 - 000000144 _____ C:\Windows\system32\config\netlogon.ftl
2018-03-17 19:31 - 2017-11-05 18:24 - 000000000 __SHD C:\Users\GWC\IntelGraphicsProfiles
2018-03-17 19:31 - 2009-07-14 06:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-03-17 19:29 - 2009-07-14 05:45 - 000014304 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-03-17 19:29 - 2009-07-14 05:45 - 000014304 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-03-17 19:26 - 2017-11-05 13:29 - 000000000 ____D C:\Users\GWC
2018-03-17 16:24 - 2017-11-05 21:32 - 000000000 ____D C:\Users\GWC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2018-03-17 16:24 - 2017-11-05 21:32 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2018-03-17 16:23 - 2017-11-05 15:22 - 000000000 ____D C:\Users\GWC\AppData\Local\Google
2018-03-17 16:23 - 2017-11-05 15:21 - 000000000 ____D C:\Program Files (x86)\Google
2018-03-17 15:35 - 2009-07-14 05:45 - 000400320 _____ C:\Windows\system32\FNTCACHE.DAT
2018-03-17 15:30 - 2009-07-14 04:20 - 000000000 ____D C:\Windows\PolicyDefinitions
2018-03-17 15:29 - 2017-12-05 20:29 - 000000000 ____D C:\Windows\System32\Tasks\System
2018-03-17 15:29 - 2017-12-05 20:25 - 000000000 ____D C:\Windat
2018-03-17 15:16 - 2017-11-05 13:36 - 001561362 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2018-03-17 14:12 - 2009-07-14 03:34 - 000000215 _____ C:\Windows\system.ini
2018-03-17 13:35 - 2017-11-05 17:19 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-03-17 13:18 - 2017-12-05 20:21 - 000000000 ____D C:\Program Files (x86)\Removewat 2.2.7
2018-03-17 13:07 - 2018-01-31 11:49 - 000000000 ____D C:\Windows\Minidump
2018-03-17 13:07 - 2017-11-07 10:59 - 000000000 ____D C:\Users\GWC\AppData\Local\CrashDumps
2018-03-17 13:07 - 2017-11-05 13:13 - 000000000 ____D C:\Windows\Panther
2018-03-17 13:04 - 2017-11-05 21:06 - 000003870 _____ C:\Windows\System32\Tasks\CCleaner Update
2018-03-17 13:03 - 2017-11-05 17:18 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-03-17 13:02 - 2018-01-04 12:21 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2018-03-17 13:02 - 2017-11-06 11:05 - 000001316 _____ C:\Users\Public\Desktop\Skype.lnk
2018-03-17 08:58 - 2017-11-05 21:31 - 000000000 ____D C:\Users\GWC\AppData\Roaming\vlc
2018-03-17 08:15 - 2017-11-05 18:48 - 000000000 ____D C:\Windows\system32\appraiser
2018-03-16 08:03 - 2017-11-05 15:28 - 000000000 ____D C:\Windows\system32\MRT
2018-03-16 08:02 - 2017-11-05 15:28 - 130364688 ____C (Microsoft Corporation) C:\Windows\system32\MRT-KB890830.exe
2018-03-16 08:02 - 2017-11-05 15:28 - 130364688 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2018-03-13 10:21 - 2017-11-11 07:11 - 000196648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswArPot.sys
2018-03-13 10:21 - 2017-11-05 16:46 - 000003910 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2018-03-13 10:21 - 2017-11-05 16:45 - 001026696 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000460520 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000380528 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000343752 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbloga.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000227504 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsdrivera.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000205976 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000199440 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsha.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000146656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000110328 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000084368 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000057680 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbuniva.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000046968 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2018-03-04 07:37 - 2017-12-22 20:32 - 000000000 ____D C:\Users\GWC\AppData\Local\FAAC803C-5568-3D21-1D1A-A24BB975A082
2018-03-03 05:36 - 2017-12-22 20:32 - 000000000 ____D C:\ProgramData\d4934f24
2018-02-27 19:59 - 2017-11-07 10:59 - 000004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2018-02-26 09:59 - 2017-11-07 10:58 - 000002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2018-02-17 09:11 - 2009-07-14 04:20 - 000000000 ____D C:\Windows\rescache

==================== Files in the root of some directories =======


Some files in TEMP:
====================
2018-03-17 15:06 - 2017-12-05 20:27 - 000099892 _____ () C:\Users\GWC\AppData\Local\Temp\Uninstall.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll
[2017-11-05 18:36] - [2017-12-05 21:33] - 001008640 _____ (Microsoft Corporation) 2C353B6CE0C8D03225CAA2AF33B68D79

C:\Windows\SysWOW64\User32.dll
[2017-11-05 18:36] - [2017-12-05 21:33] - 000833024 _____ (Microsoft Corporation) 861C4346F9281DC0380DE72C8D55D6BE

C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-03-17 16:49

==================== End of FRST.txt ============================



===***===***===***=== Extract of Additional scan result of Farbar Recovery Scan Tool ===***===***===***===

==================== Drive and Memory info ===================

Drive c: (SYSTEM) (Fixed) (Total:167.58 GB) (Free:112.25 GB) NTFS
Drive f: (SAMSUNG1) (Fixed) (Total:916.98 GB) (Free:104.68 GB) NTFS
Drive g: (SAMSUNG2) (Fixed) (Total:14.53 GB) (Free:3.69 GB) NTFS
\\?\Volume{c8679e43-c222-11e7-b4ca-806e6f6e6963}\ () (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS

Available physical RAM: 462.46 MB
Total physical RAM: 3795.28 MB
Percentage of memory in use: 87%

==================== MBR and Partition Table ==================

Disk: 0 (Size: 931.5 GB) (Disk ID: B10B3246)
Partition 1: (Active) - (Size=917 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=14.5 GB) - (Type=05)
Disk: 1 (MBR Code: Windows 7/8/10) (Size: 167.7 GB) (Disk ID: 09EEB114)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=167.6 GB) - (Type=07 NTFS)

==================== Scheduled Tasks (whitelisted) ==================

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Alternate Data Streams (whitelisted) ==================


==================== Security Center ==================

AV: Avast Antivirus (Disabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Disabled - Up to date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}



===***===***===***=== Supplementary Scan created by FRSTLauncher ===***===***===***===
Last FRSTLauncher update: 25_11_2013 (01)
Last modification script update: 30_09_2013 (01)


***** Size of "Desktop" *****

The folder "C:\Users\GWC\Desktop" is 2141 MB in size.


***** Startup Programs *****


***** Firewall rules *****

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
DisableNotifications REG_DWORD 0x0
EnableFirewall REG_DWORD 0x1
DoNotAllowExceptions REG_DWORD 0x0
DisableUnicastResponsesToMulticastBroadcast REG_DWORD 0x0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
DisableNotifications REG_DWORD 0x0
EnableFirewall REG_DWORD 0x1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]


***** System Restore *****

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"Generalize_DisableSR"=dword:00000000


==================== End Of Log ==============================
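
The FRST.txt above is a fixed-format listing, and the entries an analyst keys on can be picked out mechanically: folders with bare hex or GUID names created under ProgramData and AppData\Local, a publisher-less Uninstall.exe in Temp, system binaries that the "Bamital & volsnap" section lists with an MD5 instead of the "File is digitally signed" verdict, and lines FRST itself marks "<==== ATTENTION". What follows is an added example, not FRST's code and not anything the poster or the helper ran: a small Python triage parser for those line formats. The two review rules are this example's own heuristics (an assumption, not an FRST feature) and only produce candidates for a human to check, not verdicts; GUID-named folders and unbranded binaries are often legitimate, as the ComboFix helper PEV.exe in the same log shows. The sample input is an excerpt of lines copied from the log above.

```python
import re
from dataclasses import dataclass

# Added example, not FRST's code: triage parser for the FRST.txt line formats
# shown in the log above.  The two review rules are this example's own
# heuristics (assumption) and yield candidates for a human to check, not verdicts.

# "One Month Created/Modified" entry: <created> - <modified> - <size> <attrs> [(<company>)] <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{9}) (?P<attrs>[_A-Z]{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$")
# "Bamital & volsnap": a hash line under a path means FRST did not verify the file
HASH_RE = re.compile(
    r"^\[[^\]]+\] - \[[^\]]+\] - \d{9} [_A-Z]{5} (?:\([^)]*\) )?(?P<md5>[0-9A-Fa-f]{32})$")
# bare 8-hex name (d4934f24) or unbraced GUID (FAAC803C-5568-3D21-1D1A-A24BB975A082)
HEX_NAME_RE = re.compile(
    r"^(?:[0-9A-Fa-f]{8}|[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})$")
STAGING_PARENTS = ("c:\\programdata", "\\appdata\\local", "\\appdata\\roaming")
EXEC_EXT = (".exe", ".dll", ".sys")


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str      # FRST attribute column, e.g. ____D, __SHD, ____H
    company: str    # version-info company name; "" when FRST prints () or nothing
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_entry(line: str):
    """One FRST file/folder line -> Entry, or None for headers and comments."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["created"], m["modified"], int(m["size"]), m["attrs"],
                 (m["company"] or "").strip(), m["path"])


def review_reasons(e: Entry) -> list:
    """Heuristic reasons to look at an entry (this example's assumptions)."""
    reasons = []
    parent, _, name = e.path.rpartition("\\")
    parent_l, path_l = parent.lower(), e.path.lower()
    if e.is_dir and HEX_NAME_RE.match(name) and parent_l.endswith(STAGING_PARENTS):
        reasons.append("hex/GUID-named folder directly under ProgramData or AppData")
    if (not e.is_dir and path_l.endswith(EXEC_EXT) and not e.company
            and (path_l.startswith("c:\\windows\\") or "\\temp\\" in path_l)):
        reasons.append("executable without publisher info in a system or temp path")
    return reasons


def unverified_system_files(text: str) -> list:
    """(path, MD5) pairs from the Bamital section that lack the 'digitally signed' verdict."""
    out, in_section = [], False
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        if line.startswith("==================== Bamital"):
            in_section = True
        elif in_section and line.startswith("===================="):
            break                                  # next section header ends the block
        elif in_section and line.lower().startswith("c:\\") and "=>" not in line:
            m = HASH_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
            if m:
                out.append((line, m["md5"].upper()))
    return out


def triage(text: str) -> dict:
    """Run the rules over a whole FRST.txt and collect FRST's own ATTENTION marks."""
    flagged, attention = [], []
    for raw in text.splitlines():
        if "<==== ATTENTION" in raw:
            attention.append(raw.strip())
        e = parse_entry(raw)
        reasons = review_reasons(e) if e else []
        if reasons:
            flagged.append((e.path, reasons))
    return {"flagged": flagged, "attention": attention,
            "unverified": unverified_system_files(text)}


# Sample input: lines copied from the log above (an excerpt, not a full FRST.txt).
SAMPLE_LOG = r"""
2018-03-17 20:01 - 2017-11-05 17:19 - 000000000 ____D C:\Users\GWC\AppData\LocalLow\Mozilla
2018-03-17 14:02 - 2011-06-26 07:45 - 000256000 _____ C:\Windows\PEV.exe
2018-03-13 10:21 - 2017-11-11 07:11 - 000196648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswArPot.sys
2018-03-04 07:37 - 2017-12-22 20:32 - 000000000 ____D C:\Users\GWC\AppData\Local\FAAC803C-5568-3D21-1D1A-A24BB975A082
2018-03-03 05:36 - 2017-12-22 20:32 - 000000000 ____D C:\ProgramData\d4934f24
2018-03-17 15:06 - 2017-12-05 20:27 - 000099892 _____ () C:\Users\GWC\AppData\Local\Temp\Uninstall.exe

==================== Bamital & volsnap ======================

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\User32.dll
[2017-11-05 18:36] - [2017-12-05 21:33] - 001008640 _____ (Microsoft Corporation) 2C353B6CE0C8D03225CAA2AF33B68D79

C:\Windows\SysWOW64\User32.dll
[2017-11-05 18:36] - [2017-12-05 21:33] - 000833024 _____ (Microsoft Corporation) 861C4346F9281DC0380DE72C8D55D6BE

==================== End of FRST.txt ============================

NativeDesktopMediaService (HKLM\...\{7AE7827C-57AB-4A9E-A598-8D8142D28EB3}) (Version: 2.1.5 - Jetmedia) <==== ATTENTION
"""

if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key, *items, sep="\n  ")
```

Point triage() at a saved FRST.txt to get the same three lists for a whole log. The hashes it returns from the Bamital section are the part FRST explicitly leaves to the analyst ("There is no automatic fix for files that do not pass verification"): they have to be compared against a known-good copy of the same file version from an identical Windows build before anything is replaced.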

AaronP
Visitor
Posts: 20
Registered: 17 Mar 2018 19:39

Re: win32 malware gen

#4 Post by AaronP »

Addition.txt:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by GWC (17-03-2018 20:04:17)
Running from C:\Users\GWC\Desktop
Windows 7 Ultimate Service Pack 1 (X64) (2017-11-05 12:20:37)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2450825360-3699682863-3957725698-500 - Administrator - Disabled)
Guest (S-1-5-21-2450825360-3699682863-3957725698-501 - Limited - Disabled)
GWC (S-1-5-21-2450825360-3699682863-3957725698-1000 - Administrator - Enabled) => C:\Users\GWC

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avast Antivirus (Disabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Disabled - Up to date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 4.57 (HKLM-x32\...\7-Zip) (Version: - )
Adobe Acrobat Reader DC - Czech (HKLM-x32\...\{AC76BA86-7AD7-1029-7B44-AC0F074E4100}) (Version: 18.011.20038 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.0.4990 - Adobe Systems Inc.)
Archivátor WinRAR (HKLM-x32\...\WinRAR archiver) (Version: - )
Avast Free Antivirus (HKLM-x32\...\Avast Antivirus) (Version: 18.2.2328 - AVAST Software)
Canon LBP5050 (HKLM\...\Canon LBP5050) (Version: - )
Canon MF8500C Series (HKLM\...\{025ACC0E-B6F7-4cb8-B1B2-29DBEEFE0C4A}) (Version: 4.2.0.0 - CANON INC.)
CCleaner (HKLM\...\CCleaner) (Version: 5.41 - Piriform)
Corel Graphics Suite 11 (HKLM-x32\...\{07A540AB-D785-11D5-8E89-0090275862A0}) (Version: 11 - Corel Corporation) Hidden
CorelDRAW Graphics Suite 11 (HKLM-x32\...\InstallShield_{07A540AB-D785-11D5-8E89-0090275862A0}) (Version: 11 - Corel Corporation)
DAEMON Tools Lite (HKLM\...\DAEMON Tools Lite) (Version: 10.6.0.0283 - Disc Soft Ltd)
FileZilla Server (HKLM-x32\...\FileZilla Server) (Version: beta 0.9.60 - FileZilla Project)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 65.0.3325.162 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
Intel(R) Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 11.6.0.1030 - Intel Corporation)
Intel(R) Network Connections 21.1.29.0 (HKLM\...\PROSetDX) (Version: 21.1.29.0 - Intel)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 21.20.16.4526 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 15.5.0.1051 - Intel Corporation)
Intel(R) USB 3.0\3.1 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 5.0.0.32 - Intel Corporation)
Microsoft .NET Framework 4.7.1 (čeština) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1029) (Version: 4.7.02558 - Microsoft Corporation)
Microsoft .NET Framework 4.7.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.02558 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026 (HKLM-x32\...\{e46eca4f-393b-40df-9f49-076faf788d83}) (Version: 14.0.23026.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
MiniTool Partition Wizard Free 10.2.2 (HKLM\...\{05D996FA-ADCB-4D23-BA3C-A7C184A8FAC6}_is1) (Version: - MiniTool Solution Ltd.)
Mozilla Firefox 59.0.1 (x64 en-US) (HKLM\...\Mozilla Firefox 59.0.1 (x64 en-US)) (Version: 59.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 56.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 59.0.1.6648 - Mozilla)
Mozilla Thunderbird 52.6.0 (x86 cs) (HKLM-x32\...\Mozilla Thunderbird 52.6.0 (x86 cs)) (Version: 52.6.0 - Mozilla)
NativeDesktopMediaService (HKLM\...\{7AE7827C-57AB-4A9E-A598-8D8142D28EB3}) (Version: 2.1.5 - Jetmedia) <==== ATTENTION
Nero 6 Demo (HKLM-x32\...\Nero - Burning Rom!UninstallKey) (Version: - )
No-IP DUC (HKLM-x32\...\NoIPDUC) (Version: 4.0.2 - Vitalwerks Internet Solutions LLC)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7917 - Realtek Semiconductor Corp.)
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\{17528CE4-C333-48FB-A9E4-D841E795CDCE}) (Version: 3.0.23.0 - Renesas Electronics Corporation) Hidden
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{17528CE4-C333-48FB-A9E4-D841E795CDCE}) (Version: 3.0.23.0 - Renesas Electronics Corporation)
ScanToPDF 4.2 (HKLM-x32\...\{CB7B4260-0E23-4444-8376-1D3E74F421D8}_is1) (Version: 4.2.0.23 - O Imaging Corporation)
Skype verze 8.17 (HKLM-x32\...\Skype_is1) (Version: 8.17 - Skype Technologies S.A.)
UltraVnc (HKLM\...\Ultravnc2_is1) (Version: 1.2.1.6 - uvnc bvba)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.6 - VideoLAN)
WinRAR 5.50 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.50.0 - win.rar GmbH)
wufuc (HKLM\...\{AF23CE93-4FB0-4A8A-A8D6-7A97151BCC14}) (Version: 0.7.1.81 - zeffy)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-03-13] (AVAST Software)
ContextMenuHandlers1-x32: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files (x86)\7-Zip\7-zip.dll [2007-12-06] (Igor Pavlov)
ContextMenuHandlers1-x32: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-03-13] (AVAST Software)
ContextMenuHandlers1-x32: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers1-x32-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers3: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-03-13] (AVAST Software)
ContextMenuHandlers4-x32: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files (x86)\7-Zip\7-zip.dll [2007-12-06] (Igor Pavlov)
ContextMenuHandlers4-x32-x32: [WinRAR] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\Windows\system32\igfxDTCM.dll [2016-09-26] (Intel Corporation)
ContextMenuHandlers6: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-03-13] (AVAST Software)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2017-08-11] (Alexander Roshal)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {132CDDE8-5BFD-4982-A02D-AAF86066CF90} - System32\Tasks\Microsoft\Windows\Windows Activation Technologies\ValidationTask => C:\Windows\system32\Wat\WatAdminSvc.exe [2017-11-05] ()
Task: {14AB9D00-CC32-47D4-99C8-70A4CB724655} - System32\Tasks\wufuc.{72EEE38B-9997-42BD-85D3-2DD96DA17307} => C:\Windows\system32\rundll32.exe "C:\Program Files\wufuc\wufuc.dll",Rundll32Entry
Task: {19B8AFC4-2007-4C92-9C31-362AE58A37B4} - System32\Tasks\{0693E0B5-1EAA-4CA5-8308-4BDB02945579} => C:\Windows\system32\pcalua.exe -a D:\Drivers\VGA\Intel\(v21.20.16.4542)\Setup.exe -d D:\ -c -s
Task: {319AECC8-7FB5-470F-80F5-D23211F60947} - \{0B484A4C-DCBD-C1DD-B93C-310CDFF94670} -> No File <==== ATTENTION
Task: {4D1229A7-FEF2-4ED4-8125-D3442EDE5FC6} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-03-17] (Google Inc.)
Task: {4DBAAC27-258E-4B50-8CFC-7D9C56BF3F87} - \FD2CA9BE-6A6A-42D5-F6AE-666562847A8D -> No File <==== ATTENTION
Task: {5A7193EE-DFC7-4B9A-805C-D05A4C495BC3} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2018-03-06] (Piriform Ltd)
Task: {85A010E3-C7DA-4D3E-ADD4-EF946CE95C54} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe [2018-03-13] (AVAST Software)
Task: {8BB421C8-E9CB-42B1-BB7C-21024020BF0F} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-03-17] (Google Inc.)
Task: {ACFB1643-9676-4D8D-AA5A-1C1FE735EDA4} - \{087E0C47-0804-087D-7F11-787F7E78117F} -> No File <==== ATTENTION
Task: {B118AE0D-3DF1-481C-9FD4-EEA05DC2E8F7} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [2018-03-06] (Piriform Ltd)
Task: {C6CF8F21-B32B-4996-AE3F-0820BA85FDCA} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2018-02-09] (Adobe Systems Incorporated)
Task: {FEC51537-01AE-4198-800D-C1516C8AAB4D} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\Avast Software\Overseer\overseer.exe [2018-01-06] (AVAST Software)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2018-02-05 15:24 - 2018-02-05 15:24 - 002015744 _____ () C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe
2017-12-22 21:00 - 2017-12-22 21:00 - 000641024 _____ () C:\Windows\TEMP\IXP002.TMP\COM Surrogate.exe
2017-12-22 20:53 - 2017-12-22 20:53 - 012514304 _____ () C:\Windows\TEMP\IXP002.TMP\xmrstak_cuda_backend.dll
2017-12-22 20:53 - 2017-12-22 20:53 - 000465920 _____ () C:\Windows\TEMP\IXP002.TMP\xmrstak_opencl_backend.dll
2018-03-17 16:23 - 2018-03-13 01:39 - 004435288 _____ () C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.162\libglesv2.dll
2018-03-17 16:23 - 2018-03-13 01:39 - 000099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.162\libegl.dll
2018-03-13 10:21 - 2018-03-13 10:21 - 000287960 _____ () C:\Program Files\AVAST Software\Avast\streamback.dll
2018-03-13 10:21 - 2018-03-13 10:21 - 000280280 _____ () C:\Program Files\AVAST Software\Avast\tasks_core.dll
2018-03-17 13:02 - 2018-03-17 13:02 - 005800080 _____ () C:\Program Files\AVAST Software\Avast\defs\18031700\algo.dll
2018-03-13 10:21 - 2018-03-13 10:21 - 000756952 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2018-03-13 10:21 - 2018-03-13 10:21 - 000964824 _____ () C:\Program Files\AVAST Software\Avast\shepherdsync.dll
2018-03-13 10:21 - 2018-03-13 10:21 - 000475352 _____ () C:\Program Files\AVAST Software\Avast\gui_cache.dll
2018-01-04 12:21 - 2018-03-02 21:44 - 001782904 _____ () C:\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll
2018-03-17 13:02 - 2018-03-02 21:44 - 000097224 _____ () \\?\C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\keytar\build\Release\keytar.node
2018-03-13 10:21 - 2018-03-13 10:21 - 067126928 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2018-01-04 12:21 - 2018-03-02 21:44 - 002559608 _____ () C:\Program Files (x86)\Microsoft\Skype for Desktop\libglesv2.dll
2018-01-04 12:21 - 2018-03-02 21:44 - 000031864 _____ () C:\Program Files (x86)\Microsoft\Skype for Desktop\libegl.dll
2018-03-17 13:02 - 2018-03-02 21:44 - 000216520 _____ () \\?\C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\electron-ssid\build\Release\electron-ssid.node
2018-03-17 13:02 - 2018-03-02 21:44 - 000409544 _____ () \\?\C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\@paulcbetts\spellchecker\build\Release\spellchecker.node
2018-03-17 13:02 - 2018-03-02 21:44 - 000138688 _____ () \\?\C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\keyboard-layout\build\Release\keyboard-layout-manager.node
2018-03-17 13:02 - 2018-03-02 21:44 - 002188800 _____ () \\?\C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\skypert.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 03:34 - 2018-03-17 14:12 - 000000027 ____N C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2450825360-3699682863-3957725698-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\GWC\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 10.0.0.138
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{67ED3475-682D-4B56-9AF7-A3AF72E400B3}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{4814F9B2-4C0B-4B97-B134-2628D5913B97}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{89BC81C5-400F-4EEC-9DAD-775825D5E858}] => (Allow) LPort=5900
FirewallRules: [{8C840CCD-B61A-4D29-A1A7-2347BB4617A3}] => (Allow) LPort=5800
FirewallRules: [{E99F6DFF-E90B-4A84-90EF-471FF880C373}] => (Allow) C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe
FirewallRules: [{A4E35030-265D-4F83-ADDA-AA036040FE5C}] => (Allow) C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe
FirewallRules: [{ABA478B4-43DB-4782-8C7E-85DBCA8892FD}] => (Allow) LPort=21
FirewallRules: [TCP Query User{186341F9-CD80-4C6B-A19C-CB870D563AA9}C:\program files (x86)\microsoft\skype for desktop\skype.exe] => (Block) C:\program files (x86)\microsoft\skype for desktop\skype.exe
FirewallRules: [UDP Query User{C83735F9-475F-4CB6-BC9F-6C897C0337A9}C:\program files (x86)\microsoft\skype for desktop\skype.exe] => (Block) C:\program files (x86)\microsoft\skype for desktop\skype.exe
FirewallRules: [{9EB1A12C-B118-434F-8E86-B67BF79700D3}] => (Allow) C:\Windows\SysWOW64\TCPSVCS.EXE
FirewallRules: [{D2435A29-E035-421E-859F-7A83D405CAB5}] => (Allow) C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe
FirewallRules: [{500D082A-11C2-4A89-BCA7-1D3F07E2459A}] => (Allow) C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
FirewallRules: [{8AC3E74B-8406-4909-80C8-62E2E5153B8A}] => (Allow) C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
FirewallRules: [{1D188FCD-3F46-4FB2-9778-902A5A151497}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

17-03-2018 13:03:00 Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026
17-03-2018 13:39:06 Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026
17-03-2018 13:56:19 Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026
17-03-2018 14:40:12 Windows Update
17-03-2018 14:40:26 Windows Update
17-03-2018 14:47:44 Windows Update
17-03-2018 15:09:13 Windows Update
17-03-2018 15:36:52 Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026
17-03-2018 17:11:37 Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026
17-03-2018 17:29:05 Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026
17-03-2018 17:32:28 Checkpoint by HitmanPro
17-03-2018 19:34:03 Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026

==================== Faulty Device Manager Devices =============

Name: ZAM Helper Driver
Description: ZAM Helper Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: ZAM
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: ZAM Guard Driver
Description: ZAM Guard Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: ZAM_Guard
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Řadič paměti na sběrnici PCI
Description: Řadič paměti na sběrnici PCI
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Řadič sběrnice SM
Description: Řadič sběrnice SM
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Řadič PCI pro získávání dat a zpracování signálu
Description: Řadič PCI pro získávání dat a zpracování signálu
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (03/17/2018 07:31:37 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Aktivace licence systému Windows se nezdařila. Chyba 0x80070005.

Error: (03/17/2018 07:17:29 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Název chybující aplikace: distx.exe, verze: 0.0.0.0, časové razítko: 0x545301ef
Název chybujícího modulu: unknown, verze: 0.0.0.0, časové razítko: 0x00000000
Kód výjimky: 0xc0000005
Posun chyby: 0x7483e514
ID chybujícího procesu: 0x14d8
Čas spuštění chybující aplikace: 0x01d3be0cf6746ad3
Cesta k chybující aplikaci: \\kuikdelivery.com\SYSVOL\kuikdelivery.com\scripts\distx.exe
Cesta k chybujícímu modulu: unknown
ID zprávy: 73c03e48-2a0f-11e8-9500-7085c25358f0

Error: (03/17/2018 05:28:05 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Aktivace licence systému Windows se nezdařila. Chyba 0x80070005.

Error: (03/17/2018 05:08:55 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Aktivace licence systému Windows se nezdařila. Chyba 0x80070005.

Error: (03/17/2018 04:16:05 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Aktivace licence systému Windows se nezdařila. Chyba 0x80070005.

Error: (03/17/2018 03:40:20 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Aktivace licence systému Windows se nezdařila. Chyba 0x80070005.

Error: (03/17/2018 03:36:04 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Aktivace licence systému Windows se nezdařila. Chyba 0x80070005.

Error: (03/17/2018 02:57:10 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Aktivace licence systému Windows se nezdařila. Chyba 0x80070005.


System errors:
=============
Error: (03/17/2018 08:04:02 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: Služba Služba Oznámení platformy SPP byla ukončena s následující chybou:
Přístup byl odepřen.

Error: (03/17/2018 07:31:32 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Služba P2P Support neuspěla při spuštění v důsledku následující chyby:
Systém nemůže nalézt uvedený soubor.

Error: (03/17/2018 07:31:31 PM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: Tento počítač nemohl nastavit zabezpečenou relaci s řadičem
domény v doméně KUIKDELIVERY z následujícího důvodu:
Pro vyřízení žádosti o přihlášení nejsou nyní k dispozici žádné přihlašovací servery.


To může vést k potížím při ověřování. Přesvědčte se, zda je tento
počítač připojen k síti. Pokud potíže trvají,
obraťte se na správce domény.



DALŠÍ INFORMACE

Pokud je tento počítač řadičem domény pro určenou doménu,
nastaví zabezpečenou relaci s emulátorem primárního řadiče domény v určené
doméně. V opačném případě tento počítač nastaví zabezpečenou relaci s libovolným řadičem domény
v určené doméně.

Error: (03/17/2018 07:29:14 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Služba ZAM Controller Service byla neočekávaně ukončena. Tento stav nastal již 1krát.

Error: (03/17/2018 06:59:04 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: Služba Služba Oznámení platformy SPP byla ukončena s následující chybou:
Přístup byl odepřen.

Error: (03/17/2018 05:59:04 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: Služba Služba Oznámení platformy SPP byla ukončena s následující chybou:
Přístup byl odepřen.

Error: (03/17/2018 05:28:03 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: Zpracování zásad skupiny selhalo v důsledku toho, že se nebylo v síti možné připojit k řadiči domény. Může se jednat o přechodný stav. Po připojení počítače k řadiči domény a úspěšném zpracování zásad skupiny bude odeslána zpráva o úspěšné provedení těchto akcí. Pokud se tato zpráva nezobrazí během několika hodin, obraťte se na správce.

Error: (03/17/2018 05:28:00 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Služba P2P Support neuspěla při spuštění v důsledku následující chyby:
Systém nemůže nalézt uvedený soubor.


CodeIntegrity:
===================================

Date: 2018-03-17 14:04:58.550
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2018-03-17 14:04:58.487
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

Processor: Intel(R) Core(TM) i3-7100 CPU @ 3.90GHz
Percentage of memory in use: 87%
Total physical RAM: 3795.28 MB
Available physical RAM: 462.46 MB
Total Virtual: 7588.72 MB
Available Virtual: 4309.59 MB

==================== Drives ================================

Drive c: (SYSTEM) (Fixed) (Total:167.58 GB) (Free:112.25 GB) NTFS
Drive f: (SAMSUNG1) (Fixed) (Total:916.98 GB) (Free:104.68 GB) NTFS
Drive g: (SAMSUNG2) (Fixed) (Total:14.53 GB) (Free:3.69 GB) NTFS

\\?\Volume{c8679e43-c222-11e7-b4ca-806e6f6e6963}\ () (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: B10B3246)
Partition 1: (Active) - (Size=917 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=14.5 GB) - (Type=05)

========================================================
Disk: 1 (MBR Code: Windows 7/8/10) (Size: 167.7 GB) (Disk ID: 09EEB114)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=167.6 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

Conder
VIP
Posts: 4399
Registered: 30 Dec 2013 22:29
Location: Bratislava

Re: win32 malware gen

#5 Post by Conder »

:arrow: Uninstall the program NativeDesktopMediaService

:arrow: Open Notepad (Win+R -> notepad -> enter)
  • Copy the following text and paste it into Notepad:

    Code:

    Start
    CloseProcesses:
    CreateRestorePoint:
    
    Folder: C:\Windows\TEMP\IXP001.TMP
    Folder: C:\Windows\TEMP\IXP002.TMP
    VirusTotal: C:\Windows\system32\advpack.dll
    VirusTotal: C:\Windows\TEMP\IXP002.TMP\COM Surrogate.exe
    VirusTotal: C:\Windows\TEMP\IXP002.TMP\xmrstak_cuda_backend.dll
    VirusTotal: C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe
    File: C:\Windows\system32\advpack.dll
    File: C:\Windows\TEMP\IXP002.TMP\COM Surrogate.exe
    File: C:\Windows\TEMP\IXP002.TMP\xmrstak_cuda_backend.dll
    File: C:\Windows\TEMP\IXP002.TMP\xmrstak_opencl_backend.dll
    File: C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe
    
    C:\Windows\TEMP
    C:\Program Files\Jetmedia
    
    HKLM\...\RunOnce: [wextract_cleanup0] => rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Windows\TEMP\IXP002.TMP\" <==== ATTENTION
    HKLM-x32\...\RunOnce: [wextract_cleanup0] => rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Windows\TEMP\IXP001.TMP\" <==== ATTENTION
    HKU\S-1-5-18\...\RunOnce: [SPReview] => "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"hxxp://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
    HKU\S-1-5-21-2450825360-3699682863-3957725698-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
    R2 NativeDesktopMediaService; C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe [2015744 2018-02-05] () [File not signed] <==== ATTENTION
    S2 nmlngcoh; C:\Windows\SysWOW64\nmlngcoh\fgjilvvv.exe [X]
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    S3 EsgScanner; system32\DRIVERS\EsgScanner.sys [X]
    S3 NAVENG; \??\C:\Program Files (x86)\Norton Security\NortonData\22.7.0.76\Definitions\SDSDefs\20171104.021\ENG64.SYS [X]
    S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security\NortonData\22.7.0.76\Definitions\SDSDefs\20171104.021\EX64.SYS [X]
    S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
    S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]
    S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
    S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
    2018-03-17 19:26 - 2018-03-17 19:31 - 000000000 ____D C:\Program Files (x86)\Zemana AntiMalware
    2018-03-17 19:26 - 2018-03-17 19:30 - 000007831 _____ C:\Windows\ZAM_Guard.krnl.trace
    2018-03-17 19:26 - 2018-03-17 19:29 - 000018324 _____ C:\Windows\ZAM.krnl.trace
    2018-03-17 19:26 - 2018-03-17 19:26 - 000000000 ____D C:\Users\GWC\AppData\Local\Zemana
    2018-03-17 17:44 - 2018-03-17 17:44 - 000000000 ____D C:\ProgramData\Emsisoft
    2018-03-17 17:25 - 2018-03-17 17:33 - 000000000 ____D C:\ProgramData\HitmanPro
    
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
    Task: {19B8AFC4-2007-4C92-9C31-362AE58A37B4} - System32\Tasks\{0693E0B5-1EAA-4CA5-8308-4BDB02945579} => C:\Windows\system32\pcalua.exe -a D:\Drivers\VGA\Intel\(v21.20.16.4542)\Setup.exe -d D:\ -c -s
    Task: {319AECC8-7FB5-470F-80F5-D23211F60947} - \{0B484A4C-DCBD-C1DD-B93C-310CDFF94670} -> No File <==== ATTENTION
    Task: {4DBAAC27-258E-4B50-8CFC-7D9C56BF3F87} - \FD2CA9BE-6A6A-42D5-F6AE-666562847A8D -> No File <==== ATTENTION
    Task: {ACFB1643-9676-4D8D-AA5A-1C1FE735EDA4} - \{087E0C47-0804-087D-7F11-787F7E78117F} -> No File <==== ATTENTION
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
    FirewallRules: [{D2435A29-E035-421E-859F-7A83D405CAB5}] => (Allow) C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe
    
    Hosts:
    EmptyTemp:
    End
  • Save it to the desktop under the name fixlist.txt
  • Run FRST again and click Fix
  • When it finishes, FRST will ask to restart the PC; confirm by clicking OK
  • After the PC restarts there will be a file Fixlog.txt on the desktop; copy its contents here
Last edited by Conder on 17 Mar 2018 20:43, edited 2 times in total.
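As an added example (not FRST's own code and not part of this thread), the triage rules that single out the entries Conder put in the fixlist above, run over a few lines in FRST's log format: modules loaded from C:\Windows\TEMP, an unsigned auto-start service, orphaned services ("[X]") and orphaned tasks ("-> No File"). The sample lines are copied from the logs in this thread, except the "ExampleSvc" line, which is a constructed benign control; the severity labels are an assumption of this example.

```python
"""Triage helper for FRST log lines (added example; not FRST's code, not the fix used here)."""
import re
from dataclasses import dataclass

# Sample lines in FRST's format. All but the "ExampleSvc" line are copied from the logs
# in this thread; ExampleSvc is a constructed, benign control entry.
SAMPLE_LOG = r"""
2018-02-05 15:24 - 2018-02-05 15:24 - 002015744 _____ () C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe
2017-12-22 21:00 - 2017-12-22 21:00 - 000641024 _____ () C:\Windows\TEMP\IXP002.TMP\COM Surrogate.exe
2017-12-22 20:53 - 2017-12-22 20:53 - 012514304 _____ () C:\Windows\TEMP\IXP002.TMP\xmrstak_cuda_backend.dll
2018-03-13 10:21 - 2018-03-13 10:21 - 000287960 _____ () C:\Program Files\AVAST Software\Avast\streamback.dll
R2 NativeDesktopMediaService; C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe [2015744 2018-02-05] () [File not signed] <==== ATTENTION
S2 nmlngcoh; C:\Windows\SysWOW64\nmlngcoh\fgjilvvv.exe [X]
R2 ExampleSvc; C:\Program Files\Example\examplesvc.exe [123456 2018-01-01] (Example Corp)
Task: {319AECC8-7FB5-470F-80F5-D23211F60947} - \{0B484A4C-DCBD-C1DD-B93C-310CDFF94670} -> No File <==== ATTENTION
Task: {4D1229A7-FEF2-4ED4-8125-D3442EDE5FC6} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-03-17] (Google Inc.)
"""

# Directories a legitimate service, loaded module or task target should not live in.
TEMP_DIRS = ("c:\\windows\\temp\\", "\\appdata\\local\\temp\\", "c:\\users\\public\\")

# "Loaded Modules" / file-listing line: created - modified - size attrs (company) path
MODULE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d{9}) (?P<attrs>\S{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
# Service/driver line: R2 (running) / S2 (stopped, auto) / ... name; path [size date] (company)
SERVICE_RE = re.compile(r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<rest>.+)$")
# Scheduled task line: either "=> target" or "-> No File" for an orphan
TASK_RE = re.compile(r"^Task: \{[0-9A-F-]+\} - (?P<task>.+?) (?:=> (?P<target>.+)|-> No File)$")


@dataclass
class Finding:
    severity: str  # "high" (actively running from a bad place / unsigned) or "low" (leftover)
    kind: str      # "module", "service" or "task"
    subject: str
    reason: str


def in_temp_dir(path: str) -> bool:
    """True when the path sits under a temp or world-writable directory."""
    p = path.lower()
    return any(d in p for d in TEMP_DIRS)


def triage_line(line: str):
    """Return a Finding for one FRST line, or None when the line is unremarkable."""
    line = line.rstrip().replace(" <==== ATTENTION", "")  # FRST's own marker; we re-derive it
    m = MODULE_RE.match(line)
    if m:
        path = m.group("path")
        if in_temp_dir(path):
            return Finding("high", "module", path, "executable loaded from a temp directory")
        return None
    m = SERVICE_RE.match(line)
    if m:
        rest = m.group("rest")
        path = rest.split(" [", 1)[0]
        if rest.endswith("[X]"):
            return Finding("low", "service", m.group("name"), "service whose file is missing (orphan)")
        if "[File not signed]" in rest or in_temp_dir(path):
            return Finding("high", "service", m.group("name"),
                           "auto-start service that is unsigned or lives in a temp directory")
        return None
    m = TASK_RE.match(line)
    if m:
        if m.group("target") is None:
            return Finding("low", "task", m.group("task"), "scheduled task pointing to no file (orphan)")
        if in_temp_dir(m.group("target")):
            return Finding("high", "task", m.group("task"), "scheduled task launching from a temp directory")
    return None


def triage(log_text: str):
    """Run triage_line over a whole log and keep the hits, in log order."""
    findings = [triage_line(l) for l in log_text.splitlines()]
    return [f for f in findings if f is not None]


def report(findings) -> str:
    """Render findings grouped by severity, high first (stable within a group)."""
    order = {"high": 0, "low": 1}
    rows = [f"[{f.severity.upper():4}] {f.kind:8} {f.subject}  -- {f.reason}"
            for f in sorted(findings, key=lambda f: order[f.severity])]
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

The "high" hits are the items the fixlist removes outright (the TEMP\IXP002.TMP files and the unsigned Jetmedia service); the "low" ones are the orphan entries it cleans up alongside them.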

AaronP
Visitor
Posts: 20
Registered: 17 Mar 2018 19:39

Re: win32 malware gen

#6 Post by AaronP »

Conder wrote: :arrow: Uninstall the program NativeDesktopMediaService

:arrow: Otvor poznamkovy blok (Win+R -> notepad -> enter)
  • Skopiruj nasledujuci text a vloz ho do poznamkoveho bloku:

    Kód: Vybrat vše

    Start
    CloseProcesses:
    CreateRestorePoint:
    
    Folder: C:\Windows\TEMP\IXP001.TMP
    Folder: C:\Windows\TEMP\IXP002.TMP
    VirusTotal: C:\Windows\system32\advpack.dll
    VirusTotal: C:\Windows\TEMP\IXP002.TMP\COM Surrogate.exe
    VirusTotal: C:\Windows\TEMP\IXP002.TMP\xmrstak_cuda_backend.dll
    VirusTotal: C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe
    File: C:\Windows\system32\advpack.dll
    File: C:\Windows\TEMP\IXP002.TMP\COM Surrogate.exe
    File: C:\Windows\TEMP\IXP002.TMP\xmrstak_cuda_backend.dll
    File: C:\Windows\TEMP\IXP002.TMP\xmrstak_opencl_backend.dll
    File: C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe
    
    C:\Windows\TEMP
    C:\Program Files\Jetmedia
    
    HKLM\...\RunOnce: [wextract_cleanup0] => rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Windows\TEMP\IXP002.TMP\" <==== ATTENTION
    HKLM-x32\...\RunOnce: [wextract_cleanup0] => rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Windows\TEMP\IXP001.TMP\" <==== ATTENTION
    HKU\S-1-5-18\...\RunOnce: [SPReview] => "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"hxxp://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
    HKU\S-1-5-21-2450825360-3699682863-3957725698-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
    R2 NativeDesktopMediaService; C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe [2015744 2018-02-05] () [File not signed] <==== ATTENTION
    S2 nmlngcoh; C:\Windows\SysWOW64\nmlngcoh\fgjilvvv.exe [X]
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    S3 EsgScanner; system32\DRIVERS\EsgScanner.sys [X]
    S3 NAVENG; \??\C:\Program Files (x86)\Norton Security\NortonData\22.7.0.76\Definitions\SDSDefs\20171104.021\ENG64.SYS [X]
    S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security\NortonData\22.7.0.76\Definitions\SDSDefs\20171104.021\EX64.SYS [X]
    S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
    S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]
    S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
    S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
    2018-03-17 19:26 - 2018-03-17 19:31 - 000000000 ____D C:\Program Files (x86)\Zemana AntiMalware
    2018-03-17 19:26 - 2018-03-17 19:30 - 000007831 _____ C:\Windows\ZAM_Guard.krnl.trace
    2018-03-17 19:26 - 2018-03-17 19:29 - 000018324 _____ C:\Windows\ZAM.krnl.trace
    2018-03-17 19:26 - 2018-03-17 19:26 - 000000000 ____D C:\Users\GWC\AppData\Local\Zemana
    2018-03-17 17:44 - 2018-03-17 17:44 - 000000000 ____D C:\ProgramData\Emsisoft
    2018-03-17 17:25 - 2018-03-17 17:33 - 000000000 ____D C:\ProgramData\HitmanPro
    
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
    Task: {19B8AFC4-2007-4C92-9C31-362AE58A37B4} - System32\Tasks\{0693E0B5-1EAA-4CA5-8308-4BDB02945579} => C:\Windows\system32\pcalua.exe -a D:\Drivers\VGA\Intel\(v21.20.16.4542)\Setup.exe -d D:\ -c -s
    Task: {319AECC8-7FB5-470F-80F5-D23211F60947} - \{0B484A4C-DCBD-C1DD-B93C-310CDFF94670} -> No File <==== ATTENTION
    Task: {4DBAAC27-258E-4B50-8CFC-7D9C56BF3F87} - \FD2CA9BE-6A6A-42D5-F6AE-666562847A8D -> No File <==== ATTENTION
    Task: {ACFB1643-9676-4D8D-AA5A-1C1FE735EDA4} - \{087E0C47-0804-087D-7F11-787F7E78117F} -> No File <==== ATTENTION
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
    FirewallRules: [{D2435A29-E035-421E-859F-7A83D405CAB5}] => (Allow) C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe
    
    Hosts:
    EmptyTemp:
    End
  • Save it to the desktop under the name fixlist.txt
  • Run FRST again and click Fix
  • When it finishes, FRST will ask for a PC restart; confirm by clicking OK
  • After the PC restarts, the file Fixlog.txt will be on the desktop; copy its contents here
It cannot be uninstalled, I have already tried several times. "The feature you are trying to use is on a network resource that is unavailable." When I confirm that, I get the message "Zdroj instalace není u tohoto produktu k dispozici."
I'll go and do the second half.

Conder
VIP
Posts: 4399
Registered: 30 Dec 2013 22:29
Location: Bratislava

Re: win32 malware gen

#7 Post by Conder »

:arrow: OK, I'm waiting :)

AaronP
Visitor
Posts: 20
Registered: 17 Mar 2018 19:39

Re: win32 malware gen

#8 Post by AaronP »

Conder wrote::arrow: OK, I'm waiting :)
Immediately after the restart, Avast warned me again that it had blocked Win32:Malware-gen. Same location.
Fixlog.txt:
Fix result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by GWC (17-03-2018 20:44:05) Run:1
Running from C:\Users\GWC\Desktop
Loaded Profiles: GWC (Available Profiles: GWC)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CloseProcesses:
CreateRestorePoint:

Folder: C:\Windows\TEMP\IXP001.TMP
Folder: C:\Windows\TEMP\IXP002.TMP
VirusTotal: C:\Windows\system32\advpack.dll
VirusTotal: C:\Windows\TEMP\IXP002.TMP\COM Surrogate.exe
VirusTotal: C:\Windows\TEMP\IXP002.TMP\xmrstak_cuda_backend.dll
VirusTotal: C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe
File: C:\Windows\system32\advpack.dll
File: C:\Windows\TEMP\IXP002.TMP\COM Surrogate.exe
File: C:\Windows\TEMP\IXP002.TMP\xmrstak_cuda_backend.dll
File: C:\Windows\TEMP\IXP002.TMP\xmrstak_opencl_backend.dll
File: C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe

C:\Windows\TEMP
C:\Program Files\Jetmedia

HKLM\...\RunOnce: [wextract_cleanup0] => rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Windows\TEMP\IXP002.TMP\" <==== ATTENTION
HKLM-x32\...\RunOnce: [wextract_cleanup0] => rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Windows\TEMP\IXP001.TMP\" <==== ATTENTION
HKU\S-1-5-18\...\RunOnce: [SPReview] => "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"hxxp://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2450825360-3699682863-3957725698-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
R2 NativeDesktopMediaService; C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe [2015744 2018-02-05] () [File not signed] <==== ATTENTION
S2 nmlngcoh; C:\Windows\SysWOW64\nmlngcoh\fgjilvvv.exe [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 EsgScanner; system32\DRIVERS\EsgScanner.sys [X]
S3 NAVENG; \??\C:\Program Files (x86)\Norton Security\NortonData\22.7.0.76\Definitions\SDSDefs\20171104.021\ENG64.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security\NortonData\22.7.0.76\Definitions\SDSDefs\20171104.021\EX64.SYS [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
2018-03-17 19:26 - 2018-03-17 19:31 - 000000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2018-03-17 19:26 - 2018-03-17 19:30 - 000007831 _____ C:\Windows\ZAM_Guard.krnl.trace
2018-03-17 19:26 - 2018-03-17 19:29 - 000018324 _____ C:\Windows\ZAM.krnl.trace
2018-03-17 19:26 - 2018-03-17 19:26 - 000000000 ____D C:\Users\GWC\AppData\Local\Zemana
2018-03-17 17:44 - 2018-03-17 17:44 - 000000000 ____D C:\ProgramData\Emsisoft
2018-03-17 17:25 - 2018-03-17 17:33 - 000000000 ____D C:\ProgramData\HitmanPro

ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
Task: {19B8AFC4-2007-4C92-9C31-362AE58A37B4} - System32\Tasks\{0693E0B5-1EAA-4CA5-8308-4BDB02945579} => C:\Windows\system32\pcalua.exe -a D:\Drivers\VGA\Intel\(v21.20.16.4542)\Setup.exe -d D:\ -c -s
Task: {319AECC8-7FB5-470F-80F5-D23211F60947} - \{0B484A4C-DCBD-C1DD-B93C-310CDFF94670} -> No File <==== ATTENTION
Task: {4DBAAC27-258E-4B50-8CFC-7D9C56BF3F87} - \FD2CA9BE-6A6A-42D5-F6AE-666562847A8D -> No File <==== ATTENTION
Task: {ACFB1643-9676-4D8D-AA5A-1C1FE735EDA4} - \{087E0C47-0804-087D-7F11-787F7E78117F} -> No File <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
FirewallRules: [{D2435A29-E035-421E-859F-7A83D405CAB5}] => (Allow) C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe

Hosts:
EmptyTemp:
End
*****************

Processes closed successfully.
Restore point was successfully created.

========================= Folder: C:\Windows\TEMP\IXP001.TMP ========================

2018-03-04 17:40 - 2018-03-04 17:40 - 004072464 ____A [25C708CA17348975ECE8FFE5C54FE639] () C:\Windows\TEMP\IXP001.TMP\COM Surrogate.exe
2018-03-09 13:55 - 2018-03-09 13:55 - 000009055 ____A [1C3932021DC31CBB1240948D18646387] () C:\Windows\TEMP\IXP001.TMP\config.json
2018-02-20 16:14 - 2018-02-20 16:14 - 000000000 ____A [D41D8CD98F00B204E9800998ECF8427E] () C:\Windows\TEMP\IXP001.TMP\portable
2018-03-09 13:47 - 2018-03-09 13:47 - 000000078 ____A [B9C2DBE70E17F8ACB107987AB8622909] () C:\Windows\TEMP\IXP001.TMP\run.bat
2018-03-17 19:53 - 2018-03-17 20:44 - 000006862 ____A [9CC91F1453E49F6C5D392B84E4CABADF] () C:\Windows\TEMP\IXP001.TMP\update.bat
2018-03-17 19:40 - 2018-03-12 16:32 - 004173840 ____A [6CDB536F6995DA39619D5616964714C5] () C:\Windows\TEMP\IXP001.TMP\WinMiner.exe
2018-03-17 19:40 - 2018-03-12 16:32 - 004173840 ____A [6CDB536F6995DA39619D5616964714C5] () C:\Windows\TEMP\IXP001.TMP\WinMiner.exe.wmupd
2018-03-17 19:33 - 2018-03-17 19:33 - 000000000 ____D [00000000000000000000000000000000] () C:\Windows\TEMP\IXP001.TMP\AppData
2018-03-17 19:33 - 2018-03-17 20:44 - 000009015 ____A [400D739FD0F5E15EE91047538DB685BC] () C:\Windows\TEMP\IXP001.TMP\AppData\config.json
2018-03-17 19:33 - 2018-03-17 20:44 - 000000000 ____D [00000000000000000000000000000000] () C:\Windows\TEMP\IXP001.TMP\AppData\Logs
2018-03-17 20:43 - 2018-03-17 20:43 - 000001418 ____A [34843AD060FB98B3981068AEE4EB4305] () C:\Windows\TEMP\IXP001.TMP\AppData\Logs\17-03-2018_20-43-04_548.txt
2018-03-17 20:43 - 2018-03-17 20:43 - 000001418 ____A [BDB7C9944CA18BEF890E69258E29C0F3] () C:\Windows\TEMP\IXP001.TMP\AppData\Logs\17-03-2018_20-43-11_921.txt
2018-03-17 20:43 - 2018-03-17 20:43 - 000001418 ____A [4BB19F854A53FD65FF8A72D6FAE1DBCE] () C:\Windows\TEMP\IXP001.TMP\AppData\Logs\17-03-2018_20-43-17_466.txt
2018-03-17 20:43 - 2018-03-17 20:43 - 000001418 ____A [9441FB196FA0CBFDB4756F42B26E1E06] () C:\Windows\TEMP\IXP001.TMP\AppData\Logs\17-03-2018_20-43-24_643.txt
2018-03-17 20:43 - 2018-03-17 20:43 - 000001418 ____A [41BFA3B44548C1E0921C1CD637DCD9E9] () C:\Windows\TEMP\IXP001.TMP\AppData\Logs\17-03-2018_20-43-31_433.txt
2018-03-17 20:43 - 2018-03-17 20:43 - 000001418 ____A [9257ED60557C8FB29D3934B91BA91BE5] () C:\Windows\TEMP\IXP001.TMP\AppData\Logs\17-03-2018_20-43-37_450.txt
2018-03-17 20:43 - 2018-03-17 20:43 - 000001418 ____A [E373A347F218D9BD4FEB287B43AC3051] () C:\Windows\TEMP\IXP001.TMP\AppData\Logs\17-03-2018_20-43-44_930.txt
2018-03-17 20:43 - 2018-03-17 20:43 - 000001418 ____A [68C7FB95AA753DF4E4CDE5912FF6A58E] () C:\Windows\TEMP\IXP001.TMP\AppData\Logs\17-03-2018_20-43-51_907.txt
2018-03-17 20:43 - 2018-03-17 20:44 - 000001418 ____A [9A9A40A48DB93757D407A4FA3C7039EB] () C:\Windows\TEMP\IXP001.TMP\AppData\Logs\17-03-2018_20-43-58_335.txt
2018-03-17 20:44 - 2018-03-17 20:44 - 000000165 ____A [F57C7ED5D1B9E0E58AF8FBE832501783] () C:\Windows\TEMP\IXP001.TMP\AppData\Logs\17-03-2018_20-44-05_404.txt
2018-03-17 19:33 - 2018-03-17 20:44 - 000000000 ____D [00000000000000000000000000000000] () C:\Windows\TEMP\IXP001.TMP\versions
2018-03-17 19:33 - 2018-03-17 19:33 - 001161859 ____A [2CDF303D13EB25363B30EC0D1611F942] () C:\Windows\TEMP\IXP001.TMP\versions\WinMinerPortable_1.116.6645.29776.zip
2018-03-17 20:44 - 2018-03-17 20:44 - 000000000 ____D [00000000000000000000000000000000] () C:\Windows\TEMP\IXP001.TMP\versions\_extract
2018-03-17 20:44 - 2018-03-12 16:32 - 000000071 ____A [A011151096A6D5A9E6EC1235618C3338] () C:\Windows\TEMP\IXP001.TMP\versions\_extract\checksum.txt
2018-03-17 20:44 - 2017-07-27 14:53 - 000098863 ____A [61811E5DF437A0EC25E745F117D1F025] () C:\Windows\TEMP\IXP001.TMP\versions\_extract\License.rtf
2018-03-17 20:44 - 2018-03-12 16:32 - 000000000 ____A [D41D8CD98F00B204E9800998ECF8427E] () C:\Windows\TEMP\IXP001.TMP\versions\_extract\portable
2018-03-17 20:44 - 2018-03-12 16:32 - 004173840 ____A [6CDB536F6995DA39619D5616964714C5] () C:\Windows\TEMP\IXP001.TMP\versions\_extract\WinMiner.exe

====== End of Folder: ======


========================= Folder: C:\Windows\TEMP\IXP002.TMP ========================

2017-12-22 21:00 - 2017-12-22 21:00 - 000641024 ____A [EC31F0D5935213377C8792B2E9FB0D07] () C:\Windows\TEMP\IXP002.TMP\COM Surrogate.exe
2017-12-29 00:12 - 2017-12-29 00:12 - 000008900 ____A [DC57FD1C94382CDD691DBB64F0B78F87] () C:\Windows\TEMP\IXP002.TMP\config.txt
2018-03-17 19:34 - 2018-03-17 19:34 - 000001830 ____A [5077AABFB4EAC297FE57970AA9932E99] () C:\Windows\TEMP\IXP002.TMP\cpu.txt
2017-07-22 17:57 - 2017-07-22 17:57 - 002098176 ____A [511ED8D9A131465CCE3CC06E14D14A79] (The OpenSSL Project, http://www.openssl.org/) C:\Windows\TEMP\IXP002.TMP\libeay32.dll
2017-12-29 01:26 - 2017-12-29 01:26 - 000000155 ____A [7BC9EF2CCBD827855F9CC43DFF5232C7] () C:\Windows\TEMP\IXP002.TMP\run.bat
2017-12-29 00:53 - 2017-12-29 00:53 - 000001576 ____A [DAB62CDA622BF931FBD1643B88B4ACED] () C:\Windows\TEMP\IXP002.TMP\set-registry.vbe
2017-07-22 17:57 - 2017-07-22 17:57 - 000355328 ____A [7F031532B4FE6C67B7BB43761716293D] (The OpenSSL Project, http://www.openssl.org/) C:\Windows\TEMP\IXP002.TMP\ssleay32.dll
2017-11-19 21:52 - 2017-11-19 21:52 - 014572000 ____A [27B141AACC2777A82BB3FA9F6E5E5C1C] (Microsoft Corporation) C:\Windows\TEMP\IXP002.TMP\vc_redist.x64.exe
2017-12-22 20:53 - 2017-12-22 20:53 - 012514304 ____A [7C605B4B4D859958CEA108CF8382130B] () C:\Windows\TEMP\IXP002.TMP\xmrstak_cuda_backend.dll
2017-12-22 20:53 - 2017-12-22 20:53 - 000465920 ____A [529DBE6A72C1FBAA6B7616A258B48F98] () C:\Windows\TEMP\IXP002.TMP\xmrstak_opencl_backend.dll

====== End of Folder: ======

VirusTotal: C:\Windows\system32\advpack.dll => https://www.virustotal.com/file/2403166 ... 519749754/
VirusTotal: C:\Windows\TEMP\IXP002.TMP\COM Surrogate.exe => https://www.virustotal.com/file/0a5c217 ... 521298575/
VirusTotal: C:\Windows\TEMP\IXP002.TMP\xmrstak_cuda_backend.dll => https://www.virustotal.com/file/a46a6d2 ... 521124212/
VirusTotal: C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe => https://www.virustotal.com/file/aa0c562 ... 520297171/

========================= File: C:\Windows\system32\advpack.dll ========================

C:\Windows\system32\advpack.dll
File is digitally signed
MD5: 5FBD7BEC6CD3DCAA6A87A7F70CE8AF44
Creation and modification date: 2009-07-14 00:58 - 2009-07-14 02:40
Size: 000160256
Attributes: ----A
Company Name: Microsoft Corporation
Internal Name: ADVPACK.DLL
Original Name: ADVPACK.DLL
Product: Windows® Internet Explorer
Description: ADVPACK
File Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Product Version: 8.00.7600.16385
Copyright: © Microsoft Corporation. All rights reserved.
VirusTotal: 0

====== End of File: ======


========================= File: C:\Windows\TEMP\IXP002.TMP\COM Surrogate.exe ========================

C:\Windows\TEMP\IXP002.TMP\COM Surrogate.exe
File not signed
MD5: EC31F0D5935213377C8792B2E9FB0D07
Creation and modification date: 2017-12-22 21:00 - 2017-12-22 21:00
Size: 000641024
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product:
Description:
File Version:
Product Version:
Copyright:
VirusTotal: 0

====== End of File: ======


========================= File: C:\Windows\TEMP\IXP002.TMP\xmrstak_cuda_backend.dll ========================

C:\Windows\TEMP\IXP002.TMP\xmrstak_cuda_backend.dll
File not signed
MD5: 7C605B4B4D859958CEA108CF8382130B
Creation and modification date: 2017-12-22 20:53 - 2017-12-22 20:53
Size: 012514304
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product:
Description:
File Version:
Product Version:
Copyright:
VirusTotal: 0

====== End of File: ======


========================= File: C:\Windows\TEMP\IXP002.TMP\xmrstak_opencl_backend.dll ========================

C:\Windows\TEMP\IXP002.TMP\xmrstak_opencl_backend.dll
File not signed
MD5: 529DBE6A72C1FBAA6B7616A258B48F98
Creation and modification date: 2017-12-22 20:53 - 2017-12-22 20:53
Size: 000465920
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product:
Description:
File Version:
Product Version:
Copyright:
VirusTotal: 0

====== End of File: ======


========================= File: C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe ========================

C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe
File not signed
MD5: EAD19C490F96B82993EA8D1406456207
Creation and modification date: 2018-02-05 15:24 - 2018-02-05 15:24
Size: 002015744
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product:
Description:
File Version:
Product Version:
Copyright:
VirusTotal: 0

====== End of File: ======


"C:\Windows\TEMP" folder move:

Could not move "C:\Windows\TEMP" => Scheduled to move on reboot.

C:\Program Files\Jetmedia => moved successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\wextract_cleanup0" => removed successfully
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\wextract_cleanup0" => removed successfully
"HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\SPReview" => removed successfully
"HKLM\SOFTWARE\Policies\Google" => removed successfully
"HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Search Page" => removed successfully
"HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page" => removed successfully
HKU\S-1-5-21-2450825360-3699682863-3957725698-1000\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => removed successfully
"HKLM\System\CurrentControlSet\Services\NativeDesktopMediaService" => removed successfully
NativeDesktopMediaService => service removed successfully
"HKLM\System\CurrentControlSet\Services\nmlngcoh" => removed successfully
nmlngcoh => service removed successfully
"HKLM\System\CurrentControlSet\Services\catchme" => removed successfully
catchme => service removed successfully
"HKLM\System\CurrentControlSet\Services\EsgScanner" => removed successfully
EsgScanner => service removed successfully
"HKLM\System\CurrentControlSet\Services\NAVENG" => removed successfully
NAVENG => service removed successfully
"HKLM\System\CurrentControlSet\Services\NAVEX15" => removed successfully
NAVEX15 => service removed successfully
"HKLM\System\CurrentControlSet\Services\Synth3dVsc" => removed successfully
Synth3dVsc => service removed successfully
"HKLM\System\CurrentControlSet\Services\tsusbhub" => removed successfully
tsusbhub => service removed successfully
"HKLM\System\CurrentControlSet\Services\VGPU" => removed successfully
VGPU => service removed successfully
"HKLM\System\CurrentControlSet\Services\ZAM" => removed successfully
ZAM => service removed successfully
"HKLM\System\CurrentControlSet\Services\ZAM_Guard" => removed successfully
ZAM_Guard => service removed successfully
C:\Program Files (x86)\Zemana AntiMalware => moved successfully
C:\Windows\ZAM_Guard.krnl.trace => moved successfully
C:\Windows\ZAM.krnl.trace => moved successfully
C:\Users\GWC\AppData\Local\Zemana => moved successfully
C:\ProgramData\Emsisoft => moved successfully
C:\ProgramData\HitmanPro => moved successfully
"HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui" => removed successfully
HKLM\Software\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{19B8AFC4-2007-4C92-9C31-362AE58A37B4}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{19B8AFC4-2007-4C92-9C31-362AE58A37B4}" => removed successfully
C:\Windows\System32\Tasks\{0693E0B5-1EAA-4CA5-8308-4BDB02945579} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{0693E0B5-1EAA-4CA5-8308-4BDB02945579}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{319AECC8-7FB5-470F-80F5-D23211F60947}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{319AECC8-7FB5-470F-80F5-D23211F60947}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{0B484A4C-DCBD-C1DD-B93C-310CDFF94670}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{4DBAAC27-258E-4B50-8CFC-7D9C56BF3F87}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4DBAAC27-258E-4B50-8CFC-7D9C56BF3F87}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\FD2CA9BE-6A6A-42D5-F6AE-666562847A8D" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{ACFB1643-9676-4D8D-AA5A-1C1FE735EDA4}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ACFB1643-9676-4D8D-AA5A-1C1FE735EDA4}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{087E0C47-0804-087D-7F11-787F7E78117F}" => removed successfully
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart" => removed successfully
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D2435A29-E035-421E-859F-7A83D405CAB5}" => removed successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 6880583 B
Java, Flash, Steam htmlcache => 555 B
Windows/system/drivers => 93405147 B
Edge => 0 B
Chrome => 71040842 B
Firefox => 57188413 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 33125 B
Public => 0 B
ProgramData => 0 B
systemprofile => 33253 B
systemprofile32 => 33253 B
LocalService => 33125 B
NetworkService => 33125 B
GWC => 2520298 B

RecycleBin => 0 B
EmptyTemp: => 228.5 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 17-03-2018 20:46:41)

C:\Windows\TEMP => Could not move

==== End of Fixlog 20:46:43 ====

Conder
VIP
Posts: 4399
Registered: 30 Dec 2013 22:29
Location: Bratislava

Re: win32 malware gen

#9 Post by Conder »

:arrow: Please post new FRST logs (without FRSTLauncher).

AaronP
Visitor
Posts: 20
Registered: 17 Mar 2018 19:39

Re: win32 malware gen

#10 Post by AaronP »

Conder wrote::arrow: Please post new FRST logs (without FRSTLauncher).
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14.03.2018
Ran by GWC (administrator) on SMOKIE (17-03-2018 20:57:13)
Running from C:\Users\GWC\Desktop
Loaded Profiles: GWC (Available Profiles: GWC)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: Čeština (Česká republika)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(FileZilla Project) C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
() \\kuikdelivery.com\SYSVOL\kuikdelivery.com\scripts\distx.exe
() \\kuikdelivery.com\SYSVOL\kuikdelivery.com\scripts\dist.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\more.com
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(CANON INC.) C:\Windows\System32\spool\drivers\x64\3\CNAP2LAK.EXE
(Disc Soft Ltd) C:\Program Files\DAEMON Tools Lite\DTAgent.exe
(CANON INC.) C:\Windows\System32\spool\drivers\x64\3\CNAP2RPK.EXE
(CANON INC.) C:\Windows\System32\spool\drivers\x64\3\CNAC8SWK.EXE
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe
(FileZilla Project) C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe
(Disc Soft Ltd) C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
() C:\Windows\temp\IXP001.TMP\COM Surrogate.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [16697352 2016-08-26] (Realtek Semiconductor)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [321096 2017-03-29] (Intel Corporation)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [245608 2018-03-13] (AVAST Software)
HKLM\...\Run: [CNAP2 Launcher] => C:\Windows\system32\spool\DRIVERS\x64\3\CNAP2LAK.EXE [226784 2010-10-14] (CANON INC.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe [299504 2016-08-18] (Intel Corporation)
HKLM-x32\...\Run: [RUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe [115048 2011-09-20] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [FileZilla Server Interface] => C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe [2770088 2017-02-08] (FileZilla Project)
HKLM-x32\...\Run: [NeroFilterCheck] => C:\Windows\SysWOW64\NeroCheck.exe [155648 2001-07-09] (Ahead Software Gmbh)
HKLM\...\RunOnce: [wextract_cleanup0] => rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Windows\TEMP\IXP001.TMP\" <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-2450825360-3699682863-3957725698-1000\...\Run: [DAEMON Tools Lite Automount] => C:\Program Files\DAEMON Tools Lite\DTAgent.exe [4836032 2017-08-14] (Disc Soft Ltd)
HKU\S-1-5-21-2450825360-3699682863-3957725698-1000\...\Run: [Skype for Desktop] => C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe [50100160 2018-03-02] (Skype Technologies S.A.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 10.0.0.138
Tcpip\..\Interfaces\{04D9C501-E130-438A-8B0B-4119AAB2E210}: [DhcpNameServer] 10.0.0.138
Tcpip\..\Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963}: [NameServer] 8.8.8.8

Internet Explorer:
==================

FireFox:
========
FF DefaultProfile: 1u1q175r.default
FF ProfilePath: C:\Users\GWC\AppData\Roaming\Mozilla\Firefox\Profiles\1u1q175r.default [2018-03-17]
FF Extension: (Safe Browsing Version 4 (temporary add-on)) - C:\Users\GWC\AppData\Roaming\Mozilla\Firefox\Profiles\1u1q175r.default\Extensions\sbv4-gradual-rollout@mozilla.com.xpi [2017-11-05] [Legacy]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-03-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-03-17] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.7 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.6 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2018-02-11] (Adobe Systems Inc.)

Chrome:
=======
CHR Profile: C:\Users\GWC\AppData\Local\Google\Chrome\User Data\Default [2018-03-17]
CHR Extension: (No Name) - C:\Users\GWC\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2018-03-17]
CHR Extension: (No Name) - C:\Users\GWC\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-03-17]
CHR Extension: (No Name) - C:\Users\GWC\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-03-17]
CHR Extension: (Adobe Acrobat) - C:\Users\GWC\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2018-03-17]
CHR Extension: (No Name) - C:\Users\GWC\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-03-17]
CHR Extension: (Chrome Web Store Payments) - C:\Users\GWC\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-03-17]
CHR Extension: (No Name) - C:\Users\GWC\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2018-03-17]
CHR Extension: (Chrome Media Router) - C:\Users\GWC\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-03-17]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7556704 2018-03-13] (AVAST Software)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [303728 2018-03-13] (AVAST Software)
R3 Disc Soft Lite Bus Service; C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe [2291904 2017-08-14] (Disc Soft Ltd)
R2 FileZilla Server; C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe [859304 2017-02-08] (FileZilla Project)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [17992 2017-03-29] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [333280 2016-09-26] (Intel Corporation)
S3 WatAdminSvc; C:\Windows\system32\Wat\WatAdminSvc.exe [1255736 2017-11-05] ()
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 aswArPot; C:\Windows\System32\drivers\aswArPot.sys [196648 2018-03-13] (AVAST Software)
R1 aswbidsdriver; C:\Windows\System32\drivers\aswbidsdrivera.sys [227504 2018-03-13] (AVAST Software)
R0 aswbidsh; C:\Windows\System32\drivers\aswbidsha.sys [199440 2018-03-13] (AVAST Software)
R0 aswblog; C:\Windows\System32\drivers\aswbloga.sys [343752 2018-03-13] (AVAST Software)
R0 aswbuniv; C:\Windows\System32\drivers\aswbuniva.sys [57680 2018-03-13] (AVAST Software)
S3 aswHwid; C:\Windows\System32\drivers\aswHwid.sys [46968 2018-03-13] (AVAST Software)
R2 aswMonFlt; C:\Windows\System32\drivers\aswMonFlt.sys [146656 2018-03-13] (AVAST Software)
R1 aswRdr; C:\Windows\System32\drivers\aswRdr2.sys [110328 2018-03-13] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\drivers\aswRvrt.sys [84368 2018-03-13] (AVAST Software)
R1 aswSnx; C:\Windows\System32\drivers\aswSnx.sys [1026696 2018-03-13] (AVAST Software)
R1 aswSP; C:\Windows\System32\drivers\aswSP.sys [460520 2018-03-13] (AVAST Software)
R2 aswStm; C:\Windows\System32\drivers\aswStm.sys [205976 2018-03-13] (AVAST Software)
R0 aswVmm; C:\Windows\System32\drivers\aswVmm.sys [380528 2018-03-13] (AVAST Software)
R3 dtlitescsibus; C:\Windows\System32\DRIVERS\dtlitescsibus.sys [30264 2017-11-05] (Disc Soft Ltd)
R3 dtliteusbbus; C:\Windows\System32\DRIVERS\dtliteusbbus.sys [47672 2017-11-05] (Disc Soft Ltd)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [545776 2017-09-22] (Intel Corporation)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [41472 2017-03-29] (Intel Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [199736 2016-09-06] (Intel Corporation)
R0 pwdrvio; C:\Windows\System32\pwdrvio.sys [19152 2013-09-30] ()
S3 pwdspio; C:\Windows\system32\pwdspio.sys [12504 2013-09-30] ()
R3 rusb3hub; C:\Windows\System32\DRIVERS\rusb3hub.sys [114568 2012-08-27] (Renesas Electronics Corporation)
R3 rusb3xhc; C:\Windows\System32\DRIVERS\rusb3xhc.sys [230280 2012-08-27] (Renesas Electronics Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-03-17 20:57 - 2018-03-17 20:57 - 000011763 _____ C:\Users\GWC\Desktop\FRST.txt
2018-03-17 20:44 - 2018-03-17 20:46 - 000019491 _____ C:\Users\GWC\Desktop\Fixlog.txt
2018-03-17 20:43 - 2018-03-17 20:43 - 000029696 _____ C:\Users\GWC\AppData\Local\MSGBOX.EXE
2018-03-17 20:43 - 2018-03-17 20:43 - 000015327 _____ C:\Users\GWC\Desktop\LM.bat
2018-03-17 20:05 - 2018-03-17 20:05 - 000000000 _____ C:\Windows\SysWOW64\last.dump
2018-03-17 20:03 - 2018-03-17 20:57 - 000000000 ____D C:\FRST
2018-03-17 20:01 - 2018-03-17 20:02 - 000112640 _____ (forum.viry.cz) C:\Users\GWC\Desktop\FRSTLauncher.exe
2018-03-17 19:54 - 2018-03-17 19:54 - 002403328 _____ (Farbar) C:\Users\GWC\Desktop\FRST64.exe
2018-03-17 17:20 - 2018-03-17 17:21 - 069823608 _____ (Malwarebytes ) C:\Users\GWC\Downloads\mb3-setup-consumer-3.4.4.2398-1.0.322-1.0.4380.exe
2018-03-17 16:28 - 2018-03-17 16:28 - 000000000 _____ C:\autoexec.bat
2018-03-17 16:24 - 2018-03-17 16:24 - 002411920 _____ C:\Users\GWC\Downloads\winrar-x64-550cz.exe
2018-03-17 16:24 - 2018-03-17 16:24 - 000000000 ____D C:\Program Files\WinRAR
2018-03-17 16:23 - 2018-03-17 16:23 - 000002306 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-03-17 16:23 - 2018-03-17 16:23 - 000002265 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-03-17 16:22 - 2018-03-17 16:22 - 000003384 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2018-03-17 16:22 - 2018-03-17 16:22 - 000003256 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2018-03-17 16:19 - 2018-03-17 16:19 - 000000000 ____D C:\Windows\system32\appmgmt
2018-03-17 15:10 - 2018-03-17 17:25 - 000001006 __RSH C:\ProgramData\ntuser.pol
2018-03-17 15:08 - 2018-03-09 04:39 - 005580992 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2018-03-17 15:08 - 2018-03-09 04:39 - 000708288 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2018-03-17 15:08 - 2018-03-09 04:39 - 000262336 _____ (Microsoft Corporation) C:\Windows\system32\hal.dll
2018-03-17 15:08 - 2018-03-09 04:39 - 000154816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2018-03-17 15:08 - 2018-03-09 04:39 - 000095424 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2018-03-17 15:08 - 2018-03-09 04:18 - 000631640 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2018-03-17 15:08 - 2018-03-09 04:14 - 004044992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2018-03-17 15:08 - 2018-03-09 04:14 - 004025536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2018-03-17 15:08 - 2018-03-09 04:09 - 001665336 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 001461248 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 001212928 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 001163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000880640 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000731648 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000463872 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000419840 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000361984 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000345600 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000316928 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000312320 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000215552 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000210432 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000190464 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000123904 _____ (Microsoft Corporation) C:\Windows\system32\bcrypt.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000094720 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000063488 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000059904 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000044032 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000043520 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000034816 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000007168 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 04:06 - 000003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:47 - 001314064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 001114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000666112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000644096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000554496 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000342528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000275456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000261120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000254464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000082944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\bcrypt.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000070144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:43 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:38 - 000148480 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2018-03-17 15:08 - 2018-03-09 03:38 - 000062464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2018-03-17 15:08 - 2018-03-09 03:38 - 000017920 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2018-03-17 15:08 - 2018-03-09 03:37 - 000064512 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2018-03-17 15:08 - 2018-03-09 03:34 - 000338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2018-03-17 15:08 - 2018-03-09 03:34 - 000129536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\videoprt.sys
2018-03-17 15:08 - 2018-03-09 03:33 - 000296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2018-03-17 15:08 - 2018-03-09 03:31 - 000160256 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2018-03-17 15:08 - 2018-03-09 03:30 - 000291328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2018-03-17 15:08 - 2018-03-09 03:30 - 000129536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2018-03-17 15:08 - 2018-03-09 03:29 - 000112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2018-03-17 15:08 - 2018-03-09 03:29 - 000030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2018-03-17 15:08 - 2018-03-09 03:26 - 000050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2018-03-17 15:08 - 2018-03-09 03:22 - 000036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2018-03-17 15:08 - 2018-03-09 03:22 - 000025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2018-03-17 15:08 - 2018-03-09 03:22 - 000014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2018-03-17 15:08 - 2018-03-09 03:22 - 000007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2018-03-17 15:08 - 2018-03-09 03:22 - 000002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2018-03-17 15:08 - 2018-03-09 03:21 - 000006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:21 - 000004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:21 - 000003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2018-03-17 15:08 - 2018-03-09 03:21 - 000003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2018-03-17 15:08 - 2018-03-01 09:36 - 003226112 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2018-03-17 15:08 - 2018-02-22 04:28 - 000217600 _____ (Microsoft Corporation) C:\Windows\system32\WinSCard.dll
2018-03-17 15:08 - 2018-02-22 04:06 - 000134656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WinSCard.dll
2018-03-17 15:08 - 2018-02-18 22:34 - 000634272 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2018-03-17 15:08 - 2018-02-17 05:27 - 000395928 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2018-03-17 15:08 - 2018-02-17 04:36 - 000340088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2018-03-17 15:08 - 2018-02-16 16:51 - 000489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2018-03-17 15:08 - 2018-02-16 16:51 - 000315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2018-03-17 15:08 - 2018-02-16 16:51 - 000092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2018-03-17 15:08 - 2018-02-16 16:45 - 025742848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2018-03-17 15:08 - 2018-02-16 16:44 - 013678080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2018-03-17 15:08 - 2018-02-16 16:24 - 000416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2018-03-17 15:08 - 2018-02-16 16:24 - 000279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2018-03-17 15:08 - 2018-02-16 16:24 - 000076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2018-03-17 15:08 - 2018-02-16 16:19 - 020286976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2018-03-17 15:08 - 2018-02-16 15:37 - 000088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2018-03-17 15:08 - 2018-02-16 15:37 - 000064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2018-03-17 15:08 - 2018-02-15 16:15 - 003241472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2018-03-17 15:08 - 2018-02-15 15:57 - 002767872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2018-03-17 15:08 - 2018-02-10 19:35 - 000367296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\msrpc.sys
2018-03-17 15:08 - 2018-02-10 19:35 - 000334528 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\acpi.sys
2018-03-17 15:08 - 2018-02-10 19:35 - 000185024 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\pci.sys
2018-03-17 15:08 - 2018-02-10 19:35 - 000122560 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\NV_AGP.SYS
2018-03-17 15:08 - 2018-02-10 19:35 - 000068288 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\volmgr.sys
2018-03-17 15:08 - 2018-02-10 19:35 - 000064192 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ULIAGPKX.SYS
2018-03-17 15:08 - 2018-02-10 19:35 - 000063168 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\termdd.sys
2018-03-17 15:08 - 2018-02-10 19:35 - 000060608 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\AGP440.sys
2018-03-17 15:08 - 2018-02-10 19:35 - 000036032 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\vdrvroot.sys
2018-03-17 15:08 - 2018-02-10 19:35 - 000031936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mssmbios.sys
2018-03-17 15:08 - 2018-02-10 19:35 - 000023744 _____ (Microsoft Corporation) C:\Windows\system32\streamci.dll
2018-03-17 15:08 - 2018-02-10 19:35 - 000020160 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\isapnp.sys
2018-03-17 15:08 - 2018-02-10 19:35 - 000015040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\msisadrv.sys
2018-03-17 15:08 - 2018-02-10 19:35 - 000012096 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\swenum.sys
2018-03-17 15:08 - 2018-02-10 19:23 - 002292224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MSVidCtl.dll
2018-03-17 15:08 - 2018-02-10 19:23 - 000330240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\zipfldr.dll
2018-03-17 15:08 - 2018-02-10 19:23 - 000111616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\racpldlg.dll
2018-03-17 15:08 - 2018-02-10 19:11 - 003665920 _____ (Microsoft Corporation) C:\Windows\system32\MSVidCtl.dll
2018-03-17 15:08 - 2018-02-10 19:11 - 000369664 _____ (Microsoft Corporation) C:\Windows\system32\zipfldr.dll
2018-03-17 15:08 - 2018-02-10 19:11 - 000133120 _____ (Microsoft Corporation) C:\Windows\system32\msrahc.dll
2018-03-17 15:08 - 2018-02-10 19:11 - 000119296 _____ (Microsoft Corporation) C:\Windows\system32\racpldlg.dll
2018-03-17 15:08 - 2018-02-10 18:55 - 002724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2018-03-17 15:08 - 2018-02-10 18:55 - 000004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2018-03-17 15:08 - 2018-02-10 18:40 - 002901504 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2018-03-17 15:08 - 2018-02-10 18:40 - 000577536 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2018-03-17 15:08 - 2018-02-10 18:40 - 000417280 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2018-03-17 15:08 - 2018-02-10 18:40 - 000066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2018-03-17 15:08 - 2018-02-10 18:40 - 000048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2018-03-17 15:08 - 2018-02-10 18:37 - 005779968 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2018-03-17 15:08 - 2018-02-10 18:36 - 000108032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msra.exe
2018-03-17 15:08 - 2018-02-10 18:36 - 000040960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sdchange.exe
2018-03-17 15:08 - 2018-02-10 18:36 - 000007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MsraLegacy.tlb
2018-03-17 15:08 - 2018-02-10 18:32 - 000054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2018-03-17 15:08 - 2018-02-10 18:31 - 000034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2018-03-17 15:08 - 2018-02-10 18:29 - 000615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2018-03-17 15:08 - 2018-02-10 18:28 - 000144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2018-03-17 15:08 - 2018-02-10 18:28 - 000116224 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2018-03-17 15:08 - 2018-02-10 18:27 - 000817152 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2018-03-17 15:08 - 2018-02-10 18:27 - 000814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2018-03-17 15:08 - 2018-02-10 18:26 - 000653312 _____ (Microsoft Corporation) C:\Windows\system32\msra.exe
2018-03-17 15:08 - 2018-02-10 18:26 - 000051712 _____ (Microsoft Corporation) C:\Windows\system32\sdchange.exe
2018-03-17 15:08 - 2018-02-10 18:25 - 000014336 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\wmiacpi.sys
2018-03-17 15:08 - 2018-02-10 18:25 - 000009728 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\errdev.sys
2018-03-17 15:08 - 2018-02-10 18:25 - 000007168 _____ (Microsoft Corporation) C:\Windows\system32\MsraLegacy.tlb
2018-03-17 15:08 - 2018-02-10 18:22 - 002724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2018-03-17 15:08 - 2018-02-10 18:20 - 000969216 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2018-03-17 15:08 - 2018-02-10 18:10 - 000499712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2018-03-17 15:08 - 2018-02-10 18:10 - 000077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2018-03-17 15:08 - 2018-02-10 18:10 - 000062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2018-03-17 15:08 - 2018-02-10 18:09 - 000341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2018-03-17 15:08 - 2018-02-10 18:09 - 000107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2018-03-17 15:08 - 2018-02-10 18:09 - 000087552 _____ (Microsoft Corporation) C:\Windows\system32\tdc.ocx
2018-03-17 15:08 - 2018-02-10 18:09 - 000047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2018-03-17 15:08 - 2018-02-10 18:06 - 002295296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2018-03-17 15:08 - 2018-02-10 18:06 - 000199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2018-03-17 15:08 - 2018-02-10 18:03 - 000047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2018-03-17 15:08 - 2018-02-10 18:03 - 000030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2018-03-17 15:08 - 2018-02-10 18:01 - 000476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2018-03-17 15:08 - 2018-02-10 18:01 - 000152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2018-03-17 15:08 - 2018-02-10 18:00 - 000661504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2018-03-17 15:08 - 2018-02-10 18:00 - 000620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2018-03-17 15:08 - 2018-02-10 18:00 - 000115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2018-03-17 15:08 - 2018-02-10 17:57 - 015281664 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2018-03-17 15:08 - 2018-02-10 17:52 - 000262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2018-03-17 15:08 - 2018-02-10 17:50 - 000807936 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2018-03-17 15:08 - 2018-02-10 17:50 - 000726528 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2018-03-17 15:08 - 2018-02-10 17:47 - 002134016 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2018-03-17 15:08 - 2018-02-10 17:47 - 001359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2018-03-17 15:08 - 2018-02-10 17:47 - 000073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
2018-03-17 15:08 - 2018-02-10 17:47 - 000060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2018-03-17 15:08 - 2018-02-10 17:46 - 000091136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2018-03-17 15:08 - 2018-02-10 17:44 - 000168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2018-03-17 15:08 - 2018-02-10 17:41 - 000130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2018-03-17 15:08 - 2018-02-10 17:40 - 004496384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2018-03-17 15:08 - 2018-02-10 17:35 - 000230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2018-03-17 15:08 - 2018-02-10 17:34 - 000694784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2018-03-17 15:08 - 2018-02-10 17:33 - 002058240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2018-03-17 15:08 - 2018-02-10 17:33 - 001155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2018-03-17 15:08 - 2018-02-10 17:23 - 001545728 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2018-03-17 15:08 - 2018-02-10 17:12 - 000800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2018-03-17 15:08 - 2018-02-10 17:11 - 001313792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2018-03-17 15:08 - 2018-02-10 17:09 - 000710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2018-03-17 15:08 - 2018-02-02 19:40 - 000114368 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe
2018-03-17 15:08 - 2018-02-02 19:29 - 002365952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2018-03-17 15:08 - 2018-02-02 19:29 - 000337408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msihnd.dll
2018-03-17 15:08 - 2018-02-02 19:29 - 000025088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msimsg.dll
2018-03-17 15:08 - 2018-02-02 19:28 - 001806848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2018-03-17 15:08 - 2018-02-02 19:16 - 003246080 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2018-03-17 15:08 - 2018-02-02 19:16 - 000504320 _____ (Microsoft Corporation) C:\Windows\system32\msihnd.dll
2018-03-17 15:08 - 2018-02-02 19:16 - 000025088 _____ (Microsoft Corporation) C:\Windows\system32\msimsg.dll
2018-03-17 15:08 - 2018-02-02 19:14 - 001942016 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2018-03-17 15:08 - 2018-02-02 19:14 - 000070144 _____ (Microsoft Corporation) C:\Windows\system32\appinfo.dll
2018-03-17 15:08 - 2018-02-02 18:46 - 000073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msiexec.exe
2018-03-17 15:08 - 2018-02-02 18:36 - 000128512 _____ (Microsoft Corporation) C:\Windows\system32\msiexec.exe
2018-03-17 14:47 - 2018-01-15 20:59 - 000002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2018-03-17 14:47 - 2018-01-15 20:40 - 000002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2018-03-17 14:47 - 2018-01-12 17:40 - 000407040 _____ (Microsoft Corporation) C:\Windows\system32\scesrv.dll
2018-03-17 14:47 - 2018-01-12 17:26 - 000308224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scesrv.dll
2018-03-17 14:02 - 2018-03-17 14:12 - 000000000 ____D C:\ComboFix
2018-03-17 14:02 - 2018-03-17 14:05 - 000000000 ____D C:\Windows\erdnt
2018-03-17 14:02 - 2018-03-17 14:02 - 000000000 ____D C:\Qoobox
2018-03-17 14:02 - 2011-06-26 07:45 - 000256000 _____ C:\Windows\PEV.exe
2018-03-17 14:02 - 2010-11-07 18:20 - 000208896 _____ C:\Windows\MBR.exe
2018-03-17 14:02 - 2009-04-20 05:56 - 000060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2018-03-17 14:02 - 2000-08-31 01:00 - 000518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2018-03-17 14:02 - 2000-08-31 01:00 - 000406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2018-03-17 14:02 - 2000-08-31 01:00 - 000098816 _____ C:\Windows\sed.exe
2018-03-17 14:02 - 2000-08-31 01:00 - 000080412 _____ C:\Windows\grep.exe
2018-03-17 14:02 - 2000-08-31 01:00 - 000068096 _____ C:\Windows\zip.exe
2018-03-14 06:56 - 2018-02-13 19:17 - 000136384 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2018-03-14 06:56 - 2018-02-13 19:10 - 000655872 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2018-03-14 06:56 - 2018-02-13 15:05 - 001994752 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2018-03-14 06:56 - 2018-02-13 15:05 - 001560064 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2018-03-14 06:56 - 2018-02-13 15:05 - 000740864 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2018-03-14 06:56 - 2018-02-13 15:05 - 000600576 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2018-03-14 06:56 - 2018-02-13 15:05 - 000451072 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
2018-03-14 06:56 - 2018-02-13 15:05 - 000380928 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2018-03-14 06:56 - 2018-02-13 15:05 - 000262144 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2018-03-14 06:56 - 2018-02-13 15:05 - 000237568 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2018-03-13 10:21 - 2018-03-13 10:21 - 000380768 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-03-17 20:50 - 2009-07-14 16:18 - 000669580 _____ C:\Windows\system32\perfh005.dat
2018-03-17 20:50 - 2009-07-14 16:18 - 000141738 _____ C:\Windows\system32\perfc005.dat
2018-03-17 20:50 - 2009-07-14 06:13 - 001586648 _____ C:\Windows\system32\PerfStringBackup.INI
2018-03-17 20:50 - 2009-07-14 04:20 - 000000000 ____D C:\Windows\inf
2018-03-17 20:47 - 2017-11-05 17:19 - 000000000 ____D C:\Users\GWC\AppData\LocalLow\Mozilla
2018-03-17 20:46 - 2017-12-05 20:28 - 000000144 _____ C:\Windows\system32\config\netlogon.ftl
2018-03-17 20:46 - 2017-11-05 18:24 - 000000000 __SHD C:\Users\GWC\IntelGraphicsProfiles
2018-03-17 20:46 - 2009-07-14 06:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-03-17 20:44 - 2009-07-14 05:45 - 000014304 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-03-17 20:44 - 2009-07-14 05:45 - 000014304 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-03-17 19:26 - 2017-11-05 13:29 - 000000000 ____D C:\Users\GWC
2018-03-17 16:24 - 2017-11-05 21:32 - 000000000 ____D C:\Users\GWC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2018-03-17 16:24 - 2017-11-05 21:32 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2018-03-17 16:23 - 2017-11-05 15:22 - 000000000 ____D C:\Users\GWC\AppData\Local\Google
2018-03-17 16:23 - 2017-11-05 15:21 - 000000000 ____D C:\Program Files (x86)\Google
2018-03-17 15:35 - 2009-07-14 05:45 - 000400320 _____ C:\Windows\system32\FNTCACHE.DAT
2018-03-17 15:30 - 2009-07-14 04:20 - 000000000 ____D C:\Windows\PolicyDefinitions
2018-03-17 15:29 - 2017-12-05 20:29 - 000000000 ____D C:\Windows\System32\Tasks\System
2018-03-17 15:29 - 2017-12-05 20:25 - 000000000 ____D C:\Windat
2018-03-17 15:16 - 2017-11-05 13:36 - 001561362 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2018-03-17 14:12 - 2009-07-14 03:34 - 000000215 _____ C:\Windows\system.ini
2018-03-17 13:35 - 2017-11-05 17:19 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-03-17 13:18 - 2017-12-05 20:21 - 000000000 ____D C:\Program Files (x86)\Removewat 2.2.7
2018-03-17 13:07 - 2018-01-31 11:49 - 000000000 ____D C:\Windows\Minidump
2018-03-17 13:07 - 2017-11-07 10:59 - 000000000 ____D C:\Users\GWC\AppData\Local\CrashDumps
2018-03-17 13:07 - 2017-11-05 13:13 - 000000000 ____D C:\Windows\Panther
2018-03-17 13:04 - 2017-11-05 21:06 - 000003870 _____ C:\Windows\System32\Tasks\CCleaner Update
2018-03-17 13:03 - 2017-11-05 17:18 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-03-17 13:02 - 2018-01-04 12:21 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2018-03-17 13:02 - 2017-11-06 11:05 - 000001316 _____ C:\Users\Public\Desktop\Skype.lnk
2018-03-17 08:58 - 2017-11-05 21:31 - 000000000 ____D C:\Users\GWC\AppData\Roaming\vlc
2018-03-17 08:15 - 2017-11-05 18:48 - 000000000 ____D C:\Windows\system32\appraiser
2018-03-16 08:03 - 2017-11-05 15:28 - 000000000 ____D C:\Windows\system32\MRT
2018-03-16 08:02 - 2017-11-05 15:28 - 130364688 ____C (Microsoft Corporation) C:\Windows\system32\MRT-KB890830.exe
2018-03-16 08:02 - 2017-11-05 15:28 - 130364688 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2018-03-13 10:21 - 2017-11-11 07:11 - 000196648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswArPot.sys
2018-03-13 10:21 - 2017-11-05 16:46 - 000003910 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2018-03-13 10:21 - 2017-11-05 16:45 - 001026696 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000460520 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000380528 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000343752 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbloga.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000227504 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsdrivera.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000205976 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000199440 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsha.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000146656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000110328 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000084368 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000057680 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbuniva.sys
2018-03-13 10:21 - 2017-11-05 16:45 - 000046968 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2018-03-04 07:37 - 2017-12-22 20:32 - 000000000 ____D C:\Users\GWC\AppData\Local\FAAC803C-5568-3D21-1D1A-A24BB975A082
2018-03-03 05:36 - 2017-12-22 20:32 - 000000000 ____D C:\ProgramData\d4934f24
2018-02-27 19:59 - 2017-11-07 10:59 - 000004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2018-02-26 09:59 - 2017-11-07 10:58 - 000002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2018-02-17 09:11 - 2009-07-14 04:20 - 000000000 ____D C:\Windows\rescache

==================== Files in the root of some directories =======

2018-03-17 20:43 - 2018-03-17 20:43 - 000029696 _____ () C:\Users\GWC\AppData\Local\MSGBOX.EXE

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll
[2017-11-05 18:36] - [2017-12-05 21:33] - 001008640 _____ (Microsoft Corporation) 2C353B6CE0C8D03225CAA2AF33B68D79

C:\Windows\SysWOW64\User32.dll
[2017-11-05 18:36] - [2017-12-05 21:33] - 000833024 _____ (Microsoft Corporation) 861C4346F9281DC0380DE72C8D55D6BE

C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-03-17 16:49

==================== End of FRST.txt ============================

AaronP
Guest
Posts: 20
Registered: 17 Mar 2018 19:39

Re: win32 malware gen

#11 Post by AaronP »

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by GWC (17-03-2018 20:57:43)
Running from C:\Users\GWC\Desktop
Windows 7 Ultimate Service Pack 1 (X64) (2017-11-05 12:20:37)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2450825360-3699682863-3957725698-500 - Administrator - Disabled)
Guest (S-1-5-21-2450825360-3699682863-3957725698-501 - Limited - Disabled)
GWC (S-1-5-21-2450825360-3699682863-3957725698-1000 - Administrator - Enabled) => C:\Users\GWC

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avast Antivirus (Enabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Enabled - Up to date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 4.57 (HKLM-x32\...\7-Zip) (Version: - )
Adobe Acrobat Reader DC - Czech (HKLM-x32\...\{AC76BA86-7AD7-1029-7B44-AC0F074E4100}) (Version: 18.011.20038 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.0.4990 - Adobe Systems Inc.)
Archivátor WinRAR (HKLM-x32\...\WinRAR archiver) (Version: - )
Avast Free Antivirus (HKLM-x32\...\Avast Antivirus) (Version: 18.2.2328 - AVAST Software)
Canon LBP5050 (HKLM\...\Canon LBP5050) (Version: - )
Canon MF8500C Series (HKLM\...\{025ACC0E-B6F7-4cb8-B1B2-29DBEEFE0C4A}) (Version: 4.2.0.0 - CANON INC.)
CCleaner (HKLM\...\CCleaner) (Version: 5.41 - Piriform)
Corel Graphics Suite 11 (HKLM-x32\...\{07A540AB-D785-11D5-8E89-0090275862A0}) (Version: 11 - Corel Corporation) Hidden
CorelDRAW Graphics Suite 11 (HKLM-x32\...\InstallShield_{07A540AB-D785-11D5-8E89-0090275862A0}) (Version: 11 - Corel Corporation)
DAEMON Tools Lite (HKLM\...\DAEMON Tools Lite) (Version: 10.6.0.0283 - Disc Soft Ltd)
FileZilla Server (HKLM-x32\...\FileZilla Server) (Version: beta 0.9.60 - FileZilla Project)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 65.0.3325.162 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
Intel(R) Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 11.6.0.1030 - Intel Corporation)
Intel(R) Network Connections 21.1.29.0 (HKLM\...\PROSetDX) (Version: 21.1.29.0 - Intel)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 21.20.16.4526 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 15.5.0.1051 - Intel Corporation)
Intel(R) USB 3.0\3.1 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 5.0.0.32 - Intel Corporation)
Microsoft .NET Framework 4.7.1 (čeština) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1029) (Version: 4.7.02558 - Microsoft Corporation)
Microsoft .NET Framework 4.7.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.02558 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026 (HKLM-x32\...\{e46eca4f-393b-40df-9f49-076faf788d83}) (Version: 14.0.23026.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
MiniTool Partition Wizard Free 10.2.2 (HKLM\...\{05D996FA-ADCB-4D23-BA3C-A7C184A8FAC6}_is1) (Version: - MiniTool Solution Ltd.)
Mozilla Firefox 59.0.1 (x64 en-US) (HKLM\...\Mozilla Firefox 59.0.1 (x64 en-US)) (Version: 59.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 56.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 59.0.1.6648 - Mozilla)
Mozilla Thunderbird 52.6.0 (x86 cs) (HKLM-x32\...\Mozilla Thunderbird 52.6.0 (x86 cs)) (Version: 52.6.0 - Mozilla)
NativeDesktopMediaService (HKLM\...\{7AE7827C-57AB-4A9E-A598-8D8142D28EB3}) (Version: 2.1.5 - Jetmedia) <==== ATTENTION
Nero 6 Demo (HKLM-x32\...\Nero - Burning Rom!UninstallKey) (Version: - )
No-IP DUC (HKLM-x32\...\NoIPDUC) (Version: 4.0.2 - Vitalwerks Internet Solutions LLC)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7917 - Realtek Semiconductor Corp.)
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\{17528CE4-C333-48FB-A9E4-D841E795CDCE}) (Version: 3.0.23.0 - Renesas Electronics Corporation) Hidden
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{17528CE4-C333-48FB-A9E4-D841E795CDCE}) (Version: 3.0.23.0 - Renesas Electronics Corporation)
ScanToPDF 4.2 (HKLM-x32\...\{CB7B4260-0E23-4444-8376-1D3E74F421D8}_is1) (Version: 4.2.0.23 - O Imaging Corporation)
Skype verze 8.17 (HKLM-x32\...\Skype_is1) (Version: 8.17 - Skype Technologies S.A.)
UltraVnc (HKLM\...\Ultravnc2_is1) (Version: 1.2.1.6 - uvnc bvba)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.6 - VideoLAN)
WinRAR 5.50 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.50.0 - win.rar GmbH)
wufuc (HKLM\...\{AF23CE93-4FB0-4A8A-A8D6-7A97151BCC14}) (Version: 0.7.1.81 - zeffy)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-03-13] (AVAST Software)
ContextMenuHandlers1-x32: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files (x86)\7-Zip\7-zip.dll [2007-12-06] (Igor Pavlov)
ContextMenuHandlers1-x32: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-03-13] (AVAST Software)
ContextMenuHandlers1-x32: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers1-x32-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers3: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-03-13] (AVAST Software)
ContextMenuHandlers4-x32: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files (x86)\7-Zip\7-zip.dll [2007-12-06] (Igor Pavlov)
ContextMenuHandlers4-x32-x32: [WinRAR] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\Windows\system32\igfxDTCM.dll [2016-09-26] (Intel Corporation)
ContextMenuHandlers6: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-03-13] (AVAST Software)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2017-08-11] (Alexander Roshal)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {132CDDE8-5BFD-4982-A02D-AAF86066CF90} - System32\Tasks\Microsoft\Windows\Windows Activation Technologies\ValidationTask => C:\Windows\system32\Wat\WatAdminSvc.exe [2017-11-05] ()
Task: {14AB9D00-CC32-47D4-99C8-70A4CB724655} - System32\Tasks\wufuc.{72EEE38B-9997-42BD-85D3-2DD96DA17307} => C:\Windows\system32\rundll32.exe "C:\Program Files\wufuc\wufuc.dll",Rundll32Entry
Task: {4D1229A7-FEF2-4ED4-8125-D3442EDE5FC6} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-03-17] (Google Inc.)
Task: {5A7193EE-DFC7-4B9A-805C-D05A4C495BC3} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2018-03-06] (Piriform Ltd)
Task: {85A010E3-C7DA-4D3E-ADD4-EF946CE95C54} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe [2018-03-13] (AVAST Software)
Task: {8BB421C8-E9CB-42B1-BB7C-21024020BF0F} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-03-17] (Google Inc.)
Task: {B118AE0D-3DF1-481C-9FD4-EEA05DC2E8F7} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [2018-03-06] (Piriform Ltd)
Task: {C6CF8F21-B32B-4996-AE3F-0820BA85FDCA} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2018-02-09] (Adobe Systems Incorporated)
Task: {FEC51537-01AE-4198-800D-C1516C8AAB4D} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\Avast Software\Overseer\overseer.exe [2018-01-06] (AVAST Software)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2018-03-13 10:21 - 2018-03-13 10:21 - 000721624 _____ () c:\Program Files\AVAST Software\Avast\x64\vaarclient.dll
2018-03-13 10:21 - 2018-03-13 10:21 - 000912088 _____ () C:\Program Files\AVAST Software\Avast\x64\ffl2.dll
2018-03-13 10:21 - 2018-03-13 10:21 - 000341720 _____ () c:\Program Files\AVAST Software\Avast\x64\StreamBack.dll
2018-03-17 16:23 - 2018-03-13 01:39 - 004435288 _____ () C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.162\libglesv2.dll
2018-03-17 16:23 - 2018-03-13 01:39 - 000099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.162\libegl.dll
2017-12-22 21:00 - 2017-12-22 21:00 - 000641024 _____ () C:\Windows\TEMP\IXP001.TMP\COM Surrogate.exe
2017-12-22 20:53 - 2017-12-22 20:53 - 012514304 _____ () C:\Windows\TEMP\IXP001.TMP\xmrstak_cuda_backend.dll
2017-12-22 20:53 - 2017-12-22 20:53 - 000465920 _____ () C:\Windows\TEMP\IXP001.TMP\xmrstak_opencl_backend.dll
2018-03-13 10:21 - 2018-03-13 10:21 - 000287960 _____ () C:\Program Files\AVAST Software\Avast\streamback.dll
2018-03-13 10:21 - 2018-03-13 10:21 - 000280280 _____ () C:\Program Files\AVAST Software\Avast\tasks_core.dll
2018-03-17 13:02 - 2018-03-17 13:02 - 005800080 _____ () C:\Program Files\AVAST Software\Avast\defs\18031700\algo.dll
2018-03-13 10:21 - 2018-03-13 10:21 - 000756952 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2018-03-13 10:21 - 2018-03-13 10:21 - 000964824 _____ () C:\Program Files\AVAST Software\Avast\shepherdsync.dll
2018-03-13 10:21 - 2018-03-13 10:21 - 000475352 _____ () C:\Program Files\AVAST Software\Avast\gui_cache.dll
2018-03-13 10:21 - 2018-03-13 10:21 - 067126928 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2018-01-04 12:21 - 2018-03-02 21:44 - 001782904 _____ () C:\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll
2018-03-17 13:02 - 2018-03-02 21:44 - 000097224 _____ () \\?\C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\keytar\build\Release\keytar.node
2018-01-04 12:21 - 2018-03-02 21:44 - 002559608 _____ () C:\Program Files (x86)\Microsoft\Skype for Desktop\libglesv2.dll
2018-01-04 12:21 - 2018-03-02 21:44 - 000031864 _____ () C:\Program Files (x86)\Microsoft\Skype for Desktop\libegl.dll
2018-03-17 13:02 - 2018-03-02 21:44 - 000216520 _____ () \\?\C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\electron-ssid\build\Release\electron-ssid.node
2018-03-17 13:02 - 2018-03-02 21:44 - 000409544 _____ () \\?\C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\@paulcbetts\spellchecker\build\Release\spellchecker.node
2018-03-17 13:02 - 2018-03-02 21:44 - 000138688 _____ () \\?\C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\keyboard-layout\build\Release\keyboard-layout-manager.node
2018-03-17 13:02 - 2018-03-02 21:44 - 002188800 _____ () \\?\C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\skypert.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 03:34 - 2018-03-17 20:44 - 000000035 _____ C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2450825360-3699682863-3957725698-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\GWC\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 10.0.0.138
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{67ED3475-682D-4B56-9AF7-A3AF72E400B3}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{4814F9B2-4C0B-4B97-B134-2628D5913B97}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{89BC81C5-400F-4EEC-9DAD-775825D5E858}] => (Allow) LPort=5900
FirewallRules: [{8C840CCD-B61A-4D29-A1A7-2347BB4617A3}] => (Allow) LPort=5800
FirewallRules: [{E99F6DFF-E90B-4A84-90EF-471FF880C373}] => (Allow) C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe
FirewallRules: [{A4E35030-265D-4F83-ADDA-AA036040FE5C}] => (Allow) C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe
FirewallRules: [{ABA478B4-43DB-4782-8C7E-85DBCA8892FD}] => (Allow) LPort=21
FirewallRules: [TCP Query User{186341F9-CD80-4C6B-A19C-CB870D563AA9}C:\program files (x86)\microsoft\skype for desktop\skype.exe] => (Block) C:\program files (x86)\microsoft\skype for desktop\skype.exe
FirewallRules: [UDP Query User{C83735F9-475F-4CB6-BC9F-6C897C0337A9}C:\program files (x86)\microsoft\skype for desktop\skype.exe] => (Block) C:\program files (x86)\microsoft\skype for desktop\skype.exe
FirewallRules: [{9EB1A12C-B118-434F-8E86-B67BF79700D3}] => (Allow) C:\Windows\SysWOW64\TCPSVCS.EXE
FirewallRules: [{500D082A-11C2-4A89-BCA7-1D3F07E2459A}] => (Allow) C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
FirewallRules: [{8AC3E74B-8406-4909-80C8-62E2E5153B8A}] => (Allow) C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
FirewallRules: [{1D188FCD-3F46-4FB2-9778-902A5A151497}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

17-03-2018 13:03:00 Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026
17-03-2018 13:39:06 Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026
17-03-2018 13:56:19 Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026
17-03-2018 14:40:12 Windows Update
17-03-2018 14:40:26 Windows Update
17-03-2018 14:47:44 Windows Update
17-03-2018 15:09:13 Windows Update
17-03-2018 15:36:52 Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026
17-03-2018 17:11:37 Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026
17-03-2018 17:29:05 Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026
17-03-2018 17:32:28 Checkpoint by HitmanPro
17-03-2018 19:34:03 Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026
17-03-2018 20:44:06 Restore Point Created by FRST
17-03-2018 20:47:11 Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026

==================== Faulty Device Manager Devices =============

Name: Řadič paměti na sběrnici PCI
Description: Řadič paměti na sběrnici PCI
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Řadič sběrnice SM
Description: Řadič sběrnice SM
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Řadič PCI pro získávání dat a zpracování signálu
Description: Řadič PCI pro získávání dat a zpracování signálu
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (03/17/2018 08:46:05 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Aktivace licence systému Windows se nezdařila. Chyba 0x80070005.

Error: (03/17/2018 07:31:37 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Aktivace licence systému Windows se nezdařila. Chyba 0x80070005.

Error: (03/17/2018 07:17:29 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Název chybující aplikace: distx.exe, verze: 0.0.0.0, časové razítko: 0x545301ef
Název chybujícího modulu: unknown, verze: 0.0.0.0, časové razítko: 0x00000000
Kód výjimky: 0xc0000005
Posun chyby: 0x7483e514
ID chybujícího procesu: 0x14d8
Čas spuštění chybující aplikace: 0x01d3be0cf6746ad3
Cesta k chybující aplikaci: \\kuikdelivery.com\SYSVOL\kuikdelivery.com\scripts\distx.exe
Cesta k chybujícímu modulu: unknown
ID zprávy: 73c03e48-2a0f-11e8-9500-7085c25358f0

Error: (03/17/2018 05:28:05 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Aktivace licence systému Windows se nezdařila. Chyba 0x80070005.

Error: (03/17/2018 05:08:55 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Aktivace licence systému Windows se nezdařila. Chyba 0x80070005.

Error: (03/17/2018 04:16:05 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Aktivace licence systému Windows se nezdařila. Chyba 0x80070005.

Error: (03/17/2018 03:40:20 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Aktivace licence systému Windows se nezdařila. Chyba 0x80070005.

Error: (03/17/2018 03:36:04 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Aktivace licence systému Windows se nezdařila. Chyba 0x80070005.


System errors:
=============
Error: (03/17/2018 08:46:05 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: Zpracování zásad skupiny selhalo v důsledku toho, že se nebylo v síti možné připojit k řadiči domény. Může se jednat o přechodný stav. Po připojení počítače k řadiči domény a úspěšném zpracování zásad skupiny bude odeslána zpráva o úspěšné provedení těchto akcí. Pokud se tato zpráva nezobrazí během několika hodin, obraťte se na správce.

Error: (03/17/2018 08:46:00 PM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain KUIKDELIVERY due to the following:
There are currently no logon servers available to service the logon request.


This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.



ADDITIONAL INFO

If this computer is a domain controller for the specified domain,
it sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (03/17/2018 08:44:06 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Software Protection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (03/17/2018 08:44:06 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Installer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (03/17/2018 08:44:06 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel(R) Rapid Storage Technology service terminated unexpectedly. It has done this 1 time(s).

Error: (03/17/2018 08:44:06 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (03/17/2018 08:44:06 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The NativeDesktopMediaService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (03/17/2018 08:44:06 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Disc Soft Lite Bus Service service terminated unexpectedly. It has done this 1 time(s).


CodeIntegrity:
===================================

Date: 2018-03-17 14:04:58.550
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2018-03-17 14:04:58.487
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

Processor: Intel(R) Core(TM) i3-7100 CPU @ 3.90GHz
Percentage of memory in use: 58%
Total physical RAM: 3795.28 MB
Available physical RAM: 1582.87 MB
Total Virtual: 7588.72 MB
Available Virtual: 5279.82 MB

==================== Drives ================================

Drive c: (SYSTEM) (Fixed) (Total:167.58 GB) (Free:111.9 GB) NTFS
Drive f: (SAMSUNG1) (Fixed) (Total:916.98 GB) (Free:104.68 GB) NTFS
Drive g: (SAMSUNG2) (Fixed) (Total:14.53 GB) (Free:3.69 GB) NTFS

\\?\Volume{c8679e43-c222-11e7-b4ca-806e6f6e6963}\ () (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: B10B3246)
Partition 1: (Active) - (Size=917 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=14.5 GB) - (Type=05)

========================================================
Disk: 1 (MBR Code: Windows 7/8/10) (Size: 167.7 GB) (Disk ID: 09EEB114)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=167.6 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

Conder
VIP
Posts: 4399
Registered: 30 Dec 2013 22:29
Location: Bratislava

Re: win32 malware gen

#12 Post by Conder »

:arrow: Download AdwCleaner: https://toolslib.net/downloads/finish/1/
  • Save it to the desktop and close all programs
  • Run AdwCleaner as administrator
  • Accept the license terms
  • Click Scan and wait for it to finish
  • Click Clean and confirm by clicking OK
  • AdwCleaner will ask to restart the PC; confirm by clicking Restart Now
  • After the PC finishes restarting a log will pop up; copy its contents here
Graduate of the school for newcomers :)
E-mail: conder (at) forum.viry.cz

If anything is unclear, ask. I recommend always keeping a backup of important data (documents, photos and the like).

Fixlists and other scripts are written for one specific PC only. Do not use them on other machines; doing so risks damaging the system or losing data.
If you have a problem similar to another user's, please start your own thread.

If you are satisfied, you can support the forum. Thank you!

AaronP
Visitor
Posts: 20
Registered: 17 Mar 2018 19:39

Re: win32 malware gen

#13 Post by AaronP »

Conder wrote:
:arrow: Download AdwCleaner: https://toolslib.net/downloads/finish/1/
  • Save it to the desktop and close all programs
  • Run AdwCleaner as administrator
  • Accept the license terms
  • Click Scan and wait for it to finish
  • Click Clean and confirm by clicking OK
  • AdwCleaner will ask to restart the PC; confirm by clicking Restart Now
  • After the PC finishes restarting a log will pop up; copy its contents here
# AdwCleaner 7.0.8.0 - Logfile created on Sat Mar 17 20:11:09 2018
# Updated on 2018/08/02 by Malwarebytes
# Running on Windows 7 Ultimate (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

Deleted: C:\Users\GWC\AppData\Local\AdService
Deleted: C:\\Users\Public\Documents\XMUpdate
Deleted: C:\Program Files (x86)\Alcine
Deleted: C:\Users\GWC\AppData\Roaming\Jetmedia
Deleted: C:\ProgramData\d4934f24


***** [ Files ] *****

No malicious files deleted.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

Deleted: [Key] - HKU\S-1-5-21-2450825360-3699682863-3957725698-1000\Software\MinerGate
Deleted: [Key] - HKCU\Software\MinerGate
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost|AdsServiceGroup
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\SpyHunter4.exe
Deleted: [Key] - HKU\S-1-5-21-2450825360-3699682863-3957725698-1000\Software\SetupCompany
Deleted: [Key] - HKCU\Software\SetupCompany
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost|AdsServiceGroup
Deleted: [Key] - HKU\S-1-5-21-2450825360-3699682863-3957725698-1000\Software\GenericTools
Deleted: [Key] - HKCU\Software\GenericTools
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7AE7827C-57AB-4A9E-A598-8D8142D28EB3}
Deleted: [Key] - HKLM\SOFTWARE\Jetmedia
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\C7287EA7BA75E9A45A89D818242DE83B
Deleted: [Key] - HKLM\SOFTWARE\Classes\Installer\Features\C7287EA7BA75E9A45A89D818242DE83B
Deleted: [Key] - HKLM\SOFTWARE\Classes\Installer\Products\C7287EA7BA75E9A45A89D818242DE83B
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders|C:\Program Files\Jetmedia\NativeDesktopMediaService\
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders|C:\Program Files\Jetmedia\


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries deleted.

*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0



*************************

C:/AdwCleaner/AdwCleaner[S0].txt - [2838 B] - [2018/3/17 20:10:45]


########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########

Conder
VIP
Posts: 4399
Registered: 30 Dec 2013 22:29
Location: Bratislava

Re: win32 malware gen

#14 Post by Conder »

:arrow: Open Notepad (Win+R -> notepad -> Enter)
  • Copy the following text and paste it into Notepad:

    Start
    CloseProcesses:
    CreateRestorePoint:
    CMD: dir "C:\Windows\TEMP"
    HKLM\...\RunOnce: [wextract_cleanup0] => rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Windows\TEMP\IXP001.TMP\" <==== ATTENTION
    RemoveDirectory: C:\Windows\TEMP\IXP001.TMP
    RemoveDirectory: C:\Windows\TEMP\IXP002.TMP
    RemoveDirectory: C:\Windows\TEMP
    EmptyTemp:
    End
  • Save it to the desktop under the name fixlist.txt
  • Run FRST again and click Fix
  • When it finishes, FRST will ask to restart the PC; confirm by clicking OK
  • After the restart there will be a file Fixlog.txt on the desktop; copy its contents here

AaronP
Visitor
Posts: 20
Registered: 17 Mar 2018 19:39

Re: win32 malware gen

#15 Post by AaronP »

Conder wrote:
:arrow: Open Notepad (Win+R -> notepad -> Enter)
  • Copy the following text and paste it into Notepad:

    Start
    CloseProcesses:
    CreateRestorePoint:
    CMD: dir "C:\Windows\TEMP"
    HKLM\...\RunOnce: [wextract_cleanup0] => rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Windows\TEMP\IXP001.TMP\" <==== ATTENTION
    RemoveDirectory: C:\Windows\TEMP\IXP001.TMP
    RemoveDirectory: C:\Windows\TEMP\IXP002.TMP
    RemoveDirectory: C:\Windows\TEMP
    EmptyTemp:
    End
  • Save it to the desktop under the name fixlist.txt
  • Run FRST again and click Fix
  • When it finishes, FRST will ask to restart the PC; confirm by clicking OK
  • After the restart there will be a file Fixlog.txt on the desktop; copy its contents here
Fix result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by GWC (17-03-2018 21:17:32) Run:2
Running from C:\Users\GWC\Desktop
Loaded Profiles: GWC (Available Profiles: GWC)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CloseProcesses:
CreateRestorePoint:
CMD: dir "C:\Windows\TEMP"
HKLM\...\RunOnce: [wextract_cleanup0] => rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Windows\TEMP\IXP001.TMP\" <==== ATTENTION
RemoveDirectory: C:\Windows\TEMP\IXP001.TMP
RemoveDirectory: C:\Windows\TEMP\IXP002.TMP
RemoveDirectory: C:\Windows\TEMP
EmptyTemp:
End
*****************

Processes closed successfully.
Restore point was successfully created.

========= dir "C:\Windows\TEMP" =========

Volume in drive C is SYSTEM.
Volume serial number is 7222-53FD.

Directory of C:\Windows\TEMP

17.03.2018 21:14 <DIR> .
17.03.2018 21:14 <DIR> ..
17.03.2018 21:11 <DIR> IXP000.TMP
17.03.2018 21:17 <DIR> IXP001.TMP
17.03.2018 21:14 <DIR> IXP002.TMP
17.03.2018 20:46 0 tmp4893.tmp
17.03.2018 20:46 1 161 859 tmp4893.tmp.zip
17.03.2018 21:13 0 tmp55CC.tmp
17.03.2018 21:13 1 161 859 tmp55CC.tmp.zip
17.03.2018 21:14 10 813 vcredist.log
17.03.2018 21:16 <DIR> _avast_
5 file(s), 2 334 531 bytes
6 dir(s), 120 150 953 984 bytes free

========= End of CMD: =========

"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\wextract_cleanup0" => removed successfully
could not remove "C:\Windows\TEMP\IXP001.TMP\COM Surrogate.exe" => Scheduled to remove on reboot.
could not remove "C:\Windows\TEMP\IXP001.TMP\AppData\Logs\17-03-2018_21-17-37_144.txt" => Scheduled to remove on reboot.
"C:\Windows\TEMP\IXP001.TMP" => removed successfully
"C:\Windows\TEMP\IXP002.TMP" => removed successfully
could not remove "C:\Windows\TEMP\_avast_\AvLock.txt" => Scheduled to remove on reboot.
could not remove "C:\Windows\TEMP" => Scheduled to remove on reboot.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 10615315 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 0 B
Edge => 0 B
Chrome => 13125647 B
Firefox => 15474734 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 128 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 0 B
GWC => 130520 B

RecycleBin => 0 B
EmptyTemp: => 45.5 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 17-03-2018 21:20:03)

"C:\Windows\TEMP\IXP001.TMP\COM Surrogate.exe" => removed successfully
"C:\Windows\TEMP\IXP001.TMP\AppData\Logs\17-03-2018_21-17-37_144.txt" => removed successfully
C:\Windows\TEMP\_avast_\AvLock.txt => Could not move
C:\Windows\TEMP => Could not move

==== End of Fixlog 21:20:04 ====
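The fixlist in post #14 and the Fixlog above show one pattern: IXP000.TMP-style directories under C:\Windows\TEMP (the extraction folders an IExpress self-extracting package creates), a wextract_cleanup0 RunOnce value that deletes one of them at the next logon via advpack.dll,DelNodeRunDLL32, and inside it a file named "COM Surrogate.exe", which is the display name of the legitimate dllhost.exe rather than a real Windows binary. The Python script below is an added example and is not the forum's, FRST's or AdwCleaner's code: it parses FRST-style RunOnce lines and a `dir` listing, reports which IXP directories still have a cleanup entry and which do not, flags display-name masquerading, and emits a fixlist in FRST syntax for the IXP directories. The sample lines are constructed to mirror the logs in this thread, the MASQUERADE_NAMES set and the generated fixlist layout are the example's own assumptions, and, as the forum's own warning says, any fixlist still has to be reviewed for the specific machine before it is run.

```python
"""Triage of IExpress (wextract) leftovers as FRST reports them.

An IExpress self-extractor unpacks into <temp>\\IXP000.TMP (the number is bumped
while that name exists) and registers HKLM\\...\\RunOnce\\wextract_cleanup<N> =>
rundll32 advpack.dll,DelNodeRunDLL32 to delete the directory at next logon. Malware
wrapped the same way leaves identical traces; when it ran as SYSTEM the directory
sits in C:\\Windows\\TEMP instead of a user's %TEMP%.
"""
import re
from collections import namedtuple

# FRST prints a RunOnce value as:
# HKLM\...\RunOnce: [name] => <command> <==== ATTENTION   (the marker is optional)
RUNONCE_RE = re.compile(r'^\S+?\\\.\.\.\\RunOnce: \[(?P<name>[^\]]+)\] => (?P<cmd>.*?)\s*(?:<==== ATTENTION)?\s*$')
DELNODE_RE = re.compile(r'DelNodeRunDLL32\s+"(?P<path>[^"]+?)\\?"', re.IGNORECASE)
# One cmd.exe `dir` entry: date, time, then "<DIR> name" or "size name". Sizes may carry
# locale thousands separators ("1 161 859" / "1,161,859"); names that start with digits
# and contain spaces are ambiguous once the fixed-width layout is lost in a paste.
DIR_ENTRY_RE = re.compile(
    r'^\d[\d./-]+\s+\d{1,2}:\d{2}(?:\s*[AP]M)?\s+'
    r'(?:<DIR>\s+(?P<dir>.+?)|(?P<size>\d[\d\s,.]*)\s+(?P<file>\S.*?))\s*$')
IXP_NAME_RE = re.compile(r'^IXP\d{3}\.TMP$', re.IGNORECASE)
# Windows component *display names* reused as file names so Task Manager looks normal;
# the real COM surrogate is dllhost.exe. Assumed list for this example, extend as needed.
MASQUERADE_NAMES = {"com surrogate.exe", "host process for windows services.exe"}
Finding = namedtuple("Finding", "kind path note")   # kind: runonce | ixp_dir | masquerade


def parse_runonce(lines):
    """Yield (raw_line, value_name, target_dir) for wextract_cleanup RunOnce entries."""
    for line in lines:
        m = RUNONCE_RE.match(line.strip())
        if not m or not m.group("name").lower().startswith("wextract_cleanup"):
            continue
        d = DELNODE_RE.search(m.group("cmd"))
        if d:
            yield line.strip(), m.group("name"), d.group("path")


def parse_dir_listing(lines):
    """Return (dir_names, [(file_name, size_bytes)]) from cmd.exe `dir` output."""
    dirs, files = [], []
    for line in lines:
        m = DIR_ENTRY_RE.match(line.strip())
        if not m:
            continue                     # volume header, totals, blank lines
        if m.group("dir") is not None:
            if m.group("dir") not in (".", ".."):
                dirs.append(m.group("dir"))
        else:
            files.append((m.group("file"), int(re.sub(r"\D", "", m.group("size")))))
    return dirs, files


def flag_masquerade(paths):
    """Return the paths whose file name is a Windows component display name."""
    return [p for p in paths if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() in MASQUERADE_NAMES]


def triage(runonce_lines, temp_dir, dir_lines, inner_paths=()):
    """Correlate cleanup entries with the temp listing; return (findings, FRST fixlist lines)."""
    findings, fixlist = [], ["Start", "CloseProcesses:", "CreateRestorePoint:"]
    base, targeted = temp_dir.rstrip("\\"), {}
    for raw, name, target in parse_runonce(runonce_lines):
        targeted[target.lower()] = name
        ctx = "Windows TEMP, i.e. extracted as SYSTEM" if target.lower().startswith(r"c:\windows\temp") else "user temp"
        findings.append(Finding("runonce", target, f"{name}: IExpress cleanup entry ({ctx})"))
        fixlist.append(raw)              # FRST deletes the value named on this line
    for d in parse_dir_listing(dir_lines)[0]:
        if not IXP_NAME_RE.match(d):
            continue
        full = base + "\\" + d
        state = ("cleanup pending via " + targeted[full.lower()] if full.lower() in targeted
                 else "no cleanup entry left: package already ran or the value was removed")
        findings.append(Finding("ixp_dir", full, state))
        fixlist.append("RemoveDirectory: " + full)
    for p in flag_masquerade(inner_paths):
        findings.append(Finding("masquerade", p, "file name copies a Windows component display name"))
    return findings, fixlist + ["EmptyTemp:", "End"]


# Constructed sample input modelled on this thread's logs (not copied verbatim).
SAMPLE_RUNONCE = [
    r'HKLM\...\RunOnce: [wextract_cleanup0] => rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Windows\TEMP\IXP001.TMP\" <==== ATTENTION',
    r'HKLM\...\RunOnce: [VendorUpdate] => C:\Program Files\Vendor\update.exe /silent',
]
SAMPLE_DIR = """\
 Volume in drive C is SYSTEM
 Directory of C:\\Windows\\TEMP

17.03.2018 21:14 <DIR> .
17.03.2018 21:14 <DIR> ..
17.03.2018 21:11 <DIR> IXP000.TMP
17.03.2018 21:17 <DIR> IXP001.TMP
17.03.2018 21:14 <DIR> IXP002.TMP
17.03.2018 20:46 0 tmp4893.tmp
17.03.2018 20:46 1 161 859 tmp4893.tmp.zip
17.03.2018 21:14 10 813 vcredist.log
17.03.2018 21:16 <DIR> _avast_
 5 File(s) 2 334 531 bytes
 6 Dir(s) 120 150 953 984 bytes free
""".splitlines()
# Paths seen inside the IXP directory (the Fixlog names the first one); constructed here.
SAMPLE_INNER = [r"C:\Windows\TEMP\IXP001.TMP\COM Surrogate.exe", r"C:\Windows\System32\dllhost.exe"]

if __name__ == "__main__":
    found, fix = triage(SAMPLE_RUNONCE, r"C:\Windows\TEMP", SAMPLE_DIR, SAMPLE_INNER)
    for f in found:
        print(f"[{f.kind}] {f.path}: {f.note}")
    print("\n".join(fix))
```

Run with the FRST.txt RunOnce lines and the `CMD: dir` output from a Fixlog, then read the findings before touching the fixlist. Two things the output makes visible that the raw logs do not: IXP directories with no cleanup entry left (here IXP000 and IXP002) mean the package already executed, and a cleanup target under C:\Windows\TEMP rather than a user profile means the dropper ran as SYSTEM. Unlike the fixlist in post #14 the generated one does not remove C:\Windows\TEMP itself; it only targets the IXP directories, and EmptyTemp: handles the rest.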

Locked