Possible Hack, Corruption, Permissions, Policies...


  • This topic is locked
36 replies to this topic

#1 fjrules

  • Members
  • 130 posts

Posted 24 October 2015 - 02:26 PM

Hi.  I hope I'm posting this in the right forum; if not, feel free to move it.

I am the sole user of my desktop which has Windows 7.  Other than some freezes/hangs and a very slow Firefox startup, my browsing is otherwise smooth.

I have a few issues and hopefully you can triage me, so to speak.  If you find something that is out of your scope, kindly direct me elsewhere.  I don't think I have an active infection because I've run multiple scans using a variety of programs and they all come up clean; rather, it could be the after-effects of malware and policies it implemented.  Emsisoft was the only program that found something - setting.disabletaskmgr and setting.disableregistrytool - which I deleted.

First, I need to know whether I've been hacked.  Yesterday I stumbled upon the netstat.exe tool and when I run it, I see an IP address that isn't mine as well as a ton of active connections, which concerns me because I am the only user.

There are entries for maconfig_tcp and maconfig_udp as programs my Firewall allows.  I can't find any information on what those entries are.

Corruption is also a problem.  Windows Search - there are *content source MAPI* Event ID 3036 errors galore in my Event Viewer and I have to reset Windows Search on a daily basis.  Windows Media Player - the troubleshooter is worthless.  Corruption constantly present.  I've run sfc /scannow a ton of times and it keeps giving me "WRP has found corruption but cannot fix..."  From looking at the log, all but one of the corrupt files it found are in my sample music/photo libraries.  I read about the SFCFix tool and am wondering if you may be able to make one for me.  Other error messages that concern me are NTFS error 55 "file system structure corrupt and unstable run chkdsk on volume shadow copy 10," corrupted registry hive, and registry file still in use.

Drivers - I have error messages for WPD FileSystem Volume Drivers and can't get them to update.

I should also mention that I used Namebench and changed my DNS server in hopes of achieving better speed.

Here is my FRST log and I've attached the "Addition" log.  Thank you and I look forward to hearing back from you!

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:24-10-2015
Ran by Joe (administrator) on JOE-PC (24-10-2015 14:44:50)
Running from C:\Users\Joe\Desktop\Mlwre Tools
Loaded Profiles: Joe (Available Profiles: Joe)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

NOTE: I needed to delete the prior FRST log and rerun it.  Pasted below is the correct one.  I'm sorry for the inconvenience.  The Addition log is the same so I didn't re-enclose it.


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:25-10-2015
Ran by Joe (administrator) on JOE-PC (24-10-2015 19:00:25)
Running from C:\Users\Joe\Desktop
Loaded Profiles: Joe (Available Profiles: Joe)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2service.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
(6XGate Incorporated) C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [12336856 2015-06-18] (Realtek Semiconductor)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [6134544 2015-09-23] (AVAST Software)
HKLM\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe [2620728 2015-07-22] (Malwarebytes Corporation)
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKLM\...\Policies\Explorer: [MemCheckBoxInRunDlg] 1
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 1
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\...\Policies\Explorer: [NoResolveSearch] 1
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2015-09-23] (AVAST Software)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Firefox Preloader.lnk [2015-04-13]
ShortcutTarget: Firefox Preloader.lnk -> C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe (6XGate Incorporated)
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{5AC59C76-E506-4058-9050-80801E872FBA}: [NameServer] 71.242.0.12,151.197.0.39
Tcpip\..\Interfaces\{5AC59C76-E506-4058-9050-80801E872FBA}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?gws_rd=ssl
SearchScopes: HKU\S-1-5-21-956595361-2088304539-1011358878-1000 -> DefaultScope {0C7FAAAF-A6BA-476D-AC5C-BB183454E529} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\S-1-5-21-956595361-2088304539-1011358878-1000 -> {0C7FAAAF-A6BA-476D-AC5C-BB183454E529} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_66\bin\ssv.dll [2015-10-24] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_66\bin\jp2ssv.dll [2015-10-24] (Oracle Corporation)
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll [2015-09-22] (Eyeo GmbH)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler: AutorunsDisabled\intu-help-qb6 - {6898B29B-BF49-43cb-A0B1-D0B9496AF491} - C:\Program Files\Intuit\QuickBooks 2013\HelpAsyncPluggableProtocol.dll [2014-01-16] (Intuit, Inc.)
Handler: AutorunsDisabled\mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\microsoft shared\Web Components\11\OWC11.DLL [2009-03-24] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default
FF DefaultSearchEngine.US: Google
FF Homepage: www.google.com
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_19_0_0_226.dll [2015-10-17] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin: @java.com/DTPlugin,version=11.66.2 -> C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\npDeployJava1.dll [2015-10-24] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.66.2 -> C:\Program Files\Java\jre1.8.0_66\bin\plugin2\npjp2.dll [2015-10-24] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll [2015-08-27] (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
FF Extension: Flash Video Downloader - YouTube HD Download [4K] - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\artur.dubovoy@gmail.com [2015-10-04]
FF Extension: Flash and Video Download - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a} [2015-10-04]
FF Extension: Disconnect - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\2.0@disconnect.me.xpi [2015-07-05]
FF Extension: Adblock Plus Pop-up Addon - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\adblockpopups@jessehakanen.net.xpi [2015-05-31]
FF Extension: Ghostery - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\firefox@ghostery.com.xpi [2015-09-19]
FF Extension: uBlock Origin - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\uBlock0@raymondhill.net.xpi [2015-10-21]
FF Extension: Yet Another Smooth Scrolling - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\yetanothersmoothscrolling@kataho.xpi [2015-05-31]
FF Extension: NoScript - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2015-10-11]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2015-09-14]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-07-22] (SUPERAntiSpyware.com)
R2 a2AntiMalware; C:\Program Files\Emsisoft Anti-Malware\a2service.exe [7084784 2015-10-14] (Emsisoft Ltd)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [146600 2015-09-23] (AVAST Software)
R2 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [713016 2015-07-22] (Malwarebytes Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S4 QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2014-01-16] (Intuit) [File not signed]
S4 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2013-06-19] (Intuit Inc.) [File not signed]
S4 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2013-06-19] (Intuit Inc.) [File not signed]
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24016 2015-09-23] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [76000 2015-09-23] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [81728 2015-09-23] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49776 2015-09-23] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [789296 2015-09-23] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [434184 2015-09-23] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [115640 2015-09-23] (AVAST Software)
R1 epp32; C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\epp32.sys [114200 2015-10-14] (Emsisoft GmbH)
R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [47928 2015-07-22] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [170200 2015-10-24] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-10-05] (Malwarebytes Corporation)
R0 nvamacpi; C:\Windows\System32\DRIVERS\NVAMACPI.sys [24680 1999-12-31] (NVIDIA Corporation)
S3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad32v.sys [32912 2014-11-22] (NVIDIA Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 WiseHDInfo; C:\Windows\WiseHDInfo32.dll [11816 2015-04-22] (wisecleaner.com) [File not signed]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-24 19:00 - 2015-10-24 19:00 - 00012290 _____ C:\Users\Joe\Desktop\FRST.txt
2015-10-24 19:00 - 2015-10-24 19:00 - 00000000 ____D C:\Users\Joe\Desktop\FRST-OlderVersion
2015-10-24 15:10 - 2015-10-24 14:20 - 04480319 _____ C:\Users\Joe\Desktop\CBS.log
2015-10-24 14:37 - 2015-10-24 19:00 - 00000000 ____D C:\FRST
2015-10-24 14:17 - 2015-10-24 14:17 - 00068296 _____ C:\Users\Joe\AppData\Local\GDIPFONTCACHEV1.DAT
2015-10-24 14:14 - 2015-10-24 19:00 - 00043962 _____ C:\Windows\WindowsUpdate.log
2015-10-24 14:14 - 2015-10-24 14:17 - 00016330 _____ C:\Windows\setupact.log
2015-10-24 14:14 - 2015-10-24 14:14 - 00296320 _____ C:\Windows\system32\FNTCACHE.DAT
2015-10-24 14:14 - 2015-10-24 14:14 - 00000000 _____ C:\Windows\setuperr.log
2015-10-24 13:43 - 2015-10-24 13:43 - 00001515 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2015-10-24 12:39 - 2015-10-24 12:39 - 00000000 ____D C:\Program Files\Common Files\Java
2015-10-24 12:28 - 2015-05-29 03:43 - 00303744 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmcomm.sys
2015-10-24 00:53 - 2015-10-24 13:37 - 00000000 ____D C:\Program Files\Java
2015-10-24 00:53 - 2015-10-24 13:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-10-24 00:53 - 2015-10-24 12:37 - 00095840 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2015-10-23 23:17 - 2015-10-23 23:19 - 00000000 ____D C:\Program Files\EEK
2015-10-23 11:08 - 2015-10-23 11:08 - 00000218 _____ C:\Users\Joe\AppData\Local\recently-used.xbel
2015-10-15 12:50 - 2015-10-16 10:54 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-10-14 23:13 - 2015-10-14 23:13 - 00000207 _____ C:\Windows\tweaking.com-regbackup-JOE-PC-Windows-7-Ultimate-(32-bit).dat
2015-10-14 14:27 - 2015-10-14 14:27 - 00001105 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-10-14 12:45 - 2015-10-14 12:45 - 00000000 ____D C:\ProgramData\Emsisoft
2015-10-14 11:25 - 2015-10-24 18:19 - 00000000 ____D C:\Program Files\Emsisoft Anti-Malware
2015-10-14 11:25 - 2015-10-14 13:09 - 00114200 _____ (Emsisoft GmbH) C:\Windows\system32\Drivers\epp32.sys
2015-10-14 11:25 - 2015-10-14 11:25 - 00001049 _____ C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2015-10-14 11:25 - 2015-10-14 11:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
2015-10-14 00:27 - 2015-10-14 00:27 - 00448512 _____ (OldTimer Tools) C:\Users\Joe\Desktop\TFC.exe
2015-10-13 19:19 - 2015-09-28 23:05 - 03990976 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-10-13 19:19 - 2015-09-28 23:05 - 03936192 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-10-13 19:19 - 2015-09-28 23:02 - 01308160 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-10-13 19:19 - 2015-09-28 22:59 - 00655360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2015-10-13 19:19 - 2015-09-28 22:59 - 00552960 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-10-13 19:19 - 2015-09-28 22:59 - 00400896 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-10-13 19:19 - 2015-09-28 22:59 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-10-13 19:19 - 2015-09-28 22:59 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-10-13 19:19 - 2015-09-28 22:59 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-10-13 19:19 - 2015-09-28 22:59 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-10-13 19:19 - 2015-09-28 22:58 - 00262656 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-10-13 19:19 - 2015-09-28 22:58 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-10-13 19:19 - 2015-09-28 22:58 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-10-13 19:19 - 2015-09-28 22:58 - 00038912 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-10-13 19:19 - 2015-09-28 22:58 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2015-10-13 19:19 - 2015-09-28 22:58 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-10-13 19:19 - 2015-09-28 22:53 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-10-13 19:19 - 2015-09-28 22:53 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-10-13 19:19 - 2015-09-28 22:49 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-10-13 19:19 - 2015-09-28 22:49 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2015-10-13 19:19 - 2015-09-28 21:43 - 00225792 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2015-10-13 19:19 - 2015-09-28 21:43 - 00124416 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2015-10-13 19:19 - 2015-09-28 21:43 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2015-10-13 19:19 - 2015-09-15 13:42 - 00139096 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-10-13 19:19 - 2015-09-15 13:42 - 00067520 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-10-13 19:19 - 2015-09-15 13:36 - 01061376 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-10-13 19:19 - 2015-09-15 13:36 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-10-13 19:19 - 2015-09-15 13:36 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-10-13 19:19 - 2015-09-15 13:36 - 00100352 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-10-13 19:19 - 2015-09-15 13:36 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-10-13 19:19 - 2015-09-15 13:36 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-10-13 19:19 - 2015-09-15 13:35 - 00022528 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-10-13 19:18 - 2015-10-01 13:50 - 00096768 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2015-10-13 19:18 - 2015-10-01 13:50 - 00050688 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2015-10-13 19:18 - 2015-10-01 13:50 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2015-10-13 19:18 - 2015-10-01 13:50 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2015-10-13 19:18 - 2015-10-01 13:50 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2015-10-13 19:18 - 2015-10-01 12:53 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2015-10-13 19:18 - 2015-08-06 13:44 - 12875776 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2015-10-13 19:18 - 2015-08-06 13:44 - 01498624 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll
2015-10-13 19:17 - 2015-09-18 14:58 - 00345688 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-10-13 19:17 - 2015-09-15 23:58 - 20357632 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-10-13 19:17 - 2015-09-15 23:45 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-10-13 19:17 - 2015-09-15 23:45 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-10-13 19:17 - 2015-09-15 23:33 - 00504832 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-10-13 19:17 - 2015-09-15 23:33 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-10-13 19:17 - 2015-09-15 23:32 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-10-13 19:17 - 2015-09-15 23:32 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-10-13 19:17 - 2015-09-15 23:31 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-10-13 19:17 - 2015-09-15 23:28 - 02279936 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-10-13 19:17 - 2015-09-15 23:26 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-10-13 19:17 - 2015-09-15 23:26 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-10-13 19:17 - 2015-09-15 23:24 - 00480256 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-10-13 19:17 - 2015-09-15 23:23 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-10-13 19:17 - 2015-09-15 23:23 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-10-13 19:17 - 2015-09-15 23:22 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-10-13 19:17 - 2015-09-15 23:22 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-10-13 19:17 - 2015-09-15 23:18 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-10-13 19:17 - 2015-09-15 23:15 - 00416256 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-10-13 19:17 - 2015-09-15 23:10 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-10-13 19:17 - 2015-09-15 23:07 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-10-13 19:17 - 2015-09-15 23:06 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-10-13 19:17 - 2015-09-15 23:05 - 04527616 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-10-13 19:17 - 2015-09-15 23:05 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-10-13 19:17 - 2015-09-15 23:04 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2015-10-13 19:17 - 2015-09-15 22:58 - 12853760 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-10-13 19:17 - 2015-09-15 22:58 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2015-10-13 19:17 - 2015-09-15 22:56 - 00689152 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-10-13 19:17 - 2015-09-15 22:56 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-10-13 19:17 - 2015-09-15 22:55 - 02052608 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-10-13 19:17 - 2015-09-15 22:55 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-10-13 19:17 - 2015-09-15 22:37 - 02011136 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-10-13 19:17 - 2015-09-15 22:34 - 01311232 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-10-13 19:17 - 2015-09-15 22:32 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-10-08 18:15 - 2015-09-25 13:59 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-10-08 18:15 - 2015-09-25 13:59 - 00030208 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2015-10-08 18:15 - 2015-09-25 13:58 - 00073728 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2015-10-08 18:15 - 2015-09-25 13:58 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2015-10-08 18:14 - 2015-09-25 13:59 - 02955776 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-10-08 18:14 - 2015-09-25 13:59 - 02061824 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-10-08 18:14 - 2015-09-25 13:59 - 00566784 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-10-08 18:14 - 2015-09-25 13:59 - 00174080 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-10-08 18:14 - 2015-09-25 13:59 - 00093696 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-10-08 18:14 - 2015-09-25 13:58 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-10-08 18:14 - 2015-09-25 13:58 - 00035328 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-10-08 10:41 - 2015-10-08 10:41 - 00098520 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\246E7A2B.sys
2015-10-07 23:19 - 2015-10-07 23:20 - 00003935 _____ C:\Windows\system32\drivers.txt
2015-10-03 13:52 - 2015-10-03 14:35 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Exploit
2015-10-03 13:52 - 2015-10-03 13:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit
2015-10-01 10:20 - 2015-10-01 10:20 - 00000000 ____D C:\Users\Joe\AppData\Local\CEF
2015-09-26 14:49 - 2015-09-26 14:53 - 00000000 ____D C:\Users\Joe\AppData\Local\Deployment
2015-09-25 15:23 - 2015-09-25 15:23 - 00683606 _____ C:\Users\Joe\Desktop\bookmarks.html
2015-09-25 15:09 - 2015-09-23 14:09 - 00313472 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-24 19:00 - 2015-05-07 10:59 - 01700864 _____ (Farbar) C:\Users\Joe\Desktop\FRST.exe
2015-10-24 18:32 - 2015-04-10 18:27 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2015-10-24 18:17 - 2015-04-12 23:20 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-10-24 18:16 - 2010-11-20 17:01 - 00776356 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-24 15:21 - 2015-05-13 13:51 - 00000000 ____D C:\Users\Joe\Desktop\Mlwre Tools
2015-10-24 14:22 - 2015-04-08 13:37 - 00009712 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-24 14:22 - 2015-04-08 13:37 - 00009712 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-24 14:14 - 2009-07-14 00:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-24 14:12 - 2015-04-20 15:13 - 00000000 ____D C:\Users\Joe\AppData\Roaming\Wise Disk Cleaner
2015-10-24 14:11 - 2015-08-26 23:02 - 00000000 ____D C:\Users\Joe
2015-10-24 14:11 - 2015-07-05 19:44 - 00000000 ____D C:\Users\Joe\AppData\LocalLow\Adblock Plus for IE
2015-10-24 11:21 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\Help
2015-10-24 01:17 - 2015-04-22 15:11 - 00000000 ____D C:\Users\Joe\AppData\Roaming\Wise Registry Cleaner
2015-10-24 00:54 - 2015-04-10 09:56 - 00000000 ____D C:\ProgramData\Oracle
2015-10-23 22:09 - 2011-09-03 16:45 - 00000000 ___DC C:\Users\Joe\Desktop\Tools
2015-10-23 13:00 - 2015-04-17 23:13 - 00000000 ____D C:\Users\Joe\AppData\Roaming\vlc
2015-10-23 11:58 - 2015-04-13 14:42 - 00000000 ____D C:\Program Files\CCleaner
2015-10-22 21:49 - 2015-05-05 23:36 - 00035064 _____ C:\Windows\system32\Drivers\TrueSight.sys
2015-10-17 11:17 - 2015-04-10 09:56 - 00000000 ____D C:\Users\Joe\AppData\Local\Adobe
2015-10-17 11:15 - 2015-04-13 14:33 - 00780488 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-10-17 11:15 - 2015-04-13 14:33 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-10-17 11:12 - 2015-06-09 12:41 - 00000000 ____D C:\Users\Joe\AppData\Roaming\WiseUpdate
2015-10-17 10:50 - 2015-04-10 10:00 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-10-17 10:50 - 2015-04-10 09:57 - 00000000 ____D C:\Program Files\7-Zip
2015-10-17 10:50 - 2015-04-10 09:54 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-10-16 15:00 - 2015-04-10 10:00 - 00001060 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-10-16 15:00 - 2015-04-10 10:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-10-16 13:32 - 2015-07-14 21:16 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-10-16 11:34 - 2011-02-21 19:02 - 00000000 ___DC C:\Users\Joe\Documents\Health Insurance
2015-10-16 00:20 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\registration
2015-10-15 22:42 - 2015-04-10 21:16 - 00000000 ____D C:\Users\Joe\AppData\Local\Apps\2.0
2015-10-15 00:22 - 2015-08-03 16:12 - 00000000 ____D C:\Users\Joe\Desktop\mbar
2015-10-14 22:55 - 2009-07-13 22:37 - 00000000 __RHD C:\Users\Default
2015-10-14 14:27 - 2015-04-10 09:54 - 00001117 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-10-14 13:58 - 2015-08-21 19:14 - 00002117 _____ C:\Users\Joe\Desktop\Tweaking.com - Windows Repair.lnk
2015-10-14 13:34 - 2015-05-20 15:44 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-10-14 00:49 - 2015-04-07 18:09 - 00000000 ____D C:\Users\Joe\AppData\Local\VirtualStore
2015-10-13 23:48 - 2015-04-08 17:57 - 00000000 ____D C:\Windows\system32\MRT
2015-10-13 23:41 - 2015-08-27 20:52 - 141105520 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-10-12 12:48 - 2009-08-14 09:21 - 00000000 ___DC C:\Users\Joe\Documents\Employment
2015-10-08 10:33 - 2013-11-11 15:48 - 00000000 ___DC C:\Users\Joe\Documents\Personal Health
2015-10-07 02:18 - 2015-08-23 17:32 - 00000000 ____D C:\Program Files\Defraggler
2015-10-05 09:50 - 2015-04-10 10:00 - 00094936 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-10-05 09:50 - 2015-04-10 10:00 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-10-05 09:50 - 2015-04-10 10:00 - 00023256 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2015-10-02 02:37 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\system32\wfp
2015-10-02 02:35 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\system32\LogFiles
2015-09-30 13:57 - 2009-07-13 22:04 - 00000215 _____ C:\Windows\system.ini
2015-09-30 13:56 - 2006-11-02 06:23 - 00000027 _____ C:\Windows\system32\Drivers\etc\hosts_bak_709
2015-09-30 13:01 - 2015-04-14 00:28 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2015-09-29 23:13 - 2015-08-26 22:51 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2015-09-29 21:33 - 2015-05-05 15:29 - 00000000 ____D C:\Program Files\ESET
2015-09-26 15:29 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\system32\NDF
2015-09-25 23:18 - 2015-04-13 14:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox Preloader
2015-09-25 23:10 - 2015-04-13 14:42 - 00000965 _____ C:\Users\Public\Desktop\CCleaner.lnk
2015-09-25 15:11 - 2015-04-15 23:24 - 00002003 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2015-09-25 14:59 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\system
2015-09-24 01:19 - 2015-08-15 17:07 - 00000000 ____D C:\Windows\system32\catroot2.bak
2015-09-24 01:19 - 2015-04-13 14:57 - 00000000 ____D C:\Windows\pss
2015-09-24 01:19 - 2015-04-13 14:08 - 00000000 ____D C:\Program Files\FirefoxPreloader
2015-09-24 01:19 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\system32\Msdtc
2015-09-24 01:02 - 2015-04-24 00:24 - 00000000 ____D C:\ProgramData\Apple Computer
2015-09-24 01:02 - 2015-04-24 00:22 - 00000000 ____D C:\ProgramData\Apple

==================== Files in the root of some directories =======

2015-10-23 11:08 - 2015-10-23 11:08 - 0000218 _____ () C:\Users\Joe\AppData\Local\recently-used.xbel
2015-08-30 16:01 - 2015-08-30 16:04 - 0007654 _____ () C:\Users\Joe\AppData\Local\resmon.resmoncfg

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-10-24 16:44

==================== End of FRST.txt ============================

Edited by fjrules, 24 October 2015 - 06:06 PM.

#2 HelpBot (Bleepin' Binary Bot)

  • Bots
  • 12,732 posts
  • Gender:Male
  • Local time:01:24 PM

Posted 29 October 2015 - 02:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/594336 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 fjrules (Topic Starter)

  • Members
  • 130 posts
  • Local time:12:24 PM

Posted 30 October 2015 - 09:52 AM

I am still having the issues I expressed in my first post.  I look forward to hearing back from you soon.  Thanks again.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:29-10-2015
Ran by Joe (administrator) on JOE-PC (30-10-2015 10:39:37)
Running from C:\Users\Joe\Downloads
Loaded Profiles: Joe (Available Profiles: Joe)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
(6XGate Incorporated) C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmplayer.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Eyeo GmbH) C:\Program Files\Adblock Plus for IE\AdblockPlusEngine.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [12336856 2015-06-18] (Realtek Semiconductor)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [6134544 2015-09-23] (AVAST Software)
HKLM\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe [2620728 2015-07-22] (Malwarebytes Corporation)
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKLM\...\Policies\Explorer: [MemCheckBoxInRunDlg] 1
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 1
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\...\Policies\Explorer: [NoResolveSearch] 1
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2015-09-23] (AVAST Software)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Firefox Preloader.lnk [2015-04-13]
ShortcutTarget: Firefox Preloader.lnk -> C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe (6XGate Incorporated)
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{5AC59C76-E506-4058-9050-80801E872FBA}: [NameServer] 71.242.0.12,151.197.0.39
Tcpip\..\Interfaces\{5AC59C76-E506-4058-9050-80801E872FBA}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?gws_rd=ssl
SearchScopes: HKU\S-1-5-21-956595361-2088304539-1011358878-1000 -> DefaultScope {0C7FAAAF-A6BA-476D-AC5C-BB183454E529} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\S-1-5-21-956595361-2088304539-1011358878-1000 -> {0C7FAAAF-A6BA-476D-AC5C-BB183454E529} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_66\bin\ssv.dll [2015-10-24] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_66\bin\jp2ssv.dll [2015-10-24] (Oracle Corporation)
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll [2015-09-22] (Eyeo GmbH)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler: AutorunsDisabled\intu-help-qb6 - {6898B29B-BF49-43cb-A0B1-D0B9496AF491} - C:\Program Files\Intuit\QuickBooks 2013\HelpAsyncPluggableProtocol.dll [2014-01-16] (Intuit, Inc.)
Handler: AutorunsDisabled\mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\microsoft shared\Web Components\11\OWC11.DLL [2009-03-24] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default
FF DefaultSearchEngine.US: Google
FF Homepage: www.google.com
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_19_0_0_226.dll [2015-10-17] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2015-10-08] ()
FF Plugin: @java.com/DTPlugin,version=11.66.2 -> C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\npDeployJava1.dll [2015-10-24] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.66.2 -> C:\Program Files\Java\jre1.8.0_66\bin\plugin2\npjp2.dll [2015-10-24] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll [2015-08-27] (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
FF Extension: Flash Video Downloader - YouTube HD Download [4K] - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\artur.dubovoy@gmail.com [2015-10-04]
FF Extension: Flash and Video Download - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a} [2015-10-29]
FF Extension: Disconnect - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\2.0@disconnect.me.xpi [2015-07-05]
FF Extension: Adblock Plus Pop-up Addon - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\adblockpopups@jessehakanen.net.xpi [2015-05-31]
FF Extension: Ghostery - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\firefox@ghostery.com.xpi [2015-09-19]
FF Extension: uBlock Origin - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\uBlock0@raymondhill.net.xpi [2015-10-28]
FF Extension: Yet Another Smooth Scrolling - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\yetanothersmoothscrolling@kataho.xpi [2015-05-31]
FF Extension: NoScript - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2015-10-26]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2015-10-09]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-07-22] (SUPERAntiSpyware.com)
S4 a2AntiMalware; C:\Program Files\Emsisoft Anti-Malware\a2service.exe [7084784 2015-10-14] (Emsisoft Ltd)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [146600 2015-09-23] (AVAST Software)
R2 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [713016 2015-07-22] (Malwarebytes Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S4 QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2014-01-16] (Intuit) [File not signed]
S4 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2013-06-19] (Intuit Inc.) [File not signed]
S4 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2013-06-19] (Intuit Inc.) [File not signed]
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24016 2015-09-23] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [76000 2015-09-23] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [81728 2015-09-23] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49776 2015-09-23] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [789296 2015-09-23] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [434184 2015-09-23] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [115640 2015-09-23] (AVAST Software)
R1 epp32; C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\epp32.sys [114200 2015-10-14] (Emsisoft GmbH)
R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [47928 2015-07-22] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [170200 2015-10-30] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-10-05] (Malwarebytes Corporation)
R0 nvamacpi; C:\Windows\System32\DRIVERS\NVAMACPI.sys [24680 1999-12-31] (NVIDIA Corporation)
S3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad32v.sys [32912 2014-11-22] (NVIDIA Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 WiseHDInfo; C:\Windows\WiseHDInfo32.dll [11816 2015-04-22] (wisecleaner.com) [File not signed]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-30 10:39 - 2015-10-30 10:40 - 00012533 _____ C:\Users\Joe\Downloads\FRST.txt
2015-10-30 10:38 - 2015-10-30 10:38 - 01701888 _____ (Farbar) C:\Users\Joe\Desktop\FRST.exe
2015-10-30 09:29 - 2015-10-30 09:33 - 00014740 _____ C:\Windows\setupact.log
2015-10-30 09:29 - 2015-10-30 09:29 - 00296320 _____ C:\Windows\system32\FNTCACHE.DAT
2015-10-30 09:29 - 2015-10-30 09:29 - 00000666 _____ C:\Windows\PFRO.log
2015-10-30 09:29 - 2015-10-30 09:29 - 00000000 _____ C:\Windows\setuperr.log
2015-10-27 23:10 - 2015-10-27 23:23 - 00001753 _____ C:\Users\Public\Desktop\iTunes.lnk
2015-10-27 23:10 - 2015-10-27 23:23 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2015-10-27 23:07 - 2015-10-27 23:10 - 00000000 ____D C:\Program Files\iTunes
2015-10-27 23:07 - 2015-10-27 23:07 - 00000000 ____D C:\Program Files\iPod
2015-10-27 12:49 - 2015-10-27 12:49 - 00000000 ____D C:\Windows\wsusoffline102
2015-10-27 12:37 - 2015-10-27 12:37 - 00689664 _____ C:\Users\Joe\Downloads\MicrosoftFixit50202.msi
2015-10-25 20:56 - 2015-10-26 19:53 - 00000000 ____D C:\Users\Joe\Desktop\mbar
2015-10-24 14:37 - 2015-10-30 10:39 - 00000000 ____D C:\FRST
2015-10-24 14:14 - 2015-10-30 10:36 - 00980510 _____ C:\Windows\WindowsUpdate.log
2015-10-24 13:43 - 2015-10-24 13:43 - 00001515 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2015-10-24 12:39 - 2015-10-24 12:39 - 00000000 ____D C:\Program Files\Common Files\Java
2015-10-24 12:28 - 2015-05-29 03:43 - 00303744 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmcomm.sys
2015-10-24 00:53 - 2015-10-24 13:37 - 00000000 ____D C:\Program Files\Java
2015-10-24 00:53 - 2015-10-24 13:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-10-24 00:53 - 2015-10-24 12:37 - 00095840 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2015-10-23 23:17 - 2015-10-23 23:19 - 00000000 ____D C:\Program Files\EEK
2015-10-23 11:08 - 2015-10-23 11:08 - 00000218 _____ C:\Users\Joe\AppData\Local\recently-used.xbel
2015-10-15 12:50 - 2015-10-16 10:54 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-10-14 23:13 - 2015-10-14 23:13 - 00000207 _____ C:\Windows\tweaking.com-regbackup-JOE-PC-Windows-7-Ultimate-(32-bit).dat
2015-10-14 14:27 - 2015-10-14 14:27 - 00001105 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-10-14 12:45 - 2015-10-14 12:45 - 00000000 ____D C:\ProgramData\Emsisoft
2015-10-14 11:25 - 2015-10-28 11:28 - 00000000 ____D C:\Program Files\Emsisoft Anti-Malware
2015-10-14 11:25 - 2015-10-14 13:09 - 00114200 _____ (Emsisoft GmbH) C:\Windows\system32\Drivers\epp32.sys
2015-10-14 11:25 - 2015-10-14 11:25 - 00001049 _____ C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2015-10-14 11:25 - 2015-10-14 11:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
2015-10-14 00:27 - 2015-10-14 00:27 - 00448512 _____ (OldTimer Tools) C:\Users\Joe\Desktop\TFC.exe
2015-10-13 19:19 - 2015-09-28 23:05 - 03990976 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-10-13 19:19 - 2015-09-28 23:05 - 03936192 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-10-13 19:19 - 2015-09-28 23:02 - 01308160 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-10-13 19:19 - 2015-09-28 22:59 - 00655360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2015-10-13 19:19 - 2015-09-28 22:59 - 00552960 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-10-13 19:19 - 2015-09-28 22:59 - 00400896 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-10-13 19:19 - 2015-09-28 22:59 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-10-13 19:19 - 2015-09-28 22:59 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-10-13 19:19 - 2015-09-28 22:59 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-10-13 19:19 - 2015-09-28 22:59 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-10-13 19:19 - 2015-09-28 22:58 - 00262656 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-10-13 19:19 - 2015-09-28 22:58 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-10-13 19:19 - 2015-09-28 22:58 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-10-13 19:19 - 2015-09-28 22:58 - 00038912 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-10-13 19:19 - 2015-09-28 22:58 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2015-10-13 19:19 - 2015-09-28 22:58 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-10-13 19:19 - 2015-09-28 22:53 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-10-13 19:19 - 2015-09-28 22:53 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-10-13 19:19 - 2015-09-28 22:49 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-10-13 19:19 - 2015-09-28 22:49 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2015-10-13 19:19 - 2015-09-28 21:43 - 00225792 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2015-10-13 19:19 - 2015-09-28 21:43 - 00124416 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2015-10-13 19:19 - 2015-09-28 21:43 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2015-10-13 19:19 - 2015-09-15 13:42 - 00139096 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-10-13 19:19 - 2015-09-15 13:42 - 00067520 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-10-13 19:19 - 2015-09-15 13:36 - 01061376 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-10-13 19:19 - 2015-09-15 13:36 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-10-13 19:19 - 2015-09-15 13:36 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-10-13 19:19 - 2015-09-15 13:36 - 00100352 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-10-13 19:19 - 2015-09-15 13:36 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-10-13 19:19 - 2015-09-15 13:36 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-10-13 19:19 - 2015-09-15 13:35 - 00022528 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-10-13 19:18 - 2015-10-01 13:50 - 00096768 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2015-10-13 19:18 - 2015-10-01 13:50 - 00050688 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2015-10-13 19:18 - 2015-10-01 13:50 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2015-10-13 19:18 - 2015-10-01 13:50 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2015-10-13 19:18 - 2015-10-01 13:50 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2015-10-13 19:18 - 2015-10-01 12:53 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2015-10-13 19:18 - 2015-08-06 13:44 - 12875776 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2015-10-13 19:18 - 2015-08-06 13:44 - 01498624 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll
2015-10-13 19:17 - 2015-09-18 14:58 - 00345688 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-10-13 19:17 - 2015-09-15 23:58 - 20357632 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-10-13 19:17 - 2015-09-15 23:45 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-10-13 19:17 - 2015-09-15 23:45 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-10-13 19:17 - 2015-09-15 23:33 - 00504832 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-10-13 19:17 - 2015-09-15 23:33 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-10-13 19:17 - 2015-09-15 23:32 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-10-13 19:17 - 2015-09-15 23:32 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-10-13 19:17 - 2015-09-15 23:31 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-10-13 19:17 - 2015-09-15 23:28 - 02279936 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-10-13 19:17 - 2015-09-15 23:26 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-10-13 19:17 - 2015-09-15 23:26 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-10-13 19:17 - 2015-09-15 23:24 - 00480256 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-10-13 19:17 - 2015-09-15 23:23 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-10-13 19:17 - 2015-09-15 23:23 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-10-13 19:17 - 2015-09-15 23:22 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-10-13 19:17 - 2015-09-15 23:22 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-10-13 19:17 - 2015-09-15 23:18 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-10-13 19:17 - 2015-09-15 23:15 - 00416256 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-10-13 19:17 - 2015-09-15 23:10 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-10-13 19:17 - 2015-09-15 23:07 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-10-13 19:17 - 2015-09-15 23:06 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-10-13 19:17 - 2015-09-15 23:05 - 04527616 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-10-13 19:17 - 2015-09-15 23:05 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-10-13 19:17 - 2015-09-15 23:04 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2015-10-13 19:17 - 2015-09-15 22:58 - 12853760 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-10-13 19:17 - 2015-09-15 22:58 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2015-10-13 19:17 - 2015-09-15 22:56 - 00689152 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-10-13 19:17 - 2015-09-15 22:56 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-10-13 19:17 - 2015-09-15 22:55 - 02052608 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-10-13 19:17 - 2015-09-15 22:55 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-10-13 19:17 - 2015-09-15 22:37 - 02011136 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-10-13 19:17 - 2015-09-15 22:34 - 01311232 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-10-13 19:17 - 2015-09-15 22:32 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-10-08 18:15 - 2015-09-25 13:59 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-10-08 18:15 - 2015-09-25 13:59 - 00030208 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2015-10-08 18:15 - 2015-09-25 13:58 - 00073728 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2015-10-08 18:15 - 2015-09-25 13:58 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2015-10-08 18:14 - 2015-09-25 13:59 - 02955776 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-10-08 18:14 - 2015-09-25 13:59 - 02061824 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-10-08 18:14 - 2015-09-25 13:59 - 00566784 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-10-08 18:14 - 2015-09-25 13:59 - 00174080 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-10-08 18:14 - 2015-09-25 13:59 - 00093696 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-10-08 18:14 - 2015-09-25 13:58 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-10-08 18:14 - 2015-09-25 13:58 - 00035328 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-10-08 10:41 - 2015-10-08 10:41 - 00098520 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\246E7A2B.sys
2015-10-07 23:19 - 2015-10-07 23:20 - 00003935 _____ C:\Windows\system32\drivers.txt
2015-10-03 13:52 - 2015-10-03 14:35 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Exploit
2015-10-03 13:52 - 2015-10-03 13:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit
2015-10-01 10:20 - 2015-10-01 10:20 - 00000000 ____D C:\Users\Joe\AppData\Local\CEF

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-30 10:16 - 2015-07-05 19:44 - 00000000 ____D C:\Users\Joe\AppData\LocalLow\Adblock Plus for IE
2015-10-30 10:12 - 2015-04-12 23:20 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-10-30 10:10 - 2010-11-20 17:01 - 00776356 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-30 09:58 - 2015-04-17 23:13 - 00000000 ____D C:\Users\Joe\AppData\Roaming\vlc
2015-10-30 09:39 - 2015-04-08 13:37 - 00009712 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-30 09:39 - 2015-04-08 13:37 - 00009712 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-30 09:29 - 2015-08-26 23:02 - 00000000 ____D C:\Users\Joe
2015-10-30 09:29 - 2015-04-10 18:27 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2015-10-30 09:29 - 2009-07-14 00:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-30 01:19 - 2015-04-22 15:11 - 00000000 ____D C:\Users\Joe\AppData\Roaming\Wise Registry Cleaner
2015-10-30 01:17 - 2015-04-20 15:13 - 00000000 ____D C:\Users\Joe\AppData\Roaming\Wise Disk Cleaner
2015-10-30 01:16 - 2015-05-13 13:51 - 00000000 ____D C:\Users\Joe\Desktop\Mlwre Tools
2015-10-30 01:09 - 2015-04-13 14:42 - 00000000 ____D C:\Program Files\CCleaner
2015-10-28 02:11 - 2015-04-24 00:24 - 00000000 ____D C:\ProgramData\Apple Computer
2015-10-28 02:11 - 2015-04-24 00:22 - 00000000 ____D C:\ProgramData\Apple
2015-10-27 23:40 - 2013-11-11 15:48 - 00000000 ___DC C:\Users\Joe\Documents\Personal Health
2015-10-27 23:07 - 2015-04-24 00:22 - 00000000 ____D C:\Program Files\Common Files\Apple
2015-10-27 14:04 - 2015-04-13 14:42 - 00000965 _____ C:\Users\Public\Desktop\CCleaner.lnk
2015-10-26 19:53 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\Help
2015-10-26 14:32 - 2015-05-20 15:44 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-10-26 14:27 - 2015-04-10 10:00 - 00094936 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-10-25 21:57 - 2015-04-10 10:00 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-10-25 12:40 - 2015-04-14 00:28 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2015-10-24 20:40 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\system32\NDF
2015-10-24 00:54 - 2015-04-10 09:56 - 00000000 ____D C:\ProgramData\Oracle
2015-10-23 22:09 - 2011-09-03 16:45 - 00000000 ___DC C:\Users\Joe\Desktop\Tools
2015-10-22 21:49 - 2015-05-05 23:36 - 00035064 _____ C:\Windows\system32\Drivers\TrueSight.sys
2015-10-17 11:17 - 2015-04-10 09:56 - 00000000 ____D C:\Users\Joe\AppData\Local\Adobe
2015-10-17 11:15 - 2015-04-13 14:33 - 00780488 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-10-17 11:15 - 2015-04-13 14:33 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-10-17 11:12 - 2015-06-09 12:41 - 00000000 ____D C:\Users\Joe\AppData\Roaming\WiseUpdate
2015-10-17 10:50 - 2015-04-10 09:57 - 00000000 ____D C:\Program Files\7-Zip
2015-10-17 10:50 - 2015-04-10 09:54 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-10-16 15:00 - 2015-04-10 10:00 - 00001060 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-10-16 15:00 - 2015-04-10 10:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-10-16 13:32 - 2015-07-14 21:16 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-10-16 11:34 - 2011-02-21 19:02 - 00000000 ___DC C:\Users\Joe\Documents\Health Insurance
2015-10-16 00:20 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\registration
2015-10-15 22:42 - 2015-04-10 21:16 - 00000000 ____D C:\Users\Joe\AppData\Local\Apps\2.0
2015-10-14 22:55 - 2009-07-13 22:37 - 00000000 __RHD C:\Users\Default
2015-10-14 14:27 - 2015-04-10 09:54 - 00001117 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-10-14 13:58 - 2015-08-21 19:14 - 00002117 _____ C:\Users\Joe\Desktop\Tweaking.com - Windows Repair.lnk
2015-10-14 00:49 - 2015-04-07 18:09 - 00000000 ____D C:\Users\Joe\AppData\Local\VirtualStore
2015-10-13 23:48 - 2015-04-08 17:57 - 00000000 ____D C:\Windows\system32\MRT
2015-10-12 12:48 - 2009-08-14 09:21 - 00000000 ___DC C:\Users\Joe\Documents\Employment
2015-10-07 02:18 - 2015-08-23 17:32 - 00000000 ____D C:\Program Files\Defraggler
2015-10-05 09:50 - 2015-04-10 10:00 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-10-05 09:50 - 2015-04-10 10:00 - 00023256 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2015-10-02 12:10 - 2015-08-27 20:52 - 141105520 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-10-02 02:37 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\system32\wfp
2015-10-02 02:35 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\system32\LogFiles
2015-09-30 13:57 - 2009-07-13 22:04 - 00000215 _____ C:\Windows\system.ini
2015-09-30 13:56 - 2006-11-02 06:23 - 00000027 _____ C:\Windows\system32\Drivers\etc\hosts_bak_709

==================== Files in the root of some directories =======

2015-10-23 11:08 - 2015-10-23 11:08 - 0000218 _____ () C:\Users\Joe\AppData\Local\recently-used.xbel
2015-08-30 16:01 - 2015-08-30 16:04 - 0007654 _____ () C:\Users\Joe\AppData\Local\resmon.resmoncfg

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-10-29 00:31

==================== End of FRST.txt ============================



#4 polskamachina

  • Malware Response Team
  • 4,004 posts
  • Gender:Male

Posted 05 November 2015 - 12:22 AM

Hi fjrules :)

My name is polskamachina and I will be helping you with your malware issues.

What follows below are some ground rules for this forum.

I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know. I am in California at GMT-8 hours (Pacific Standard Time). If I do not respond to you within 48 hours, feel free to send me a private message.

Some points for you to keep in mind:

  • Do NOT run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
  • NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
  • NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. Please remember to copy the entire post so you do not miss any instructions.

Please give me some time to review your situation and I will get back to you with further instructions. Thank you for your patience.

polskamachina



#5 polskamachina

  • Malware Response Team
  • 4,004 posts
  • Gender:Male

Posted 05 November 2015 - 08:14 PM

Hi fjrules :)

Good job posting the FRST.txt log but I also need to see a copy of the Addition.txt log. Since you have run the FRST tool more than one time, by default it will not provide this log unless you manually check the box for Addition.txt before clicking on the scan button.

  • Please run FRST again.
  • When the FRST window opens, check the box for Addition.txt.
  • Click the scan button.
  • The Addition.txt and FRST logs will pop up when the scan has completed.
  • Please copy and paste the Addition.txt and FRST.txt log into your next reply to me.

Let me know if you have any questions.

polskamachina



#6 fjrules

  • Topic Starter

  • Members
  • 130 posts

Posted 05 November 2015 - 10:21 PM

Hello,

FRST reposted and addition attached.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:05-11-2015
Ran by Joe (administrator) on JOE-PC (05-11-2015 22:13:35)
Running from C:\Users\Joe\Desktop
Loaded Profiles: Joe (Available Profiles: Joe)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
(6XGate Incorporated) C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Eyeo GmbH) C:\Program Files\Adblock Plus for IE\AdblockPlusEngine.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [12336856 2015-06-18] (Realtek Semiconductor)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [6134544 2015-09-23] (AVAST Software)
HKLM\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe [2620728 2015-07-22] (Malwarebytes Corporation)
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKLM\...\Policies\Explorer: [MemCheckBoxInRunDlg] 1
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 1
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\...\Policies\Explorer: [NoResolveSearch] 1
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2015-09-23] (AVAST Software)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Firefox Preloader.lnk [2015-04-13]
ShortcutTarget: Firefox Preloader.lnk -> C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe (6XGate Incorporated)
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{5AC59C76-E506-4058-9050-80801E872FBA}: [NameServer] 198.6.1.3,71.242.0.12
Tcpip\..\Interfaces\{5AC59C76-E506-4058-9050-80801E872FBA}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-956595361-2088304539-1011358878-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?gws_rd=ssl
SearchScopes: HKU\S-1-5-21-956595361-2088304539-1011358878-1000 -> DefaultScope {0C7FAAAF-A6BA-476D-AC5C-BB183454E529} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\S-1-5-21-956595361-2088304539-1011358878-1000 -> {0C7FAAAF-A6BA-476D-AC5C-BB183454E529} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_66\bin\ssv.dll [2015-10-24] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_66\bin\jp2ssv.dll [2015-10-24] (Oracle Corporation)
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll [2015-09-22] (Eyeo GmbH)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler: AutorunsDisabled\intu-help-qb6 - {6898B29B-BF49-43cb-A0B1-D0B9496AF491} - C:\Program Files\Intuit\QuickBooks 2013\HelpAsyncPluggableProtocol.dll [2014-01-16] (Intuit, Inc.)
Handler: AutorunsDisabled\mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\microsoft shared\Web Components\11\OWC11.DLL [2009-03-24] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default
FF DefaultSearchEngine.US: Google
FF Homepage: www.google.com
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_19_0_0_226.dll [2015-10-17] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2015-10-08] ()
FF Plugin: @java.com/DTPlugin,version=11.66.2 -> C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\npDeployJava1.dll [2015-10-24] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.66.2 -> C:\Program Files\Java\jre1.8.0_66\bin\plugin2\npjp2.dll [2015-10-24] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll [2015-08-27] (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
FF Extension: Flash Video Downloader - YouTube HD Download [4K] - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\artur.dubovoy@gmail.com [2015-10-30]
FF Extension: Flash and Video Download - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a} [2015-10-29]
FF Extension: Disconnect - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\2.0@disconnect.me.xpi [2015-07-05]
FF Extension: Adblock Plus Pop-up Addon - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\adblockpopups@jessehakanen.net.xpi [2015-05-31]
FF Extension: Ghostery - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\firefox@ghostery.com.xpi [2015-11-05]
FF Extension: uBlock Origin - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\uBlock0@raymondhill.net.xpi [2015-10-28]
FF Extension: Yet Another Smooth Scrolling - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\yetanothersmoothscrolling@kataho.xpi [2015-05-31]
FF Extension: NoScript - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\cbmbzeye.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2015-10-26]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2015-10-09]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-07-22] (SUPERAntiSpyware.com)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [146600 2015-09-23] (AVAST Software)
R2 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [713016 2015-07-22] (Malwarebytes Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S4 QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2014-01-16] (Intuit) [File not signed]
S4 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2013-06-19] (Intuit Inc.) [File not signed]
S4 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2013-06-19] (Intuit Inc.) [File not signed]
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24016 2015-09-23] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [76000 2015-09-23] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [81728 2015-09-23] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49776 2015-09-23] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [789296 2015-09-23] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [434184 2015-09-23] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [115640 2015-09-23] (AVAST Software)
R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [47928 2015-07-22] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [170200 2015-11-05] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-10-05] (Malwarebytes Corporation)
R0 nvamacpi; C:\Windows\System32\DRIVERS\NVAMACPI.sys [24680 1999-12-31] (NVIDIA Corporation)
S3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad32v.sys [32912 2014-11-22] (NVIDIA Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 WiseHDInfo; C:\Windows\WiseHDInfo32.dll [11816 2015-04-22] (wisecleaner.com) [File not signed]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-05 22:13 - 2015-11-05 22:13 - 00012235 _____ C:\Users\Joe\Desktop\FRST.txt
2015-11-05 22:13 - 2015-11-05 22:13 - 00000000 ____D C:\Users\Joe\Desktop\FRST-OlderVersion
2015-11-05 22:13 - 2015-11-05 22:13 - 00000000 ____D C:\FRST
2015-11-05 11:51 - 2015-11-05 11:51 - 00068296 _____ C:\Users\Joe\AppData\Local\GDIPFONTCACHEV1.DAT
2015-11-05 10:32 - 2015-11-05 10:35 - 00016330 _____ C:\Windows\setupact.log
2015-11-05 10:32 - 2015-11-05 10:32 - 00296320 _____ C:\Windows\system32\FNTCACHE.DAT
2015-11-05 10:32 - 2015-11-05 10:32 - 00000000 _____ C:\Windows\setuperr.log
2015-11-03 21:31 - 2015-11-03 21:31 - 00000000 ____D C:\Users\Joe\Desktop\Tweaking.com - svchost.exe Lookup Tool
2015-11-03 19:51 - 2015-10-20 12:46 - 02955776 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-11-03 19:51 - 2015-10-20 12:46 - 02061824 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-11-03 19:51 - 2015-10-20 12:46 - 00566784 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-11-03 19:51 - 2015-10-20 12:46 - 00174080 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-11-03 19:51 - 2015-10-20 12:46 - 00093696 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-11-03 19:51 - 2015-10-20 12:46 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-11-03 19:51 - 2015-10-20 12:46 - 00030208 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2015-11-03 19:51 - 2015-10-20 12:45 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-11-03 19:51 - 2015-10-20 12:45 - 00073728 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2015-11-03 19:51 - 2015-10-20 12:45 - 00035328 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-11-03 19:51 - 2015-10-20 12:45 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2015-11-03 10:44 - 2015-11-03 20:58 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-11-01 11:37 - 2013-08-28 20:50 - 00619520 _____ (Microsoft Corporation) C:\Windows\system32\tdh.dll
2015-11-01 11:37 - 2013-08-28 20:48 - 00640512 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2015-11-01 10:07 - 2015-09-14 14:53 - 02385920 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-11-01 01:11 - 2015-07-14 21:54 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2015-10-31 23:11 - 2015-11-05 22:07 - 01448959 _____ C:\Windows\WindowsUpdate.log
2015-10-31 20:35 - 2015-10-31 20:35 - 00000711 _____ C:\Users\Joe\Desktop\JRT.txt
2015-10-31 20:23 - 2015-10-31 20:23 - 01801288 _____ (Malwarebytes) C:\Users\Joe\Desktop\JRT.exe
2015-10-30 09:38 - 2015-11-05 22:13 - 01702400 _____ (Farbar) C:\Users\Joe\Desktop\FRST.exe
2015-10-27 22:10 - 2015-10-27 22:23 - 00001753 _____ C:\Users\Public\Desktop\iTunes.lnk
2015-10-27 22:10 - 2015-10-27 22:23 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2015-10-27 22:07 - 2015-10-27 22:10 - 00000000 ____D C:\Program Files\iTunes
2015-10-27 22:07 - 2015-10-27 22:07 - 00000000 ____D C:\Program Files\iPod
2015-10-27 11:49 - 2015-10-27 11:49 - 00000000 ____D C:\Windows\wsusoffline102
2015-10-25 19:56 - 2015-10-26 18:53 - 00000000 ____D C:\Users\Joe\Desktop\mbar
2015-10-24 13:37 - 2015-10-30 09:41 - 00000000 ____D C:\Program Files\FRST
2015-10-24 12:43 - 2015-10-24 12:43 - 00001515 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2015-10-24 11:39 - 2015-10-24 11:39 - 00000000 ____D C:\Program Files\Common Files\Java
2015-10-24 11:28 - 2015-05-29 02:43 - 00303744 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmcomm.sys
2015-10-23 23:53 - 2015-10-24 12:37 - 00000000 ____D C:\Program Files\Java
2015-10-23 23:53 - 2015-10-24 12:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-10-23 23:53 - 2015-10-24 11:37 - 00095840 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2015-10-23 22:17 - 2015-11-02 13:24 - 00000000 ____D C:\Program Files\EEK
2015-10-23 10:08 - 2015-10-23 10:08 - 00000218 _____ C:\Users\Joe\AppData\Local\recently-used.xbel
2015-10-14 22:13 - 2015-10-14 22:13 - 00000207 _____ C:\Windows\tweaking.com-regbackup-JOE-PC-Windows-7-Ultimate-(32-bit).dat
2015-10-14 13:27 - 2015-11-03 10:50 - 00001105 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-10-14 11:45 - 2015-11-02 12:53 - 00000000 ____D C:\ProgramData\Emsisoft
2015-10-14 10:25 - 2015-11-02 12:51 - 00000000 ____D C:\Program Files\Emsisoft Anti-Malware
2015-10-14 10:25 - 2015-10-14 12:09 - 00114200 _____ (Emsisoft GmbH) C:\Windows\system32\Drivers\epp32.sys
2015-10-13 23:27 - 2015-10-13 23:27 - 00448512 _____ (OldTimer Tools) C:\Users\Joe\Desktop\TFC.exe
2015-10-13 18:19 - 2015-09-28 22:05 - 03990976 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-10-13 18:19 - 2015-09-28 22:05 - 03936192 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-10-13 18:19 - 2015-09-28 22:02 - 01308160 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-10-13 18:19 - 2015-09-28 21:59 - 00655360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2015-10-13 18:19 - 2015-09-28 21:59 - 00552960 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-10-13 18:19 - 2015-09-28 21:59 - 00400896 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-10-13 18:19 - 2015-09-28 21:59 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-10-13 18:19 - 2015-09-28 21:59 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-10-13 18:19 - 2015-09-28 21:59 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-10-13 18:19 - 2015-09-28 21:59 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-10-13 18:19 - 2015-09-28 21:58 - 00262656 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-10-13 18:19 - 2015-09-28 21:58 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-10-13 18:19 - 2015-09-28 21:58 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-10-13 18:19 - 2015-09-28 21:58 - 00038912 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-10-13 18:19 - 2015-09-28 21:58 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2015-10-13 18:19 - 2015-09-28 21:58 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-10-13 18:19 - 2015-09-28 21:53 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-10-13 18:19 - 2015-09-28 21:53 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-10-13 18:19 - 2015-09-28 21:49 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-10-13 18:19 - 2015-09-28 21:49 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2015-10-13 18:19 - 2015-09-28 20:43 - 00225792 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2015-10-13 18:19 - 2015-09-28 20:43 - 00124416 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2015-10-13 18:19 - 2015-09-28 20:43 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2015-10-13 18:19 - 2015-09-15 12:42 - 00139096 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-10-13 18:19 - 2015-09-15 12:42 - 00067520 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-10-13 18:19 - 2015-09-15 12:36 - 01061376 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-10-13 18:19 - 2015-09-15 12:36 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-10-13 18:19 - 2015-09-15 12:36 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-10-13 18:19 - 2015-09-15 12:36 - 00100352 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-10-13 18:19 - 2015-09-15 12:36 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-10-13 18:19 - 2015-09-15 12:36 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-10-13 18:19 - 2015-09-15 12:35 - 00022528 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-10-13 18:18 - 2015-10-01 12:50 - 00096768 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2015-10-13 18:18 - 2015-10-01 12:50 - 00050688 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2015-10-13 18:18 - 2015-10-01 12:50 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2015-10-13 18:18 - 2015-10-01 12:50 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2015-10-13 18:18 - 2015-10-01 12:50 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2015-10-13 18:18 - 2015-10-01 11:53 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2015-10-13 18:18 - 2015-08-06 12:44 - 12875776 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2015-10-13 18:18 - 2015-08-06 12:44 - 01498624 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll
2015-10-13 18:17 - 2015-09-18 13:58 - 00345688 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-10-13 18:17 - 2015-09-15 22:58 - 20357632 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-10-13 18:17 - 2015-09-15 22:45 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-10-13 18:17 - 2015-09-15 22:45 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-10-13 18:17 - 2015-09-15 22:33 - 00504832 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-10-13 18:17 - 2015-09-15 22:33 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-10-13 18:17 - 2015-09-15 22:32 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-10-13 18:17 - 2015-09-15 22:32 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-10-13 18:17 - 2015-09-15 22:31 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-10-13 18:17 - 2015-09-15 22:28 - 02279936 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-10-13 18:17 - 2015-09-15 22:26 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-10-13 18:17 - 2015-09-15 22:26 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-10-13 18:17 - 2015-09-15 22:24 - 00480256 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-10-13 18:17 - 2015-09-15 22:23 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-10-13 18:17 - 2015-09-15 22:23 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-10-13 18:17 - 2015-09-15 22:22 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-10-13 18:17 - 2015-09-15 22:22 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-10-13 18:17 - 2015-09-15 22:18 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-10-13 18:17 - 2015-09-15 22:15 - 00416256 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-10-13 18:17 - 2015-09-15 22:10 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-10-13 18:17 - 2015-09-15 22:07 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-10-13 18:17 - 2015-09-15 22:06 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-10-13 18:17 - 2015-09-15 22:05 - 04527616 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-10-13 18:17 - 2015-09-15 22:05 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-10-13 18:17 - 2015-09-15 22:04 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2015-10-13 18:17 - 2015-09-15 21:58 - 12853760 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-10-13 18:17 - 2015-09-15 21:58 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2015-10-13 18:17 - 2015-09-15 21:56 - 00689152 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-10-13 18:17 - 2015-09-15 21:56 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-10-13 18:17 - 2015-09-15 21:55 - 02052608 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-10-13 18:17 - 2015-09-15 21:55 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-10-13 18:17 - 2015-09-15 21:37 - 02011136 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-10-13 18:17 - 2015-09-15 21:34 - 01311232 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-10-13 18:17 - 2015-09-15 21:32 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-10-08 09:41 - 2015-10-08 09:41 - 00098520 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\246E7A2B.sys
2015-10-07 22:19 - 2015-10-07 22:20 - 00003935 _____ C:\Windows\system32\drivers.txt

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-05 21:16 - 2015-04-12 22:20 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-11-05 15:41 - 2010-11-20 16:01 - 00776356 _____ C:\Windows\system32\PerfStringBackup.INI
2015-11-05 13:42 - 2011-02-21 18:02 - 00000000 ___DC C:\Users\Joe\Documents\Health Insurance
2015-11-05 10:41 - 2015-04-08 12:37 - 00009712 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-11-05 10:41 - 2015-04-08 12:37 - 00009712 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-11-05 10:33 - 2015-04-10 17:27 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2015-11-05 10:33 - 2009-07-13 23:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-11-05 01:15 - 2015-07-05 18:44 - 00000000 ____D C:\Users\Joe\AppData\LocalLow\Adblock Plus for IE
2015-11-05 00:36 - 2015-05-13 12:51 - 00000000 ____D C:\Users\Joe\Desktop\Mlwre Tools
2015-11-05 00:34 - 2015-04-22 14:11 - 00000000 ____D C:\Users\Joe\AppData\Roaming\Wise Registry Cleaner
2015-11-05 00:31 - 2015-04-20 14:13 - 00000000 ____D C:\Users\Joe\AppData\Roaming\Wise Disk Cleaner
2015-11-05 00:29 - 2015-04-13 13:42 - 00000000 ____D C:\Program Files\CCleaner
2015-11-05 00:17 - 2015-05-05 22:36 - 00035064 _____ C:\Windows\system32\Drivers\TrueSight.sys
2015-11-03 21:04 - 2015-08-26 22:02 - 00000000 ____D C:\Users\Joe
2015-11-03 21:00 - 2011-09-03 15:45 - 00000000 ___DC C:\Users\Joe\Desktop\Tools
2015-11-03 20:45 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\system32\NDF
2015-11-03 14:42 - 2015-04-17 22:13 - 00000000 ____D C:\Users\Joe\AppData\Roaming\vlc
2015-11-03 11:45 - 2013-11-11 14:48 - 00000000 ___DC C:\Users\Joe\Documents\Personal Health
2015-11-03 10:50 - 2015-04-10 08:54 - 00001117 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-11-03 10:45 - 2015-04-10 08:54 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-11-02 09:43 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\Help
2015-11-02 01:29 - 2015-04-20 13:22 - 00000000 ____D C:\Program Files\MSECache
2015-11-01 11:16 - 2015-08-28 04:08 - 00000000 ___SD C:\Windows\system32\CompatTel
2015-11-01 11:16 - 2015-08-28 04:08 - 00000000 ____D C:\Windows\system32\appraiser
2015-10-31 22:52 - 2015-08-21 18:14 - 00002117 _____ C:\Users\Joe\Desktop\Tweaking.com - Windows Repair.lnk
2015-10-31 20:15 - 2015-06-09 11:41 - 00000000 ____D C:\Users\Joe\AppData\Roaming\WiseUpdate
2015-10-28 01:11 - 2015-04-23 23:24 - 00000000 ____D C:\ProgramData\Apple Computer
2015-10-28 01:11 - 2015-04-23 23:22 - 00000000 ____D C:\ProgramData\Apple
2015-10-27 22:07 - 2015-04-23 23:22 - 00000000 ____D C:\Program Files\Common Files\Apple
2015-10-27 13:04 - 2015-04-13 13:42 - 00000965 _____ C:\Users\Public\Desktop\CCleaner.lnk
2015-10-26 13:32 - 2015-05-20 14:44 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-10-26 13:27 - 2015-04-10 09:00 - 00094936 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-10-25 20:57 - 2015-04-10 09:00 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-10-25 11:40 - 2015-04-13 23:28 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2015-10-23 23:54 - 2015-04-10 08:56 - 00000000 ____D C:\ProgramData\Oracle
2015-10-17 10:17 - 2015-04-10 08:56 - 00000000 ____D C:\Users\Joe\AppData\Local\Adobe
2015-10-17 10:15 - 2015-04-13 13:33 - 00780488 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-10-17 10:15 - 2015-04-13 13:33 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-10-17 09:50 - 2015-04-10 08:57 - 00000000 ____D C:\Program Files\7-Zip
2015-10-16 14:00 - 2015-04-10 09:00 - 00001060 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-10-16 14:00 - 2015-04-10 09:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-10-16 12:32 - 2015-07-14 20:16 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-10-15 23:20 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\registration
2015-10-15 21:42 - 2015-04-10 20:16 - 00000000 ____D C:\Users\Joe\AppData\Local\Apps\2.0
2015-10-14 21:55 - 2009-07-13 21:37 - 00000000 __RHD C:\Users\Default
2015-10-13 23:49 - 2015-04-07 17:09 - 00000000 ____D C:\Users\Joe\AppData\Local\VirtualStore
2015-10-13 22:48 - 2015-04-08 16:57 - 00000000 ____D C:\Windows\system32\MRT
2015-10-12 11:48 - 2009-08-14 08:21 - 00000000 ___DC C:\Users\Joe\Documents\Employment
2015-10-07 01:18 - 2015-08-23 16:32 - 00000000 ____D C:\Program Files\Defraggler

==================== Files in the root of some directories =======

2015-10-31 21:33 - 2015-10-31 21:37 - 0001852 _____ () C:\Users\Joe\AppData\Local\MediaCopeLogTemp.txt
2015-10-23 10:08 - 2015-10-23 10:08 - 0000218 _____ () C:\Users\Joe\AppData\Local\recently-used.xbel
2015-08-30 15:01 - 2015-08-30 15:04 - 0007654 _____ () C:\Users\Joe\AppData\Local\resmon.resmoncfg

Some files in TEMP:
====================
C:\Users\Joe\AppData\Local\temp\dllnt_dump.dll
C:\Users\Joe\AppData\Local\temp\namebench.exe
C:\Users\Joe\AppData\Local\temp\python27.dll
C:\Users\Joe\AppData\Local\temp\tcl85.dll
C:\Users\Joe\AppData\Local\temp\tk85.dll

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-11-05 14:52

==================== End of FRST.txt ============================



#7 polskamachina


  • Malware Response Team
  • 4,004 posts
  • Gender:Male

Posted 06 November 2015 - 01:21 AM

Hi fjrules :)

I'm not seeing the addition.txt attachment. Here's how to retrieve it:

  • Please open Notepad.
  • Click on File -> Open... and navigate to C:\FRST\Logs
  • Locate the Addition log whose file name will have the format of: Addition_day_month_year_time.txt
  • Double-click this file and it will open.
  • Copy and paste the entire contents of the file into your next reply to me.

Let me know if you have any questions.

polskamachina



#8 fjrules

  • Topic Starter

  • Members
  • 130 posts

Posted 06 November 2015 - 12:25 PM

Additional scan result of Farbar Recovery Scan Tool (x86) Version:05-11-2015
Ran by Joe (2015-11-05 22:14:24)
Running from C:\Users\Joe\Desktop
Microsoft Windows 7 Ultimate  Service Pack 1 (X86) (2015-08-27 14:01:42)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-956595361-2088304539-1011358878-500 - Administrator - Disabled)
Guest (S-1-5-21-956595361-2088304539-1011358878-501 - Limited - Disabled)
Joe (S-1-5-21-956595361-2088304539-1011358878-1000 - Administrator - Enabled) => C:\Users\Joe
UpdatusUser (S-1-5-21-956595361-2088304539-1011358878-1004 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 15.09 beta (HKLM\...\7-Zip) (Version: 15.09 - Igor Pavlov)
Adblock Plus for IE (32-bit) (HKLM\...\{E93152F1-E3AE-4B2A-9BAC-F770203F67E5}) (Version: 1.5 - Eyeo GmbH)
Adobe Acrobat Reader DC (HKLM\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.009.20069 - Adobe Systems Incorporated)
Adobe Flash Player 19 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 19.0.0.226 - Adobe Systems Incorporated)
Adobe Flash Player 19 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 19.0.0.226 - Adobe Systems Incorporated)
AMDAway INF (HKLM\...\AMDAway INF) (Version:  - )
Apple Application Support (32-bit) (HKLM\...\{649A1FD9-5892-46AD-8DF0-C4A43FF61CB7}) (Version: 4.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{9A629DCB-415D-4A50-85B9-5C2E4F8F74A8}) (Version: 9.1.0.6 - Apple Inc.)
Avast Free Antivirus (HKLM\...\Avast) (Version: 10.4.2233 - AVAST Software)
Belkin Desktop PCI Card Driver (HKLM\...\{50D47CE8-9C16-42D1-A8D8-B143B22E232A}) (Version: 1.12.0005 - Belkin)
CCleaner (HKLM\...\CCleaner) (Version: 5.11 - Piriform)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Defraggler (HKLM\...\Defraggler) (Version: 2.19 - Piriform)
Device Remover (HKLM\...\{EFA597E4-73D3-4142-90DB-BE28E5589F99}_is1) (Version: 0.9 - Kerem Gümrükcü)
Firefox Preloader (HKLM\...\Firefox Preloader_is1) (Version: 1.0.366.0 - 6XGate Incorporated)
Free Video Cutter 1.2 (HKLM\...\FreeVideoCutter) (Version:  - Tomatosoft)
HP Deskjet 3050A J611 series Basic Device Software (HKLM\...\{AB2228C5-EA86-44E1-AFF6-58B9CC260CE3}) (Version: 23.0.504.0 - Hewlett-Packard Co.)
Internet Explorer (Enable DEP) (HKLM\...\{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb) (Version:  - )
iTunes (HKLM\...\{8862F11A-A9A0-4899-9F50-B5A79F12F3C2}) (Version: 12.3.1.23 - Apple Inc.)
Java 8 Update 66 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218066F0}) (Version: 8.0.660.17 - Oracle Corporation)
Malwarebytes Anti-Exploit version 1.07.1.1015 (HKLM\...\Malwarebytes Anti-Exploit_is1) (Version: 1.07.1.1015 - Malwarebytes)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Media Cope 4.0 (HKLM\...\Media Cope_is1) (Version:  - Media Cope)
Microsoft Office 2000 SR-1 Premium (HKLM\...\{00000409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.3821 - Microsoft Corporation)
Microsoft Office 2003 Primary Interop Assemblies (HKLM\...\{91490409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.6553.0 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Standard Edition 2003 (HKLM\...\{91120409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 RC Redistributable (x86) - 14.0.22816 (HKLM\...\{714692fa-709b-4925-8170-821d51135f42}) (Version: 14.0.22816.0 - Microsoft Corporation)
Mozilla Firefox 42.0 (x86 en-US) (HKLM\...\Mozilla Firefox 42.0 (x86 en-US)) (Version: 42.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 42.0.0.5780 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.10.62.40 - NVIDIA Corporation)
QuickBooks (Version: 23.0.4012.2305 - Intuit Inc.) Hidden
QuickBooks Pro 2013 (HKLM\...\{3C631966-387E-4054-85D9-BBFFABE32BD8}) (Version: 23.0.4012.2305 - Intuit Inc.)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7541 - )
Revo Uninstaller 1.95 (HKLM\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1186 - SUPERAntiSpyware.com)
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Tweaking.com - Registry Compressor (HKLM\...\Tweaking.com - Registry Compressor) (Version: 1.1.0 - Tweaking.com)
Tweaking.com - Simple System Tweaker (HKLM\...\Tweaking.com - Simple System Tweaker) (Version: 2.2.0 - Tweaking.com)
Tweaking.com - Windows Repair (HKLM\...\Tweaking.com - Windows Repair) (Version: 3.6.1 - Tweaking.com)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.1 - VideoLAN)
Wise Disk Cleaner 8.84 (HKLM\...\Wise Disk Cleaner_is1) (Version: 8.84 - WiseCleaner.com, Inc.)
Wise Registry Cleaner 8.81 (HKLM\...\Wise Registry Cleaner_is1) (Version: 8.81 - WiseCleaner.com, Inc.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{05EC5C13-D255-4592-9CCB-98615172F0D6}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{0ADF9C35-0D5E-4B75-88DD-B64868907E17}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{123FAF7F-3FB1-4B8F-AD18-0047401D436A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{23CEE673-F947-4d94-9D54-F4BA00C8B73D}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2013\QBW32.EXE (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{37A2FC00-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{37A2FC02-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{3CDEA288-D759-4C3B-B07F-7AFBCC842D98}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{4716D3CE-55DB-4D2A-818C-87D912895890}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{4844F3F7-2161-4AC4-B219-B3B4311782AA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{4A56F19E-9F50-4F43-93C8-050E44AA83A9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{4E5E74B5-8EB5-4859-A335-837EED412620}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{5428A9ED-6CD8-11D6-9C8A-0001023DCAA2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{547C8F00-5567-4AE3-8BB0-CC3CE2AB9070}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{57D590F1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{596801D8-2C9D-4627-9C67-195CB81B655A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{5B7331FA-8910-4748-A8A4-60B445041F28}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{5ED8AC89-B2DE-476D-8EEA-E170B2FCB058}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{7694F1CD-A55B-4B7C-8820-A90892EB4E9E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{7DBF8260-30AD-4D1B-876A-8032B87B809F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{828E5386-74CF-4019-B356-C857CD028A7D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{82CC31B3-53B4-4161-A4E9-6B4F1290A6C8}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{8572570D-12D9-4F2C-8BB8-EB8848178B94}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{8E590317-1329-11D1-B70B-00805F29CD16}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2013\QBW32.EXE (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{8FEDE364-AB37-4551-80C9-6D468E222AB2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{9D9B61F2-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{9D9B61F3-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{9D9B61F4-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{9D9B61F5-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{9D9B61F6-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{9D9B61F7-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{A63E42D0-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{A63E42D2-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{AF5E0A13-CEAB-47CE-991D-77E82CD1BF3F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{B10BFAC3-EFF1-40D9-ADA0-BEBE037C24CA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{B66F2BF1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{D14FD6B3-6A9F-4537-9460-07B836707127}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{D4A12AAF-E15E-470B-A6B6-63032186F91F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{D9B9C060-0954-11D3-9E07-00104BD2BE34}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSource.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{D9BC6F81-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{D9BC6F84-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{D9BC6F87-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{D9BC6FA1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{D9BC6FA6-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{D9BC6FB2-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\StorageClasses.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{DCB2B478-EFF6-48F6-B718-13E98876854E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{DFD0AF10-B86C-4AF3-B609-1348D513E565}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{E1A173E1-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{E1A173E3-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{EADA914E-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{EAEF733D-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{F2C593CC-74B2-4F71-8556-DD4D426D0409}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{FAC93D42-FFC2-11d1-9DEB-0008C7A08EBA}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2013\QBW32.EXE (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-956595361-2088304539-1011358878-1000_Classes\CLSID\{FB17915F-06D1-4214-A902-CC5EE05186E9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

==================== Restore Points =========================

14-10-2015 23:24:08 Created by Wise Disk Cleaner
19-10-2015 17:38:22 JRT Pre-Junkware Removal
21-10-2015 08:07:14 Windows Backup
25-10-2015 21:02:28 JRT Pre-Junkware Removal
28-10-2015 01:06:30 Revo Uninstaller's restore point - Apple Software Update
30-10-2015 13:32:56 Windows Update
03-11-2015 19:51:22 Windows Update

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 05:23 - 2015-10-14 22:50 - 00000855 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {544020C9-FD51-4D79-B914-B6FA5DBBF456} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-10-19] (Piriform Ltd)
Task: {67E46649-C062-42C4-85B8-1462EB9FCC84} - System32\Tasks\Tweaking.com - Windows Repair Tray Icon => C:\Program Files\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe [2015-03-11] (Tweaking.com)
Task: {769062B3-A98C-4335-846B-5C6CF3028220} - System32\Tasks\{F7882A4C-795E-4CF4-9642-ACE82E92109D} => pcalua.exe -a C:\Users\Joe\Downloads\jxpiinstall.exe -d C:\Users\Joe\Downloads
Task: {A71E2ADF-D78E-4495-B4D0-79DBA94D5194} - System32\Tasks\WiseCleaner\WRCSkipUAC => C:\Program Files\Wise\Wise Registry Cleaner\WiseRegCleaner.exe [2015-10-27] (WiseCleaner.com)
Task: {E19077D1-3A5E-43B9-BA53-F033BBA274CF} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2015-09-23] (AVAST Software)
Task: {E5920D3C-8E51-4EE5-BC19-EB76A67C8576} - System32\Tasks\WiseCleaner\WDCSkipUAC => C:\Program Files\Wise\Wise Disk Cleaner\WiseDiskCleaner.exe [2015-10-14] (WiseCleaner.com)
Task: {F44592D3-7718-4E21-A982-02620284864C} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-10-28] (Adobe Systems Incorporated)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Loaded Modules (Whitelisted) ==============

2015-09-23 13:09 - 2015-09-23 13:09 - 00103376 _____ () C:\Program Files\AVAST Software\Avast\log.dll
2015-09-23 13:09 - 2015-09-23 13:09 - 00123976 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2015-11-04 17:48 - 2015-11-04 17:48 - 02990080 _____ () C:\Program Files\AVAST Software\Avast\defs\15110401\algo.dll
2015-11-05 10:36 - 2015-11-05 10:36 - 02990080 _____ () C:\Program Files\AVAST Software\Avast\defs\15110500\algo.dll
2015-09-23 13:09 - 2015-09-23 13:10 - 40539648 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2011-03-30 16:19 - 2011-03-30 16:19 - 01841000 _____ () C:\Windows\system32\HPScanTRDrv_DJ3050A_J611.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WSService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WSService => ""="Service"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-956595361-2088304539-1011358878-1000\...\google.com -> hxxps://www.google.com
IE trusted site: HKU\S-1-5-21-956595361-2088304539-1011358878-1000\...\microsoft.com -> hxxp://*.windowsupdate.microsoft.com
IE trusted site: HKU\S-1-5-21-956595361-2088304539-1011358878-1000\...\windowsupdate.com -> hxxp://windowsupdate.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-956595361-2088304539-1011358878-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 198.6.1.3 - 71.242.0.12
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Intuit Data Protect.lnk => C:\Windows\pss\Intuit Data Protect.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk => C:\Windows\pss\QuickBooks Update Agent.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks_Standard_21.lnk => C:\Windows\pss\QuickBooks_Standard_21.lnk.CommonStartup
MSCONFIG\startupreg: Intuit SyncManager => C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe  startup
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: Logitech Download Assistant => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
MSCONFIG\startupreg: OffCAT => "C:\Users\Joe\AppData\Local\Microsoft\OffCAT\OffCAT_RTS.exe"
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [UDP Query User{7D098088-A0B1-41E2-916B-E0DD597E56EC}C:\windows\system32\mmc.exe] => (Allow) C:\windows\system32\mmc.exe
FirewallRules: [TCP Query User{FDB40F82-6DF6-4AB1-AEE7-ACFA95F2CEB3}C:\windows\system32\mmc.exe] => (Allow) C:\windows\system32\mmc.exe
FirewallRules: [{740197B5-9B91-43DC-9448-5F2FAA99E4ED}] => (Allow) LPort=48113
FirewallRules: [{3733C92E-EC05-4014-B40F-9E9C9CEC76FE}] => (Allow) LPort=48113
FirewallRules: [{8C4C9F01-E6ED-4EE4-A861-ED9D6069E637}] => (Allow) LPort=1900
FirewallRules: [{DC5FA52D-2EA4-4A63-8CD3-CE3CF4B3D717}] => (Allow) LPort=2869
FirewallRules: [{5E7FA09E-E88A-4B2A-870B-C84B0F84DAE4}] => (Allow) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
FirewallRules: [{161A3C92-E922-4B7B-869F-D2A653E500B0}] => (Allow) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
FirewallRules: [{3E151C19-2E58-4674-8F52-41CC7BE579D9}] => (Allow) C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\HPNetworkCommunicator.exe
FirewallRules: [{2A4ADBA3-F794-49BB-88D6-9E2A9E3903AE}] => (Allow) C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\DeviceSetup.exe
FirewallRules: [{B090623D-E700-4C76-92C8-40CB8B6926BE}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{B59F637C-41B8-4DAC-B195-FE04C25DE545}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{BC96F977-4923-4AD8-B661-DACDC7F446D4}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{1B1D4144-048F-4FA0-9D6A-0F734076156E}] => (Allow) C:\Program Files\CCleaner\CCleaner.exe
FirewallRules: [{E49F43D1-A17B-4EA0-92F8-6EB6DB873169}] => (Allow) C:\Program Files\CCleaner\CCleaner.exe
FirewallRules: [{4D93C549-6841-4E1B-A55E-49525B0ADEA7}] => (Allow) C:\Program Files\CCleaner\CCleaner.exe
FirewallRules: [{D570D2E9-333E-4E9B-AB89-037A6AC2D3C0}] => (Allow) C:\Program Files\CCleaner\CCleaner.exe
FirewallRules: [{3D73FEAC-1225-4941-A293-B1346AB35A6B}] => (Allow) C:\Program Files\CCleaner\CCEnhancer-4.3.exe
FirewallRules: [{CD416525-5505-4FAA-A771-EFA37AAF0C06}] => (Allow) C:\Program Files\CCleaner\CCEnhancer-4.3.exe
FirewallRules: [{4DA46B97-A167-4CDB-9CED-634D10E10D83}] => (Allow) C:\Program Files\CCleaner\CCEnhancer-4.3.exe
FirewallRules: [{1635A038-5F2E-49FA-B43B-D5FDDBE42425}] => (Allow) C:\Program Files\CCleaner\CCEnhancer-4.3.exe
FirewallRules: [{C776733F-128E-4B3E-9FF1-573B71FB20FC}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{3C501349-DC50-465C-8EF6-209A67C37A26}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{925DECE4-37EB-4A57-AD71-1E37C3C09E1E}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Faulty Device Manager Devices =============

Name: WPD FileSystem Volume Driver
Description: WPD FileSystem Volume Driver
Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Manufacturer: Microsoft
Service: WUDFRd
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: WPD FileSystem Volume Driver
Description: WPD FileSystem Volume Driver
Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Manufacturer: Microsoft
Service: WUDFRd
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: WPD FileSystem Volume Driver
Description: WPD FileSystem Volume Driver
Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Manufacturer: Microsoft
Service: WUDFRd
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: WPD FileSystem Volume Driver
Description: WPD FileSystem Volume Driver
Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Manufacturer: Microsoft
Service: WUDFRd
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: USB Mass Storage Device
Description: USB Mass Storage Device
Class Guid: {36fc9e60-c465-11cf-8056-444553540000}
Manufacturer: Compatible USB storage device
Service: USBSTOR
Problem: : Windows cannot use this hardware device because it has been prepared for safe removal, but it has not been removed from the computer. (Code 47)
Resolution: Unplug the device, and then plug it in again. Alternately, restart the computer to make the device available.

==================== Event log errors: =========================

Application errors:
==================
Error: (11/05/2015 01:08:31 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Procmon.exe, version: 3.20.0.0, time stamp: 0x5563c057
Faulting module name: Procmon.exe, version: 3.20.0.0, time stamp: 0x5563c057
Exception code: 0xc0000005
Fault offset: 0x0005d889
Faulting process id: 0x8dc
Faulting application start time: 0xProcmon.exe0
Faulting application path: Procmon.exe1
Faulting module path: Procmon.exe2
Report Id: Procmon.exe3

Error: (11/05/2015 01:08:15 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Procmon.exe, version: 3.20.0.0, time stamp: 0x5563c057
Faulting module name: Procmon.exe, version: 3.20.0.0, time stamp: 0x5563c057
Exception code: 0xc0000005
Fault offset: 0x0005d889
Faulting process id: 0xe04
Faulting application start time: 0xProcmon.exe0
Faulting application path: Procmon.exe1
Faulting module path: Procmon.exe2
Report Id: Procmon.exe3

Error: (11/05/2015 01:07:51 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Procmon.exe, version: 3.20.0.0, time stamp: 0x5563c057
Faulting module name: Procmon.exe, version: 3.20.0.0, time stamp: 0x5563c057
Exception code: 0xc0000005
Fault offset: 0x0005d889
Faulting process id: 0x6dc
Faulting application start time: 0xProcmon.exe0
Faulting application path: Procmon.exe1
Faulting module path: Procmon.exe2
Report Id: Procmon.exe3

Error: (11/05/2015 12:58:15 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Procmon.exe, version: 3.20.0.0, time stamp: 0x5563c057
Faulting module name: Procmon.exe, version: 3.20.0.0, time stamp: 0x5563c057
Exception code: 0xc0000005
Fault offset: 0x0005d889
Faulting process id: 0xce0
Faulting application start time: 0xProcmon.exe0
Faulting application path: Procmon.exe1
Faulting module path: Procmon.exe2
Report Id: Procmon.exe3

Error: (11/05/2015 12:57:45 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Procmon.exe, version: 3.20.0.0, time stamp: 0x5563c057
Faulting module name: Procmon.exe, version: 3.20.0.0, time stamp: 0x5563c057
Exception code: 0xc0000005
Fault offset: 0x0005d889
Faulting process id: 0xcc0
Faulting application start time: 0xProcmon.exe0
Faulting application path: Procmon.exe1
Faulting module path: Procmon.exe2
Report Id: Procmon.exe3

Error: (11/05/2015 12:37:01 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 42.0.0.5780, time stamp: 0x5632d0a4
Faulting module name: mozglue.dll, version: 42.0.0.5780, time stamp: 0x5632ba58
Exception code: 0x80000003
Fault offset: 0x0000ed50
Faulting process id: 0xdac
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3

Error: (11/03/2015 09:07:09 PM) (Source: ESENT) (EventID: 490) (User: )
Description: taskhost (456) WebCacheLocal: An attempt to open the file "C:\Users\Joe\AppData\Local\Microsoft\Windows\WebCache\V01.chk" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (11/03/2015 09:05:03 PM) (Source: Windows Search Service) (EventID: 7042) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (11/03/2015 09:05:03 PM) (Source: Windows Search Service) (EventID: 7010) (User: )
Description: The index cannot be initialized.

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (11/03/2015 09:05:03 PM) (Source: Windows Search Service) (EventID: 3058) (User: )
Description: The application cannot be initialized.

Context: Windows Application

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

System errors:
=============
Error: (11/05/2015 09:17:08 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1058

Error: (11/05/2015 09:17:08 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1058

Error: (11/05/2015 09:16:59 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1058

Error: (11/05/2015 09:16:59 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1058

Error: (11/05/2015 07:30:02 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (11/05/2015 07:13:28 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1058

Error: (11/05/2015 07:13:28 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1058

Error: (11/05/2015 07:13:19 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1058

Error: (11/05/2015 07:13:19 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1058

Error: (11/05/2015 05:10:46 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1058

CodeIntegrity:
===================================
  Date: 2015-08-04 10:19:53.248
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume1\$Windows.~BT\Updates\Critical\37529801-035b-4080-80e8-446c4887e8be\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

  Date: 2015-08-04 10:19:53.170
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume1\$Windows.~BT\Updates\Critical\37529801-035b-4080-80e8-446c4887e8be\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

  Date: 2015-08-04 10:19:53.123
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume1\$Windows.~BT\Updates\Critical\37529801-035b-4080-80e8-446c4887e8be\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

  Date: 2015-08-04 10:19:53.061
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume1\$Windows.~BT\Updates\Critical\37529801-035b-4080-80e8-446c4887e8be\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

  Date: 2015-08-04 10:19:47.694
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume1\$Windows.~BT\Updates\Critical\37529801-035b-4080-80e8-446c4887e8be\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.10074.1_none_47662a2706182d6f\wermgr.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

  Date: 2015-08-04 10:19:47.679
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume1\$Windows.~BT\Updates\Critical\37529801-035b-4080-80e8-446c4887e8be\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.10074.1_none_47662a2706182d6f\wermgr.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

  Date: 2015-08-04 10:19:47.679
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume1\$Windows.~BT\Updates\Critical\37529801-035b-4080-80e8-446c4887e8be\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.10074.1_none_47662a2706182d6f\wermgr.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

  Date: 2015-08-04 10:19:47.663
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume1\$Windows.~BT\Updates\Critical\37529801-035b-4080-80e8-446c4887e8be\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.10074.1_none_47662a2706182d6f\wermgr.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

  Date: 2015-07-30 14:30:14.594
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume1\$Windows.~BT\Updates\Critical\37529801-035b-4080-80e8-446c4887e8be\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

  Date: 2015-07-30 14:30:14.579
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume1\$Windows.~BT\Updates\Critical\37529801-035b-4080-80e8-446c4887e8be\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

==================== Memory info ===========================

Processor: AMD Athlon™ 64 X2 Dual Core Processor 4000+
Percentage of memory in use: 48%
Total physical RAM: 3518.49 MB
Available physical RAM: 1814.87 MB
Total Virtual: 4028.8 MB
Available Virtual: 2157.11 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:931.51 GB) (Free:772.77 GB) NTFS ==>[drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: E63346F5)
Partition 1: (Active) - (Size=931.5 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================



#9 fjrules

fjrules
  • Topic Starter

  • Members
  • 130 posts

Posted 07 November 2015 - 11:45 PM

When I received the BSOD I had just started running aswmbr (Avast Rootkit).

 

"The computer has rebooted from a bugcheck. The bugcheck was 0x000000f4."  Event ID 1001

 

"Unable to produce a minidump file from the full dump file." Event ID 1005

 

Earlier, after completing its work, Oldtimer TFC caused my computer to have to shut down.  The errors in my event log are:

 

"A critical system process, lsass.exe failed with status code 255.  The machine must now be restarted." faulting application lsass.exe, faulting module ntdll.dll.  Event ID 1000

 

The above descriptions are not verbatim as it doesn't allow me to cut them from event viewer and paste them here.



#10 polskamachina

polskamachina

  • Malware Response Team
  • 4,004 posts

Posted 08 November 2015 - 11:31 AM

Hi fjrules :)
 
Good job providing the details of your BSOD issues. I will need to research those further. In the meantime, please follow the instructions below and please don't run any tools unless instructed to do so. Thank you for your patience. :thumbup2:
 
I noticed you have a registry cleaner installed on your system. Though it sounds like a good idea to scrub your registry every so often, the conventional wisdom at Bleeping Computer is that it's not a great idea to let an automated program alter your registry. The feeling is, at best, your computer will still run ok afterward. At worst, it could remove things that may unintentionally disable certain functions. For example, programs may stop running or file associations may be broken.
 
Next, let's start with investigating the unresolved corruption in your systems files.
 
We need to run the SFC /SCANNOW Command

The sfc /scannow command (System File Checker) scans the integrity of all protected Windows system files and replaces incorrect, corrupted, changed/modified, or damaged versions with the correct versions if possible.

Note: Be aware that if you have modified your system files as in theming explorer/system files, running sfc /scannow will revert the system files such as explorer.exe back to their default state.

Note: Make the appropriate backups of your system files that you have modified for theming if you wish to save them before running sfc /scannow.

  • Click the Windows "Orb" button.
  • Type cmd.
  • Right click on the search result cmd.exe and click Run as Administrator.

Next:

  • Copy the following line of text and paste it into the black box.
    (right-click in the black box and choose paste)sfc /scannow
  • Press Enter to run the command.
    Note: This may take a while to finish.
  • If SFC could not fix something, then run the command again to see if it may be able to fix it the next time. Sometimes it may take running the sfc /scannow command three or more times to completely fix everything that it can.

Retrieving SFC /scannow log

  • Click the Windows "Orb" button.
  • Type cmd.
  • Right click on the search result cmd.exe and click Run as Administrator.
  • Copy the following line of text and paste it into the black box.
    (right-click in the black box and choose paste)
    findstr /c:"[SR]" %windir%\logs\cbs\cbs.log >> "%userprofile%\desktop\sfcdetails.txt"
  • Press Enter to run the command.
  • A text file sfcdetails.txt should appear on your desktop. Copy and paste the contents of the file in your next reply to me.

Next:

  • Make sure you have an active internet connection.
  • Please copy and paste the following text into Notepad:
    @ echo off
    echo. >> C:\Users\joe\Desktop\amihacked.txt
    netstat -b -o >> C:\Users\joe\Desktop\amihacked.txt
    start C:\Users\joe\Desktop\amihacked.txt
  • Save the Notepad file to your desktop as amihacked.bat
  • Open an elevated command prompt:
  • Type the following:
  • C:\Users\joe\Desktop\desktop\amihacked.bat
  • Press the Enter key.
  • A Notepad window will open up with the amihacked.txt file.
  • Close the command prompt window.
  • Copy and paste the contents of amihacked.txt into your next reply to me.

In summary I will need from you:

  • sfcdetails.txt
  • amihacked.txt

Let me know if you have any questions.
 
polskamachina
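
The [SR] lines that the findstr command above pulls out of CBS.log are terse, and sfcdetails.txt from several runs can contain hundreds of them. As an added example, not part of polskamachina's instructions or of any tool mentioned in this thread, the Python script below reads such a file and summarises which files SFC replaced from the component store and which it could not repair, with the reason CSI gave. The sample log text embedded in it is constructed in the shape of real CBS.log [SR] entries (the duplicated "Cannot repair" line mimics a second sfc run); it is not taken from the attachment posted in this thread.

```python
"""Summarise the [SR] lines extracted from %windir%\\Logs\\CBS\\CBS.log (sfcdetails.txt)."""
import re
import sys
from collections import Counter

# Constructed sample in the shape of CBS.log [SR] lines; not from this thread's attachment.
SAMPLE_CBS_LOG = r"""
2015-11-08 12:10:03, Info                  CSI    000001d8 [SR] Verifying 100 (0x0000000000000064) components
2015-11-08 12:10:03, Info                  CSI    000001d9 [SR] Beginning Verify and Repair transaction
2015-11-08 12:10:05, Info                  CSI    000001dc [SR] Cannot repair member file [l:36{18}]"Amd64\CNBJ2530.DPB" of prncacla.inf, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2015-11-08 12:10:06, Info                  CSI    000001de [SR] Repairing corrupted file [l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"prncacla.inf" from store
2015-11-08 12:10:06, Info                  CSI    000001df [SR] Repair complete
2015-11-08 12:10:06, Info                  CSI    000001e0 [SR] Verify and Repair Transaction completed. All files and registry keys listed in this transaction have been successfully repaired
2015-11-08 12:10:07, Info                  CBS    Exec: Processing complete.  Session: 30546354_1234567890
2015-11-08 12:40:05, Info                  CSI    00000211 [SR] Cannot repair member file [l:36{18}]"Amd64\CNBJ2530.DPB" of prncacla.inf, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
"""

# "<date> <time>, <level>   CSI   <hex seq> [SR] <message>"
SR_LINE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d), \w+\s+CSI\s+[0-9a-f]+ \[SR\] (?P<msg>.*)$')
# CSI writes file and directory names as [l:<bytes>{<chars>}]"name"
QUOTED = re.compile(r'\[l:\d+\{\d+\}\]"([^"]*)"')


def parse_sr_lines(text):
    """Yield (timestamp, message) for every [SR] line; everything else is skipped."""
    for line in text.splitlines():
        m = SR_LINE.match(line)
        if m:
            yield m.group('ts'), m.group('msg')


def triage_sfc_log(text):
    """Return counts, the files SFC replaced, and the files it gave up on (with CSI's reason)."""
    unrepairable = {}        # member file -> (owning component, reason), deduplicated across runs
    repaired = []            # full paths replaced from the component store
    completed_clean = False  # what the most recent transaction summary line reported
    counts = Counter()
    for _ts, msg in parse_sr_lines(text):
        counts['sr_lines'] += 1
        if msg.startswith('Cannot repair member file'):
            name = QUOTED.search(msg).group(1)
            component = msg.split(' of ', 1)[1].split(',', 1)[0]
            reason = msg.rsplit(', ', 1)[-1]          # e.g. "hash mismatch"
            unrepairable[name] = (component, reason)
        elif msg.startswith('Repairing corrupted file'):
            path = '\\'.join(QUOTED.findall(msg))    # directory token + file token
            if path.startswith('\\??\\'):              # drop the NT object-manager prefix
                path = path[4:]
            repaired.append(path)
        elif msg.startswith('Verify and Repair Transaction completed'):
            completed_clean = 'successfully repaired' in msg
    return {'sr_lines': counts['sr_lines'], 'unrepairable': unrepairable,
            'repaired': repaired, 'completed_clean': completed_clean}


def load_log(path):
    """CBS.log is plain text; tolerate stray bytes rather than abort on them."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        return fh.read()


if __name__ == '__main__':
    # Usage: python sfc_triage.py sfcdetails.txt   (falls back to the embedded sample)
    text = load_log(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CBS_LOG
    result = triage_sfc_log(text)
    print(f"[SR] lines: {result['sr_lines']}, last transaction clean: {result['completed_clean']}")
    for path in result['repaired']:
        print(f"repaired: {path}")
    for name, (component, reason) in result['unrepairable'].items():
        print(f"NOT repaired: {name} (from {component}): {reason}")
```

A "Cannot repair member file ... hash mismatch" entry that survives several runs names a file whose on-disk content no longer matches the component store. Before treating that as ordinary corruption, check the file's Authenticode signature (sigcheck from Sysinternals, or Get-AuthenticodeSignature in PowerShell) and compare its version with a known-good copy, since a modified system binary is exactly what SFC is there to catch.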



#11 fjrules

fjrules
  • Topic Starter

  • Members
  • 130 posts

Posted 08 November 2015 - 01:12 PM

I had to attach the sfcdetails because when I clicked "post" it said "post too long."  Please confirm you received it.

 

I couldn't get the amihacked to run in command prompt.  I got "cannot find path specified."

 

Thank you

Attached Files



#12 polskamachina

polskamachina

  • Malware Response Team
  • 4,004 posts

Posted 08 November 2015 - 01:40 PM

Hi fjrules :)
 
I received your attached sfcdetails.txt.
 
Regarding the path error in the batch file:

  • Open an elevated command prompt.
  • Manually type in each line, one at a time, of the following.
    echo. >> C:\Users\Joe\Desktop\amihacked.txt
    netstat -b -o >> C:\Users\Joe\Desktop\amihacked.txt
    start C:\Users\Joe\Desktop\amihacked.txt
  • Press the Enter key at the end of each line.
  • Tell me which line(s) is giving you an error.
  • If the commands complete successfully, please copy and paste amihacked.txt into your next reply to me.

polskamachina



#13 fjrules

fjrules
  • Topic Starter

  • Members
  • 130 posts

Posted 08 November 2015 - 03:02 PM

OK, I think it ran correctly...

 

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:12995        Joe-PC:52327           TIME_WAIT       0
  TCP    127.0.0.1:49195        Joe-PC:49196           ESTABLISHED     2288
 [firefox.exe]
  TCP    127.0.0.1:49196        Joe-PC:49195           ESTABLISHED     2288
 [firefox.exe]
  TCP    192.168.1.3:49157      fra08:http             ESTABLISHED     1320
 [AvastSvc.exe]
  TCP    192.168.1.3:51108      104.20.91.192:http     CLOSE_WAIT      1272
 [iexplore.exe]
  TCP    192.168.1.3:52320      ip-static-94-242-227-186:http  ESTABLISHED     2288
 [firefox.exe]
  TCP    192.168.1.3:52329      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52330      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52331      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52332      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52334      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52335      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52336      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52337      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52338      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52339      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52340      ord08s12-in-f0:https   ESTABLISHED     4724
 [iexplore.exe]
  TCP    192.168.1.3:52341      a23-206-186-212:https  ESTABLISHED     4724
 [iexplore.exe]
  TCP    192.168.1.3:52342      65.216.231.114:http    CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52343      65.216.231.114:http    ESTABLISHED     4724
 [iexplore.exe]
  TCP    192.168.1.3:52344      104.28.14.88:http      CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52345      104.28.14.88:http      CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52346      104.28.14.88:http      CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52347      104.28.14.88:http      CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52348      a23-206-183-222:http   ESTABLISHED     4724
 [iexplore.exe]
  TCP    192.168.1.3:52349      edge-star-mini-shv-01-lga3:https  ESTABLISHED     4724
 [iexplore.exe]
  TCP    192.168.1.3:52350      ord31s21-in-f13:https  ESTABLISHED     4724
 [iexplore.exe]
  TCP    192.168.1.3:52351      65.216.231.97:http     ESTABLISHED     1252
  CryptSvc
 [svchost.exe]
  TCP    192.168.1.3:52352      ord08s12-in-f0:https   ESTABLISHED     4724
 [iexplore.exe]
  TCP    192.168.1.3:52353      xx-fbcdn-shv-01-lga3:https  ESTABLISHED     4724
 [iexplore.exe]
  TCP    192.168.1.3:52354      ord08s12-in-f10:https  ESTABLISHED     4724
 [iexplore.exe]
  TCP    192.168.1.3:52355      ord08s12-in-f15:https  ESTABLISHED     4724
 [iexplore.exe]
 

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:49195        Joe-PC:49196           ESTABLISHED     2288
 [firefox.exe]
  TCP    127.0.0.1:49196        Joe-PC:49195           ESTABLISHED     2288
 [firefox.exe]
  TCP    192.168.1.3:49157      fra08:http             ESTABLISHED     1320
 [AvastSvc.exe]
  TCP    192.168.1.3:51108      104.20.91.192:http     CLOSE_WAIT      1272
 [iexplore.exe]
  TCP    192.168.1.3:52320      ip-static-94-242-227-186:http  ESTABLISHED     2288
 [firefox.exe]
  TCP    192.168.1.3:52329      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52330      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52331      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52332      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52334      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52335      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52336      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52337      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52338      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52339      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52340      ord08s12-in-f0:https   TIME_WAIT       0
  TCP    192.168.1.3:52343      65.216.231.114:http    TIME_WAIT       0
  TCP    192.168.1.3:52348      a23-206-183-222:http   TIME_WAIT       0
  TCP    192.168.1.3:52350      ord31s21-in-f13:https  TIME_WAIT       0
  TCP    192.168.1.3:52352      ord08s12-in-f0:https   TIME_WAIT       0
  TCP    192.168.1.3:52354      ord08s12-in-f10:https  TIME_WAIT       0
  TCP    192.168.1.3:52355      ord08s12-in-f15:https  TIME_WAIT       0
  TCP    192.168.1.3:52358      server-54-230-101-153:https  ESTABLISHED     2288
 [firefox.exe]
  TCP    192.168.1.3:52370      109.201.152.97:http    TIME_WAIT       0
  TCP    192.168.1.3:52401      109.201.152.97:http    TIME_WAIT       0
  TCP    192.168.1.3:52414      109.201.152.97:http    TIME_WAIT       0
  TCP    192.168.1.3:52415      109.201.152.97:http    TIME_WAIT       0
  TCP    192.168.1.3:52416      109.201.152.97:http    TIME_WAIT       0
  TCP    192.168.1.3:52425      ord08s12-in-f18:http   ESTABLISHED     2288
 [firefox.exe]
  TCP    192.168.1.3:52430      104.16.59.144:http     ESTABLISHED     2288
 [firefox.exe]
  TCP    192.168.1.3:52443      104.16.62.144:http     ESTABLISHED     2288
 [firefox.exe]
  TCP    192.168.1.3:52444      104.16.62.144:http     ESTABLISHED     2288
 [firefox.exe]
  TCP    192.168.1.3:52445      104.16.59.144:http     ESTABLISHED     2288
 [firefox.exe]
  TCP    192.168.1.3:52446      199.115.119.84:http    ESTABLISHED     2288
 [firefox.exe]
  TCP    192.168.1.3:52447      199.115.119.83:http    ESTABLISHED     2288
 [firefox.exe]
  TCP    192.168.1.3:52448      199.115.119.90:http    ESTABLISHED     2288
 [firefox.exe]
  TCP    192.168.1.3:52451      ord31s22-in-f10:http   ESTABLISHED     2288
 [firefox.exe]
  TCP    192.168.1.3:52452      go-008:http            ESTABLISHED     2288
 [firefox.exe]
  TCP    192.168.1.3:52453      go-008:http            ESTABLISHED     2288
 [firefox.exe]
  TCP    192.168.1.3:52454      go-008:http            TIME_WAIT       0
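
The list above is what Windows `netstat -b` prints: one line per socket, followed (where the owner could be resolved) by the owning executable in square brackets. The triage question the thread raises, which of these connections are accounted for by a known process, is easiest to answer by parsing the output and grouping it per process and state. The following Python script is an added example, not code from the thread or from any tool named in it; the sample output it parses is constructed in the same layout (with a `Can not obtain ownership information` line, which `netstat -b` prints for sockets whose owner it cannot name, and a UDP entry, which has no State column).

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of Windows "netstat -b" output (assumed: the
# Proto/Local/Foreign/State/PID table, owning executable on the following line).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.3:49157      fra08:http             ESTABLISHED     1320
 [AvastSvc.exe]
  TCP    192.168.1.3:51108      104.20.91.192:http     CLOSE_WAIT      1272
 [iexplore.exe]
  TCP    192.168.1.3:52329      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52330      104.20.92.192:http     CLOSE_WAIT      4724
 [iexplore.exe]
  TCP    192.168.1.3:52340      ord08s12-in-f0:https   TIME_WAIT       0
  TCP    192.168.1.3:52358      server-54-230-101-153:https  ESTABLISHED     2288
 [firefox.exe]
  TCP    192.168.1.3:52446      199.115.119.84:http    ESTABLISHED     2288
 [firefox.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  UDP    0.0.0.0:5355           *:*                                    1124
 [svchost.exe]
"""

# Proto, local, foreign, optional state (UDP has none), PID.
CONN_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)$")

# Wildcard or unspecified foreign addresses carry no remote host worth listing.
NO_REMOTE = {"", "*", "0.0.0.0", "[::]"}


def parse_netstat(text):
    """Turn netstat -b output into one dict per socket, with its owning process."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rhost, _, rport = remote.rpartition(":")
            records.append({
                "proto": proto, "local": local,
                "remote_host": rhost, "remote_port": rport,
                "state": state or "",       # UDP sockets have no state
                "pid": int(pid), "process": None,
            })
        elif line.startswith("[") and line.endswith("]") and records:
            # Owner line belongs to the socket line printed just before it.
            records[-1]["process"] = line[1:-1]
        # Headers and "Can not obtain ownership information" leave process=None.
    return records


def summarize_by_process(records):
    """Per owner: count of sockets in each state, and the distinct remote hosts."""
    summary = defaultdict(lambda: {"states": Counter(), "remote_hosts": set()})
    for r in records:
        if r["process"]:
            name = r["process"]
        elif r["pid"] == 0:
            name = "<closed socket, pid 0>"   # TIME_WAIT leftovers, no owner
        else:
            name = f"<unattributed pid {r['pid']}>"
        summary[name]["states"][r["state"]] += 1
        if r["remote_host"] not in NO_REMOTE:
            summary[name]["remote_hosts"].add(r["remote_host"])
    return dict(summary)


def needs_review(records):
    """Live sockets (ESTABLISHED or LISTENING) that no named process accounts for.

    Browser sockets to CDN hosts are ordinary; the ones worth a second look are
    those with no owner. PID 4 (the System process) commonly shows up here and
    can be cross-checked with tasklist, so this is a starting list, not a verdict.
    """
    return [r for r in records
            if r["state"] in ("ESTABLISHED", "LISTENING") and r["process"] is None]


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    for name, info in summarize_by_process(recs).items():
        print(f"{name}: {dict(info['states'])} -> {sorted(info['remote_hosts'])}")
    for r in needs_review(recs):
        print("review:", r["proto"], r["local"], r["state"], "pid", r["pid"])
```

Run against a saved `netstat -b` capture (redirect the command's output to a file, then read it in place of the constructed sample) the per-process view collapses dozens of browser lines into a handful of owners, which is the picture the helper's "not hacked" assessment rests on.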



#14 polskamachina

polskamachina

  • Malware Response Team
  • 4,004 posts
  • Gender:Male
  • Local time:10:24 AM

Posted 10 November 2015 - 07:14 PM

Hi fjrules :)
 
Based on your log, it does NOT appear that you have been hacked. However, we still need to check the system file issues.
 
Please follow the directions below:

  • Open an elevated command prompt.
  • Copy and paste (right-click, choose paste) the following text into the command prompt:
  • Dism /Online /Cleanup-Image /RestoreHealth
  • Press the Enter key.
  • When the tool has completed, please navigate to this folder:
  • C:\Windows\Logs\DISM\
  • Open the dism.log file in Notepad.
  • Copy and paste the file into your next reply to me.
  • If it is too large to paste into your reply, try attaching the file. If it is still too large, please let me know.

Next, please run the System File Checker tool again:

  • Open an elevated command prompt.
  • Copy the following line of text and paste it into the black box.
    (right-click in the black box and choose paste) sfc /scannow
  • Press Enter to run the command.
    Note: This may take a while to finish.
  • If SFC could not fix something, then run the command again to see if it may be able to the next time. Sometimes it may take running the sfc /scannow command three or more times to completely fix everything that it can.

Retrieving SFC /scannow log

  • Click the Windows "Orb" button.
  • Type cmd.
  • Right-click on the search result cmd.exe and click Run as Administrator.
  • Copy the following line of text and paste it into the black box.
    (right-click in the black box and choose paste)
    findstr /c:"[SR]" %windir%\logs\cbs\cbs.log >> "%userprofile%\desktop\sfcdetails.txt"
  • Press Enter to run the command.
  • A text file sfcdetails.txt should appear on your desktop. Copy and paste the contents of the file in your next reply to me.

In summary I will need from you:

  • dism.log
  • sfcdetails.txt
  • Are you still having Windows search issues?
  • Are there any other remaining problems?

Finally, I'd like to reassure you that your questions will be answered promptly. I appreciate your PMs to me in an effort to keep things moving along. Rest assured that I like to work at a good pace, but I don't like to rush my research just to fill up this space with words. Having the job of Malware Remover Helper comes with the responsibility of giving accurate information, sometimes at the cost of time. If you have any further concerns about time lags, please post them in this forum so the rest of the staff can see. It will also help speed up my replies since I don't have to forward your concerns to the staff. :thumbup2:

 

Let me know if you have any questions.
 
polskamachina
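
The `findstr /c:"[SR]"` step above pulls the System File Checker's own lines out of CBS.log; what the helper then reads from sfcdetails.txt is which member files SFC reported it could not repair, and how many passes were run. The following Python script is an added example, not code from this thread or from Microsoft, that parses those lines, dedupes the files across repeated `sfc /scannow` runs (SFC logs the same unrepairable file on every pass) and groups them by component. The log excerpt is constructed; the component names and file names in it are hypothetical and follow the `[SR]` line layout, not any real machine's log.

```python
import re
from collections import defaultdict

# Constructed CBS.log excerpt (two SFC passes). Component and file names are
# hypothetical sample data, not taken from a real system.
SAMPLE_CBS = r"""
2015-11-10 19:19:58, Info                  CBS    Starting TrustedInstaller initialization.
2015-11-10 19:20:01, Info                  CSI    0000031a [SR] Verifying 100 components
2015-11-10 19:20:01, Info                  CSI    0000031b [SR] Beginning Verify and Repair transaction
2015-11-10 19:20:02, Info                  CSI    0000031c [SR] Cannot repair member file [l:34{17}]"Chrysanthemum.jpg" of Microsoft-Windows-SamplePictures, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2015-11-10 19:20:02, Info                  CSI    0000031d [SR] Cannot repair member file [l:22{11}]"Kalimba.mp3" of Microsoft-Windows-SampleMusic, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2015-11-10 19:20:03, Info                  CSI    0000031e [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:22{11}]"example.dll"; source file in store is also corrupted
2015-11-10 19:20:04, Info                  CSI    0000031f [SR] Verify complete
2015-11-10 19:20:04, Info                  CSI    00000320 [SR] Repairing 3 components
2015-11-10 19:20:05, Info                  CSI    00000321 [SR] Repair complete
2015-11-10 20:02:10, Info                  CSI    00000410 [SR] Cannot repair member file [l:34{17}]"Chrysanthemum.jpg" of Microsoft-Windows-SamplePictures, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2015-11-10 20:02:11, Info                  CSI    00000411 [SR] Verify complete
2015-11-10 20:02:12, Info                  CSI    00000412 [SR] Repair complete
"""

# Timestamp at the start of the line, message after the "[SR]" tag.
SR_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d).*?\[SR\] (.*)$")
# "Cannot repair member file [l:N{M}]"name" of Component, ..., reason"
MEMBER_RE = re.compile(r'^Cannot repair member file \[l:\d+\{\d+\}\]"([^"]+)" of ([^,]+),.*, ([^,]+)$')
# "Could not reproject corrupted file [...]"dir"\[l:N{M}]"name"; reason"
REPROJECT_RE = re.compile(r'^Could not reproject corrupted file .*\]"([^"]+)"\\\[l:\d+\{\d+\}\]"([^"]+)"; (.*)$')


def parse_sr_lines(text):
    """One event per [SR] line; non-[SR] lines (raw CBS.log noise) are skipped."""
    events = []
    for raw in text.splitlines():
        m = SR_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        ev = {"time": ts, "message": msg, "kind": "other"}
        mm = MEMBER_RE.match(msg)
        mr = None if mm else REPROJECT_RE.match(msg)
        if mm:
            ev.update(kind="unrepaired", file=mm.group(1),
                      component=mm.group(2), reason=mm.group(3))
        elif mr:
            ev.update(kind="unrepaired", file=mr.group(2),
                      component=mr.group(1), reason=mr.group(3))
        elif msg.startswith(("Verify complete", "Repair complete")):
            ev["kind"] = "milestone"
        events.append(ev)
    return events


def sfc_passes(events):
    """Number of SFC runs recorded: each pass ends with 'Verify complete'."""
    return sum(1 for e in events if e["message"].startswith("Verify complete"))


def unrepaired_by_component(events):
    """Distinct files SFC could not fix, grouped by component, deduped across passes."""
    out = defaultdict(dict)
    for e in events:
        if e["kind"] == "unrepaired":
            out[e["component"]][e["file"]] = e["reason"]
    return {c: dict(sorted(files.items())) for c, files in sorted(out.items())}


if __name__ == "__main__":
    evs = parse_sr_lines(SAMPLE_CBS)
    print(f"{sfc_passes(evs)} SFC pass(es) in log")
    for component, files in unrepaired_by_component(evs).items():
        for name, reason in files.items():
            print(f"{component}: {name} ({reason})")
```

Pointing the parser at sfcdetails.txt (or directly at `%windir%\Logs\CBS\CBS.log`) gives the short list the thread is after: which files stay unrepaired after several passes and whether they are confined to sample-media components or touch system binaries, which is what decides the next step.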



#15 fjrules

fjrules
  • Topic Starter

  • Members
  • 130 posts
  • Local time:12:24 PM

Posted 10 November 2015 - 10:45 PM

Hello polskamachina,

Thanks for the reassurance, and I will post any follow-ups about timeliness in the forum rather than via PM.

I'm glad to know I haven't been hacked, and I'm not doubting you, but I'm confused as to what the IP address that isn't mine is doing in my Firefox browser, the foreign addresses, and the sheer number of active connections to my computer.  Can you shed further light?

I had to attach both the dism log and the sfcdetails.  Please confirm you received both.

Re: dism, I received error 87 when I ran it, though, along with the error message that "restorehealth option is not recognized in this context."

Would sfcfix tool work in my case?  Are you familiar with it?

Just so you don't have to scroll too much, here are the problems I mentioned in my first post: 

Corruption is also a problem.  Windows Search - There are *content source MAPI* Event ID 3036 errors galore in my Event Viewer and I have to reset Windows Search on a daily basis.  Windows Media Player - the troubleshooter is worthless.  Corruption constantly present.  I've run sfc /scannow a ton of times and it keeps giving me "WRP has found corruption but cannot fix..."  From looking at the log all but one of the corrupt files they found is in my sample music/photo libraries.  I read about the sfcfix tool and am wondering if you may be able to make one for me.  Other error messages that concern me are NTFS error 55 "file system structure corrupt and unstable run chkdsk on volume shadow copy 10," corrupted registry hive, and registry file still in use.

Drivers - I have error messages for WPD FileSystem Volume Drivers and can't get them to update.

Re: Windows Search - it still doesn't work as it should.  I could run the troubleshooter 1,000 times in a row, but I'll keep getting the same error messages: windows search doesn't show any results, windows search is crashing & failing, index is corrupt.  I reset the search index but it never stays fixed.

Let me know if you need more info at this time.  Thanks again, polskamachina, and I look forward to hearing back from you soon.

 
