HackTool:Win32/AutoKMS removal

This is a discussion on HackTool:Win32/AutoKMS removal within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 11-03-2015, 12:51 AM   #1
Registered Member
 
Join Date: Nov 2015
Posts: 16
OS: win7



Hi and thank you in advance for your help.
I have started getting alerts on start-up from Windows Essentials Security about this, and although I proceed to 'remove' this, it is back at the next start-up.
Help with removing this permanently would be very much appreciated.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.18057 BrowserJavaVersion: 11.31.2
Run by Rainman at 9:36:24 on 2015-11-03
Microsoft Windows 7 Professional 6.1.7601.1.1252.44.1033.18.8086.5707 [GMT 2:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
SP: Microsoft Security Essentials *Enabled/Updated* {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\Realtek\11n USB Wireless LAN Utility\RtlService.exe
C:\Program Files\KMSpico\Service_KMS.exe
C:\Program Files (x86)\Realtek\11n USB Wireless LAN Utility\RtWlan.exe
C:\Program Files (x86)\Google\Update\1.3.28.15\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.28.15\GoogleCrashHandler64.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\spool\drivers\x64\3\E_IATIHAE.EXE
C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_19_0_0_226.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_19_0_0_226.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://localoem.msn.com
uDefault_Page_URL = hxxp://localoem.msn.com
mWinlogon: Userinit = userinit.exe,
BHO: RoboForm Toolbar Helper: {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll
TB: &RoboForm Toolbar: {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [EPLTarget\P0000000000000000] C:\Windows\System32\spool\DRIVERS\x64\3\E_IATIHAE.EXE /EPT "EPLTarget\P0000000000000000" /M "Epson Stylus SX430"
uRun: [ISUSPM] "C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe" -scheduler
uRun: [RoboForm] "C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
uRunOnce: [Uninstall C:\Users\Rainman\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64] C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\Users\Rainman\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64"
uRunOnce: [Uninstall C:\Users\Rainman\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\amd64] C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\Users\Rainman\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\amd64"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" 60
mRun: [Nuance PDF Reader-reminder] "C:\Program Files (x86)\Nuance\PDF Reader\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\PDF Reader\Ereg\Ereg.ini"
mRun: [PaperPort PTD] C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe
mRun: [IndexSearch] C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe
mRun: [Nikon Message Center 2] C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe -s
mRun: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
mRunOnce: [EasyTuneVI] C:\Program Files (x86)\GIGABYTE\ET6\ETCall.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Customize Menu - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Fill Forms - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Save Forms - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Show RoboForm Toolbar - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
TCP: NameServer = 217.27.32.196 217.27.50.125
TCP: Interfaces\{8E89FF4D-9F0D-45CB-8905-0EBB26BEC41B} : DHCPNameServer = 217.27.32.196 217.27.50.125
TCP: Interfaces\{8E89FF4D-9F0D-45CB-8905-0EBB26BEC41B}\052796D6564556C60277966696 : DHCPNameServer = 194.42.133.141 217.27.32.196 217.27.50.125
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.80\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: RoboForm Toolbar Helper: {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Easy Photo Print: {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files (x86)\Epson Software\Easy Photo Print\EPTBL.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-TB: Easy Photo Print: {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files (x86)\Epson Software\Easy Photo Print\EPTBL.dll
x64-TB: &RoboForm Toolbar: {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll
x64-IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll
x64-IE: {724d43aa-0d85-11d4-9908-00400523e39a} - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Rainman\AppData\Roaming\Mozilla\Firefox\Profiles\eu8amh3r.default\
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Nuance\PDF Reader\bin\nppdf.dll
FF - plugin: C:\Program Files (x86)\Nuance\PDF Reader\Bin\nppdf.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_226.dll
.
============= SERVICES / DRIVERS ===============
.
R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2012-5-31 42624]
R0 amdkmpfd;AMD PCI Root Bus Lower Filter;C:\Windows\System32\drivers\amdkmpfd.sys [2012-12-3 36520]
R0 iaStorA;iaStorA;C:\Windows\System32\drivers\iaStorA.sys [2013-6-3 645952]
R0 iaStorF;iaStorF;C:\Windows\System32\drivers\iaStorF.sys [2013-6-3 27456]
R0 ioatdma;Intel(R) QuickData Technology device;C:\Windows\System32\drivers\ioatdma.sys [2012-5-31 46792]
R0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2012-5-31 16152]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2015-3-4 280376]
R1 AppleCharger;AppleCharger;C:\Windows\System32\drivers\AppleCharger.sys [2013-6-3 22680]
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-5-14 759048]
R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2013-6-3 151648]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2013-6-3 7168]
R2 inpoutx64;inpoutx64;C:\Windows\System32\drivers\inpoutx64.sys [2013-5-21 15008]
R2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-4-20 635104]
R2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe [2013-6-3 166720]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2013-1-20 124568]
R2 Realtek11nSU;Realtek11nSU;C:\Program Files (x86)\Realtek\11n USB Wireless LAN Utility\RtlService.exe [2013-6-3 36864]
R2 Service KMSELDI;Service KMSELDI;C:\Program Files\KMSpico\Service_KMS.exe [2013-6-29 37888]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2013-6-3 365376]
R3 GVTDrv64;GVTDrv64;C:\Windows\GVTDrv64.sys [2013-6-3 30528]
R3 ICCS;Intel(R) Integrated Clock Controller Service - Intel(R) ICCS;C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe [2013-6-3 160256]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2015-4-30 366544]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-6-3 646248]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;C:\Windows\System32\drivers\RTL8192su.sys [2010-11-25 694888]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2012-5-31 56448]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-9 123856]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2015-7-9 327296]
S3 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2012-5-31 82048]
S3 AMDCIR64;AMD CIR Service;C:\Windows\System32\drivers\AMDCIR64.sys [2012-5-31 79488]
S3 amdhub30;AMD USB 3.0 Hub Driver;C:\Windows\System32\drivers\amdhub30.sys [2012-5-31 102528]
S3 amdxhc;AMD USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\amdxhc.sys [2012-5-31 219776]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 etdrv;etdrv;C:\Windows\etdrv.sys [2013-6-3 25640]
S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;C:\Windows\System32\drivers\EtronHub3.sys [2012-5-31 59392]
S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;C:\Windows\System32\drivers\EtronXHCI.sys [2012-5-31 84608]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2013-6-4 57840]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2014-3-31 1512640]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2015-10-14 114688]
S3 ioatdma1;ioatdma1;C:\Windows\System32\drivers\qd162x64.sys [2012-5-31 40144]
S3 ioatdma2;Intel(R) QuickData Technology device ver.2;C:\Windows\System32\drivers\qd262x64.sys [2012-5-31 42192]
S3 iusb3hub;Intel(R) USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2012-5-31 356120]
S3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2012-5-31 787736]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2012-5-31 83080]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2012-5-31 184968]
S3 NvStUSB;NVIDIA Stereoscopic 3D USB driver;C:\Windows\System32\drivers\nvstusb.sys [2013-3-6 448288]
S3 pwdrvio;pwdrvio;C:\Windows\System32\pwdrvio.sys [2013-6-3 19936]
S3 pwdspio;pwdspio;C:\Windows\System32\pwdspio.sys [2013-6-3 13280]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-3-13 19456]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2013-3-13 29696]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-3-13 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-3-13 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-6-4 1255736]
.
=============== Created Last 30 ================
.
2015-11-03 06:53:04 75888 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{51EC3E2E-2359-45D2-A345-4D27CDC4F0E4}\offreg.1000.dll
2015-11-03 02:46:00 11140960 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{51EC3E2E-2359-45D2-A345-4D27CDC4F0E4}\mpengine.dll
2015-11-01 14:01:09 11140960 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-10-28 04:15:17 1190000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{10DF2C3E-E18F-4527-A221-974B01374A33}\gapaengine.dll
2015-10-27 12:23:29 -------- d-----w- C:\Users\Rainman\AppData\Roaming\Opera Software
2015-10-27 12:23:29 -------- d-----w- C:\Users\Rainman\AppData\Local\Opera Software
2015-10-27 12:20:38 -------- d-----w- C:\Users\Rainman\AppData\Roaming\Shortcut
2015-10-14 04:14:00 3168768 ----a-w- C:\Windows\System32\wucltux.dll
2015-10-08 12:48:01 -------- d-----w- C:\$WINDOWS.~BT
2015-10-08 10:28:47 -------- d--h--w- C:\$Windows.~WS
.
==================== Find3M ====================
.
2015-11-03 06:49:17 30528 ----a-w- C:\Windows\GVTDrv64.sys
2015-11-03 06:49:10 25640 ----a-w- C:\Windows\gdrv.sys
2015-10-17 12:33:17 780488 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2015-10-17 12:33:17 142536 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2015-10-01 1849 692672 ----a-w- C:\Windows\System32\winload.efi
2015-10-01 18:04:11 616360 ----a-w- C:\Windows\System32\winresume.efi
2015-10-01 18:00:59 63488 ----a-w- C:\Windows\System32\setbcdlocale.dll
2015-10-01 18:00:43 59392 ----a-w- C:\Windows\System32\appidapi.dll
2015-10-01 18:00:43 32768 ----a-w- C:\Windows\System32\appidsvc.dll
2015-10-01 18:00:06 17920 ----a-w- C:\Windows\System32\appidcertstorecheck.exe
2015-10-01 18:00:06 147456 ----a-w- C:\Windows\System32\appidpolicyconverter.exe
2015-10-01 17:50:35 50688 ----a-w- C:\Windows\SysWow64\appidapi.dll
2015-10-01 17:00:54 61440 ----a-w- C:\Windows\System32\drivers\appid.sys
2015-09-29 03:16:51 5569472 ----a-w- C:\Windows\System32\ntoskrnl.exe
2015-09-29 03:13:50 1730496 ----a-w- C:\Windows\System32\ntdll.dll
2015-09-29 03:11:19 362496 ----a-w- C:\Windows\System32\wow64win.dll
2015-09-29 03:11:19 243712 ----a-w- C:\Windows\System32\wow64.dll
2015-09-29 03:11:19 215040 ----a-w- C:\Windows\System32\winsrv.dll
2015-09-29 03:11:19 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2015-09-29 03:11:06 210944 ----a-w- C:\Windows\System32\wdigest.dll
2015-09-29 03:11:03 86528 ----a-w- C:\Windows\System32\TSpkg.dll
2015-09-29 03:11:01 503808 ----a-w- C:\Windows\System32\srcore.dll
2015-09-29 03:11:01 50176 ----a-w- C:\Windows\System32\srclient.dll
2015-09-29 03:10:59 1216512 ----a-w- C:\Windows\System32\rpcrt4.dll
2015-09-29 03:10:56 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2015-09-29 03:10:55 315392 ----a-w- C:\Windows\System32\msv1_0.dll
2015-09-29 03:10:53 729088 ----a-w- C:\Windows\System32\kerberos.dll
2015-09-29 03:10:53 424960 ----a-w- C:\Windows\System32\KernelBase.dll
2015-09-29 03:10:47 44032 ----a-w- C:\Windows\System32\cryptbase.dll
2015-09-29 03:10:47 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2015-09-29 03:10:47 22016 ----a-w- C:\Windows\System32\credssp.dll
2015-09-29 03:10:30 112640 ----a-w- C:\Windows\System32\smss.exe
2015-09-29 03:10:25 296960 ----a-w- C:\Windows\System32\rstrui.exe
2015-09-29 03:09:59 338432 ----a-w- C:\Windows\System32\conhost.exe
2015-09-29 03:09:53 64000 ----a-w- C:\Windows\System32\auditpol.exe
2015-09-29 03:05:56 60416 ----a-w- C:\Windows\System32\msobjs.dll
2015-09-29 03:05:36 146432 ----a-w- C:\Windows\System32\msaudite.dll
2015-09-29 03:05:01 3990976 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2015-09-29 03:05:01 3936192 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2015-09-29 03:02:09 1311768 ----a-w- C:\Windows\SysWow64\ntdll.dll
2015-09-29 02:59:20 172032 ----a-w- C:\Windows\SysWow64\wdigest.dll
2015-09-29 02:59:17 65536 ----a-w- C:\Windows\SysWow64\TSpkg.dll
2015-09-29 02:59:16 43008 ----a-w- C:\Windows\SysWow64\srclient.dll
2015-09-29 02:59:10 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2015-09-29 02:59:08 259584 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2015-09-29 02:59:04 552960 ----a-w- C:\Windows\SysWow64\kerberos.dll
2015-09-29 02:58:57 36864 ----a-w- C:\Windows\SysWow64\cryptbase.dll
2015-09-29 02:58:57 17408 ----a-w- C:\Windows\SysWow64\credssp.dll
2015-09-29 02:58:52 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2015-09-29 02:58:36 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2015-09-29 02:58:05 50176 ----a-w- C:\Windows\SysWow64\auditpol.exe
2015-09-29 02:57:53 665088 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
2015-09-29 02:57:53 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2015-09-29 02:57:52 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2015-09-29 02:53:44 60416 ----a-w- C:\Windows\SysWow64\msobjs.dll
2015-09-29 02:53:28 146432 ----a-w- C:\Windows\SysWow64\msaudite.dll
2015-09-29 01:50:29 159232 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2015-09-29 01:49:43 290816 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2015-09-29 01:49:31 129024 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2015-09-29 01:43:29 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2015-09-29 01:43:27 2048 ----a-w- C:\Windows\SysWow64\user.exe
2015-09-29 01:40:57 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2015-09-29 01:40:57 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2015-09-29 01:40:57 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2015-09-29 01:40:57 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2015-09-25 18:07:19 98816 ----a-w- C:\Windows\System32\wudriver.dll
2015-09-25 18:07:19 192512 ----a-w- C:\Windows\System32\wuwebv.dll
2015-09-25 1854 91136 ----a-w- C:\Windows\System32\WinSetupUI.dll
2015-09-25 1844 12288 ----a-w- C:\Windows\System32\wu.upgrade.ps.dll
2015-09-25 1840 37888 ----a-w- C:\Windows\System32\wuapp.exe
2015-09-25 17:59:08 93696 ----a-w- C:\Windows\SysWow64\wudriver.dll
2015-09-25 17:59:08 174080 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2015-09-25 17:58:25 35328 ----a-w- C:\Windows\SysWow64\wuapp.exe
2015-09-19 06:34:11 113880 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2015-09-16 04:36:53 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2015-09-16 04:36:43 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2015-09-16 04:22:21 66560 ----a-w- C:\Windows\System32\iesetup.dll
2015-09-16 04:21:39 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2015-09-16 04:21:33 417792 ----a-w- C:\Windows\System32\html.iec
2015-09-16 04:21:27 585728 ----a-w- C:\Windows\System32\vbscript.dll
2015-09-16 04:21:17 88064 ----a-w- C:\Windows\System32\MshtmlDac.dll
2015-09-16 04:09:30 5990912 ----a-w- C:\Windows\System32\jscript9.dll
2015-09-16 04:08:40 114688 ----a-w- C:\Windows\System32\ieetwcollector.exe
2015-09-16 04:08:38 144384 ----a-w- C:\Windows\System32\ieUnatt.exe
2015-09-16 04:08:23 814080 ----a-w- C:\Windows\System32\jscript9diag.dll
2015-09-16 04:01:30 968704 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2015-09-16 03:50:29 77824 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2015-09-16 03:45:19 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2015-09-16 03:33:26 504832 ----a-w- C:\Windows\SysWow64\vbscript.dll
2015-09-16 03:33:07 62464 ----a-w- C:\Windows\SysWow64\iesetup.dll
2015-09-16 03:32:33 47616 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2015-09-16 03:32:24 341504 ----a-w- C:\Windows\SysWow64\html.iec
2015-09-16 03:31:57 64000 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll
2015-09-16 03:28:33 1359360 ----a-w- C:\Windows\System32\mshtmlmedia.dll
2015-09-16 03:26:47 2126336 ----a-w- C:\Windows\System32\inetcpl.cpl
2015-09-16 03:23:01 115712 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2015-09-16 03:22:43 620032 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2015-09-16 03:11:12 2487808 ----a-w- C:\Windows\System32\wininet.dll
2015-09-16 03:10:46 60416 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2015-09-16 03:05:51 4527616 ----a-w- C:\Windows\SysWow64\jscript9.dll
.
============= FINISH: 9:36:45.32 ===============

Kind regards
Geoff
Attached Files
File Type: txt attach.txt (10.3 KB, 33 views)
geofft is offline  
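As an added defender-side example (not code from this thread, DDS, FRST or CKScanner), the following Python script parses the "Running Processes" and "SERVICES / DRIVERS" sections of a DDS log like the one above and cross-references them, so that a binary flagged by the indicator list is reported together with the running service registered for the same image. The indicator strings come from the posted log; SAMPLE_DDS_LOG is a constructed excerpt of that log, and the function names are illustrative assumptions.

```python
"""Triage the 'Running Processes' and 'SERVICES / DRIVERS' sections of a DDS log.

Added example for this thread, not code from DDS, FRST, CKScanner or the forum.
The indicator strings come from the log posted above; SAMPLE_DDS_LOG is a
constructed excerpt of that log, and all function names are illustrative.
"""
import re

# Constructed excerpt: a few lines copied from the DDS log in post #1.
SAMPLE_DDS_LOG = r"""
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\KMSpico\Service_KMS.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2015-3-4 280376]
R2 Service KMSELDI;Service KMSELDI;C:\Program Files\KMSpico\Service_KMS.exe [2013-6-29 37888]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2015-7-9 327296]
.
============= FINISH: 9:36:45.32 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+\s*$")
# DDS service lines: "<R|S><start type> name;display name;image path [date size]"
# R = running when the scan ran, S = stopped; 2 = automatic start, 3 = manual.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)(?:\s+\[[^\]]*\])?\s*$")
# Process lines: image path ending in .exe, optionally followed by arguments.
PROCESS_RE = re.compile(r"^(.*?\.exe)(?:\s+(.*))?$", re.IGNORECASE)

# Substrings (matched case-insensitively) that identify the KMS activator
# MSE reports as HackTool:Win32/AutoKMS; all three appear in the posted log.
KMS_INDICATORS = ("\\kmspico\\", "service_kms.exe", "kmseldi")


def split_sections(text):
    """Return {section title: [body lines]}; blank and '.' filler lines are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def matched_indicator(value):
    """Return the first indicator found in value, or None."""
    low = value.lower()
    return next((ind for ind in KMS_INDICATORS if ind in low), None)


def parse_processes(lines):
    return [{"path": m.group(1), "args": m.group(2) or ""}
            for m in map(PROCESS_RE.match, lines) if m]


def parse_services(lines):
    return [dict(zip(("start", "name", "display", "path"), m.groups()))
            for m in map(SERVICE_RE.match, lines) if m]


def triage(text):
    """Flag processes and services matching KMS_INDICATORS. For each flagged
    process, persists_via names the running service registered for the same
    image, i.e. the persistence entry a cleanup must remove along with the file."""
    sections = split_sections(text)
    processes = parse_processes(sections.get("Running Processes", []))
    services = parse_services(sections.get("SERVICES / DRIVERS", []))
    service_by_path = {s["path"].lower(): s for s in services}

    findings = []
    for p in processes:
        ind = matched_indicator(p["path"])
        if ind:
            svc = service_by_path.get(p["path"].lower())
            findings.append({
                "kind": "process", "name": p["path"], "indicator": ind,
                # Only a service that was running (R) is relaunching the binary.
                "persists_via": svc["name"] if svc and svc["start"].startswith("R") else None,
            })
    for s in services:
        ind = matched_indicator(s["path"]) or matched_indicator(s["name"])
        if ind:
            findings.append({"kind": "service", "name": s["name"], "start": s["start"],
                             "indicator": ind, "path": s["path"]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS_LOG):
        print(finding)
```

Feed a complete DDS log to triage() to get the same cross-reference for the whole scan. The point of the persists_via field is that the running process and the auto-start service that launches it are one finding, not two: the file alone being "removed" leaves the service entry in place.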
 
Old 11-03-2015, 01:10 PM   #2
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello geofft and Welcome to TSF!

My name is Tolga and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Please download and run all requested tools from your Desktop.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My native language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Now, let's get started, shall we?

Are you running a legal copy of Microsoft Office?

Please download Farbar Recovery Scan Tool and save it to your desktop.

Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
Make sure the Addition.txt button is ticked.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
__________________
tekir06 is offline  
Old 11-03-2015, 09:28 PM   #3
Registered Member
 
Join Date: Nov 2015
Posts: 16
OS: win7



Hi Tolga and thank you.

I had always been under the impression everything on my computer was legal,
but I now find out [after about 2 years] that my version of Office is indeed a copy! I hope this is not the cause as I need to use Excel every day.
Please find attached requested logs.

Kind regards
Geoff
Attached Files
File Type: txt Addition.txt (32.0 KB, 28 views)
File Type: txt FRST.txt (50.6 KB, 28 views)
geofft is offline  
 
Old 11-04-2015, 03:23 AM   #4
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello geofft,

Thank you for the log and the info. Please do the following.

Download CKScanner by askey127 from Here
Right-click CKScanner.exe, choose Run as Administrator, then click Search For Files.
After a couple of minutes or less, when some text appears in the box, click Save List To File.
A message box will verify the file saved. It is important that you run the program just once.
Double-click the CKFiles.txt icon on your desktop, give permission if asked, and copy/paste the contents in your next reply.
tekir06 is offline  
Old 11-04-2015, 03:35 AM   #5
Registered Member
 
Join Date: Nov 2015
Posts: 16
OS: win7



Hope I have done this correctly:
CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\program files\kmspico\check_activation_all.cmd
c:\program files\kmspico\install_service.cmd
c:\program files\kmspico\ipaddresscontrollib.dll
c:\program files\kmspico\kmseldi.exe
c:\program files\kmspico\kmspico.log
c:\program files\kmspico\log.cmd
c:\program files\kmspico\service_kms.exe
c:\program files\kmspico\triggerkms.exe
c:\program files\kmspico\unins000.dat
c:\program files\kmspico\unins000.exe
c:\program files\kmspico\uninstall_service.cmd
c:\program files\kmspico\cert\kmscert2013\project\licenses.sl.issuance.client_bridge_office.xrm-ms
c:\program files\kmspico\cert\kmscert2013\project\licenses.sl.issuance.client_root.xrm-ms
c:\program files\kmspico\cert\kmscert2013\project\licenses.sl.issuance.client_root_bridge_test.xrm-ms
c:\program files\kmspico\cert\kmscert2013\project\licenses.sl.issuance.client_stil.xrm-ms
c:\program files\kmspico\cert\kmscert2013\project\licenses.sl.issuance.client_ul.xrm-ms
c:\program files\kmspico\cert\kmscert2013\project\licenses.sl.issuance.client_ul_oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\project\licenses.sl.pkeyconfig.signed.xrm-ms
c:\program files\kmspico\cert\kmscert2013\project\licensesetdata._4a5d124a_e620_44ba_b6ff_658961b33b9a.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\project\licensesetdata._4a5d124a_e620_44ba_b6ff_658961b33b9a.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\project\licensesetdata._4a5d124a_e620_44ba_b6ff_658961b33b9a.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\project\licensesetdata._ed34dc89_1c27_4ecd_8b2f_63d0f4cedc32.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\project\licensesetdata._ed34dc89_1c27_4ecd_8b2f_63d0f4cedc32.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2013\project\licensesetdata._ed34dc89_1c27_4ecd_8b2f_63d0f4cedc32.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\project\licensesetdata._ed34dc89_1c27_4ecd_8b2f_63d0f4cedc32.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\project\project.reg
c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.issuance.client_bridge_office.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.issuance.client_root.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.issuance.client_root_bridge_test.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.issuance.client_stil.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.issuance.client_ul.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.issuance.client_ul_oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.pkeyconfig.signed.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._2b88c4f2_ea8f_43cd_805e_4d41346e18a7.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._2b88c4f2_ea8f_43cd_805e_4d41346e18a7.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._2b88c4f2_ea8f_43cd_805e_4d41346e18a7.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._2b88c4f2_ea8f_43cd_805e_4d41346e18a7.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._b322da9c_a2e2_4058_9e4e_f59a6970bd69.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._b322da9c_a2e2_4058_9e4e_f59a6970bd69.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._b322da9c_a2e2_4058_9e4e_f59a6970bd69.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\proplus\proplus.reg
c:\program files\kmspico\cert\kmscert2013\visio\licenses.sl.issuance.client_bridge_office.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visio\licenses.sl.issuance.client_root.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visio\licenses.sl.issuance.client_root_bridge_test.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visio\licenses.sl.issuance.client_stil.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visio\licenses.sl.issuance.client_ul.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visio\licenses.sl.issuance.client_ul_oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visio\licenses.sl.pkeyconfig.signed.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visio\licensesetdata._3e4294dd_a765_49bc_8dbd_cf8b62a4bd3d.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visio\licensesetdata._3e4294dd_a765_49bc_8dbd_cf8b62a4bd3d.phn.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visio\licensesetdata._3e4294dd_a765_49bc_8dbd_cf8b62a4bd3d.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visio\licensesetdata._3e4294dd_a765_49bc_8dbd_cf8b62a4bd3d.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visio\licensesetdata._e13ac10e_75d0_4aff_a0cd_764982cf541c.oob.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visio\licensesetdata._e13ac10e_75d0_4aff_a0cd_764982cf541c.pl.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visio\licensesetdata._e13ac10e_75d0_4aff_a0cd_764982cf541c.ppdlic.xrm-ms
c:\program files\kmspico\cert\kmscert2013\visio\visio.reg
c:\program files\kmspico\cert\office2010vl\office14reginfo.reg
c:\program files\kmspico\cert\office2010vl\tokens.dat
c:\program files\kmspico\sounds\affirmative.mp3
c:\program files\kmspico\sounds\begin.mp3
c:\program files\kmspico\sounds\complete.mp3
c:\program files\kmspico\sounds\diagnostic.mp3
c:\program files\kmspico\sounds\transfer.mp3
c:\program files\kmspico\sounds\verified.mp3
c:\program files\kmspico\sounds\warning.mp3
c:\program files\kmspico\tokensbackup\tokens.dat
c:\program files\kmspico\tokensbackup\cache\cache.dat
scanner sequence 3.ZZ.11.AWNASZ
----- EOF -----
geofft is offline  
Old 11-04-2015, 05:22 AM   #6
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello geofft

Unfortunately, you're using an illegal copy of Office. KMSpico is a crack. This tool can be used to activate any version of Windows and MS Office. Do not use such tools/software (like KMSpico and cracked software).

Please read read read

You'll have to uninstall MS Office before we can proceed.
tekir06 is offline  
Old 11-05-2015, 02:27 AM   #7
Registered Member
 
Join Date: Nov 2015
Posts: 16
OS: win7



Hello again Tolga,
I have been trying to contact the company I purchased the computer from in the UK for a refund to purchase the genuine version I originally paid for with the bundle.
At the moment I am getting no response. I could really do without the extra expense of buying Office [without a refund] until at least the end of the month, when I get paid. Would I be taking too much of a risk by using Excel until then? If you feel I need to act before then I will gladly follow your instructions with appreciation.

Kind Regards
Geoff
geofft is offline  
Old 11-05-2015, 10:52 PM   #8
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello geofft,

Until you are able to make contact with the company, we would strongly recommend that you uninstall KMSpico 4.1.

It may make this version of Microsoft Office become invalid. If you are unable to use MS Office after removing the activation bypass (KMSpico 4.1) then you can also try using LibreOffice.

https://www.libreoffice.org/discover/libreoffice/

This should give you a working office suite, and allow you to be in compliance with forum rules.
tekir06 is offline  
Old 11-08-2015, 05:02 AM   #9
Registered Member
 
Join Date: Nov 2015
Posts: 16
OS: win7



Hi again,
I have removed KMSpico & Office.
Thank you for the pointer to an alternative to trial.
First impressions are that it will adequately do all I am requiring even if
it will take a little getting used to.

kind regards

Geoff
geofft is offline  
Old 11-08-2015, 11:15 AM   #10
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello geofft,

You're welcome.

Please re-run FRST tool and attach fresh logs.
tekir06 is offline  
Old 11-09-2015, 01:07 AM   #11
Registered Member
 
Join Date: Nov 2015
Posts: 16
OS: win7



Hopefully this will be in order.
Kind regards
Geoff
Attached Files
File Type: txt Addition.txt (33.0 KB, 28 views)
File Type: txt FRST.txt (51.0 KB, 25 views)
geofft is offline  
Old 11-09-2015, 06:21 AM   #12
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello geofft,

Please do the following.

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST64.exe

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.

Code:
CreateRestorePoint:
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
U2 TMAgent; no ImagePath
2015-11-08 14:59 - 2013-06-29 08:13 - 00000000 ____D C:\Program Files\KMSpico
2015-11-04 13:33 - 2014-12-29 13:50 - 00000020 ____H C:\ProgramData\PKP_DLet.DAT
2014-12-29 13:51 - 2014-12-29 13:51 - 0000020 ____H () C:\ProgramData\PKP_DLes.DAT
2014-12-29 13:50 - 2015-11-04 13:33 - 0000020 ____H () C:\ProgramData\PKP_DLet.DAT
2014-12-29 13:50 - 2014-12-29 13:50 - 0000020 ____H () C:\ProgramData\PKP_DLev.DAT
Task: {184EA7CD-CE7D-4C8E-B54D-9D55F96DA53A} - \ProgramRefresh-ATFST -> No File <==== ATTENTION
Task: {7D11BC1B-58C9-4745-B9D6-EDEC01F95BDA} - \LaunchPreSignup -> No File <==== ATTENTION
Task: {80C02FE7-C462-4C32-91DF-60C8287090A7} - \ProgramUpdateCheck -> No File <==== ATTENTION
EmptyTemp:
Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
tekir06 is offline  
Old 11-09-2015, 10:26 PM   #13
Registered Member
 
Join Date: Nov 2015
Posts: 16
OS: win7



I managed to make hard work of this but got there in the end !

Fix result of Farbar Recovery Scan Tool (x64) Version:07-11-2015
Ran by Rainman (2015-11-10 08:18:34) Run:1
Running from C:\Users\Rainman\Downloads\New folder
Loaded Profiles: Rainman (Available Profiles: Rainman)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
U2 TMAgent; no ImagePath
2015-11-08 14:59 - 2013-06-29 08:13 - 00000000 ____D C:\Program Files\KMSpico
2015-11-04 13:33 - 2014-12-29 13:50 - 00000020 ____H C:\ProgramData\PKP_DLet.DAT
2014-12-29 13:51 - 2014-12-29 13:51 - 0000020 ____H () C:\ProgramData\PKP_DLes.DAT
2014-12-29 13:50 - 2015-11-04 13:33 - 0000020 ____H () C:\ProgramData\PKP_DLet.DAT
2014-12-29 13:50 - 2014-12-29 13:50 - 0000020 ____H () C:\ProgramData\PKP_DLev.DAT
Task: {184EA7CD-CE7D-4C8E-B54D-9D55F96DA53A} - \ProgramRefresh-ATFST -> No File <==== ATTENTION
Task: {7D11BC1B-58C9-4745-B9D6-EDEC01F95BDA} - \LaunchPreSignup -> No File <==== ATTENTION
Task: {80C02FE7-C462-4C32-91DF-60C8287090A7} - \ProgramUpdateCheck -> No File <==== ATTENTION
EmptyTemp:
*****************

Restore point was successfully created.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
TMAgent => service removed successfully
C:\Program Files\KMSpico => moved successfully
C:\ProgramData\PKP_DLet.DAT => moved successfully
C:\ProgramData\PKP_DLes.DAT => moved successfully
"C:\ProgramData\PKP_DLet.DAT" => not found.
C:\ProgramData\PKP_DLev.DAT => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{184EA7CD-CE7D-4C8E-B54D-9D55F96DA53A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{184EA7CD-CE7D-4C8E-B54D-9D55F96DA53A}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProgramRefresh-ATFST => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7D11BC1B-58C9-4745-B9D6-EDEC01F95BDA}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7D11BC1B-58C9-4745-B9D6-EDEC01F95BDA}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\LaunchPreSignup => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{80C02FE7-C462-4C32-91DF-60C8287090A7}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{80C02FE7-C462-4C32-91DF-60C8287090A7}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProgramUpdateCheck => key not found.
EmptyTemp: => 115.7 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 08:18:57 ====
geofft is offline  
Old 11-09-2015, 11:21 PM   #14
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello geofft,

Thanks for the log. Please do the following. Then, how is the machine behaving now? What problems do you still have? Do you still get the HackTool:Win32 alert?

Please go to Start > Control Panel > Programs and Features and remove the above Java program(s) installed.
Next, download the latest Java, version 8 Update 65 from the following link

Download Free Java Software

========================================================

Please go HERE then click on: Run Eset Online Scanner
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on the icon to install.

All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

Select the option YES, I accept the Terms of Use then click on the Start button.
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

  • Scan for potentially unwanted applications
  • Scan Archives
  • Enable Anti-Stealth Technology

Next to 'Current scan targets: Operating memory, Local drives', click the Change... button.
Tick all the boxes that correspond to your external/inserted drives.
Click Start. The virus signature database will begin to download. This may take some time.
Wait for the scan to finish.
When completed, click on Finish.
When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
Save that text file to your desktop, and then copy/paste the contents in your next reply.
tekir06 is offline  
Old 11-10-2015, 03:23 AM   #15
Registered Member
 
Join Date: Nov 2015
Posts: 16
OS: win7



Phew! It took a while.

C:\Users\Rainman\AppData\Roaming\uTorrent\uTorrent.exe a variant of Win32/AdkDLLWrapper.A potentially unwanted application
C:\Users\Rainman\Downloads\utorrent.exe a variant of Win32/AdkDLLWrapper.A potentially unwanted application
G:\Applications\nuancepdf.exe a variant of Win32/InstallIQ potentially unwanted application
G:\Backups\May 2013\Misc\freefileviewer_2_d1426120.exe a variant of Win32/InstallIQ.A potentially unwanted application
G:\GEOFF-PC\Backup Set 2011-02-27 190000\Backup Files 2011-02-27 190000\Backup files 1.zip Win32/Toolbar.Montiera.T potentially unwanted application
G:\GEOFF-PC\Backup Set 2012-12-16 190001\Backup Files 2012-12-16 190001\Backup files 1.zip Win32/Toolbar.Conduit.Q potentially unwanted application
G:\GEOFF-PC\Backup Set 2012-12-16 190001\Backup Files 2012-12-16 190001\Backup files 5.zip multiple threats
G:\GEOFF-PC\Backup Set 2013-01-27 190000\Backup Files 2013-01-27 190000\Backup files 1.zip Win32/Toolbar.Conduit.Q potentially unwanted application
G:\GEOFF-PC\Backup Set 2013-01-27 190000\Backup Files 2013-01-27 190000\Backup files 4.zip multiple threats
G:\GEOFF-PC\Backup Set 2013-02-10 190000\Backup Files 2013-02-10 190000\Backup files 1.zip Win32/Toolbar.Conduit.Q potentially unwanted application
G:\GEOFF-PC\Backup Set 2013-02-10 190000\Backup Files 2013-02-10 190000\Backup files 4.zip a variant of Win32/Toolbar.Conduit.P potentially unwanted application
G:\GEOFF-PC\Backup Set 2013-02-10 190000\Backup Files 2013-02-10 190000\Backup files 5.zip multiple threats
G:\Misc\Misc\freefileviewer_2_d1426120.exe a variant of Win32/InstallIQ.A potentially unwanted application
geofft is offline  
Old 11-10-2015, 05:00 AM   #16
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello geofft,

You were infected when you made some backups; the backups are infected and need to be removed.
When we're finished, I suggest you create a new restore point and then make a backup.

Please do the following.

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST64.exe

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.
Code:
CreateRestorePoint:
C:\Users\Rainman\AppData\Roaming\uTorrent\uTorrent.exe
C:\Users\Rainman\Downloads\utorrent.exe
G:\Applications\nuancepdf.exe
G:\Backups\May 2013\Misc\freefileviewer_2_d1426120.exe
G:\GEOFF-PC\Backup Set 2011-02-27 190000\Backup Files 2011-02-27 190000\Backup files 1.zip
G:\GEOFF-PC\Backup Set 2012-12-16 190001\Backup Files 2012-12-16 190001\Backup files 1.zip
G:\GEOFF-PC\Backup Set 2012-12-16 190001\Backup Files 2012-12-16 190001\Backup files 5.zip
G:\GEOFF-PC\Backup Set 2013-01-27 190000\Backup Files 2013-01-27 190000\Backup files 1.zip
G:\GEOFF-PC\Backup Set 2013-01-27 190000\Backup Files 2013-01-27 190000\Backup files 4.zip
G:\GEOFF-PC\Backup Set 2013-02-10 190000\Backup Files 2013-02-10 190000\Backup files 1.zip
G:\GEOFF-PC\Backup Set 2013-02-10 190000\Backup Files 2013-02-10 190000\Backup files 4.zip
G:\GEOFF-PC\Backup Set 2013-02-10 190000\Backup Files 2013-02-10 190000\Backup files 5.zip
G:\Misc\Misc\freefileviewer_2_d1426120.exe
EmptyTemp:
Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
tekir06 is offline  
Old 11-10-2015, 06:31 AM   #17
Registered Member
 
Join Date: Nov 2015
Posts: 16
OS: win7



I really hope I've done this correctly !

Fix result of Farbar Recovery Scan Tool (x64) Version:07-11-2015
Ran by Rainman (2015-11-10 08:18:34) Run:1
Running from C:\Users\Rainman\Downloads\New folder
Loaded Profiles: Rainman (Available Profiles: Rainman)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
U2 TMAgent; no ImagePath
2015-11-08 14:59 - 2013-06-29 08:13 - 00000000 ____D C:\Program Files\KMSpico
2015-11-04 13:33 - 2014-12-29 13:50 - 00000020 ____H C:\ProgramData\PKP_DLet.DAT
2014-12-29 13:51 - 2014-12-29 13:51 - 0000020 ____H () C:\ProgramData\PKP_DLes.DAT
2014-12-29 13:50 - 2015-11-04 13:33 - 0000020 ____H () C:\ProgramData\PKP_DLet.DAT
2014-12-29 13:50 - 2014-12-29 13:50 - 0000020 ____H () C:\ProgramData\PKP_DLev.DAT
Task: {184EA7CD-CE7D-4C8E-B54D-9D55F96DA53A} - \ProgramRefresh-ATFST -> No File <==== ATTENTION
Task: {7D11BC1B-58C9-4745-B9D6-EDEC01F95BDA} - \LaunchPreSignup -> No File <==== ATTENTION
Task: {80C02FE7-C462-4C32-91DF-60C8287090A7} - \ProgramUpdateCheck -> No File <==== ATTENTION
EmptyTemp:
*****************

Restore point was successfully created.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
TMAgent => service removed successfully
C:\Program Files\KMSpico => moved successfully
C:\ProgramData\PKP_DLet.DAT => moved successfully
C:\ProgramData\PKP_DLes.DAT => moved successfully
"C:\ProgramData\PKP_DLet.DAT" => not found.
C:\ProgramData\PKP_DLev.DAT => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{184EA7CD-CE7D-4C8E-B54D-9D55F96DA53A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{184EA7CD-CE7D-4C8E-B54D-9D55F96DA53A}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProgramRefresh-ATFST => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7D11BC1B-58C9-4745-B9D6-EDEC01F95BDA}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7D11BC1B-58C9-4745-B9D6-EDEC01F95BDA}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\LaunchPreSignup => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{80C02FE7-C462-4C32-91DF-60C8287090A7}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{80C02FE7-C462-4C32-91DF-60C8287090A7}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProgramUpdateCheck => key not found.
EmptyTemp: => 115.7 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 08:18:57 ====
geofft is offline  
Old 11-11-2015, 12:20 AM   #18
Security Team
Analyst
 
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello geofft,

This is the old fixlog. Please read my post #16 again. That's the post whose instructions I want you to follow.
tekir06 is offline  
Old 11-11-2015, 01:49 AM   #19
Registered Member
 
Join Date: Nov 2015
Posts: 16
OS: win7



Sorry, not sure how that happened; hopefully this one is correct:

Fix result of Farbar Recovery Scan Tool (x64) Version:07-11-2015
Ran by Rainman (2015-11-11 11:35:17) Run:3
Running from C:\Users\Rainman\Downloads\Latest frst
Loaded Profiles: Rainman (Available Profiles: Rainman)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
C:\Users\Rainman\AppData\Roaming\uTorrent\uTorrent.exe
C:\Users\Rainman\Downloads\utorrent.exe
G:\Applications\nuancepdf.exe
G:\Backups\May 2013\Misc\freefileviewer_2_d1426120.exe
G:\GEOFF-PC\Backup Set 2011-02-27 190000\Backup Files 2011-02-27 190000\Backup files 1.zip
G:\GEOFF-PC\Backup Set 2012-12-16 190001\Backup Files 2012-12-16 190001\Backup files 1.zip
G:\GEOFF-PC\Backup Set 2012-12-16 190001\Backup Files 2012-12-16 190001\Backup files 5.zip
G:\GEOFF-PC\Backup Set 2013-01-27 190000\Backup Files 2013-01-27 190000\Backup files 1.zip
G:\GEOFF-PC\Backup Set 2013-01-27 190000\Backup Files 2013-01-27 190000\Backup files 4.zip
G:\GEOFF-PC\Backup Set 2013-02-10 190000\Backup Files 2013-02-10 190000\Backup files 1.zip
G:\GEOFF-PC\Backup Set 2013-02-10 190000\Backup Files 2013-02-10 190000\Backup files 4.zip
G:\GEOFF-PC\Backup Set 2013-02-10 190000\Backup Files 2013-02-10 190000\Backup files 5.zip
G:\Misc\Misc\freefileviewer_2_d1426120.exe
EmptyTemp:
*****************

Restore point was successfully created.
"C:\Users\Rainman\AppData\Roaming\uTorrent\uTorrent.exe" => not found.
"C:\Users\Rainman\Downloads\utorrent.exe" => not found.
"G:\Applications\nuancepdf.exe" => not found.
"G:\Backups\May 2013\Misc\freefileviewer_2_d1426120.exe" => not found.
"G:\GEOFF-PC\Backup Set 2011-02-27 190000\Backup Files 2011-02-27 190000\Backup files 1.zip" => not found.
"G:\GEOFF-PC\Backup Set 2012-12-16 190001\Backup Files 2012-12-16 190001\Backup files 1.zip" => not found.
"G:\GEOFF-PC\Backup Set 2012-12-16 190001\Backup Files 2012-12-16 190001\Backup files 5.zip" => not found.
"G:\GEOFF-PC\Backup Set 2013-01-27 190000\Backup Files 2013-01-27 190000\Backup files 1.zip" => not found.
"G:\GEOFF-PC\Backup Set 2013-01-27 190000\Backup Files 2013-01-27 190000\Backup files 4.zip" => not found.
"G:\GEOFF-PC\Backup Set 2013-02-10 190000\Backup Files 2013-02-10 190000\Backup files 1.zip" => not found.
"G:\GEOFF-PC\Backup Set 2013-02-10 190000\Backup Files 2013-02-10 190000\Backup files 4.zip" => not found.
"G:\GEOFF-PC\Backup Set 2013-02-10 190000\Backup Files 2013-02-10 190000\Backup files 5.zip" => not found.
"G:\Misc\Misc\freefileviewer_2_d1426120.exe" => not found.
EmptyTemp: => 25.1 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 11:35:26 ====
geofft is offline  
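As an added example (not code from the thread, from FRST, or from its author): a Python checker for the Fixlog.txt format pasted above. It reads the Run number, the echoed fixlist and each '<target> => <outcome>' line, then flags the two things that went wrong in this thread: an old log posted instead of the new one (Run:1 where Run:3 was expected, with a fixlist that does not match the one in post #16) and a run where every file target came back 'not found'. The sample logs inside are constructed, abbreviated copies of the thread's own.

```python
"""Checker for FRST Fixlog.txt (added example, not FRST's own code).
Layout assumed, as pasted in this thread: a 'Ran by <user> (<time>) Run:<n>'
header, the fixlist echoed between two '*****************' fence lines, then
one '<target> => <outcome>' line per fix item."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RAN_RE = re.compile(r"^Ran by (?P<user>\S+) \((?P<when>[^)]+)\) Run:(?P<run>\d+)")
# Targets may be quoted ("C:\...") or bare (registry keys, service names).
RESULT_RE = re.compile(r'^"?(?P<target>.+?)"?\s*=>\s*(?P<outcome>.+?)\.?\s*$')
FENCE = "*****************"

@dataclass
class Fixlog:
    when: str = ""
    run: int = 0
    fixlist: List[str] = field(default_factory=list)
    results: List[Tuple[str, str, str]] = field(default_factory=list)  # target, outcome, class

def classify(outcome: str) -> str:
    """Bucket FRST's outcome wording as ok / not_found / other."""
    low = outcome.lower()
    if "not found" in low:
        return "not_found"
    return "ok" if ("successfully" in low or "removed" in low) else "other"

def parse_fixlog(text: str) -> Fixlog:
    log, in_fixlist = Fixlog(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RAN_RE.match(line)
        if m:
            log.when, log.run = m["when"], int(m["run"])
            continue
        if line == FENCE:                    # fences toggle the echoed-fixlist region
            in_fixlist = not in_fixlist
            continue
        if in_fixlist:
            log.fixlist.append(line)
            continue
        m = RESULT_RE.match(line)
        if m:
            log.results.append((m["target"], m["outcome"], classify(m["outcome"])))
    return log

def summarize(log: Fixlog) -> Dict[str, int]:
    counts = {"ok": 0, "not_found": 0, "other": 0}
    for _, _, cls in log.results:
        counts[cls] += 1
    return counts

def audit(log: Fixlog, expected: List[str], expected_run: Optional[int] = None) -> List[str]:
    """Findings a helper would want before trusting the log; empty means consistent."""
    findings = []
    if expected_run is not None and log.run != expected_run:
        findings.append(f"stale log: this is Run:{log.run}, expected Run:{expected_run}")
    missing = [l for l in expected if l not in log.fixlist]
    extra = [l for l in log.fixlist if l not in expected]
    if missing or extra:
        findings.append(f"fixlist mismatch: {len(missing)} missing, {len(extra)} unexpected")
    files = [r for r in log.results if r[0][1:3] == ":\\"]   # drive-letter paths only
    if files and all(cls == "not_found" for _, _, cls in files):
        findings.append("every file target came back 'not found' (wrong drive or stale fixlist?)")
    return findings

# Constructed, abbreviated samples in the format of the thread's Fixlogs.
FIXLIST_RUN3 = ["CreateRestorePoint:", r"C:\Users\Rainman\Downloads\utorrent.exe",
                r"G:\Applications\nuancepdf.exe", "EmptyTemp:"]
SAMPLE_RUN3 = r"""Fix result of Farbar Recovery Scan Tool (x64) Version:07-11-2015
Ran by Rainman (2015-11-11 11:35:17) Run:3
fixlist content:
*****************
CreateRestorePoint:
C:\Users\Rainman\Downloads\utorrent.exe
G:\Applications\nuancepdf.exe
EmptyTemp:
*****************
Restore point was successfully created.
"C:\Users\Rainman\Downloads\utorrent.exe" => not found.
"G:\Applications\nuancepdf.exe" => not found.
EmptyTemp: => 25.1 MB temporary data Removed.
==== End of Fixlog 11:35:26 ====
"""
SAMPLE_RUN1 = r"""Ran by Rainman (2015-11-10 08:18:34) Run:1
*****************
CreateRestorePoint:
U2 TMAgent; no ImagePath
EmptyTemp:
*****************
TMAgent => service removed successfully
C:\Program Files\KMSpico => moved successfully
"C:\ProgramData\PKP_DLet.DAT" => not found.
EmptyTemp: => 115.7 MB temporary data Removed.
"""
```

Calling audit(parse_fixlog(SAMPLE_RUN1), FIXLIST_RUN3, expected_run=3) reports the stale run and the fixlist mismatch; the Run:3 sample reports only that every file target was 'not found'.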
Old 11-11-2015, 01:51 AM   #20
Registered Member
 
Join Date: Nov 2015
Posts: 16
OS: win7



Forgot to mention that Windows Essentials is still picking up HackTool.
regards
Geoff
geofft is offline  
 
