Infected: W32/Mytob-EW worm & W32/Sdbot-BN backdoor worm

This topic is locked. 84 replies to this topic.

#1 Momadice (Members, 156 posts, Ontario, Canada)

Posted 26 April 2015 - 05:39 PM

Processor:  AMD A4-6210 APU with Radeon R3 Graphics 1.80 GHz
Installed RAM  4.00 GB (3.46 GB usable)
System type 64-bit operating system, x64-based processor
Pen and touch No pen or touch input is available for this display

Edition:  Windows 8.1
Manufacturer   Acer    Aspire E5-721

Canon MX452 all in one printer

Emsisoft is my main anti malware program.

 

Infected with W32/Mytob-EW worm and W32/Sdbot-BN backdoor worm

 

Bleeping brought this to my attention while I was researching strange behaviour on my PC.  Several drive wipes with a factory install performed over the last four weeks.  Four wipes.  One done by my college computer technician.  Frustration over what was going on triggered the slow one-by-one process analysis using Task Manager.  When I selected End Task on these (so-called worm in disguise) processes, they immediately started up again.  Using the right-click feature on the entries to search online for what they were brought me directly to the Bleeping Computer description.  Upon further investigation it was unanimous that Bleeping's information was correct.

 

My Emsisoft was consistently detecting and quarantining two registry keys, over and over, even after I deleted them.  I am no different than anyone else and have saved logs of other scans from JRT, adware, RogueKiller, RKill, etc.  They usually don't help that much, but if you are curious I have them.

 

I almost failed one of my last law courses due to these computer issues.  I have been working with another one of Bleeping's techs, and they said it is time I get some advanced help, and directed me to this forum.

 

Emsisoft detects a registry problem, quarantines it, I then delete it.  It keeps returning.

 

Emsisoft Anti-Malware v. 9.0.0.5066
© 2003-2014 Emsisoft - www.emsisoft.com

ID   Object

0    Value: HKEY_USERS\S-1-5-21-3697784714-1533898605-4234074958-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A).

1    Value: HKEY_USERS\S-1-5-21-3697784714-1533898605-4234074958-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)

 

This is an export log that shows the detection, quarantine, and deletion, and the miraculous resurrection of the same thing over and over.  I have given up on deleting them, as they just come back.  Some kind of malware cemetery horror movie.

 

Emsisoft Anti-Malware - Version 9.0
Quarantine log

Date Source Event Detection 
2015-04-26 9:14:09 PM Value: HKEY_USERS\S-1-5-21-3697784714-1533898605-4234074958-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR Moved to quarantine Setting.DisableTaskMgr (A) 
2015-04-26 9:14:08 PM Value: HKEY_USERS\S-1-5-21-3697784714-1533898605-4234074958-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS Moved to quarantine Setting.DisableRegistryTools (A) 
2015-04-26 10:51:40 AM C:\users\cindy\documents\programs\ninja-setup-3.0.6.exe Moved to quarantine Application.InstallAd (A) 
2015-04-26 3:26:10 AM C:\Users\Cindy\AppData\Local\Microsoft\Windows\INetCache\Low\IE\M4K1MRAB\ninja-setup-3.0.6[1].exe Restored from quarantine Application.InstallAd (A) 
2015-04-26 3:25:12 AM C:\Users\Cindy\AppData\Local\Microsoft\Windows\INetCache\Low\IE\M4K1MRAB\ninja-setup-3.0.6[1].exe Moved to quarantine Application.InstallAd (A) 
2015-04-26 3:25:12 AM C:\Users\Cindy\AppData\Local\Microsoft\Windows\INetCache\Low\IE\M4K1MRAB\ninja-setup-3.0.6[1].exe Moved to quarantine Application.InstallAd (A) 
2015-04-26 3:22:23 AM C:\Users\Cindy\AppData\Local\Microsoft\Windows\INetCache\Low\IE\M4K1MRAB\ninja-setup-3.0.6[1].exe Moved to quarantine Application.InstallAd (A) 
2015-04-26 3:22:17 AM C:\Users\Cindy\AppData\Local\Microsoft\Windows\INetCache\Low\IE\M4K1MRAB\ninja-setup-3.0.6[1].exe Moved to quarantine Application.InstallAd (A) 
2015-04-26 3:22:06 AM C:\Users\Cindy\AppData\Local\Microsoft\Windows\INetCache\Low\IE\M4K1MRAB\ninja-setup-3.0.6[1].exe Moved to quarantine Application.InstallAd (A) 
2015-04-26 3:21:55 AM C:\Users\Cindy\AppData\Local\Microsoft\Windows\INetCache\Low\IE\M4K1MRAB\ninja-setup-3.0.6[1].exe Moved to quarantine Application.InstallAd (A) 
2015-04-26 3:19:00 AM C:\Users\Cindy\AppData\Local\Microsoft\Windows\INetCache\Low\IE\MDNQNNK6\ninja-setup-3.0.6[1].exe Restored from quarantine Application.InstallAd (A) 
2015-04-26 2:59:10 AM C:\Users\Cindy\AppData\Local\Microsoft\Windows\INetCache\Low\IE\MDNQNNK6\ninja-setup-3.0.6[1].exe Moved to quarantine Application.InstallAd (A) 
2015-04-26 2:59:10 AM C:\Users\Cindy\AppData\Local\Microsoft\Windows\INetCache\Low\IE\MDNQNNK6\ninja-setup-3.0.6[1].exe Moved to quarantine Application.InstallAd (A) 
2015-04-26 2:58:44 AM C:\Users\Cindy\AppData\Local\Microsoft\Windows\INetCache\Low\IE\MDNQNNK6\ninja-setup-3.0.6[1].exe Moved to quarantine Application.InstallAd (A) 
2015-04-25 10:41:01 AM Value: HKEY_USERS\S-1-5-21-3697784714-1533898605-4234074958-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS Permanently deleted Setting.DisableRegistryTools (A) 
2015-04-24 8:36:15 PM Value: HKEY_USERS\S-1-5-21-3697784714-1533898605-4234074958-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR Permanently deleted Setting.DisableTaskMgr (A) 
2015-04-24 8:36:08 PM Value: HKEY_USERS\S-1-5-21-3697784714-1533898605-4234074958-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS Permanently deleted Setting.DisableRegistryTools (A) 
2015-04-24 8:36:02 PM Value: HKEY_USERS\S-1-5-21-3697784714-1533898605-4234074958-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS Permanently deleted Setting.DisableRegistryTools (A) 
2015-04-24 8:35:54 PM Value: HKEY_USERS\S-1-5-21-3697784714-1533898605-4234074958-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR Permanently deleted Setting.DisableTaskMgr (A) 

 

Bleeping's epitaph on the two worms:

 

A.  Home > Startup Programs Database > remote.exe Information

 
   This is an undesirable program.

 This file has been identified as a program that is undesirable to have running on your computer. This consists of programs that are misleading, harmful, or undesirable.

If the description states that it is a piece of malware, you should immediately run an antivirus and antispyware program. If that does not help, feel free to ask us for assistance in the forums. 

Name: Remote Procedure Call (RPC) Remote
Filename: remote.exe
Command: %System%\remote.exe

Description:
 
Added by the W32/Mytob-EW worm. This infection, when started, connects to an IRC server where it sits on a channel awaiting commands.

File Location: %System%
Startup Type: This startup entry is installed as a Windows service.
Service Name: RpcRemotes
Service Display Name: Remote Procedure Call (RPC) Remote
HijackThis Category: O23 Entry 
Note: %System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP/Vista/7.
Removal Instructions:  How to remove a Trojan, Virus, Worm, or other Malware 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
B.  This is an undesirable program.

 This file has been identified as a program that is undesirable to have running on your computer. This consists of programs that are misleading, harmful, or undesirable.

If the description states that it is a piece of malware, you should immediately run an antivirus and antispyware program. If that does not help, feel free to ask us for assistance in the forums. 

Name: Spooler SubSystem App
Filename: spoolv.exe
Command: Unknown at this time.

Description:
 
Added by the W32/Sdbot-BN backdoor worm. When this infection starts it will connect to an IRC server where it will wait for remote commands to execute. This infection also steals cd keys from popular games and applications.

File Location: %System%
Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
HijackThis Category: O4 Entry 
Note: %System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP/Vista/7.
Removal Instructions:  How to remove a Trojan, Virus, Worm, or other Malware 
 

Farbar logs in the works...  as this PC is unstable, I wanted to post some information while I still could.  It is very difficult to get to the correct download page for some tools, and even more difficult to save them and sometimes run them.  Farbar was no exception.


Edited by Momadice, 27 April 2015 - 03:13 PM.
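The quarantine log in this post shows the same two policy values (DisableTaskMgr and DisableRegistryTools under the user's HKU hive) being permanently deleted and then detected again a day or two later. A policy value in a user hive does not recreate itself; something running in that user's session is writing it back, and the interesting question for the helper is how long the gap is and which objects show the pattern. The following Python script is an added example, not part of this post and not Emsisoft's code: it parses lines in the layout the quarantine log above uses (date, 12-hour time, object, event, detection name), which is an assumption inferred from that log, and reports every object that was detected again after a "Permanently deleted" event. The sample lines are constructed from the log in this post.

```python
"""Find quarantined items that keep coming back in an Emsisoft-style quarantine log.

Added example, not part of the forum post and not Emsisoft code. The line
layout (date, 12-hour time, object, event, detection name) is inferred from
the quarantine log pasted in the post; the sample lines below are built
from that log and are constructed, not a verbatim export.
"""
import re
from collections import defaultdict
from datetime import datetime

# Registry value key and cached installer path as they appear in the post.
POLICY_KEY = (r"HKEY_USERS\S-1-5-21-3697784714-1533898605-4234074958-1001"
              r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM")
CACHE_EXE = (r"C:\Users\Cindy\AppData\Local\Microsoft\Windows\INetCache\Low\IE"
             r"\M4K1MRAB\ninja-setup-3.0.6[1].exe")

# Constructed sample modelled on the post's log (newest first, as the post shows it).
SAMPLE_LOG = "\n".join([
    "Date Source Event Detection",
    f"2015-04-26 9:14:09 PM Value: {POLICY_KEY} -> DISABLETASKMGR Moved to quarantine Setting.DisableTaskMgr (A)",
    f"2015-04-26 9:14:08 PM Value: {POLICY_KEY} -> DISABLEREGISTRYTOOLS Moved to quarantine Setting.DisableRegistryTools (A)",
    f"2015-04-26 3:26:10 AM {CACHE_EXE} Restored from quarantine Application.InstallAd (A)",
    f"2015-04-26 3:25:12 AM {CACHE_EXE} Moved to quarantine Application.InstallAd (A)",
    f"2015-04-25 10:41:01 AM Value: {POLICY_KEY} -> DISABLEREGISTRYTOOLS Permanently deleted Setting.DisableRegistryTools (A)",
    f"2015-04-24 8:36:15 PM Value: {POLICY_KEY} -> DISABLETASKMGR Permanently deleted Setting.DisableTaskMgr (A)",
    f"2015-04-24 8:36:08 PM Value: {POLICY_KEY} -> DISABLEREGISTRYTOOLS Permanently deleted Setting.DisableRegistryTools (A)",
    f"2015-04-24 8:35:54 PM Value: {POLICY_KEY} -> DISABLETASKMGR Permanently deleted Setting.DisableTaskMgr (A)",
])

# One log line: timestamp, object (may contain spaces), one of three events, detection name.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<obj>.+?) "
    r"(?P<event>Moved to quarantine|Restored from quarantine|Permanently deleted) "
    r"(?P<sig>\S+ \([A-Z]\))\s*$"
)


def parse_log(text):
    """Return (timestamp, object, event, detection) tuples; header/unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %I:%M:%S %p")
        events.append((ts, m["obj"], m["event"], m["sig"]))
    return events


def find_resurrections(events):
    """Map object -> [(deleted_at, redetected_at), ...] for objects that came back after deletion.

    A 'Moved to quarantine' that follows a 'Permanently deleted' for the same
    object means the object was recreated on disk or in the registry; a plain
    quarantine/restore cycle without a deletion is not counted.
    """
    by_obj = defaultdict(list)
    for ts, obj, event, _sig in events:
        by_obj[obj].append((ts, event))
    result = {}
    for obj, evs in by_obj.items():
        evs.sort()  # the log is newest-first; replay it oldest-first
        last_deleted = None
        hits = []
        for ts, event in evs:
            if event == "Permanently deleted":
                last_deleted = ts
            elif event == "Moved to quarantine" and last_deleted is not None:
                hits.append((last_deleted, ts))
                last_deleted = None
        if hits:
            result[obj] = hits
    return result


def report(text):
    """Human-readable summary: one line per resurrection with the gap between deletion and return."""
    lines = []
    for obj, hits in sorted(find_resurrections(parse_log(text)).items()):
        label = obj.split(" -> ")[-1]  # value name for registry objects, full path otherwise
        for deleted_at, back_at in hits:
            lines.append(f"{label}: deleted {deleted_at:%Y-%m-%d %H:%M}, "
                         f"back {back_at:%Y-%m-%d %H:%M} (gap {back_at - deleted_at})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On the constructed sample this reports both policy values returning roughly a day or two after their last deletion and ignores the cached installer, which was only quarantined and restored. The value names are the symptom; the process or scheduled task that keeps writing them is what the FRST logs in the following posts are meant to expose.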



#2 Momadice (Topic Starter, Members, 156 posts, Ontario, Canada)

Posted 26 April 2015 - 05:58 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-04-2015
Ran by Cindy (administrator) on PERFECTPC on 26-04-2015 18:46:01
Running from C:\Users\Cindy\Desktop
Loaded Profiles: Cindy (Available profiles: Cindy & Administrator)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\tbaseprovisioning.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Emsisoft GmbH) C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Quick Access\QASvc.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Quick Access\QAEvent.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Qualcomm®Atheros®) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe
() C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerTray.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerWinMonitor.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Quick Access\QAMsg.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Emsisoft GmbH) C:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\livecomm.exe
(Farbar) C:\Users\Cindy\Desktop\itybityspider.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13672304 2014-03-20] (Realtek Semiconductor)
HKLM\...\Run: [Zemana AntiMalware] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [11800944 2015-04-08] (Zemana Ltd.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766688 2014-03-23] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [emsisoft anti-malware] => c:\program files (x86)\emsisoft anti-malware\a2guard.exe [4886608 2015-03-24] (Emsisoft GmbH)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe [134784 2014-02-26] (Qualcomm®Atheros®)
HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\...\Run: [Wipe Maintance] => C:\Program Files\Wipe\net1.exe [546456 2015-04-26] (www.privacyroot.com)
HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\...\Run: [CCleaner] => C:\Users\Cindy\Documents\Programs\CCleaner 23 April 2015\CCleaner64.exe [7451928 2015-04-23] (Piriform Ltd)
Startup: C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2015-04-25] ()
Startup: C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wipe Tray Agent.lnk [2015-04-26]
ShortcutTarget: Wipe Tray Agent.lnk -> C:\Program Files\Wipe\Wipe.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/en-ca/?ocid=iehp
HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
SearchScopes: HKLM-x32 -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = http://ca.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3697784714-1533898605-4234074958-1001 -> {4B44DE15-5F8E-4550-ACC3-9A20DBE3AB05} URL =
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-04-21] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 24.226.10.193 24.226.10.194 24.226.1.94

FireFox:
========
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2015-04-21] (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> c:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2013-09-05] (Adobe Systems Inc.)

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 a2AntiMalware; C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [5020520 2015-03-24] (Emsisoft GmbH)
S4 AtherosSvc; C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe [319104 2014-02-26] (Windows ® Win 7 DDK provider) [File not signed]
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-28] (Microsoft Corporation)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2719928 2015-03-18] (Microsoft Corporation)
R3 ePowerSvc; C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe [2573544 2014-03-21] (Acer Incorporated)
R3 QASvc; C:\Program Files\Acer\Acer Quick Access\QASvc.exe [457960 2014-03-21] (Acer Incorporate)
S4 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [254512 2012-04-24] ()
S4 RMSvc; C:\Program Files\Acer\Acer Quick Access\RMSvc.exe [449768 2014-03-21] (Acer Incorporate)
R2 tbaseprovisioning; C:\Windows\SysWOW64\tbaseprovisioning.exe [51712 2014-02-24] (Advanced Micro Devices, Inc.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [11800944 2015-04-08] (Zemana Ltd.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 amdkmcsp; C:\Windows\system32\DRIVERS\amdkmcsp.sys [85704 2014-02-24] (Advanced Micro Devices, Inc. )
R0 amdkmpfd; C:\Windows\System32\drivers\amdkmpfd.sys [36608 2013-12-12] (Advanced Micro Devices, Inc.)
R0 amdpsp; C:\Windows\System32\DRIVERS\amdpsp.sys [230088 2014-02-24] (Advanced Micro Devices, Inc. )
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3888640 2014-02-14] (Qualcomm Atheros Communications, Inc.)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [222720 2013-12-20] (Advanced Micro Devices)
S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2014-02-26] (Qualcomm Atheros)
S3 BthLEEnum; C:\Windows\System32\drivers\BthLEEnum.sys [226304 2013-12-04] (Microsoft Corporation)
R1 epp64; C:\Windows\System32\DRIVERS\epp64.sys [135800 2015-03-24] (Emsisoft GmbH)
U5 GeneStor; C:\Windows\System32\Drivers\GeneStor.sys [107208 2014-01-17] (GenesysLogic)
S3 LMDriver; C:\Windows\System32\drivers\LMDriver.sys [21360 2013-07-17] (Acer Incorporated)
S3 QRDCIO; C:\Windows\System32\drivers\QRDCIO.sys [9728 2009-10-20] (QUANTA)
S3 RadioShim; C:\Windows\System32\drivers\RadioShim.sys [14680 2013-07-17] (Acer Incorporated)
R3 SynRMIHID; C:\Windows\system32\DRIVERS\SynRMIHID.sys [42224 2014-02-19] (Synaptics Incorporated)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-04-24] ()
S3 trufos; C:\Windows\System32\drivers\trufos.sys [350160 2015-04-26] (BitDefender S.R.L.)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)
R1 ZAM; C:\WINDOWS\System32\drivers\zam64.sys [103752 2015-04-26] (Zemana Ltd.)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


Edited by Momadice, 26 April 2015 - 09:06 PM.
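The FRST.txt above is what a helper reads to find whatever keeps rewriting those policy values: the Run entries and the Services/Drivers sections list each autostart with its path, size, file date and publisher, and mark files FRST could not verify with "[File not signed]" or an empty "()" publisher. The script below is an added example, not part of this post and not a Farbar tool: it parses lines in those two layouts (inferred from the log above, so the formats are an assumption) and applies a few transparent triage rules, including a lookup against the service and file names from the two BleepingComputer startup-database entries quoted in the first post. The sample lines are taken from the log above, except the RpcRemotes line, which is constructed from that database entry to show how a named indicator would surface; it was not found on the poster's machine.

```python
"""Triage the autorun and service lines of a Farbar (FRST) log.

Added example, not part of the forum post and not a Farbar tool. The line
formats are inferred from the FRST.txt pasted in the post. Sample lines are
copied from that log, except the RpcRemotes line, which is constructed from
the BleepingComputer startup-database entry quoted in the first post.
"""
import re
from datetime import date

SCAN_DATE = date(2015, 4, 26)  # date in the post's FRST header

# Lower-cased names from the two startup-database entries quoted in the post
# (an assumed lookup table for this example, not an official indicator feed).
KNOWN_BAD = {
    "rpcremotes": "W32/Mytob-EW service name",
    "remote.exe": "W32/Mytob-EW file name",
    "spoolv.exe": "W32/Sdbot-BN file name",
}

# "HKLM\...\Run: [Name] => C:\path\file.exe [size yyyy-mm-dd] (Publisher) [flags]"
RUN_RE = re.compile(
    r"^(?P<hive>HK\S*?)\\\.\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] => "
    r"(?P<path>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] "
    r"\((?P<vendor>[^)]*)\)(?P<flags>.*)$"
)
# "R2 ServiceName; C:\path\file.exe [size yyyy-mm-dd] (Publisher) [flags]"
SVC_RE = re.compile(
    r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<path>.+?) \[(?P<size>\d+) "
    r"(?P<date>\d{4}-\d{2}-\d{2})\] \((?P<vendor>[^)]*)\)(?P<flags>.*)$"
)

# Lines copied from the post's FRST.txt, plus one constructed RpcRemotes line.
SAMPLE_FRST = r"""
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13672304 2014-03-20] (Realtek Semiconductor)
HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\...\Run: [Wipe Maintance] => C:\Program Files\Wipe\net1.exe [546456 2015-04-26] (www.privacyroot.com)
HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\...\Run: [CCleaner] => C:\Users\Cindy\Documents\Programs\CCleaner 23 April 2015\CCleaner64.exe [7451928 2015-04-23] (Piriform Ltd)
R2 a2AntiMalware; C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [5020520 2015-03-24] (Emsisoft GmbH)
S4 AtherosSvc; C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe [319104 2014-02-26] (Windows ® Win 7 DDK provider) [File not signed]
S4 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [254512 2012-04-24] ()
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-04-24] ()
R1 ZAM; C:\WINDOWS\System32\drivers\zam64.sys [103752 2015-04-26] (Zemana Ltd.)
R2 RpcRemotes; C:\Windows\System32\remote.exe [40960 2015-04-25] ()
"""


def parse_frst(text):
    """Return one dict per recognised Run/service/driver line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        kind, m = "run", RUN_RE.match(line)
        if not m:
            kind, m = "service", SVC_RE.match(line)
        if not m:
            continue
        entries.append({
            "kind": kind,
            "name": m["name"].strip(),
            "path": m["path"],
            "date": date.fromisoformat(m["date"]),
            "vendor": m["vendor"].strip(),
            "flags": m["flags"].strip(),
        })
    return entries


def triage(text, scan_date=SCAN_DATE, recent_days=3):
    """Return (name, path, [reasons]) for every entry that trips at least one rule."""
    findings = []
    for e in parse_frst(text):
        reasons = []
        base = e["path"].rsplit("\\", 1)[-1].lower()
        for key in (e["name"].lower(), base):
            if key in KNOWN_BAD:
                reasons.append(f"matches startup-database indicator: {key} ({KNOWN_BAD[key]})")
        if not e["vendor"]:
            reasons.append("no publisher in FRST output")
        if "[File not signed]" in e["flags"]:
            reasons.append("file not signed")
        if (scan_date - e["date"]).days <= recent_days:
            reasons.append(f"file dated within {recent_days} days of scan")
        if e["kind"] == "run" and e["path"].lower().startswith("c:\\users"):
            reasons.append("autorun points into a user profile")
        if reasons:
            findings.append((e["name"], e["path"], reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_FRST):
        print(f"{name}: {path}\n    " + "\n    ".join(reasons))
```

The rules are prompts for a human, not verdicts: on this log the "recent file" rule mostly hits the tools the poster installed over the preceding days, and an unsigned vendor driver is common. What the helper wants is the short list of entries with no publisher, a file date that matches the onset of the symptoms, or a name that matches a known indicator, and then the path so the file can be looked at.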


#3 Momadice (Topic Starter, Members, 156 posts, Ontario, Canada)

Posted 26 April 2015 - 05:59 PM

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 26-04-2015
Ran by Cindy at 2015-04-26 18:48:15
Running from C:\Users\Cindy\Desktop
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-3697784714-1533898605-4234074958-500 - Administrator - Disabled) => C:\Users\Administrator
Cindy (S-1-5-21-3697784714-1533898605-4234074958-1001 - Administrator - Enabled) => C:\Users\Cindy
Guest (S-1-5-21-3697784714-1533898605-4234074958-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3697784714-1533898605-4234074958-1003 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Emsisoft Anti-Malware (Disabled - Up to date) {8504DEEF-CC04-1F76-2137-F1A5F4A659DA}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Emsisoft Anti-Malware (Disabled - Up to date) {3E653F0B-EA3E-10F8-1B87-CAD78F211367}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acer Power Management (HKLM\...\{91F52DE4-B789-42B0-9311-A349F10E5479}) (Version: 7.00.8104 - Acer Incorporated)
Acer Quick Access (HKLM\...\{C1FA525F-D701-4B31-9D32-504FC0CF0B98}) (Version: 1.01.3012 - Acer Incorporated)
Acer Recovery Management (HKLM\...\{07F2005A-8CAC-4A4B-83A2-DA98A722CA61}) (Version: 6.00.8106 - Acer Incorporated)
Adobe Reader XI (11.0.04)  MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AB0000000001}) (Version: 11.0.04 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{E433737F-59A9-ADC0-A2B5-7714003EFC50}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
Cisco Connect (HKLM-x32\...\Cisco Connect) (Version: 1.2.10148.2 - Cisco Consumer Products LLC)
CyberLink PhotoDirector 3 (HKLM-x32\...\InstallShield_{39337565-330E-4ab6-A9AE-AC81E0720B10}) (Version: 3.0.1.4917 - CyberLink Corp.)
CyberLink PowerDirector 10 (HKLM-x32\...\InstallShield_{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}) (Version: 10.0.0.3721 - CyberLink Corp.)
CyberLink PowerDVD 12 (HKLM-x32\...\InstallShield_{B46BEA36-0B71-4A4E-AE41-87241643FA0A}) (Version: 12.0.3914.57 - CyberLink Corp.)
Emsisoft Anti-Malware (HKLM-x32\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 9.0 - Emsisoft Ltd.)
Genesys USB Mass Storage Device (HKLM-x32\...\{959B7F35-2819-40C5-A0CD-3C53B5FCC935}) (Version: 4.3.1.0 - Genesys Logic)
Identity Card (HKLM-x32\...\{3D9CB654-99AD-4301-89C6-0D12A790767C}) (Version: 2.00.8101 - Acer Incorporated)
Live Updater (HKLM-x32\...\{EE26E302-876A-48D9-9058-3129E5B99999}) (Version: 2.00.8100 - Acer Incorporated)
Microsoft Office 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 15.0.4711.1002 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
OEM Application Profile (HKLM-x32\...\{276FD4A2-030F-8A24-7DFE-9B1384131BCD}) (Version: 1.00.0000 - Advanced Micro Devices, Inc.)
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4711.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4711.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4711.1002 - Microsoft Corporation) Hidden
PSP Application (Version: 1.00.0000 - Advanced Micro Devices, Inc.) Hidden
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.1.318 - Qualcomm Atheros Communications)
Qualcomm Atheros WLAN and Bluetooth Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 12.29 - Qualcomm Atheros)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.24.1218.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7218 - Realtek Semiconductor Corp.)
System Ninja version 3.0.6 (HKLM-x32\...\{6E67710E-206D-43AB-BF21-E7CD63056C55}_is1) (Version: 3.0.6 - SingularLabs)
Wipe (HKLM\...\wipe) (Version: 2015.03 - PrivacyRoot.com)
Zemana AntiMalware (HKLM-x32\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.10.2.18 - Zemana Ltd.)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points  =========================

21-04-2015 19:47:12 21From5ROSE
23-04-2015 21:01:00 affter installing emsisoft
25-04-2015 15:33:20 Language Pack Removal

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 09:25 - 2015-04-23 23:13 - 00000747 ____A C:\WINDOWS\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {1A8BCE9C-72F9-4058-83B3-8496300242DF} - System32\Tasks\Quick Access Quick Launcher => C:\Program Files\Acer\Acer Quick Access\QALauncher.exe [2014-03-21] (Acer Incorporate)
Task: {35967A00-73FF-4019-8E9A-F58A5AA177FB} - System32\Tasks\Microsoft\Windows\Setup\gwx\launchtrayprocess => C:\Windows\system32\GWX\GWX.exe [2015-03-23] (Microsoft Corporation)
Task: {416DDE1E-AD1F-4D50-9121-17AC2A43F798} - System32\Tasks\Microsoft\Windows\Setup\gwx\runappraiser => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-23] (Microsoft Corporation)
Task: {4BB1003B-403C-467B-9D7D-A4C5D0C96FCA} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2015-03-10] (Microsoft Corporation)
Task: {5C7A1620-3E04-476F-8E11-6BB48E8A9ED2} - System32\Tasks\Microsoft Office 15 Sync Maintenance for PERFECTPC-Cindy PerfectPC => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2015-04-21] (Microsoft Corporation)
Task: {656C3C70-A16D-4DCC-8993-33E59F93DB0D} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx86\Microsoft Shared\OFFICE15\OLicenseHeartbeat.exe [2015-04-21] (Microsoft Corporation)
Task: {834234FB-CA49-40CB-A112-C70CB357ADFB} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-23] (Microsoft Corporation)
Task: {8B47279E-8FA8-4D9D-AEB0-73FC73A4F03D} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2015-04-01] (Microsoft Corporation)
Task: {AA9DBEB6-3E01-49C1-92F6-4AB6C04EF596} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2015-03-10] (Microsoft Corporation)
Task: {B25CEB8A-7A3B-4084-A067-0317E59D7171} - System32\Tasks\Power Management => C:\Program Files\Acer\Acer Power Management\ePowerTrayLauncher.exe [2014-03-21] (Acer Incorporated)
Task: {B44D9C39-3A61-4C69-8D6E-1691376FB69C} - System32\Tasks\Recovery Management\Notification => C:\Program Files\Acer\Acer Recovery Management\Notification\Notification.exe [2014-03-18] (Acer Incorporated)
Task: {B78B56C2-3A84-4AD7-B6A6-0D4FEFF386E4} - System32\Tasks\Quick Access => C:\Program Files\Acer\Acer Quick Access\QALauncher.exe [2014-03-21] (Acer Incorporate)
Task: {D5059A2B-4E8D-4BC8-841B-436BFBC699A1} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxcontent => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-23] (Microsoft Corporation)
Task: {E3B7B649-2947-4C2A-AD66-2F844ABBDBAA} - \Optimize Start Menu Cache Files-S-1-5-21-3697784714-1533898605-4234074958-500 No Task File <==== ATTENTION
Task: {FBA77062-F483-4E89-82B3-67E1523B8FE7} - \Optimize Start Menu Cache Files-S-1-5-21-3697784714-1533898605-4234074958-1001 No Task File <==== ATTENTION

==================== Loaded Modules (whitelisted) ==============

2015-04-21 18:00 - 2014-05-20 09:19 - 00105640 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2014-06-14 13:47 - 2014-01-03 17:13 - 00111872 _____ () C:\Program Files (x86)\Acer\clear.fi plug-in\Clearfishellext_x64.dll
2014-02-26 01:14 - 2014-02-26 01:14 - 00011264 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\Modules\ActivateDesktopDebugger\ActivateDesktopDebugger.dll
2014-02-26 01:11 - 2014-02-26 01:11 - 00086016 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\Modules\Map\MAP.dll
2014-02-26 01:17 - 2014-02-26 01:17 - 00012928 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Users\Cindy\OneDrive:ms-properties

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, the associated entry will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\...\blackboard.com -> hxxps://niagara.blackboard.com
IE trusted site: HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\...\cogeco.ca -> hxxps://www.cogeco.ca
IE trusted site: HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\...\jw.org -> hxxps://www.jw.org

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 24.226.10.193 - 24.226.10.194

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

HKLM\...\StartupApproved\StartupFolder: => "$McRebootA5E6DEAA56$.lnk"
HKLM\...\StartupApproved\Run: => "StartCCC"
HKLM\...\StartupApproved\Run: => "RTHDVCPL"
HKLM\...\StartupApproved\Run32: => "Adobe ARM"
HKLM\...\StartupApproved\Run32: => "emsisoft anti-malware"
HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\...\StartupApproved\StartupFolder: => "Send to OneNote.lnk"
HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\...\StartupApproved\StartupFolder: => "Wipe Tray Agent.lnk"
HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\...\StartupApproved\Run: => "RESTART_STICKY_NOTES"
HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\...\StartupApproved\Run: => "Uninstall C:\Users\Cindy\AppData\Local\Microsoft\OneDrive\17.3.4726.0226"
HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\...\StartupApproved\Run: => " Maintance"
HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\...\StartupApproved\Run: => "Wipe Maintance"

==================== FirewallRules (whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

FirewallRules: [Wininit-Shutdown-In-Rule-TCP-RPC] => (Allow) %systemroot%\system32\wininit.exe
FirewallRules: [Wininit-Shutdown-In-Rule-TCP-RPC-EPMapper] => (Allow) %systemroot%\system32\wininit.exe
FirewallRules: [ProximityUxHost-Sharing-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\proximityuxhost.exe
FirewallRules: [ProximityUxHost-Sharing-Out-TCP-NoScope] => (Allow) %SystemRoot%\system32\proximityuxhost.exe
FirewallRules: [NETDIS-DAS-In-UDP-Active] => (Allow) %SystemRoot%\system32\dashost.exe
FirewallRules: [NETDIS-DAS-In-UDP] => (Allow) %SystemRoot%\system32\dashost.exe
FirewallRules: [EventForwarder-In-TCP] => (Allow) %SystemRoot%\system32\NetEvtFwdr.exe
FirewallRules: [TPMVSCMGR-Server-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\RmtTpmVscMgrSvr.exe
FirewallRules: [TPMVSCMGR-Server-Out-TCP-NoScope] => (Allow) %SystemRoot%\system32\RmtTpmVscMgrSvr.exe
FirewallRules: [TPMVSCMGR-Server-In-TCP] => (Allow) %SystemRoot%\system32\RmtTpmVscMgrSvr.exe
FirewallRules: [TPMVSCMGR-Server-Out-TCP] => (Allow) %SystemRoot%\system32\RmtTpmVscMgrSvr.exe
FirewallRules: [PlayTo-In-UDP-NoScope] => (Allow) %SystemRoot%\system32\mdeserver.exe
FirewallRules: [PlayTo-In-UDP-LocalSubnetScope] => (Allow) %SystemRoot%\system32\mdeserver.exe
FirewallRules: [PlayTo-In-UDP-PlayToScope] => (Allow) %SystemRoot%\system32\mdeserver.exe
FirewallRules: [PlayTo-Out-UDP-NoScope] => (Allow) %SystemRoot%\system32\mdeserver.exe
FirewallRules: [PlayTo-Out-UDP-LocalSubnetScope] => (Allow) %SystemRoot%\system32\mdeserver.exe
FirewallRules: [PlayTo-Out-UDP-PlayToScope] => (Allow) %SystemRoot%\system32\mdeserver.exe
FirewallRules: [PlayTo-In-RTSP-NoScope] => (Allow) %SystemRoot%\system32\mdeserver.exe
FirewallRules: [PlayTo-In-RTSP-LocalSubnetScope] => (Allow) %SystemRoot%\system32\mdeserver.exe
FirewallRules: [PlayTo-In-RTSP-PlayToScope] => (Allow) %SystemRoot%\system32\mdeserver.exe
FirewallRules: [WFDPRINT-DAFWSD-In-Active] => (Allow) %SystemRoot%\system32\dashost.exe
FirewallRules: [WFDPRINT-DAFWSD-Out-Active] => (Allow) %SystemRoot%\system32\dashost.exe
FirewallRules: [{C27A5385-6007-4A0B-B88F-6C4A5329ACFD}] => (Allow) C:\Program Files (x86)\Nero\Nero 12\Nero BackItUp\BackItUp.exe
FirewallRules: [{E90CAEAD-4895-494F-B633-6C767A8E2B32}] => (Allow) C:\Program Files (x86)\Nero\Nero 12\Nero BackItUp\BackItUp.exe
FirewallRules: [{0C2EBA54-B7B7-493C-A0D2-35F896983A8F}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDirector10\PDR10.EXE
FirewallRules: [{89D4E894-12DB-4C0E-9C5D-E8CC5DC697E2}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12.exe
FirewallRules: [{D8759515-D7EE-44B5-8C37-0A0CF33D2629}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12ML.exe
FirewallRules: [{8F9ED836-E239-42CD-B8C2-4D4F2080CD40}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Movie\PowerDVD.exe
FirewallRules: [{11C57CCF-A206-45C8-B8F6-17343AD0EF18}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\outlook.exe
FirewallRules: [{B2D33791-42D0-4D43-B635-1A1F5D8C2641}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDirector10\PDR10.EXE
FirewallRules: [{C14E694D-F5D8-44BB-B836-3FD93B97A312}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDirector10\PDR10.EXE
FirewallRules: [{392D8695-3EFA-4FD2-89D1-77E5FE249725}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12.exe
FirewallRules: [{A84445C4-75CD-4EF7-AD2A-32844EF4FA40}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12.exe
FirewallRules: [{78367889-0628-48C1-B84D-5CB067F9C9ED}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12ML.exe
FirewallRules: [{E33C4ADF-A49C-4C48-BA6D-C0C40CD0DA40}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12ML.exe
FirewallRules: [{272F528A-E1F1-41EB-A167-50022FED3BFB}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Movie\PowerDVD.exe
FirewallRules: [{69D98BFA-2ECC-4D9E-B893-8D831BD360FB}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Movie\PowerDVD.exe
FirewallRules: [{5843CC73-0C28-4541-B500-75576AEE41C0}] => (Allow) %SystemRoot%\system32\proximityuxhost.exe
FirewallRules: [{84C9CA85-515C-4B70-BFFD-DC69D3E1593F}] => (Allow) %SystemRoot%\system32\proximityuxhost.exe

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (04/26/2015 08:22:31 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Notification.exe, version: 6.0.3012.0, time stamp: 0x53281d82
Faulting module name: KERNELBASE.dll, version: 6.3.9600.17415, time stamp: 0x54505737
Exception code: 0xe0434352
Fault offset: 0x0000000000008b9c
Faulting process id: 0xdd4
Faulting application start time: 0xNotification.exe0
Faulting application path: Notification.exe1
Faulting module path: Notification.exe2
Report Id: Notification.exe3
Faulting package full name: Notification.exe4
Faulting package-relative application ID: Notification.exe5

Error: (04/26/2015 08:22:31 AM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: Notification.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.ComponentModel.Win32Exception
Stack:
   at System.Diagnostics.Process.GetProcessHandle(Int32, Boolean)
   at System.Diagnostics.Process.OpenProcessHandle(Int32)
   at System.Diagnostics.Process.get_Handle()
   at Notification.Form1.CheckAppContainer(System.Diagnostics.Process)
   at Notification.Form1.CheckResolution()
   at Notification.Form1..ctor()
   at Notification.Program.Main()

Error: (04/26/2015 03:42:51 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Wipe.exe, version: 2015.3.0.0, time stamp: 0x551317d4
Faulting module name: KERNELBASE.dll, version: 6.3.9600.17415, time stamp: 0x54505737
Exception code: 0xe0434f4d
Fault offset: 0x0000000000008b9c
Faulting process id: 0x68c
Faulting application start time: 0xWipe.exe0
Faulting application path: Wipe.exe1
Faulting module path: Wipe.exe2
Report Id: Wipe.exe3
Faulting package full name: Wipe.exe4
Faulting package-relative application ID: Wipe.exe5

Error: (04/26/2015 00:14:17 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program LiveComm.exe version 17.5.9600.20689 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: f6c

Start Time: 01d07fd6bfd08638

Termination Time: 4294967295

Application Path: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\LiveComm.exe

Report Id: b36a844f-ebca-11e4-8266-c45444a059de

Faulting package full name: microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe

Faulting package-relative application ID: ppleae38af2e007f4358a809ac99a64a67c1

Error: (04/25/2015 06:51:27 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: WINWORD.EXE, version: 15.0.4709.1000, time stamp: 0x54fe8bbc
Faulting module name: wwlib.dll, version: 15.0.4711.1001, time stamp: 0x5510ee3f
Exception code: 0xc0000005
Fault offset: 0x00499e24
Faulting process id: 0x100c
Faulting application start time: 0xWINWORD.EXE0
Faulting application path: WINWORD.EXE1
Faulting module path: WINWORD.EXE2
Report Id: WINWORD.EXE3
Faulting package full name: WINWORD.EXE4
Faulting package-relative application ID: WINWORD.EXE5

Error: (04/25/2015 02:00:42 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider ProtectionManagement attempted to register query "select * from MSFT_MpEvent" whose target class "MSFT_MpEvent" in //./root/microsoft/protectionManagement namespace does not exist. The query will be ignored.

Error: (04/25/2015 02:00:42 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider  attempted to register query "select * from MSFT_MpEvent" whose target class "MSFT_MpEvent" in //./root/microsoft/protectionManagement namespace does not exist. The query will be ignored.

Error: (04/25/2015 08:55:58 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program LiveComm.exe version 17.5.9600.20689 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: d04

Start Time: 01d07ef68cbe78e1

Termination Time: 4294967295

Application Path: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\LiveComm.exe

Report Id: fb328c7d-eb02-11e4-8263-c45444a059de

Faulting package full name: microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe

Faulting package-relative application ID: ppleae38af2e007f4358a809ac99a64a67c1

Error: (04/25/2015 08:54:13 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: PERFECTPC)
Description: Activation of app microsoft.windowscommunicationsapps_8wekyb3d8bbwe!ppleae38af2e007f4358a809ac99a64a67c1 failed with error: -2147024865 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (04/24/2015 08:41:59 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program SystemSettings.exe version 6.3.9600.17031 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 11dc

Start Time: 01d07ef021a73a22

Termination Time: 4294967295

Application Path: C:\WINDOWS\ImmersiveControlPanel\SystemSettings.exe

Report Id: 78cb51a4-eae3-11e4-8263-c45444a059de

Faulting package full name: windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy

Faulting package-relative application ID: microsoft.windows.immersivecontrolpanel

System errors:
=============
Error: (04/26/2015 00:19:02 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Search service failed to start due to the following error:
%%1069

Error: (04/26/2015 00:19:02 PM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: The WSearch service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error:
%%50

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Error: (04/26/2015 00:18:32 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Print Spooler service terminated unexpectedly.  It has done this 3 time(s).

Error: (04/26/2015 00:18:32 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Microsoft Office ClickToRun Service service terminated unexpectedly.  It has done this 3 time(s).

Error: (04/26/2015 00:18:32 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (04/26/2015 11:52:15 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Modules Installer service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.

Error: (04/26/2015 11:52:15 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Print Spooler service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.

Error: (04/26/2015 11:52:15 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Microsoft Office ClickToRun Service service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.

Error: (04/26/2015 11:52:14 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Emsisoft Protection Service service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.

Error: (04/26/2015 11:49:40 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Modules Installer service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

Microsoft Office Sessions:
=========================
Error: (04/26/2015 08:22:31 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Notification.exe6.0.3012.053281d82KERNELBASE.dll6.3.9600.1741554505737e04343520000000000008b9cdd401d0801baa004c48C:\Program Files\Acer\Acer Recovery Management\Notification\Notification.exeC:\WINDOWS\system32\KERNELBASE.dlle8e78c5c-ec0e-11e4-8267-c45444a059de

Error: (04/26/2015 08:22:31 AM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: Notification.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.ComponentModel.Win32Exception
Stack:
   at System.Diagnostics.Process.GetProcessHandle(Int32, Boolean)
   at System.Diagnostics.Process.OpenProcessHandle(Int32)
   at System.Diagnostics.Process.get_Handle()
   at Notification.Form1.CheckAppContainer(System.Diagnostics.Process)
   at Notification.Form1.CheckResolution()
   at Notification.Form1..ctor()
   at Notification.Program.Main()

Error: (04/26/2015 03:42:51 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Wipe.exe2015.3.0.0551317d4KERNELBASE.dll6.3.9600.1741554505737e0434f4d0000000000008b9c68c01d07ff2ecfa2373C:\Program Files\Wipe\Wipe.exeC:\WINDOWS\system32\KERNELBASE.dlld6f7d2f7-ebe7-11e4-8266-c45444a059de

Error: (04/26/2015 00:14:17 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: LiveComm.exe17.5.9600.20689f6c01d07fd6bfd086384294967295C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\LiveComm.exeb36a844f-ebca-11e4-8266-c45444a059demicrosoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbweppleae38af2e007f4358a809ac99a64a67c1

Error: (04/25/2015 06:51:27 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: WINWORD.EXE15.0.4709.100054fe8bbcwwlib.dll15.0.4711.10015510ee3fc000000500499e24100c01d07fa1f651a63dC:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXEC:\Program Files\Microsoft Office 15\Root\Office15\wwlib.dll99a48d62-eb9d-11e4-8266-c45444a059de

Error: (04/25/2015 02:00:42 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: ProtectionManagementselect * from MSFT_MpEventMSFT_MpEvent//./root/microsoft/protectionManagement

Error: (04/25/2015 02:00:42 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: select * from MSFT_MpEventMSFT_MpEvent//./root/microsoft/protectionManagement

Error: (04/25/2015 08:55:58 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: LiveComm.exe17.5.9600.20689d0401d07ef68cbe78e14294967295C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\LiveComm.exefb328c7d-eb02-11e4-8263-c45444a059demicrosoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbweppleae38af2e007f4358a809ac99a64a67c1

Error: (04/25/2015 08:54:13 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: PERFECTPC)
Description: microsoft.windowscommunicationsapps_8wekyb3d8bbwe!ppleae38af2e007f4358a809ac99a64a67c1-2147024865

Error: (04/24/2015 08:41:59 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: SystemSettings.exe6.3.9600.1703111dc01d07ef021a73a224294967295C:\WINDOWS\ImmersiveControlPanel\SystemSettings.exe78cb51a4-eae3-11e4-8263-c45444a059dewindows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewymicrosoft.windows.immersivecontrolpanel

CodeIntegrity Errors:
===================================
  Date: 2015-04-25 19:34:59.236
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements.

  Date: 2015-04-25 19:34:58.798
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements.

  Date: 2015-04-25 19:34:58.001
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements.

  Date: 2015-04-25 19:34:57.564
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements.

  Date: 2015-04-25 19:34:56.548
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements.

  Date: 2015-04-25 19:34:55.751
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements.

  Date: 2015-04-25 19:34:54.751
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements.

  Date: 2015-04-25 19:34:54.283
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements.

  Date: 2015-04-25 19:34:53.564
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements.

  Date: 2015-04-25 19:34:53.111
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Store signing level requirements.

==================== Memory info ===========================

Processor: AMD A4-6210 APU with AMD Radeon R3 Graphics
Percentage of memory in use: 39%
Total physical RAM: 3543.23 MB
Available physical RAM: 2142.1 MB
Total Pagefile: 4887.23 MB
Available Pagefile: 2643.73 MB
Total Virtual: 131072 MB
Available Virtual: 131071.77 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:447.76 GB) (Free:409.45 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: B3525D64)

Partition: GPT Partition Type.

==================== End Of Log ============================



#4 Momadice

Posted 26 April 2015 - 09:11 PM

Emsisoft can't get rid of these:
 
ID   Object
0    Value: HKEY_USERS\S-1-5-21-3697784714-1533898605-4234074958-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
1    Value: HKEY_USERS\S-1-5-21-3697784714-1533898605-4234074958-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
 
They get detected, quarantined, then I delete them using the delete option.  Then they come back.
 
Just before creating this thread, I was still following the instructions of my last helper and was running a scan with 9-lab and here is what it came up with. I haven't used the program before and do not know if the found items are just a report or if they were deleted and then I got the report. I realize you don't want anything done that affects the logs for your analysis.
 

[BCA7C7F35103894AC6D403C0917DF0F3] Rogue.Win32.FakePAV.cc!s3 [C:\Users\Cindy\Desktop\adwcleaner_4.202.exe]
[BCA7C7F35103894AC6D403C0917DF0F3] Rogue.Win32.FakePAV.cc!s3 [C:\Users\Cindy\Documents\Programs\adwcleaner_4.202.exe]

 
Prior to this thread I was working with someone from Emsisoft, as I use their program, and they were always making a change for any item "Search Scopes" from FARBAR.  I have noticed they are back.
 
Four weeks & four drive wipes and fresh installs. A little history. I am in college and have been under the gun for assignments and exams. 90% of my school work needs the internet as I am a law clerk student and need to read a lot of case law and do a lot of research. Over the past four weeks I have done a factory reinstall of my laptop. In fact the school technician did one for me, as I was unable to get into my college Blackboard etc., and I started falling severely behind in school. The school granted me an extension on every class as they saw my problems were real, and the school technician even did a follow up, as things were starting to act up again. I had to resort to borrowing computers, going to other people's homes to use their wifi and much more. I have one assignment left to hand in, and I will be using someone else's computer and internet today to accomplish this.
 
What would be awesome is to find a way to wipe this hard drive and have Windows 8.1 installed without the hundred or so preinstalled apps and programs that come with doing a factory reinstall, have internet access, Microsoft Office, solitaire and SimCity. The problems I am having have nearly cost me my whole term. I have been using Task Manager, as a clean wipe of the drive doesn't do anything, and one by one picking out the sources running in the background and searching online what they are. That's how I found the two worms. There is an extreme amount of virtual and remote type descriptions in Windows Task Manager, but I have no clue what's supposed to be there or not. Also "OneDrive" is on my pc and I do not use that. I suspect it is being used, not by me. Before my last complete drive wipe, during a diagnostics break, I discovered 15 private networks and 4 of my wifi named networks, and then they magically disappeared. That is what triggered the Task Manager one process at a time investigation.

I SHOULD MENTION THAT THIS PC GETS STUCK IN AN ETERNAL LOOP OF NOT INSTALLING UPDATES. I GET THE SAME MSG OVER AND OVER: WE COULDN'T COMPLETE THE UPDATES, UNDOING CHANGES, DON'T TURN OFF YOUR COMPUTER. IT DID THIS THREE TIMES IN A ROW

THERE ARE MANY REFERENCES THAT SEEM TO TELL ME I'M A VIRTUAL MACHINE OR THE PHYSICAL MACHINE. NOT SURE WHICH ONE I AM.

Edited by Momadice, 27 April 2015 - 06:30 PM.


#5 Momadice

Posted 30 April 2015 - 10:57 PM

Ok: Although I'm sure there is more than one, while using Process Explorer I found another suspicious file by selecting it and using the VirusTotal option. This is what it had to say...
Ikarus win32.suspectEd
McAfee Artemis!a006ecf8e773
Rising pe:trojan.agent!.667C
Trend Micro suspicious gen f47vo310

#6 Momadice

Posted 01 May 2015 - 12:39 AM

VirusTotal has confirmed four different warnings on a file.

#7 HelpBot

Posted 01 May 2015 - 05:40 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/574485 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#8 Momadice

Posted 02 May 2015 - 01:12 PM

I am still having a lot of problems. I had just finished typing when my PC crashed. I had to restart it and I'll see if it works again. It's installing updates, however it usually says it can't install them and does a reversal. I'll see if it works this time. I did manage to get some updates installed.

I still have the same problems as above. I did go out and buy Bitdefender this morning. I have a user on my PC that I can't find when I go into the Control Panel. It's there as "Other" when I turn on my PC, but nowhere after that. I even made my own user called "user", and it shows up no problem on the PC when I start it and in Control Panel. The mystery one I cannot find.

I'll download Farbar now and run it as soon as my PC is done rejecting the updates.

#9 Momadice

Posted 02 May 2015 - 01:14 PM

I had typed a lot more on my PC, but it crashed and now I have to use my tablet and it's a little frustrating to type on.
I'll go find my Bluetooth keyboard for this and type the rest.

#10 Momadice

Posted 02 May 2015 - 01:47 PM

I still have all the same problems listed earlier except I have found a mystery user account that only shows up on the initial logon page. I can't find it in Control Panel, the guest account is turned off, and I created another user with the same name "OTHER" and it shows up in Control Panel, and now on the initial logon screen I have two OTHERS. AND!!!!!!! Now when I am at the login screen it automatically brings me to one of the OTHERS (the one I have made) and gets stuck as it doesn't know the password. But I did not select it from the initial logon screen. It sits there for a while and then it disappears and my initial logon screen doesn't even show it anymore. So it only shows the user accounts that I created. It's like someone is logging on before I do, then disappears and I only have my normal accounts.

#11 Momadice

Posted 02 May 2015 - 01:52 PM

I should also mention that my Live account was hacked on the 9th of April. I never use it and only have it because it's a Win 8.1 PC. I decided I would go and change all my passwords on everything, and that is how I discovered it. I have since put extra security measures in place like authentication codes that go to my phone. The IP address is thousands of miles away from me. The log is still on Live.

I have not used this PC (that I bought in December 2014) for anything other than school. I have no documents, or pictures etc. to lose. I have done so many factory reinstalls (5 in the last four weeks) and haven't gotten it stable enough to even bother installing the normal programs I enjoy using.

#12 Momadice

Momadice
  • Topic Starter

  • Members
  • 156 posts
  •  
  • Gender:Not Telling
  • Location:Ontario, Canada
  • Local time:04:21 AM

Posted 02 May 2015 - 01:57 PM

Bitdefender has started to become unresponsive, and I have to use Ctrl+Alt+Delete and restart. Task Manager can't even stop the process.

What is amusing is that the Other user tries to log on and the password is incorrect. I didn't select it to begin with, nor did I put in a user password, and it is hooked up through my Live account, and I set mine up without an account anywhere!! Putting a second user on my PC with the same name has really caused a problem for whoever is trying to log in. Normally the user account pops up, you put your password in, and then you are allowed access to the desktop. In this case, like I said, it pops up to the same-named account with a Live login, and the password has been entered incorrectly and it wants the password entered again. I just ignore it and go back to the user account I want to use and proceed from there. Like I said, I created my own user with the same name and it has really buggered things up for whoever is trying to log on.

Edited by Momadice, 02 May 2015 - 02:06 PM.

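The symptom in the posts above (an account tile that appears at the logon screen but not in Control Panel, and an automatic sign-in attempt to a same-named account with a wrong password) is something a responder would verify from the account database, the Winlogon auto-logon settings and the Security event log rather than from the logon screen itself. The script below is an added example for that triage; it is not code from the poster, from BleepingComputer or from any of the tools in the thread. It assumes an elevated PowerShell prompt on Windows 8.1 (PowerShell 4), the default Security log, and takes the account name "OTHER" from the posts as the one to look at; the seven-day window and the `$Suspect` variable are choices made here, not anything the thread specifies.

```powershell
# Added example (not from the thread): triage an unexpected account at the Windows logon screen.
# Run from an elevated PowerShell prompt; reading the Security log requires administrator rights.
# Assumptions: Windows 8.1 / PowerShell 4, default Security log, account name taken from the posts.

$Suspect = 'OTHER'   # name from the thread; substitute the account you are investigating

# 1. Enumerate local accounts with SID and enabled state.
#    Compare this list against the tiles on the logon screen. A name you never created,
#    or a RID (last SID component) out of sequence with the accounts you did create,
#    deserves a closer look. Win32_UserAccount is available on 8.1; Get-LocalUser is not.
$accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, SID, Disabled, Lockout, PasswordRequired
$accounts | Format-Table -AutoSize

# 2. Check whether Winlogon is configured to sign in automatically.
#    AutoAdminLogon=1 plus a DefaultUserName is the ordinary explanation for
#    "it brings me to one of the accounts without my selecting it".
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
[pscustomobject]@{
    AutoAdminLogon  = $winlogon.AutoAdminLogon
    DefaultUserName = $winlogon.DefaultUserName
    DefaultDomain   = $winlogon.DefaultDomainName
    ForceAutoLogon  = $winlogon.ForceAutoLogon
} | Format-List

# 3. Pull the last 7 days of logon attempts from the Security log.
#    4624 = successful logon, 4625 = failed logon. The fields are read by name from the
#    event XML so the script does not depend on their position in the message.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time         = $e.TimeCreated
        Id           = $e.Id
        User         = $d['TargetUserName']
        LogonType    = $d['LogonType']
        LogonProcess = $d['LogonProcessName']
        Source       = $d['IpAddress']
    }
}

# Keep only interactive-style logons: 2 = console, 7 = unlock, 10 = remote desktop,
# 11 = console with cached credentials. Service and network logons are dropped as noise.
$interactive = $logons | Where-Object { $_.LogonType -in '2', '7', '10', '11' }
$interactive | Sort-Object Time | Format-Table -AutoSize

# Attempts against the suspect account only. A 4625 for it at a time nobody was at the
# keyboard is what an automatic sign-in with a stored, now-wrong password looks like.
$interactive | Where-Object { $_.User -eq $Suspect } | Sort-Object Time | Format-Table -AutoSize
```

Read the three outputs together: if `AutoAdminLogon` is `1` and `DefaultUserName` names the account in question, the repeated password prompt is the stored credential being rejected and the fix is in Winlogon, not in the account list. If auto-logon is off and the only 4624/4625 entries for that account come from `LogonProcess` `User32` while someone was at the machine, the tile was a real interactive attempt. Logon type 10 with a non-local `Source` address would be a remote desktop attempt and belongs with the rest of the thread's evidence rather than being dismissed as a duplicate account.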

#13 Momadice

Momadice
  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Ontario, Canada
  • Local time:04:21 AM

Posted 02 May 2015 - 02:21 PM

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02-05-2015
Ran by Cindy at 2015-05-02 15:15:52
Running from C:\Users\Cindy\Downloads
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3697784714-1533898605-4234074958-500 - Administrator - Disabled) => C:\Users\Administrator
Cindy (S-1-5-21-3697784714-1533898605-4234074958-1001 - Administrator - Enabled) => C:\Users\Cindy
Cindy_2 (S-1-5-21-3697784714-1533898605-4234074958-1004 - Limited - Enabled) => C:\Users\Cindy_2
Guest (S-1-5-21-3697784714-1533898605-4234074958-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3697784714-1533898605-4234074958-1003 - Limited - Enabled)
OTHER (S-1-5-21-3697784714-1533898605-4234074958-1005 - Limited - Enabled) => C:\Users\OTHER

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Emsisoft Anti-Malware (Enabled - Up to date) {8504DEEF-CC04-1F76-2137-F1A5F4A659DA}
AV: Bitdefender Antivirus (Enabled - Up to date) {9A0813D8-CED6-F86B-072E-28D2AF25A83D}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Bitdefender Antispyware (Enabled - Up to date) {2169F23C-E8EC-F7E5-3D9E-13A0D4A2E280}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Emsisoft Anti-Malware (Enabled - Up to date) {3E653F0B-EA3E-10F8-1B87-CAD78F211367}
FW: Bitdefender Firewall (Enabled) {A23392FD-84B9-F933-2C71-81E751F6EF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 17 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 17.0.0.169 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.04)  MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AB0000000001}) (Version: 11.0.04 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{E433737F-59A9-ADC0-A2B5-7714003EFC50}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
Bitdefender Total Security 2015 (HKLM\...\Bitdefender) (Version: 18.17.0.1227 - Bitdefender)
Emsisoft Anti-Malware (HKLM-x32\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 9.0 - Emsisoft Ltd.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 42.0.2311.135 - Google Inc.)
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
Identity Card (HKLM-x32\...\{3D9CB654-99AD-4301-89C6-0D12A790767C}) (Version: 2.00.8101 - Acer Incorporated)
Live Updater (HKLM-x32\...\{EE26E302-876A-48D9-9058-3129E5B99999}) (Version: 2.00.8100 - Acer Incorporated)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Mozilla Firefox 37.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 37.0.2 (x86 en-US)) (Version: 37.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 37.0.2 - Mozilla)
OEM Application Profile (HKLM-x32\...\{276FD4A2-030F-8A24-7DFE-9B1384131BCD}) (Version: 1.00.0000 - Advanced Micro Devices, Inc.)
PSP Application (Version: 1.00.0000 - Advanced Micro Devices, Inc.) Hidden
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.1.318 - Qualcomm Atheros Communications)
Qualcomm Atheros WLAN and Bluetooth Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 12.29 - Qualcomm Atheros)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.24.1218.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7218 - Realtek Semiconductor Corp.)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

30-04-2015 19:09:42 im.aksejdcf;l

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 09:25 - 2013-08-22 09:25 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {17135AE4-58E7-4807-8A5E-06A0F6AAA531} - System32\Tasks\ALU => C:\Program Files (x86)\Acer\Live Updater\updater.exe [2013-07-08] ()
Task: {260D955D-FFCF-4EEC-839B-C3C1712A90EC} - System32\Tasks\Process Explorer-PERFECTOAST-Cindy => C:\USERS\CINDY\DOCUMENTS\PROGRAMS\PROCESSEXPLORER\PROCEXP.EXE [2015-04-28] (Sysinternals - www.sysinternals.com)
Task: {2C001B7A-ABD3-4B0A-86E6-B6E4ECA9FC43} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-05-01] (Google Inc.)
Task: {8DE3397F-D133-4B59-9C18-A594755723AB} - System32\Tasks\ALUAgent => C:\Program Files (x86)\Acer\Live Updater\liveupdater_agent.exe [2013-01-22] ()
Task: {8EEBE90C-437A-475D-9118-BD1124CF5292} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-05-01] (Google Inc.)
Task: {E3B7B649-2947-4C2A-AD66-2F844ABBDBAA} - \Optimize Start Menu Cache Files-S-1-5-21-3697784714-1533898605-4234074958-500 No Task File <==== ATTENTION
Task: {EA0E48A4-DADE-45CB-8A5B-3318FFA324BF} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-05-02] (Adobe Systems Incorporated)
Task: {F7FA578E-2AD5-4E5E-852A-69636672617B} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2015-04-01] (Microsoft Corporation)
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) ==============

2015-05-01 20:29 - 2014-08-27 16:31 - 00265080 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\txmlutil.dll
2015-05-01 20:29 - 2013-09-03 14:29 - 00101328 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\bdmetrics.dll
2015-05-01 20:29 - 2014-10-02 15:19 - 00003072 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\UI\accessl.ui
2015-05-01 20:29 - 2012-10-29 14:22 - 00152816 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\bdfwcore.dll
2015-05-01 20:43 - 2015-05-01 20:43 - 00789856 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\otengines_00250_002\ashttpbr.mdl
2015-05-01 20:43 - 2015-05-01 20:43 - 00710016 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\otengines_00250_002\ashttpdsp.mdl
2015-05-01 20:43 - 2015-05-01 20:43 - 02683008 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\otengines_00250_002\ashttpph.mdl
2015-05-01 20:43 - 2015-05-01 20:43 - 01325480 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\otengines_00250_002\ashttprbl.mdl
2015-05-01 20:43 - 2015-05-01 20:43 - 03109440 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\otengines_00250_002\ashttpf.mdl
2014-02-26 01:14 - 2014-02-26 01:14 - 00011264 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\Modules\ActivateDesktopDebugger\ActivateDesktopDebugger.dll
2014-02-26 01:11 - 2014-02-26 01:11 - 00086016 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\Modules\Map\MAP.dll
2014-02-26 01:17 - 2014-02-26 01:17 - 00012928 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Users\Cindy\OneDrive:ms-properties
AlternateDataStreams: C:\Users\Cindy\Downloads\FRST64.exe:BDU

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, the associated entry will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\...\bleepingcomputer.com -> hxxps://www.bleepingcomputer.com
IE trusted site: HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\...\cogeco.ca -> hxxps://www.cogeco.ca
IE trusted site: HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\...\gmail.com -> hxxps://www.gmail.com
IE trusted site: HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\...\jw.org -> hxxps://www.jw.org
IE trusted site: HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\...\metaldesignz.com -> hxxps://www.metaldesignz.com
IE trusted site: HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\...\niagaracollege.ca -> hxxps://www.niagaracollege.ca
IE trusted site: HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\...\theringlord.com -> hxxps://www.theringlord.com


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3697784714-1533898605-4234074958-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 24.226.10.193 - 24.226.10.194

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

FirewallRules: [vm-monitoring-nb-session] => (Block) LPort=139
FirewallRules: [{0C2EBA54-B7B7-493C-A0D2-35F896983A8F}] => (Block) C:\Program Files (x86)\CyberLink\PowerDirector10\PDR10.EXE
FirewallRules: [{89D4E894-12DB-4C0E-9C5D-E8CC5DC697E2}] => (Block) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12.exe
FirewallRules: [{7F1AE9DD-C70F-451F-9E79-B5BDDAACC48A}] => (Block) C:\Program Files (x86)\Acer\Acer Media\DMCDaemon.exe
FirewallRules: [{6ADA4DC8-3682-4454-870A-3BD6D101783B}] => (Block) C:\Program Files (x86)\Acer\Acer Media\DMCDaemon.exe
FirewallRules: [{876D3AF8-AA79-419E-9316-73148903214B}] => (Block) C:\Program Files (x86)\Acer\Acer Media\WindowsUpnpMV.exe
FirewallRules: [{65FA43DF-2661-433E-8F77-4F8691CDE75E}] => (Block) C:\Program Files (x86)\Acer\Acer Media\WindowsUpnpMV.exe
FirewallRules: [{AFFA9710-9A37-40D6-A851-07CB91270FB6}] => (Block) C:\Program Files (x86)\Acer\Acer Media\DMCDaemon.exe
FirewallRules: [{EBA5FBD7-284F-4FAC-98A2-9DE4CF82DD33}] => (Block) C:\Program Files (x86)\Acer\Acer Media\DMCDaemon.exe
FirewallRules: [{444314CB-5A64-4E11-9323-D28A60C498C0}] => (Block) C:\Program Files (x86)\Acer\Acer Media\WindowsUpnpMV.exe
FirewallRules: [{55E48AF4-B2E7-45BC-BAA9-9A61A5455602}] => (Block) C:\Program Files (x86)\Acer\Acer Media\WindowsUpnpMV.exe
FirewallRules: [{3C92E2CC-D909-4258-BC7A-24516EF75F61}] => (Block) C:\Program Files (x86)\Acer\Acer Photo\DMCDaemon.exe
FirewallRules: [{16F91CB4-326C-4866-BE12-43BDF521802D}] => (Block) C:\Program Files (x86)\Acer\Acer Photo\DMCDaemon.exe
FirewallRules: [{3C17C475-552C-4FFC-8CBE-DD32624A3898}] => (Block) C:\Program Files (x86)\Acer\Acer Photo\WindowsUpnp.exe
FirewallRules: [{AB311EFA-646B-49EA-926F-DFCF972E41FC}] => (Block) C:\Program Files (x86)\Acer\Acer Photo\WindowsUpnp.exe
FirewallRules: [{228F3533-4F8D-4FF3-B536-47DBD3775593}] => (Block) C:\Program Files (x86)\Acer\Acer Photo\DMCDaemon.exe
FirewallRules: [{12EE8CEC-8223-4E0F-BB0A-7EFAE0D89ACF}] => (Block) C:\Program Files (x86)\Acer\Acer Photo\DMCDaemon.exe
FirewallRules: [{23DB3885-0067-47AA-955C-E837EBA9A283}] => (Block) C:\Program Files (x86)\Acer\Acer Photo\WindowsUpnp.exe
FirewallRules: [{1F6766F2-9366-41BA-BA9A-E5054C7E46F9}] => (Block) C:\Program Files (x86)\Acer\Acer Photo\WindowsUpnp.exe
FirewallRules: [{F1E30D73-1296-468A-89A1-32D65C6AE08A}] => (Block) C:\Program Files (x86)\Acer\Acer Portal\ccd.exe
FirewallRules: [{B6E79074-63D4-4249-8563-3BE965EFD592}] => (Block) C:\Program Files (x86)\Acer\Acer Portal\ccd.exe
FirewallRules: [{0ACB25A9-D52A-4144-A7B5-66A9A40E0FF4}] => (Block) C:\Program Files (x86)\Acer\Acer Portal\Sdd.exe
FirewallRules: [{A780481A-09D9-439B-ADE3-177CB3744ACE}] => (Block) C:\Program Files (x86)\Acer\Acer Portal\Sdd.exe
FirewallRules: [{754950D1-665F-4A9C-8EE9-6E5B1EF86A3F}] => (Block) C:\Program Files (x86)\Acer\Acer Portal\virtualdrive.exe
FirewallRules: [{40110806-1B39-42EC-9534-D28AACE50CEC}] => (Block) C:\Program Files (x86)\Acer\Acer Portal\virtualdrive.exe
FirewallRules: [{10FCF23F-43AE-4E6C-8F83-93464D349595}] => (Block) C:\Program Files (x86)\Acer\Acer Portal\ccd.exe
FirewallRules: [{51694ECF-057A-4346-955E-C78E1657624A}] => (Block) C:\Program Files (x86)\Acer\Acer Portal\ccd.exe
FirewallRules: [{5C92A1C7-B6E3-42C4-B579-9BD4382F2412}] => (Allow) C:\Program Files (x86)\Acer\Acer Media\WindowsUpnpMV.exe
FirewallRules: [{E064F4D2-D371-44E9-AFCF-EC33B0CC0D16}] => (Block) C:\Program Files (x86)\Acer\Acer Media\WindowsUpnpMV.exe
FirewallRules: [{69D86D44-8BA2-4D21-81C5-B140E784D9F4}] => (Allow) C:\Program Files (x86)\Acer\Acer Media\WindowsUpnpMV.exe
FirewallRules: [{77704B7B-97FC-4375-8AD9-9D9FD4B429BB}] => (Block) C:\Program Files (x86)\Acer\Acer Media\WindowsUpnpMV.exe
FirewallRules: [{7993A036-8405-49BB-ADED-B947EBB02685}] => (Block) C:\Program Files (x86)\Acer\Acer Media\WindowsUpnpMV.exe
FirewallRules: [{999E83ED-79FF-4473-9AEF-EA9BB47F7B73}] => (Allow) C:\Program Files\Internet Explorer\iexplore.exe
FirewallRules: [{55DC8073-5EFA-44B3-AEC5-570BC7041B97}] => (Allow) C:\Program Files\Internet Explorer\iexplore.exe
FirewallRules: [{158CBF9A-67A2-42CD-93F5-D68244C7FA1B}] => (Allow) C:\Program Files\Internet Explorer\iexplore.exe
FirewallRules: [{E1A9AD29-6492-4FD7-82A4-8A30A4FC1272}] => (Allow) C:\Program Files\Internet Explorer\iexplore.exe
FirewallRules: [{2290CC35-13A6-4DBD-98BA-4AECC2CAD13F}] => (Allow) C:\WINDOWS\System32\Control.exe
FirewallRules: [{98EE038F-4161-4A73-92C1-6F5CD0C3ADE1}] => (Allow) C:\WINDOWS\System32\Control.exe
FirewallRules: [{C5FC9906-DC9C-4504-9C43-653DE77E1D2B}] => (Allow) C:\WINDOWS\System32\Control.exe
FirewallRules: [{21A09B90-301E-4F01-AB1C-B521570C2373}] => (Allow) C:\WINDOWS\System32\Control.exe
FirewallRules: [{D3298230-CA4F-4185-9932-36C94E435F72}] => (Allow) C:\Program Files\Windows Defender\MSASCui.exe
FirewallRules: [{00C88B7F-0E9E-48BD-BCE5-13CEF48A0087}] => (Allow) C:\Program Files\Windows Defender\MSASCui.exe
FirewallRules: [{CFE0930F-AFED-458B-8FCF-FD14D3FB213C}] => (Allow) C:\Program Files\Windows Defender\MSASCui.exe
FirewallRules: [{134C2D72-062A-4025-8DE8-8AB84B1FC562}] => (Allow) C:\Program Files\Windows Defender\MSASCui.exe
FirewallRules: [{349809DD-7A97-4EFE-94D4-1C1B71AA8341}] => (Allow) C:\Users\Cindy\Desktop\autoruns.exe
FirewallRules: [{D6B1849F-EFF5-4B32-9FB7-102BE1AC4642}] => (Allow) C:\Users\Cindy\Desktop\autoruns.exe
FirewallRules: [{0551A0C8-1937-47EA-A549-FA12A66C986B}] => (Allow) C:\Users\Cindy\Desktop\autoruns.exe
FirewallRules: [{34280B21-89FB-4807-9436-EFF77D95E197}] => (Allow) C:\Users\Cindy\Desktop\autoruns.exe
FirewallRules: [{95790CA1-DBBE-4814-8FA3-18E0107E0A65}] => (Allow) C:\Users\Cindy\Documents\Programs\ProcessExplorer\procexp.exe
FirewallRules: [{EEAA8C66-47B7-4B00-9E42-CA9E6ACF0076}] => (Allow) C:\Users\Cindy\Documents\Programs\ProcessExplorer\procexp.exe
FirewallRules: [{5357251A-6262-40FC-8C78-193217B5A3C8}] => (Allow) C:\Users\Cindy\Documents\Programs\ProcessExplorer\procexp.exe
FirewallRules: [{ED25FA14-5827-4ABA-B515-9EDA1E153AF7}] => (Allow) C:\Users\Cindy\Documents\Programs\ProcessExplorer\procexp.exe
FirewallRules: [{4E3DDDE0-5BF5-45F4-8C5A-420B6720C731}] => (Allow) C:\Program Files (x86)\Emsisoft Anti-Malware\a2start.exe
FirewallRules: [{21C44F45-19F7-490F-A300-DF5DBC4AED2F}] => (Allow) C:\Program Files (x86)\Emsisoft Anti-Malware\a2start.exe
FirewallRules: [{6C9DA502-A508-4A26-BAB2-0306674FAFD5}] => (Allow) C:\Program Files (x86)\Emsisoft Anti-Malware\a2start.exe
FirewallRules: [{44313BC1-8B94-4C7D-9283-EEB768AB5EC8}] => (Allow) C:\Program Files (x86)\Emsisoft Anti-Malware\a2start.exe
FirewallRules: [{14E0091E-BB0B-4A5D-A703-C3B1DB0EFA45}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{E55238FB-D376-4C4E-B670-41A163C453CB}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{ACEE063D-C84D-4A1C-9E07-9506A7CD8301}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{2A7FE0FE-F42D-4F28-8045-777C1D628D60}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{89410180-8684-4879-8159-54C681FF758F}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{2889A53D-BB54-4698-85D9-EFDA3D88828D}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{C67C691F-37B1-4CA2-B352-1F9B18504FDA}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{525734EB-C3A5-4D51-8351-DC2928F20D83}] => (Allow) C:\Program Files (x86)\Acer\Acer Media\WindowsUpnpMV.exe
FirewallRules: [{CF36B71D-581C-40A5-B962-74F706CE298E}] => (Allow) C:\Program Files (x86)\Acer\Acer Media\WindowsUpnpMV.exe

==================== Faulty Device Manager Devices =============

Name: HD WebCam
Description: USB Video Device
Class Guid: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Manufacturer: Microsoft
Service: usbvideo
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (05/02/2015 00:18:50 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider ProtectionManagement attempted to register query "select * from MSFT_MpEvent" whose target class "MSFT_MpEvent" in //./root/microsoft/protectionManagement namespace does not exist. The query will be ignored.

Error: (05/02/2015 00:18:50 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider  attempted to register query "select * from MSFT_MpEvent" whose target class "MSFT_MpEvent" in //./root/microsoft/protectionManagement namespace does not exist. The query will be ignored.

Error: (05/02/2015 10:56:54 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: PERFECTOAST)
Description: Package windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy+microsoft.windows.immersivecontrolpanel was terminated because it took too long to suspend.

Error: (05/01/2015 09:23:07 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17031 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: e78

Start Time: 01d08476802bd1a7

Termination Time: 0

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id: c8d8459e-f069-11e4-8265-c45444a059de

Faulting package full name:

Faulting package-relative application ID:

Error: (05/01/2015 07:16:35 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: PERFECTOAST)
Description: Activation of app AcerIncorporated.AcerExplorer_48frkmn4z8aw4!AcerExplorer failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (05/01/2015 07:10:47 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: PERFECTOAST)
Description: Activation of app winstore_cw5n1h2txyewy!Windows.Store failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (05/01/2015 01:38:18 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program mmc.exe version 6.3.9600.16384 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 12f4

Start Time: 01d0843277e9dd8d

Termination Time: 4294967295

Application Path: C:\WINDOWS\system32\mmc.exe

Report Id: d94689d4-f028-11e4-8263-c45444a059de

Faulting package full name:

Faulting package-relative application ID:

Error: (05/01/2015 01:37:58 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program procexp64.exe version 16.5.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 10d4

Start Time: 01d0841762edec64

Termination Time: 4294967295

Application Path: C:\Users\Cindy\AppData\Local\Temp\procexp64.exe

Report Id: ca0ec385-f028-11e4-8263-c45444a059de

Faulting package full name:

Faulting package-relative application ID:

Error: (05/01/2015 09:01:11 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: autoruns.exe, version: 13.0.0.0, time stamp: 0x54c5c706
Faulting module name: autoruns.exe, version: 13.0.0.0, time stamp: 0x54c5c706
Exception code: 0xc0000005
Fault offset: 0x0000c2bb
Faulting process id: 0x50c
Faulting application start time: 0xautoruns.exe0
Faulting application path: autoruns.exe1
Faulting module path: autoruns.exe2
Report Id: autoruns.exe3
Faulting package full name: autoruns.exe4
Faulting package-relative application ID: autoruns.exe5

Error: (04/30/2015 11:28:34 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17031 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 13a0

Start Time: 01d083bec95b09df

Termination Time: 4294967295

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id: 180444c2-efb2-11e4-8262-c45444a059de

Faulting package full name:

Faulting package-relative application ID:


System errors:
=============
Error: (05/02/2015 02:42:01 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {752073A1-23F2-4396-85F0-8FDB879ED0ED}

Error: (05/02/2015 02:39:06 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Bitdefender Virus Shield service hung on starting.

Error: (05/02/2015 01:53:49 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80246013: Update for Windows 8.1 for x64-based Systems (KB3022796).

Error: (05/02/2015 01:53:49 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80246013: Security Update for Windows 8.1 for x64-based Systems (KB2976897).

Error: (05/02/2015 01:53:49 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80246013: Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2 for x64-based Systems (KB2979573).

Error: (05/02/2015 01:53:49 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80246013: Security Update for Windows 8.1 for x64-based Systems (KB3032323).

Error: (05/02/2015 01:53:49 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80246013: Security Update for Windows 8.1 for x64-based Systems (KB2978668).

Error: (05/02/2015 01:53:45 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80246013: Security Update for Windows 8.1 for x64-based Systems (KB2957189).

Error: (05/02/2015 01:53:45 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80246013: Security Update for Windows 8.1 for x64-based Systems (KB2993651).

Error: (05/02/2015 01:53:45 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80246013: Security Update for Microsoft .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2 for x64-based Systems (KB2966826).


Microsoft Office Sessions:
=========================
Error: (05/02/2015 00:18:50 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: ProtectionManagementselect * from MSFT_MpEventMSFT_MpEvent//./root/microsoft/protectionManagement

Error: (05/02/2015 00:18:50 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: select * from MSFT_MpEventMSFT_MpEvent//./root/microsoft/protectionManagement

Error: (05/02/2015 10:56:54 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: PERFECTOAST)
Description: windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy+microsoft.windows.immersivecontrolpanel

Error: (05/01/2015 09:23:07 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: IEXPLORE.EXE11.0.9600.17031e7801d08476802bd1a70C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEc8d8459e-f069-11e4-8265-c45444a059de

Error: (05/01/2015 07:16:35 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: PERFECTOAST)
Description: AcerIncorporated.AcerExplorer_48frkmn4z8aw4!AcerExplorer-2144927141

Error: (05/01/2015 07:10:47 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: PERFECTOAST)
Description: winstore_cw5n1h2txyewy!Windows.Store-2144927142

Error: (05/01/2015 01:38:18 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: mmc.exe6.3.9600.1638412f401d0843277e9dd8d4294967295C:\WINDOWS\system32\mmc.exed94689d4-f028-11e4-8263-c45444a059de

Error: (05/01/2015 01:37:58 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: procexp64.exe16.5.0.010d401d0841762edec644294967295C:\Users\Cindy\AppData\Local\Temp\procexp64.execa0ec385-f028-11e4-8263-c45444a059de

Error: (05/01/2015 09:01:11 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: autoruns.exe13.0.0.054c5c706autoruns.exe13.0.0.054c5c706c00000050000c2bb50c01d0840ee4621e83C:\Users\Cindy\Desktop\autoruns.exeC:\Users\Cindy\Desktop\autoruns.exe23b25da0-f002-11e4-8263-c45444a059de

Error: (04/30/2015 11:28:34 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: IEXPLORE.EXE11.0.9600.1703113a001d083bec95b09df4294967295C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE180444c2-efb2-11e4-8262-c45444a059de


CodeIntegrity Errors:
===================================
  Date: 2015-05-01 04:43:59.798
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Store signing level requirements.

  Date: 2015-05-01 04:43:59.345
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Store signing level requirements.

  Date: 2015-05-01 04:43:57.470
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Store signing level requirements.

  Date: 2015-05-01 04:43:56.376
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Store signing level requirements.

  Date: 2015-05-01 04:43:54.564
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Store signing level requirements.

  Date: 2015-05-01 04:43:54.126
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Store signing level requirements.

  Date: 2015-05-01 04:43:53.095
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Store signing level requirements.

  Date: 2015-05-01 04:43:52.689
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Store signing level requirements.

  Date: 2015-05-01 04:43:51.486
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Store signing level requirements.

  Date: 2015-05-01 04:43:50.705
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Store signing level requirements.


==================== Memory info ===========================

Processor: AMD A4-6210 APU with AMD Radeon R3 Graphics
Percentage of memory in use: 48%
Total physical RAM: 3543.23 MB
Available physical RAM: 1822.93 MB
Total Pagefile: 7127.23 MB
Available Pagefile: 4783.65 MB
Total Virtual: 131072 MB
Available Virtual: 131071.81 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:447.76 GB) (Free:400.3 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: B3525D64)

Partition: GPT Partition Type.

==================== End Of Log ============================



#14 Momadice
  • Topic Starter
  • Members
  • 156 posts
  • Location:Ontario, Canada

Posted 02 May 2015 - 02:47 PM

I am having difficulty posting the reports. My PC keeps hanging.



#15 Momadice
  • Topic Starter
  • Members
  • 156 posts
  • Location:Ontario, Canada

Posted 02 May 2015 - 02:51 PM

There is an app that comes pre-installed on this computer that Emsisoft has been flagging as a behavior Trojan downloader.

Now it is being flagged, I quarantine it and, after looking at the path, there are two for the same program, but different users, both of which are not users I have made. One is the infamous OTHER and the other one is Cindy_2, who I also have never made!! Every browser is getting flagged with a quarantining recommendation (Chrome, Firefox and IE) with a warning that it is trying to simulate mouse and keyboard activity, and Bitdefender is constantly crashing.

Interestingly enough, I decided to pause Emsisoft, pulled up Bitdefender and ran a vulnerability scan.

It found 13 critical Windows updates,

Adobe Acrobat Reader 11, and

(a key symbol) with Cindy_2 (change password at login). Who the hell is this? I can't change a password for someone I can't find.

(a key symbol) with OTHER (change password at login). Who the hell is this? I can't change a password for someone I can't find.

Of course, when I attempt to view the details in Bitdefender, it says the password is weak, but I am required to have the original password, which I do not have.

Both Cindy_2 and OTHER are not my creations, and they are a clue that I am on to some naughty behavior.


Edited by Momadice, 02 May 2015 - 03:00 PM.
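The post above asks where the account names Cindy_2 and OTHER come from. The script below is an added example written for this thread (it is not Momadice's, Emsisoft's or Bitdefender's code) that shows the checks a responder would run on a Windows 8.1 box to answer that question: which accounts actually exist in the local SAM, which profile folders exist on disk and which SID owns each, who is in the local Administrators group, and whether the Security log recorded any account creation or password-reset events. It uses only built-in tooling (WMI classes, net.exe and Get-WinEvent), so it works without the newer LocalAccounts module; it assumes an elevated PowerShell prompt, and the audit events in step 4 appear only if account-management auditing was enabled on the machine.

```powershell
# Added example, not from the thread: trace an unexpected local account name
# (for example Cindy_2 or OTHER) to its source. Run from an elevated PowerShell
# prompt on Windows 8.1; nothing here changes the system.

# 1. Accounts defined in the local SAM. A name that appears only in Bitdefender's
#    report but not here is not a real login account on this machine.
Write-Host "== Local accounts (SAM) =="
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, SID, Disabled, Lockout, PasswordRequired, PasswordChangeable, Status |
    Format-Table -AutoSize

# 2. Profile folders under C:\Users with the SID that owns them and last use time.
#    A folder with no matching SAM account above is a stale or orphaned profile;
#    an account above with no folder here has never logged on interactively.
Write-Host "== Profile folders (Win32_UserProfile) =="
Get-WmiObject -Class Win32_UserProfile |
    Select-Object LocalPath, SID, Special, Loaded,
        @{ Name = 'LastUse'; Expression = {
            if ($_.LastUseTime) { $_.ConvertToDateTime($_.LastUseTime) } else { $null } } } |
    Format-Table -AutoSize

# 3. Members of the local Administrators group (plain-text output from net.exe).
Write-Host "== Local Administrators group =="
net localgroup Administrators

# 4. Account-management events from the Security log, newest first:
#    4720 account created, 4726 account deleted, 4724 password reset attempt,
#    4732 member added to a local security group. Empty output means either no
#    such events or auditing was not enabled when the accounts were created.
Write-Host "== Recent account-management audit events =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4724, 4726, 4732 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize
```

Reading the output: an entry such as Cindy_2 in the profile list whose SID does not match any SID in the SAM list is a leftover profile folder rather than a usable login, while a name that does appear in the SAM list with Disabled set to False is a live account and should be disabled (or its password reset) from an administrator account rather than from the unknown account's own login.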




