SysWOW64 virus removal



Old 07-13-2017, 07:49 AM   #1
Registered Member
 
Join Date: Oct 2009
Posts: 32
OS: xp



Hello,

I am running Windows 7, SP1, 64 bit on a Dell laptop. I am using this at my work to share programs for my shop. I did not have malware or AV software on this machine, but I did have MSE on it. It has a 140 gig hard drive, and I noticed it was full. These shared files are all very small in size, and there is no way this drive should be filled. I noticed that over 100 gigs was in the c:\windows directory. And then I saw a SysWOW64 directory created also - I assume that is part of the problem. All assistance is greatly appreciated. Thanks.

Rudi

DDS below

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.18739
Run by MOH at 10:47:35 on 2017-07-13
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3958.1703 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {71A27EC9-3DA6-45FC-60A7-004F623C6189}
SP: Microsoft Security Essentials *Enabled/Updated* {CAC39F2D-1B9C-4A72-5A17-3B3D19BB2B34}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\svchost.exe -k utcsvc
C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
mRun: [FileZilla Server Interface] "C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe"
StartupFolder: C:\Users\MOH\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICK'~1.LNK - C:\FTP SERVER\FTPServer.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
Trusted Zone: dell.com
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{45D9FB8C-4D04-42CB-BC83-FEC37DB4822D} : DHCPNameServer = 127.0.0.1
TCP: Interfaces\{EAD7B3A8-1DB8-407C-AAF3-55070211396D} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{EAD7B3A8-1DB8-407C-AAF3-55070211396D}\2716D607275636963796F6E62726 : DHCPNameServer = 192.168.1.1
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
x64-Run: [Malwarebytes TrayApp] C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\59.0.3071.115\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
.
============= SERVICES / DRIVERS ===============
.
R0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2015-4-1 20024]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2016-8-25 295000]
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;C:\Windows\System32\drivers\mbae64.sys [2017-6-29 77376]
R1 MpKsl3d2d5c0f;MpKsl3d2d5c0f;C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3FA8E2C7-C44D-410F-A9E2-FCF3DB449812}\MpKsl3d2d5c0f.sys [2017-7-12 44928]
R2 DiagTrack;Diagnostics Tracking Service;C:\Windows\System32\svchost.exe -k utcsvc [2009-7-13 27136]
R2 MBAMChameleon;MBAMChameleon;C:\Windows\System32\drivers\MBAMChameleon.sys [2017-6-29 188352]
R2 MBAMService;Malwarebytes Service;C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [2017-6-29 4470736]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;C:\Windows\System32\drivers\e1k62x64.sys [2015-4-1 509104]
R3 MBAMFarflt;MBAMFarflt;C:\Windows\System32\drivers\farflt.sys [2017-6-29 101784]
R3 MBAMProtection;MBAMProtection;C:\Windows\System32\drivers\mbam.sys [2017-6-29 45472]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2017-6-29 253856]
R3 MBAMWebProtection;MBAMWebProtection;C:\Windows\System32\drivers\mwac.sys [2017-6-29 84256]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2015-3-4 135928]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2016-11-14 361816]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2017-3-26 105096]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2017-3-26 125064]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2017-7-12 116224]
S3 MDNCService;Multi-DNC Service;C:\Windows\SysWOW64\MDNCService.exe [2015-6-25 118784]
S3 NLSService;Spectrum License Manager;C:\Windows\SysWOW64\NLSService.exe --> C:\Windows\SysWOW64\NLSService.exe [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2015-3-24 19456]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2015-3-24 29696]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2015-3-24 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2015-3-24 29696]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2015-3-25 1255736]
.
=============== Created Last 30 ================
.
2017-07-13 08:13:07 -------- d-----w- C:\Windows\rescache
2017-07-12 21:49:59 491520 ----a-w- C:\Windows\System32\mssph.dll
2017-07-12 15:18:11 44928 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3FA8E2C7-C44D-410F-A9E2-FCF3DB449812}\MpKsl3d2d5c0f.sys
2017-07-12 15:14:42 13120896 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3FA8E2C7-C44D-410F-A9E2-FCF3DB449812}\mpengine.dll
2017-07-12 01:23:48 217088 ----a-w- C:\Windows\System32\aepic.dll
2017-07-12 01:23:48 1691136 ----a-w- C:\Windows\System32\aitstatic.exe
2017-07-12 01:23:48 1555968 ----a-w- C:\Windows\System32\appraiser.dll
2017-07-12 01:23:48 1206272 ----a-w- C:\Windows\System32\aeinv.dll
2017-07-12 01:23:47 94952 ----a-w- C:\Windows\System32\CompatTelRunner.exe
2017-07-12 01:23:47 620544 ----a-w- C:\Windows\System32\generaltel.dll
2017-07-12 01:23:47 535552 ----a-w- C:\Windows\System32\devinv.dll
2017-07-12 01:23:47 325632 ----a-w- C:\Windows\System32\invagent.dll
2017-07-12 01:23:47 311296 ----a-w- C:\Windows\System32\centel.dll
2017-07-12 01:23:47 127488 ----a-w- C:\Windows\System32\acmigration.dll
2017-07-11 12:58:07 13120896 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2017-06-30 21:35:32 -------- d-----w- C:\Users\MOH\AppData\Local\CrashDumps
2017-06-29 17:34:34 188352 ----a-w- C:\Windows\System32\drivers\MBAMChameleon.sys
2017-06-29 17:34:25 84256 ----a-w- C:\Windows\System32\drivers\mwac.sys
2017-06-29 17:34:25 101784 ----a-w- C:\Windows\System32\drivers\farflt.sys
2017-06-29 17:34:20 45472 ----a-w- C:\Windows\System32\drivers\mbam.sys
2017-06-29 17:34:14 253856 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2017-06-29 17:34:01 77376 ----a-w- C:\Windows\System32\drivers\mbae64.sys
2017-06-29 17:33:50 -------- d-----w- C:\ProgramData\Malwarebytes
2017-06-29 17:33:50 -------- d-----w- C:\Program Files\Malwarebytes
2017-06-15 02:31:13 4296704 ----a-w- C:\Windows\System32\D3DCompiler_47.dll
2017-06-15 02:31:13 3550208 ----a-w- C:\Windows\SysWow64\D3DCompiler_47.dll
.
==================== Find3M ====================
.
2017-07-06 04:56:32 119296 ----a-w- C:\Windows\System32\drivers\bthpan.sys
2017-06-30 02:57:24 2319872 ----a-w- C:\Windows\System32\tquery.dll
2017-06-30 02:57:21 2058240 ----a-w- C:\Windows\System32\Query.dll
2017-06-30 02:57:17 99840 ----a-w- C:\Windows\System32\mssprxy.dll
2017-06-30 02:57:17 778240 ----a-w- C:\Windows\System32\mssvp.dll
2017-06-30 02:57:17 75264 ----a-w- C:\Windows\System32\msscntrs.dll
2017-06-30 02:57:17 288256 ----a-w- C:\Windows\System32\mssphtb.dll
2017-06-30 02:57:17 2222080 ----a-w- C:\Windows\System32\mssrch.dll
2017-06-30 02:57:17 14336 ----a-w- C:\Windows\System32\msshooks.dll
2017-06-30 02:57:17 115200 ----a-w- C:\Windows\System32\mssitlb.dll
2017-06-30 02:40:25 591872 ----a-w- C:\Windows\System32\SearchIndexer.exe
2017-06-30 02:40:18 249856 ----a-w- C:\Windows\System32\SearchProtocolHost.exe
2017-06-30 02:39:38 113664 ----a-w- C:\Windows\System32\SearchFilterHost.exe
2017-06-30 02:39:01 1549312 ----a-w- C:\Windows\SysWow64\tquery.dll
2017-06-30 02:38:58 1363968 ----a-w- C:\Windows\SysWow64\Query.dll
2017-06-30 02:38:54 666624 ----a-w- C:\Windows\SysWow64\mssvp.dll
2017-06-30 02:38:54 59392 ----a-w- C:\Windows\SysWow64\msscntrs.dll
2017-06-30 02:38:54 34816 ----a-w- C:\Windows\SysWow64\mssprxy.dll
2017-06-30 02:38:54 337408 ----a-w- C:\Windows\SysWow64\mssph.dll
2017-06-30 02:38:54 197120 ----a-w- C:\Windows\SysWow64\mssphtb.dll
2017-06-30 02:38:54 1400320 ----a-w- C:\Windows\SysWow64\mssrch.dll
2017-06-30 02:38:54 104448 ----a-w- C:\Windows\SysWow64\mssitlb.dll
2017-06-30 02:27:15 427520 ----a-w- C:\Windows\SysWow64\SearchIndexer.exe
2017-06-30 02:27:04 164352 ----a-w- C:\Windows\SysWow64\SearchProtocolHost.exe
2017-06-30 02:26:41 86528 ----a-w- C:\Windows\SysWow64\SearchFilterHost.exe
2017-06-30 02:26:20 9728 ----a-w- C:\Windows\SysWow64\msshooks.dll
2017-06-29 06:19:09 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2017-06-29 06:18:58 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2017-06-29 06:04:12 66560 ----a-w- C:\Windows\System32\iesetup.dll
2017-06-29 06:03:28 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2017-06-29 06:03:20 417792 ----a-w- C:\Windows\System32\html.iec
2017-06-29 06:02:52 88064 ----a-w- C:\Windows\System32\MshtmlDac.dll
2017-06-29 06:02:46 576512 ----a-w- C:\Windows\System32\vbscript.dll
2017-06-29 05:50:26 144384 ----a-w- C:\Windows\System32\ieUnatt.exe
2017-06-29 05:50:26 116224 ----a-w- C:\Windows\System32\ieetwcollector.exe
2017-06-29 05:50:10 814080 ----a-w- C:\Windows\System32\jscript9diag.dll
2017-06-29 05:44:36 5975552 ----a-w- C:\Windows\System32\jscript9.dll
2017-06-29 05:43:07 968704 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2017-06-29 05:35:46 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2017-06-29 05:31:50 77824 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2017-06-29 05:31:23 87552 ----a-w- C:\Windows\System32\tdc.ocx
2017-06-29 05:23:40 62464 ----a-w- C:\Windows\SysWow64\iesetup.dll
2017-06-29 05:23:38 499200 ----a-w- C:\Windows\SysWow64\vbscript.dll
2017-06-29 05:23:03 47616 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2017-06-29 05:22:54 341504 ----a-w- C:\Windows\SysWow64\html.iec
2017-06-29 05:22:01 64000 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll
2017-06-29 05:13:38 115712 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2017-06-29 05:13:19 620032 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2017-06-29 05:08:32 1359360 ----a-w- C:\Windows\System32\mshtmlmedia.dll
2017-06-29 05:07:16 2132992 ----a-w- C:\Windows\System32\inetcpl.cpl
2017-06-29 05:01:01 60416 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2017-06-29 05:00:32 73216 ----a-w- C:\Windows\SysWow64\tdc.ocx
2017-06-29 04:53:46 3240960 ----a-w- C:\Windows\System32\wininet.dll
2017-06-29 04:52:52 4549632 ----a-w- C:\Windows\SysWow64\jscript9.dll
2017-06-29 04:46:33 2057216 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2017-06-29 04:46:20 1155072 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2017-06-29 04:28:59 2767872 ----a-w- C:\Windows\SysWow64\wininet.dll
2017-06-22 14:58:48 3223040 ----a-w- C:\Windows\System32\win32k.sys
2017-06-15 20:23:49 753664 ----a-w- C:\Windows\System32\drivers\http.sys
2017-06-12 22:54:32 95464 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2017-06-12 22:54:32 154856 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2017-06-12 22:54:31 370920 ----a-w- C:\Windows\System32\clfs.sys
2017-06-12 22:29:03 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2017-06-12 22:29:03 82944 ----a-w- C:\Windows\SysWow64\bcrypt.dll
2017-06-12 22:29:03 666112 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
2017-06-12 22:29:03 444928 ----a-w- C:\Windows\SysWow64\wvc.dll
2017-06-12 22:29:02 172032 ----a-w- C:\Windows\SysWow64\wdigest.dll
2017-06-12 22:29:02 1227264 ----a-w- C:\Windows\SysWow64\wdc.dll
2017-06-12 22:29:01 65536 ----a-w- C:\Windows\SysWow64\TSpkg.dll
2017-06-12 22:29:01 390144 ----a-w- C:\Windows\SysWow64\sysmon.ocx
2017-06-12 22:28:59 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2017-06-12 22:28:58 254464 ----a-w- C:\Windows\SysWow64\schannel.dll
2017-06-12 22:28:58 141312 ----a-w- C:\Windows\SysWow64\rpchttp.dll
2017-06-12 22:28:57 47104 ----a-w- C:\Windows\SysWow64\pdhui.dll
2017-06-12 22:28:54 223232 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2017-06-12 22:28:53 60416 ----a-w- C:\Windows\SysWow64\msobjs.dll
2017-06-12 22:28:53 261120 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2017-06-12 22:28:52 146432 ----a-w- C:\Windows\SysWow64\msaudite.dll
2017-06-12 22:28:51 554496 ----a-w- C:\Windows\SysWow64\kerberos.dll
2017-06-12 22:28:48 17408 ----a-w- C:\Windows\SysWow64\credssp.dll
2017-06-12 22:28:47 342528 ----a-w- C:\Windows\SysWow64\certcli.dll
2017-06-12 22:28:46 690688 ----a-w- C:\Windows\SysWow64\adtschema.dll
2017-06-12 22:19:20 64000 ----a-w- C:\Windows\System32\auditpol.exe
2017-06-12 22:14:07 379392 ----a-w- C:\Windows\System32\msinfo32.exe
2017-06-12 22:14:06 172544 ----a-w- C:\Windows\System32\perfmon.exe
2017-06-12 22:14:04 103936 ----a-w- C:\Windows\System32\resmon.exe
2017-06-12 22:12:49 159744 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2017-06-12 22:12:16 291328 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2017-06-12 22:12:14 129536 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2017-06-12 22:11:32 30720 ----a-w- C:\Windows\System32\lsass.exe
2017-06-12 22:09:30 50176 ----a-w- C:\Windows\SysWow64\auditpol.exe
2017-06-12 2251 157184 ----a-w- C:\Windows\SysWow64\perfmon.exe
2017-06-12 2250 303616 ----a-w- C:\Windows\SysWow64\msinfo32.exe
2017-06-12 2250 103424 ----a-w- C:\Windows\SysWow64\resmon.exe
2017-06-12 22:05:17 36352 ----a-w- C:\Windows\SysWow64\cryptbase.dll
2017-06-10 15:59:44 313856 ----a-w- C:\Windows\System32\Wldap32.dll
2017-06-10 15:39:54 271360 ----a-w- C:\Windows\SysWow64\Wldap32.dll
2017-06-09 15:33:28 1680616 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2017-06-06 15:30:28 1867264 ----a-w- C:\Windows\System32\ExplorerFrame.dll
2017-06-06 15:12:38 1499648 ----a-w- C:\Windows\SysWow64\ExplorerFrame.dll
.
============= FINISH: 10:48:20.53 ===============
Attached Files
File Type: txt attach.txt (3.0 KB, 9 views)
bauknecht is offline  
Old 07-14-2017, 10:32 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Quote:
I did not have malware or AV software on this machine, but i did have MSE on it
MSE is a sufficient antivirus for this machine. Not sure what you meant by that.

------------------------------------------------------

Quote:
And then i saw a SysWOW64 directory created also - i assume that is part of the problem
SysWOW64 is a legitimate and necessary Windows folder, and is not your problem.

------------------------------------------------------

Quote:
I am using this at my work to share programs for my shop
Does your work approve of this? We can't assume so. How can we be sure?

It may be against our rules here. Have you conferred with your work's IT department?

The intent of this forum is to address problems for the home user.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 07-15-2017, 10:36 AM   #3
Registered Member
 
Join Date: Oct 2009
Posts: 32
OS: xp


Thank you for looking into this. I own the business, so yes, it is OK. We are only 5 people. This laptop had 100 gigs free until recently. I figured it had to be a virus or malware. If nothing is obvious, thank you for your time.
bauknecht is offline  
Old 07-15-2017, 06:53 PM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello bauknecht. I don't think malware is your problem. We'll check and see what turns up.

If no malware is present, you can seek help on one of our other forums to see what is using up your space.

------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Clean
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

Please download Farbar Recovery Scan Tool and save it to your desktop.
  • Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
  • Make sure the Addition.txt button is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • It also makes another log (Addition.txt). Please attach it to your reply.
------------------------------------------------------
chemist is offline  
Old 07-17-2017, 12:41 PM   #5
Registered Member
 
Join Date: Oct 2009
Posts: 32
OS: xp



Thank you for the assistance.

# AdwCleaner v6.047 - Logfile created 17/07/2017 at 15:01:58
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-07-13.1 [Server]
# Operating System : Windows 7 Professional Service Pack 1 (X64)
# Username : MOH - MOH2
# Running from : C:\Users\MOH\Downloads\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****



***** [ Folders ] *****



***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****



***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [759 Bytes] - [17/07/2017 15:01:58]
C:\AdwCleaner\AdwCleaner[S0].txt - [1150 Bytes] - [17/07/2017 15:01:33]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [904 Bytes] ##########


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-07-2017
Ran by MOH (17-07-2017 15:09:44)
Running from C:\Users\MOH\Downloads
Windows 7 Professional Service Pack 1 (X64) (2015-06-22 15:09:23)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-192953917-1064425728-4152269633-500 - Administrator - Disabled)
Guest (S-1-5-21-192953917-1064425728-4152269633-501 - Limited - Enabled)
MOH (S-1-5-21-192953917-1064425728-4152269633-1000 - Administrator - Enabled) => C:\Users\MOH

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {71A27EC9-3DA6-45FC-60A7-004F623C6189}
AS: Microsoft Security Essentials (Enabled - Up to date) {CAC39F2D-1B9C-4A72-5A17-3B3D19BB2B34}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.016.20039 - Adobe Systems Incorporated)
CPR Driver 4.3.0.2RC4 (x64) (HKLM\...\{FF03C21E-B837-43E4-9CD9-CD0C27F085BC}) (Version: 43.00.2404 - Lantronix)
Dell System Detect (HKU\S-1-5-21-192953917-1064425728-4152269633-1000\...\73f463568823ebbe) (Version: 6.2.0.5 - Dell)
Dell Touchpad (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 7.1208.101.124 - ALPS ELECTRIC CO., LTD.)
FileZilla Server (HKLM-x32\...\FileZilla Server) (Version: beta 0.9.53 - FileZilla Project)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 59.0.3071.115 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
Malwarebytes version 3.1.2.1733 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.1.2.1733 - Malwarebytes)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.10.209.0 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Multi-DNC (HKLM-x32\...\{E1AC2EE2-F770-11D0-806A-484C0001D098}) (Version: v9.0 (build 3) - Xpert CNC Technologies, LLC.)
NCPlot v2.32 (HKLM-x32\...\NCPlot_is1) (Version: - NCPlot Software LLC)
Windows Driver Package - FTDI CDM Driver Package - Bus/D2XX Driver (07/12/2013 2.08.30) (HKLM\...\22CCD58B53472BE3FCAFF05631111C4062959A43) (Version: 07/12/2013 2.08.30 - FTDI)
Windows Driver Package - FTDI CDM Driver Package - VCP Driver (07/12/2013 2.08.30) (HKLM\...\BD00013670D26C16E19F284BF8E15DAF813497C7) (Version: 07/12/2013 2.08.30 - FTDI)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers01: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers02: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers03: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-05-09] (Malwarebytes)
ContextMenuHandlers04: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers05: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2012-01-10] (Intel Corporation)
ContextMenuHandlers06: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-05-09] (Malwarebytes)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {205063A5-32A6-4F0A-B19E-E966E0D6798C} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline -> No File <==== ATTENTION
Task: {27838657-885E-4EC1-BAEA-2BDF01479FE7} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask -> No File <==== ATTENTION
Task: {2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} - \Microsoft\Windows\WindowsBackup\ConfigNotification -> No File <==== ATTENTION
Task: {4B46ACAA-7A13-413E-BAA8-B43FC3951A6E} - System32\Tasks\GoogleUpdateTaskMachineCore1d1e917eb7f4585 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-06-22] (Google Inc.)
Task: {4CE6F4B4-2EE8-4194-846D-9D5E3D8639CD} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-06-22] (Google Inc.)
Task: {8C3AC462-799B-4680-8E78-14A5AEFEA7F8} - System32\Tasks\GoogleUpdateTaskMachineUA1d1e917ec0e1816 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-06-22] (Google Inc.)
Task: {98DCF5F3-C0FB-49FF-A5C2-4DA3D0367598} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-04-22] (Adobe Systems Incorporated)
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {BC00DBA8-204B-4594-8D1D-8087B09D8F09} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-06-22] (Google Inc.)
Task: {CEE64558-E1A7-4D9D-80A7-2001912BE5B5} - \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector -> No File <==== ATTENTION
Task: {EA8DED6B-A4D6-4B17-81F5-22D3A04FD813} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => c:\Program Files\Microsoft Security Client\\MpCmdRun.exe [2016-11-14] (Microsoft Corporation)
Task: {FA2BC0A6-8D4B-458A-85C8-2B8C72487513} - \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector -> No File <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2012-01-10 21:12 - 2012-01-10 21:12 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2017-06-29 13:34 - 2017-07-10 17:37 - 02260432 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2017-06-28 15:06 - 2017-06-22 23:21 - 03807064 _____ () C:\Program Files (x86)\Google\Chrome\Application\59.0.3071.115\libglesv2.dll
2017-06-28 15:06 - 2017-06-22 23:21 - 00100184 _____ () C:\Program Files (x86)\Google\Chrome\Application\59.0.3071.115\libegl.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-192953917-1064425728-4152269633-1000\...\dell.com -> dell.com

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2009-06-10 17:00 - 00000824 _____ C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-192953917-1064425728-4152269633-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\MOH\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [TCP Query User{7B8042DA-88B3-4194-82D4-C12131C768A7}C:\multi-dnc\program\multi-dnc.exe] => (Allow) C:\multi-dnc\program\multi-dnc.exe
FirewallRules: [UDP Query User{81B944C2-1C4E-46E3-9630-07FBF00E21F8}C:\multi-dnc\program\multi-dnc.exe] => (Allow) C:\multi-dnc\program\multi-dnc.exe
FirewallRules: [{6036E438-BB1E-4E03-9C56-80B91527D7B6}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================


==================== Faulty Device Manager Devices =============

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Broadcom USH
Description: Broadcom USH
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (07/17/2017 03:05:22 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (07/16/2017 03:37:00 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary MpKsl3d2d5c0f.

System Error:
The system cannot find the file specified.
.

Error: (07/16/2017 12:00:09 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary MpKsl3d2d5c0f.

System Error:
The system cannot find the file specified.
.

Error: (07/13/2017 03:28:12 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (07/12/2017 11:01:22 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (07/12/2017 03:27:29 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (06/30/2017 05:35:25 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Explorer.EXE, version: 6.1.7601.23537, time stamp: 0x57c44efe
Faulting module name: comctl32.dll, version: 6.10.7601.18837, time stamp: 0x553a8775
Exception code: 0xc0000005
Fault offset: 0x0000000000157765
Faulting process id: 0x6e4
Faulting application start time: 0x01d2e9e6aea5ead8
Faulting application path: C:\Windows\Explorer.EXE
Faulting module path: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
Report Id: 06bcf5d3-5ddc-11e7-9afd-1c659d50248d

Error: (06/25/2017 08:56:09 AM) (Source: ESENT) (EventID: 482) (User: )
Description: wuaueng.dll (416) SUS20ClientDataStore: An attempt to write to the file "C:\Windows\SoftwareDistribution\DataStore\Logs\edbtmp.log" at offset 0 (0x0000000000000000) for 393216 (0x00060000) bytes failed after 0 seconds with system error 112 (0x00000070): "There is not enough space on the disk. ". The write operation will fail with error -1808 (0xfffff8f0). If this error persists then the file may be damaged and may need to be restored from a previous backup.

Error: (06/20/2017 01:01:31 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (06/15/2017 03:27:33 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.


System errors:
=============
Error: (07/17/2017 03:01:53 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (07/17/2017 03:01:52 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Malwarebytes Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

Error: (07/17/2017 03:01:51 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The FileZilla Server FTP server service terminated unexpectedly. It has done this 1 time(s).

Error: (07/17/2017 03:01:51 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Adobe Acrobat Update Service service terminated unexpectedly. It has done this 1 time(s).

Error: (07/17/2017 03:01:51 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (07/17/2017 03:01:52 PM) (Source: SCardSvr) (EventID: 610) (User: )
Description: Smart Card Reader 'Broadcom Corp Contacted SmartCard 0' rejected IOCTL GET_STATE: The handle is invalid. If this error persists, your smart card or reader may not be functioning correctly.

Command Header: XX XX XX XX

Error: (07/17/2017 11:20:58 AM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "RAMPRECISION :1d" could not be registered on the interface with IP address 192.168.1.128.
The computer with the IP address 192.168.1.149 did not allow the name to be claimed by
this computer.

Error: (07/17/2017 03:34:19 AM) (Source: volsnap) (EventID: 36) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

Error: (07/15/2017 05:16:57 AM) (Source: volsnap) (EventID: 36) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

Error: (07/13/2017 06:21:10 AM) (Source: BROWSER) (EventID: 8032) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{EAD7B3A8-1DB8-407C-AAF3-55070211396D}.
The backup browser is stopping.


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz
Percentage of memory in use: 61%
Total physical RAM: 3957.83 MB
Available physical RAM: 1532.48 MB
Total Virtual: 7913.85 MB
Available Virtual: 5374.01 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:140.61 GB) (Free:2.96 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149.1 GB) (Disk ID: 89E281CE)
Partition 1: (Active) - (Size=500 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=140.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=8 GB) - (Type=27)

==================== End of Addition.txt ============================
Old 07-17-2017, 07:59 PM   #6
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello bauknecht. You're welcome. It appears you posted the second FRST log, Addition.txt, but not the first FRST log, FRST.txt, in your last reply.

I need to see it before we can proceed.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 07-18-2017, 05:24 AM   #7
Registered Member
 
Join Date: Oct 2009
Posts: 32
OS: xp



here ya go, thanks

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-07-2017
Ran by MOH (administrator) on MOH2 (17-07-2017 15:08:15)
Running from C:\Users\MOH\Downloads
Loaded Profiles: MOH (Available Profiles: MOH)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(FileZilla Project) C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(FileZilla Project) C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Pablo Software Solutions) C:\FTP SERVER\FTPServer.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1353680 2016-11-14] (Microsoft Corporation)
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [611192 2011-07-20] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [3146704 2017-05-09] (Malwarebytes)
HKLM-x32\...\Run: [FileZilla Server Interface] => C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe [2462680 2015-06-12] (FileZilla Project)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-192953917-1064425728-4152269633-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Bubbles.scr [899584 2010-11-20] (Microsoft Corporation)
Startup: C:\Users\MOH\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quick'n Easy FTP Server.lnk [2017-06-26]
ShortcutTarget: Quick'n Easy FTP Server.lnk -> C:\FTP SERVER\FTPServer.exe (Pablo Software Solutions)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{45D9FB8C-4D04-42CB-BC83-FEC37DB4822D}: [DhcpNameServer] 127.0.0.1
Tcpip\..\Interfaces\{EAD7B3A8-1DB8-407C-AAF3-55070211396D}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-192953917-1064425728-4152269633-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-27] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-27] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-05-03] (Adobe Systems Inc.)

Chrome:
=======
CHR DefaultProfile: Default
CHR Profile: C:\Users\MOH\AppData\Local\Google\Chrome\User Data\Default [2017-07-17]
CHR Extension: (Google Slides) - C:\Users\MOH\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-06-22]
CHR Extension: (Google Docs) - C:\Users\MOH\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-06-22]
CHR Extension: (Google Drive) - C:\Users\MOH\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-29]
CHR Extension: (YouTube) - C:\Users\MOH\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-01]
CHR Extension: (Google Search) - C:\Users\MOH\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-29]
CHR Extension: (Google Sheets) - C:\Users\MOH\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-06-22]
CHR Extension: (Google Docs Offline) - C:\Users\MOH\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-29]
CHR Extension: (Chrome Web Store Payments) - C:\Users\MOH\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-24]
CHR Extension: (Gmail) - C:\Users\MOH\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-06-22]
CHR Extension: (Chrome Media Router) - C:\Users\MOH\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-07-17]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 FileZilla Server; C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe [794584 2015-06-12] (FileZilla Project)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4470736 2017-05-09] (Malwarebytes)
S3 MDNCService; C:\Windows\SysWOW64\MDNCService.exe [118784 2005-05-26] (Spectrum CNC Technologies) [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [119864 2016-11-14] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [361816 2016-11-14] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 NLSService; C:\Windows\SysWOW64\NLSService.exe [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77376 2017-07-10] ()
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [188352 2017-07-10] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [101784 2017-07-17] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [45472 2017-07-17] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [253856 2017-07-17] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [84256 2017-07-17] (Malwarebytes)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [295000 2016-08-25] (Microsoft Corporation)
R1 MpKslec04a742; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{157E2222-547A-4F19-8FCB-67AE9B4234B4}\MpKslec04a742.sys [44928 2017-07-17] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [135928 2016-08-25] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-07-17 15:08 - 2017-07-17 15:08 - 00008499 _____ C:\Users\MOH\Downloads\FRST.txt
2017-07-17 15:08 - 2017-07-17 15:08 - 00000000 ____D C:\FRST
2017-07-17 15:07 - 2017-07-17 15:07 - 02435584 _____ (Farbar) C:\Users\MOH\Downloads\FRST64.exe
2017-07-17 15:00 - 2017-07-17 15:01 - 00000000 ____D C:\AdwCleaner
2017-07-17 14:59 - 2017-07-17 15:00 - 04110280 _____ C:\Users\MOH\Downloads\AdwCleaner.exe
2017-07-13 04:13 - 2017-07-13 04:13 - 00000000 ____D C:\Windows\rescache
2017-07-12 17:50 - 2017-07-06 00:56 - 00119296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\bthpan.sys
2017-07-12 17:50 - 2017-06-30 00:15 - 00394448 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2017-07-12 17:50 - 2017-06-29 23:32 - 00346312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2017-07-12 17:50 - 2017-06-29 22:57 - 02319872 _____ (Microsoft Corporation) C:\Windows\system32\tquery.dll
2017-07-12 17:50 - 2017-06-29 22:57 - 02222080 _____ (Microsoft Corporation) C:\Windows\system32\mssrch.dll
2017-07-12 17:50 - 2017-06-29 22:57 - 02058240 _____ (Microsoft Corporation) C:\Windows\system32\Query.dll
2017-07-12 17:50 - 2017-06-29 22:57 - 00778240 _____ (Microsoft Corporation) C:\Windows\system32\mssvp.dll
2017-07-12 17:50 - 2017-06-29 22:39 - 01549312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tquery.dll
2017-07-12 17:50 - 2017-06-29 22:38 - 01363968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Query.dll
2017-07-12 17:50 - 2017-06-29 02:27 - 25734656 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2017-07-12 17:50 - 2017-06-29 02:19 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2017-07-12 17:50 - 2017-06-29 02:18 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2017-07-12 17:50 - 2017-06-29 02:04 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2017-07-12 17:50 - 2017-06-29 02:03 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2017-07-12 17:50 - 2017-06-29 02:03 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2017-07-12 17:50 - 2017-06-29 02:02 - 02899456 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2017-07-12 17:50 - 2017-06-29 02:02 - 00576512 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2017-07-12 17:50 - 2017-06-29 02:02 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2017-07-12 17:50 - 2017-06-29 01:55 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2017-07-12 17:50 - 2017-06-29 01:54 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2017-07-12 17:50 - 2017-06-29 01:51 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2017-07-12 17:50 - 2017-06-29 01:50 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2017-07-12 17:50 - 2017-06-29 01:50 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2017-07-12 17:50 - 2017-06-29 01:50 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2017-07-12 17:50 - 2017-06-29 01:50 - 00116224 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2017-07-12 17:50 - 2017-06-29 01:44 - 05975552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2017-07-12 17:50 - 2017-06-29 01:43 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2017-07-12 17:50 - 2017-06-29 01:39 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2017-07-12 17:50 - 2017-06-29 01:35 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2017-07-12 17:50 - 2017-06-29 01:31 - 00087552 _____ (Microsoft Corporation) C:\Windows\system32\tdc.ocx
2017-07-12 17:50 - 2017-06-29 01:31 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2017-07-12 17:50 - 2017-06-29 01:30 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2017-07-12 17:50 - 2017-06-29 01:27 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2017-07-12 17:50 - 2017-06-29 01:26 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2017-07-12 17:50 - 2017-06-29 01:23 - 20270592 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2017-07-12 17:50 - 2017-06-29 01:23 - 00499200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2017-07-12 17:50 - 2017-06-29 01:23 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2017-07-12 17:50 - 2017-06-29 01:23 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2017-07-12 17:50 - 2017-06-29 01:23 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2017-07-12 17:50 - 2017-06-29 01:22 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2017-07-12 17:50 - 2017-06-29 01:22 - 00152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2017-07-12 17:50 - 2017-06-29 01:22 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2017-07-12 17:50 - 2017-06-29 01:19 - 02290176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2017-07-12 17:50 - 2017-06-29 01:17 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2017-07-12 17:50 - 2017-06-29 01:16 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2017-07-12 17:50 - 2017-06-29 01:14 - 00476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2017-07-12 17:50 - 2017-06-29 01:13 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2017-07-12 17:50 - 2017-06-29 01:13 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2017-07-12 17:50 - 2017-06-29 01:13 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2017-07-12 17:50 - 2017-06-29 01:11 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2017-07-12 17:50 - 2017-06-29 01:09 - 00806912 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2017-07-12 17:50 - 2017-06-29 01:09 - 00725504 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2017-07-12 17:50 - 2017-06-29 01:08 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2017-07-12 17:50 - 2017-06-29 01:07 - 02132992 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2017-07-12 17:50 - 2017-06-29 01:05 - 00416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2017-07-12 17:50 - 2017-06-29 01:01 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2017-07-12 17:50 - 2017-06-29 01:00 - 00091136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2017-07-12 17:50 - 2017-06-29 01:00 - 00073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
2017-07-12 17:50 - 2017-06-29 00:58 - 15253504 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2017-07-12 17:50 - 2017-06-29 00:58 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2017-07-12 17:50 - 2017-06-29 00:56 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2017-07-12 17:50 - 2017-06-29 00:56 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2017-07-12 17:50 - 2017-06-29 00:54 - 00130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2017-07-12 17:50 - 2017-06-29 00:53 - 03240960 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2017-07-12 17:50 - 2017-06-29 00:52 - 04549632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2017-07-12 17:50 - 2017-06-29 00:48 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2017-07-12 17:50 - 2017-06-29 00:47 - 00693248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2017-07-12 17:50 - 2017-06-29 00:46 - 02057216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2017-07-12 17:50 - 2017-06-29 00:46 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2017-07-12 17:50 - 2017-06-29 00:43 - 13663744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2017-07-12 17:50 - 2017-06-29 00:41 - 01545728 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2017-07-12 17:50 - 2017-06-29 00:29 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2017-07-12 17:50 - 2017-06-29 00:28 - 02767872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2017-07-12 17:50 - 2017-06-29 00:24 - 01314816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2017-07-12 17:50 - 2017-06-29 00:23 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2017-07-12 17:50 - 2017-06-22 10:58 - 03223040 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2017-07-12 17:50 - 2017-06-15 16:23 - 00753664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\http.sys
2017-07-12 17:50 - 2017-06-12 18:54 - 00370920 _____ (Microsoft Corporation) C:\Windows\system32\clfs.sys
2017-07-12 17:50 - 2017-06-12 18:54 - 00154856 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2017-07-12 17:50 - 2017-06-12 18:54 - 00095464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2017-07-12 17:50 - 2017-06-12 18:49 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2017-07-12 17:50 - 2017-06-12 18:49 - 01363456 _____ (Microsoft Corporation) C:\Windows\system32\wdc.dll
2017-07-12 17:50 - 2017-06-12 18:49 - 01212928 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2017-07-12 17:50 - 2017-06-12 18:49 - 00731648 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2017-07-12 17:50 - 2017-06-12 18:49 - 00594432 _____ (Microsoft Corporation) C:\Windows\system32\wvc.dll
2017-07-12 17:50 - 2017-06-12 18:49 - 00475136 _____ (Microsoft Corporation) C:\Windows\system32\sysmon.ocx
2017-07-12 17:50 - 2017-06-12 18:49 - 00463872 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2017-07-12 17:50 - 2017-06-12 18:49 - 00058880 _____ (Microsoft Corporation) C:\Windows\system32\pdhui.dll
2017-07-12 17:50 - 2017-06-12 18:29 - 01227264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdc.dll
2017-07-12 17:50 - 2017-06-12 18:29 - 00666112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2017-07-12 17:50 - 2017-06-12 18:29 - 00444928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wvc.dll
2017-07-12 17:50 - 2017-06-12 18:29 - 00390144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sysmon.ocx
2017-07-12 17:50 - 2017-06-12 18:28 - 00554496 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2017-07-12 17:50 - 2017-06-12 18:28 - 00342528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2017-07-12 17:50 - 2017-06-12 18:28 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pdhui.dll
2017-07-12 17:50 - 2017-06-12 18:14 - 00379392 _____ (Microsoft Corporation) C:\Windows\system32\msinfo32.exe
2017-07-12 17:50 - 2017-06-12 18:14 - 00172544 _____ (Microsoft Corporation) C:\Windows\system32\perfmon.exe
2017-07-12 17:50 - 2017-06-12 18:14 - 00103936 _____ (Microsoft Corporation) C:\Windows\system32\resmon.exe
2017-07-12 17:50 - 2017-06-12 18:12 - 00159744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2017-07-12 17:50 - 2017-06-12 18:06 - 00303616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msinfo32.exe
2017-07-12 17:50 - 2017-06-12 18:06 - 00157184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\perfmon.exe
2017-07-12 17:50 - 2017-06-12 18:06 - 00103424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\resmon.exe
2017-07-12 17:50 - 2017-06-10 11:59 - 00313856 _____ (Microsoft Corporation) C:\Windows\system32\Wldap32.dll
2017-07-12 17:50 - 2017-06-10 11:39 - 00271360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Wldap32.dll
2017-07-12 17:50 - 2017-06-09 11:33 - 01680616 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys
2017-07-12 17:50 - 2017-06-06 11:30 - 01867264 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll
2017-07-12 17:50 - 2017-06-06 11:12 - 01499648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ExplorerFrame.dll
2017-07-12 17:50 - 2017-05-30 00:56 - 01895656 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2017-07-12 17:50 - 2017-05-30 00:56 - 00377576 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2017-07-12 17:50 - 2017-05-30 00:56 - 00287976 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\FWPKCLNT.SYS
2017-07-12 17:50 - 2017-05-16 11:35 - 00986856 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2017-07-12 17:50 - 2017-05-16 11:35 - 00265448 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgmms1.sys
2017-07-12 17:49 - 2017-06-29 22:57 - 00491520 _____ (Microsoft Corporation) C:\Windows\system32\mssph.dll
2017-07-12 17:49 - 2017-06-29 22:57 - 00288256 _____ (Microsoft Corporation) C:\Windows\system32\mssphtb.dll
2017-07-12 17:49 - 2017-06-29 22:57 - 00115200 _____ (Microsoft Corporation) C:\Windows\system32\mssitlb.dll
2017-07-12 17:49 - 2017-06-29 22:57 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\mssprxy.dll
2017-07-12 17:49 - 2017-06-29 22:57 - 00075264 _____ (Microsoft Corporation) C:\Windows\system32\msscntrs.dll
2017-07-12 17:49 - 2017-06-29 22:57 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\msshooks.dll
2017-07-12 17:49 - 2017-06-29 22:40 - 00591872 _____ (Microsoft Corporation) C:\Windows\system32\SearchIndexer.exe
2017-07-12 17:49 - 2017-06-29 22:40 - 00249856 _____ (Microsoft Corporation) C:\Windows\system32\SearchProtocolHost.exe
2017-07-12 17:49 - 2017-06-29 22:39 - 00113664 _____ (Microsoft Corporation) C:\Windows\system32\SearchFilterHost.exe
2017-07-12 17:49 - 2017-06-29 22:38 - 01400320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mssrch.dll
2017-07-12 17:49 - 2017-06-29 22:38 - 00666624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mssvp.dll
2017-07-12 17:49 - 2017-06-29 22:38 - 00337408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mssph.dll
2017-07-12 17:49 - 2017-06-29 22:38 - 00197120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mssphtb.dll
2017-07-12 17:49 - 2017-06-29 22:38 - 00104448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mssitlb.dll
2017-07-12 17:49 - 2017-06-29 22:38 - 00059392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msscntrs.dll
2017-07-12 17:49 - 2017-06-29 22:38 - 00034816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mssprxy.dll
2017-07-12 17:49 - 2017-06-29 22:27 - 00427520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SearchIndexer.exe
2017-07-12 17:49 - 2017-06-29 22:27 - 00164352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SearchProtocolHost.exe
2017-07-12 17:49 - 2017-06-29 22:26 - 00086528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SearchFilterHost.exe
2017-07-12 17:49 - 2017-06-29 22:26 - 00009728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msshooks.dll
2017-07-12 17:49 - 2017-06-12 18:49 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2017-07-12 17:49 - 2017-06-12 18:49 - 00345600 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2017-07-12 17:49 - 2017-06-12 18:49 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2017-07-12 17:49 - 2017-06-12 18:49 - 00312320 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2017-07-12 17:49 - 2017-06-12 18:49 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2017-07-12 17:49 - 2017-06-12 18:49 - 00190464 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2017-07-12 17:49 - 2017-06-12 18:49 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2017-07-12 17:49 - 2017-06-12 18:49 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2017-07-12 17:49 - 2017-06-12 18:49 - 00123904 _____ (Microsoft Corporation) C:\Windows\system32\bcrypt.dll
2017-07-12 17:49 - 2017-06-12 18:49 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2017-07-12 17:49 - 2017-06-12 18:49 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2017-07-12 17:49 - 2017-06-12 18:49 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2017-07-12 17:49 - 2017-06-12 18:49 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2017-07-12 17:49 - 2017-06-12 18:49 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2017-07-12 17:49 - 2017-06-12 18:49 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2017-07-12 17:49 - 2017-06-12 18:29 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2017-07-12 17:49 - 2017-06-12 18:29 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2017-07-12 17:49 - 2017-06-12 18:29 - 00082944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\bcrypt.dll
2017-07-12 17:49 - 2017-06-12 18:29 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2017-07-12 17:49 - 2017-06-12 18:28 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2017-07-12 17:49 - 2017-06-12 18:28 - 00261120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2017-07-12 17:49 - 2017-06-12 18:28 - 00254464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2017-07-12 17:49 - 2017-06-12 18:28 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2017-07-12 17:49 - 2017-06-12 18:28 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2017-07-12 17:49 - 2017-06-12 18:28 - 00141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2017-07-12 17:49 - 2017-06-12 18:28 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2017-07-12 17:49 - 2017-06-12 18:28 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2017-07-12 17:49 - 2017-06-12 18:28 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2017-07-12 17:49 - 2017-06-12 18:19 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2017-07-12 17:49 - 2017-06-12 18:12 - 00291328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2017-07-12 17:49 - 2017-06-12 18:12 - 00129536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2017-07-12 17:49 - 2017-06-12 18:11 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2017-07-12 17:49 - 2017-06-12 18:09 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2017-07-12 17:49 - 2017-06-12 18:05 - 00036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2017-07-12 17:49 - 2017-05-21 00:24 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2017-07-12 17:49 - 2017-05-21 00:06 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2017-07-12 17:49 - 2017-05-16 11:30 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\cdd.dll
2017-07-11 21:23 - 2017-05-03 11:34 - 00094952 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2017-07-11 21:23 - 2017-05-03 11:29 - 01206272 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2017-07-11 21:23 - 2017-05-03 09:05 - 01555968 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2017-07-11 21:23 - 2017-05-03 09:05 - 00620544 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2017-07-11 21:23 - 2017-05-03 09:05 - 00535552 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2017-07-11 21:23 - 2017-05-03 09:05 - 00325632 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2017-07-11 21:23 - 2017-05-03 09:05 - 00311296 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
2017-07-11 21:23 - 2017-05-03 09:05 - 00217088 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2017-07-11 21:23 - 2017-05-03 09:05 - 00127488 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2017-07-11 21:23 - 2017-03-22 22:06 - 01691136 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2017-06-30 17:35 - 2017-06-30 17:35 - 00000000 ____D C:\Users\MOH\AppData\Local\CrashDumps
2017-06-29 13:34 - 2017-07-17 15:05 - 00253856 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-06-29 13:34 - 2017-07-17 15:05 - 00101784 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-06-29 13:34 - 2017-07-17 15:05 - 00084256 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-06-29 13:34 - 2017-07-17 15:05 - 00045472 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-06-29 13:34 - 2017-07-10 17:38 - 00188352 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-06-29 13:34 - 2017-07-10 17:37 - 00077376 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-06-29 13:34 - 2017-06-29 13:34 - 00001874 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-06-29 13:34 - 2017-06-29 13:34 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-06-29 13:33 - 2017-06-29 13:33 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-06-29 13:33 - 2017-06-29 13:33 - 00000000 ____D C:\Program Files\Malwarebytes
2017-06-29 13:32 - 2017-06-29 13:33 - 64232976 _____ (Malwarebytes ) C:\Users\MOH\Downloads\mb3-setup-consumer-3.1.2.1733-1.0.141-1.0.2092.exe
2017-06-29 09:47 - 2017-06-29 09:48 - 15065792 _____ (Microsoft Corporation) C:\Users\MOH\Downloads\mseinstall (1).exe
2017-06-26 09:23 - 2017-07-13 10:48 - 00017124 _____ C:\Users\MOH\Desktop\dds.txt
2017-06-26 09:23 - 2017-07-13 10:48 - 00003070 _____ C:\Users\MOH\Desktop\attach.txt
2017-06-26 09:22 - 2017-06-26 09:22 - 00688992 ____R (Swearware) C:\Users\MOH\Downloads\dds.scr

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-07-17 15:04 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-07-17 10:52 - 2015-06-22 11:21 - 00000000 ____D C:\RMC55
2017-07-17 09:54 - 2015-06-22 11:46 - 00000000 ____D C:\PS95
2017-07-17 04:40 - 2009-07-14 00:45 - 00021904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-07-17 04:40 - 2009-07-14 00:45 - 00021904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-07-13 07:34 - 2016-10-17 14:14 - 00000000 ____D C:\SP64
2017-07-13 03:34 - 2009-07-14 01:13 - 00781790 _____ C:\Windows\system32\PerfStringBackup.INI
2017-07-13 03:34 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
2017-07-13 03:23 - 2009-07-14 00:45 - 00267672 _____ C:\Windows\system32\FNTCACHE.DAT
2017-07-12 03:19 - 2015-06-24 08:40 - 00000000 ____D C:\Windows\system32\appraiser
2017-07-12 03:04 - 2015-03-24 14:00 - 00000000 ____D C:\Windows\system32\MRT
2017-07-12 03:01 - 2015-03-24 14:00 - 135225752 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-06-29 09:48 - 2015-06-22 11:56 - 00002198 _____ C:\Windows\epplauncher.mif
2017-06-28 15:06 - 2015-06-22 11:16 - 00002202 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-06-28 15:06 - 2015-06-22 11:16 - 00002190 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-06-23 13:07 - 2015-06-22 11:48 - 00000000 ____D C:\fnc74
2017-06-20 13:09 - 2015-07-16 06:22 - 00000000 ____D C:\Users\MOH\AppData\Local\ElevatedDiagnostics
2017-06-20 13:09 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\NDF
2017-06-20 13:00 - 2009-07-14 01:08 - 00032560 _____ C:\Windows\Tasks\SCHEDLGU.TXT

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-07-12 00:12

==================== End of FRST.txt ============================
Old 07-18-2017, 07:34 PM   #8
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello bauknecht. You're welcome. Not seeing much here.

------------------------------------------------------

Your Windows 7 User Account Control (UAC) has been disabled. Sometimes, malware disables it, sometimes the end user does.

Please read this

Before you go any further, protect this system and re-enable that feature. Click Start > Control Panel > User Accounts > Change User Account Control settings and set it back to Always Notify.

------------------------------------------------------
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    Task: {205063A5-32A6-4F0A-B19E-E966E0D6798C} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline -> No File <==== ATTENTION
    Task: {27838657-885E-4EC1-BAEA-2BDF01479FE7} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask -> No File <==== ATTENTION
    Task: {2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} - \Microsoft\Windows\WindowsBackup\ConfigNotification -> No File <==== ATTENTION
    Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
    Task: {CEE64558-E1A7-4D9D-80A7-2001912BE5B5} - \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector -> No File <==== ATTENTION
    Task: {FA2BC0A6-8D4B-458A-85C8-2B8C72487513} - \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector -> No File <==== ATTENTION
    FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
    EmptyTemp:
    end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 07-20-2017, 08:24 AM   #9
Registered Member
 
Join Date: Oct 2009
Posts: 32
OS: xp



I now have 100+ gigs free, this worked, thank you very much. Should I do this FRST occasionally to clean up the temp files in future?

Below is the fixlog

Fix result of Farbar Recovery Scan Tool (x64) Version: 18-07-2017
Ran by MOH (20-07-2017 11:14:45) Run:1
Running from C:\Users\MOH\Downloads
Loaded Profiles: MOH (Available Profiles: MOH)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
createrestorepoint:
Task: {205063A5-32A6-4F0A-B19E-E966E0D6798C} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline -> No File <==== ATTENTION
Task: {27838657-885E-4EC1-BAEA-2BDF01479FE7} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask -> No File <==== ATTENTION
Task: {2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} - \Microsoft\Windows\WindowsBackup\ConfigNotification -> No File <==== ATTENTION
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {CEE64558-E1A7-4D9D-80A7-2001912BE5B5} - \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector -> No File <==== ATTENTION
Task: {FA2BC0A6-8D4B-458A-85C8-2B8C72487513} - \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector -> No File <==== ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
EmptyTemp:
end
*****************

Restore point was successfully created.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{205063A5-32A6-4F0A-B19E-E966E0D6798C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{205063A5-32A6-4F0A-B19E-E966E0D6798C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{27838657-885E-4EC1-BAEA-2BDF01479FE7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{27838657-885E-4EC1-BAEA-2BDF01479FE7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Activation Technologies\ValidationTask => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsBackup\ConfigNotification => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AC4E5ACF-89F7-4220-BA21-81EE183975E2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AC4E5ACF-89F7-4220-BA21-81EE183975E2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Application Experience\AitAgent => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CEE64558-E1A7-4D9D-80A7-2001912BE5B5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CEE64558-E1A7-4D9D-80A7-2001912BE5B5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MemoryDiagnostic\CorruptionDetector => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FA2BC0A6-8D4B-458A-85C8-2B8C72487513} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FA2BC0A6-8D4B-458A-85C8-2B8C72487513} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector => key removed successfully
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 12582912 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 9833482 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 109433900905 B
Edge => 0 B
Chrome => 371367768 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 16802 B
systemprofile32 => 66228 B
LocalService => 16674 B
NetworkService => 5651192 B
MOH => 30885771 B

RecycleBin => 1222186 B
EmptyTemp: => 102.3 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 11:18:12 ====
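As an added triage example (my own code, not the thread's and not part of FRST): a small parser for the FRST entry lines in the log posted above and for the EmptyTemp section of this Fixlog, plus one defender heuristic that lists binaries under C:\Windows whose entry carries no publisher name, so an analyst knows what to verify first. The sample lines are copied from this thread; the regexes, function names and the "needs a look" rule are my assumptions, not FRST's own logic.

```python
"""Triage helpers for Farbar Recovery Scan Tool (FRST) logs.

Added example, not part of this thread or of FRST. It parses the "One Month
Created/Modified files" entries and a Fixlog's EmptyTemp summary, and applies
one defender heuristic: executables and drivers under C:\\Windows whose entry
carries no publisher name deserve a closer look (signature check, hash lookup).
An empty publisher field alone proves nothing; it only ranks what to inspect.
"""
import re
from typing import Dict, List, Optional, Tuple

# Entry layout: "<created> - <modified> - <size> <attrs> [(<company>) ]<path>"
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d+) ([A-Z_]{5}) "
    r"(?:\(([^)]*)\) )?"
    r"(.+)$"
)
# Fixlog EmptyTemp layout: "<label> => <bytes> B"
TEMP_RE = re.compile(r"^(.+?) => (\d+) B$")
BINARY_EXT = (".exe", ".dll", ".sys", ".scr")

# Constructed sample: lines copied from the FRST log posted in this thread.
SAMPLE_FRST_LOG = r"""
2017-07-12 17:50 - 2017-06-12 18:06 - 00303616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msinfo32.exe
2017-06-29 13:34 - 2017-07-10 17:38 - 00188352 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-06-29 13:34 - 2017-07-10 17:37 - 00077376 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-06-29 13:34 - 2017-06-29 13:34 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-06-29 13:32 - 2017-06-29 13:33 - 64232976 _____ (Malwarebytes ) C:\Users\MOH\Downloads\mb3-setup-consumer-3.1.2.1733-1.0.141-1.0.2092.exe
2017-06-26 09:22 - 2017-06-26 09:22 - 00688992 ____R (Swearware) C:\Users\MOH\Downloads\dds.scr
2017-07-17 15:04 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-07-13 03:34 - 2009-07-14 01:13 - 00781790 _____ C:\Windows\system32\PerfStringBackup.INI
"""

# Constructed sample: the EmptyTemp section of the Fixlog posted in this thread.
SAMPLE_FIXLOG = """
BITS transfer queue => 12582912 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 9833482 B
Windows/system/drivers => 109433900905 B
Chrome => 371367768 B
MOH => 30885771 B
RecycleBin => 1222186 B
EmptyTemp: => 102.3 GB temporary data Removed.
"""


def parse_entry(line: str) -> Optional[dict]:
    """Parse one FRST file/folder entry; return None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, company, path = m.groups()
    return {
        "created": created,
        "modified": modified,
        "size": int(size),
        "is_dir": "D" in attrs,           # attribute column, e.g. ____D
        "company": (company or "").strip(),
        "path": path,
    }


def unattributed_binaries(log: str) -> List[str]:
    """Executables/drivers under C:\\Windows whose entry has no publisher."""
    hits = []
    for line in log.splitlines():
        e = parse_entry(line)
        if e is None or e["is_dir"]:
            continue
        p = e["path"].lower()
        if p.startswith("c:\\windows\\") and p.endswith(BINARY_EXT) and not e["company"]:
            hits.append(e["path"])
    return hits


def emptytemp_breakdown(fixlog: str) -> Dict[str, int]:
    """Map each EmptyTemp label to the number of bytes it freed."""
    out: Dict[str, int] = {}
    for line in fixlog.splitlines():
        m = TEMP_RE.match(line.strip())
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def biggest_temp_consumer(fixlog: str) -> Optional[Tuple[str, int]]:
    """(label, bytes) of the largest EmptyTemp line; None if nothing parsed."""
    b = emptytemp_breakdown(fixlog)
    return max(b.items(), key=lambda kv: kv[1]) if b else None


if __name__ == "__main__":
    print("review first:", unattributed_binaries(SAMPLE_FRST_LOG))
    print("largest temp consumer:", biggest_temp_consumer(SAMPLE_FIXLOG))
```

On this thread's data the heuristic surfaces only mbae64.sys (a Malwarebytes anti-exploit driver whose entry simply lacks the company field), and the breakdown shows that almost all of the 102.3 GB came from the Windows/system/drivers temp area.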
Old 07-20-2017, 08:08 PM   #10
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, bauknecht. You're very welcome. Glad to hear it.

------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

Press the Windows "logo" key and "R" key then copy/paste the following single-line command into the Run box and click OK:

cmd /c rd /s /q "C:\FRST"

A DOS window will open and close again; this is normal.

------------------------------------------------------

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

Keep MBAM, update and run a Scan ('Threat Scan' by default, or 'Scan Now' under the Dashboard tab) weekly.

Empty your Recycle Bin if it does not do so automatically.

------------------------------------------------------

Please read this and, if possible, contribute as much as you can:

https://www.bleepingcomputer.com/anno...dom-of-speech/

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

------------------------------------------------------

Make sure you back up your system, so possible reformatting in the future isn't necessary:

https://windows.microsoft.com/en-US/w...up-and-restore

------------------------------------------------------

SPYWARE PREVENTION
In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read this well-written article: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for IE, Firefox, and Chrome.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows 7 here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
Old 07-21-2017, 06:48 AM   #11
Registered Member
 
Join Date: Oct 2009
Posts: 32
OS: xp



Great thank you. This was a huge help. Where is the best place to contribute to what you all offer?

Thanks again

Rudi
Old 07-21-2017, 10:54 PM   #12
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



You're very welcome, Rudi! Glad to have helped.


Please read this and, if possible, contribute as much as you can:

https://www.bleepingcomputer.com/anno...dom-of-speech/

------------------------------------------------------
 

Copyright 2001 - 2018, Tech Support Forum
