
Can upload Malware on computer, can't get it to work


  • This topic is locked
22 replies to this topic

#1 mexxomp

mexxomp

  • Members
  • 127 posts

Posted 24 April 2016 - 05:25 PM

I have been working in the "Am I infested" forum with Buddy215 and he suggested I post in this forum to get help from the experts here.

 

My computer's been acting strange, and then I had a file uploaded to my website hosting account called "htaccess" which was redirecting my Mexonline.com website to porn and viagra sites. So when someone searched Google, they would find my site and then 5 seconds later it would switch to those sites. I deleted that file and it has stopped, but they somehow got in there.

 

He had me uploading MalwareBytes, which I did. Then when I would try to run it, an error box would pop up saying I had a bad image in "Windows/System32/sfc.dll" and then nothing.

 

That's where I am now.

 

Thanks,

Ted
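The symptom Ted describes in the post above (visitors who arrive from a Google search get bounced to pharma/porn sites, while a direct visit looks normal) is the classic referrer-conditional redirect planted in a web root's .htaccess. He did not post the file's contents, so the following is an added example, not the file he found and not something from BleepingComputer: a small audit script that walks the RewriteCond/RewriteRule pairs in an .htaccess file and flags rules that send the visitor to a host that is not the site's own, especially when the rule is keyed on HTTP_REFERER or HTTP_USER_AGENT. The sample .htaccess text and the hostnames in it are constructed for the example; the `site_hosts` set is an assumed parameter listing the hostnames that belong to the site.

```python
"""Audit an .htaccess file for conditional redirects to external hosts.

Added example, not from the forum post. The sample file below is
constructed: its first block is an ordinary www-canonicalisation rule,
its second block is the cloaking pattern Ted's symptom points at
(redirect only when the visitor came from a search engine or is a
search-engine crawler), and the ErrorDocument line is a second common
place to hide an off-site redirect.
"""
from urllib.parse import urlparse

# Constructed sample. example.com is the site's own host; bad.example.net
# stands in for the attacker's landing page.
SAMPLE_HTACCESS = r"""
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule .* http://bad.example.net/land.php [R=302,L]

ErrorDocument 404 http://bad.example.net/404.php
"""

# Request-derived variables that cloaking rules typically key on, so the
# site looks clean to the owner but dirty to search traffic.
CLOAK_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT", "REMOTE_ADDR", "HTTP_COOKIE")


def _external(target, site_hosts):
    """True if target is an absolute http(s) URL whose host is not ours."""
    p = urlparse(target)
    return p.scheme in ("http", "https") and p.hostname not in site_hosts


def audit_htaccess(text, site_hosts):
    """Return a list of (lineno, reason, line) for suspicious directives.

    site_hosts: set of hostnames that legitimately belong to the site
    (assumed parameter; redirects to any other host are reported).
    """
    findings = []
    pending = []  # RewriteCond lines accumulated before the next RewriteRule
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()

        if directive == "rewritecond":
            pending.append(line)
            continue

        if directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            if _external(target, site_hosts):
                keyed_on = sorted({v for cond in pending for v in CLOAK_VARS if v in cond})
                reason = "external redirect"
                if keyed_on:
                    reason += " conditioned on " + ",".join(keyed_on)
                findings.append((n, reason, line))
            pending = []
            continue

        # Any other directive ends a run of RewriteCond lines.
        pending = []
        if directive in ("redirect", "redirectmatch", "errordocument"):
            # The URL is always the last argument for these directives.
            if _external(parts[-1], site_hosts):
                findings.append((n, f"{parts[0]} to external host", line))
    return findings


if __name__ == "__main__":
    for lineno, reason, line in audit_htaccess(SAMPLE_HTACCESS, {"example.com", "www.example.com"}):
        print(f"line {lineno}: {reason}\n    {line}")
```

Run it over every .htaccess under the web root (hosting accounts often carry several, and attackers drop them in subdirectories the owner never looks at). It covers server-side rules only; a switch that happens a few seconds after the page loads, as described above, would also warrant checking the site's HTML and PHP files for an injected meta refresh or JavaScript redirect, since a RewriteRule fires before any content is served.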





#2 Struppigel

Struppigel

    Karsten Hahn, G DATA Malware Analyst


  • Malware Response Team
  • 231 posts
  • Gender:Male

Posted 25 April 2016 - 07:39 AM

Hello Ted

I am Marie Curie and will gladly help you with any malware-related problems.

Please familiarize yourself with the following ground rules before you start.
 

  • Read my instructions thoroughly, carry out each step in the given order.
  • Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
  • If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
  • Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
  • Back up important files before we start.

--------------------------------------------------------------

Please run the following diagnostic scans so I can ascertain the state of your computer.

STEP 1
Farbar Recovery Scan Tool (FRST) Scan

  • Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
  • Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
  • Double-Click FRST.exe or FRST64.exe to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Attach both logs in your next reply.

STEP 2
aswMBR

  • Please download aswMBR and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-Click aswMBR.exe and select Run as administrator to run the programme.
  • Click Yes when prompted to download avast! virus definitions. Wait until AVAST engine defs: ### appears.
  • If you are prompted to enable the use of "Virtualization Technology", click Yes.
  • Click the AV Scan: drop down box and click C:\.
  • Click Scan.
  • Upon completion, you will see Scan finished successfully. Click Save log. Save the log to your Desktop.
  • Re-enable your anti-virus software.
  • Attach the log in your next reply.

Note: Do NOT click Fix or FixMBR.
Note: A file (MBR.dat) will be created on your Desktop. Do NOT click or delete it.
 
======================================================
 
STEP 3
Logs
In your next reply please include the following logs.

  • FRST.txt
  • Addition.txt
  • aswMBR log

 



#3 mexxomp

mexxomp
  • Topic Starter

  • Members
  • 127 posts

Posted 25 April 2016 - 01:53 PM

OK, so most of this worked, but for some reason Step 2 was running and scanning my computer for a good 20 minutes when the whole computer restarted. There is no log (or do I need to open up aswMBR to see it?).

 

Also, when I first ran Farbar, an error popup box came up for a second and then disappeared. There was something around "Eurent.exe" or something in it. Went so fast, can't remember.

 

So here are the two text files.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:25-04-2016
Ran by TedD (administrator) on MADBUM-PC (25-04-2016 10:12:32)
Running from C:\Users\TedD\Desktop
Loaded Profiles: TedD (Available Profiles: TedD)
Platform: Windows 8.1 Connected (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(IObit) C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
() C:\Program Files (x86)\Wyse\PocketCloud\PocketCloudService.exe
(DELL Inc.) C:\Program Files (x86)\Wyse\PocketCloud\WyseRemoteAccess.exe
(McAfee, Inc.) C:\Program Files\mcafee\msc\McAPExe.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe
(Dell Inc.) C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVault.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\platform\McUICnt.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Waves Audio Ltd.) C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Expression\Web 2\WebDesigner\EXPRWD.EXE
(dotPDN LLC) C:\Program Files\paint.net\PaintDotNet.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\DBRUpd.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell Backup and Recovery\Toaster.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRSync.exe
(Microsoft Corporation) C:\Windows\System32\Taskmgr.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_21_0_0_213.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_21_0_0_213.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [QuickSet] => c:\Program Files\Dell\QuickSet\QuickSet.exe [5776712 2013-11-25] (Dell Inc.)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7506648 2013-12-27] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1374424 2014-01-09] (Realtek Semiconductor)
HKLM\...\Run: [WavesSvc] => C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe [285272 2013-12-30] (Waves Audio Ltd.)
HKLM\...\Run: [RtHDVBg_PushButton] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1374424 2014-01-09] (Realtek Semiconductor)
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
HKU\S-1-5-21-2404292630-3466018394-1638579335-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8686296 2016-03-11] (Piriform Ltd)
HKU\S-1-5-21-2404292630-3466018394-1638579335-1001\...\MountPoints2: {8784ff57-cf21-11e4-8268-b45ae8a782b4} - "E:\VZW_Software_upgrade_assistant.exe"
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayIconBackuped.dll [2014-12-30] (Softthinks SAS)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayIconNotBackuped.dll [2014-12-30] (Softthinks SAS)
ShellIconOverlayIdentifiers: [DBRShellOverlayBackupFile] -> {831CEBDD-6BAF-4432-BE76-9E0989C14AEF} => C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayIconBackuped.dll [2014-12-30] (Softthinks SAS)
ShellIconOverlayIdentifiers: [DBRShellOverlayModifiedBackupFile] -> {275E4FD7-21EF-45CF-A836-832E5D2CC1B3} => C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayIconNotBackuped.dll [2014-12-30] (Softthinks SAS)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{F2C63394-29A4-44B4-9AFD-494C69B6A8D1}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-2404292630-3466018394-1638579335-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://mexico-visitor.blogspot.com/
HKU\S-1-5-21-2404292630-3466018394-1638579335-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCJB
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2404292630-3466018394-1638579335-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?PC=WCUG&FORM=WCUGDF&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2404292630-3466018394-1638579335-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?PC=WCUG&FORM=WCUGDF&q={searchTerms}
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll [2014-04-25] (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll [2014-04-25] (McAfee, Inc.)

FireFox:
========
FF ProfilePath: C:\Users\TedD\AppData\Roaming\Mozilla\Firefox\Profiles\rslg2ovi.default
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Google
FF Homepage: hxxp://www.mexonline.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_213.dll [2016-04-24] ()
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2014-04-25] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_213.dll [2016-04-24] ()
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL [2014-04-25] ()
FF Extension: Pin It Button - C:\Users\TedD\AppData\Roaming\Mozilla\Firefox\Profiles\rslg2ovi.default\Extensions\jid1-YcMV6ngYmQRA2w@jetpack.xpi [2015-02-12] [not signed]
FF Extension: Flash and Video Download - C:\Users\TedD\AppData\Roaming\Mozilla\Firefox\Profiles\rslg2ovi.default\Extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a} [2016-03-24]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 DellDataVault; C:\Program Files\Dell\DellDataVault\DellDataVault.exe [2572024 2016-03-10] (Dell Inc.)
R2 DellDataVaultWiz; C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe [202488 2016-03-10] (Dell Inc.)
S3 DellProdRegManager; C:\Program Files (x86)\Dell Product Registration\regmgrsvc.exe [278568 2014-10-31] (Aviata, Inc.)
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [315352 2014-05-21] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\TXE Components\TCS\SocketHeciServer.exe [887232 2013-12-24] (Intel® Corporation)
R2 LiveUpdateSvc; C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe [2945312 2016-03-07] (IObit)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178528 2014-04-25] (McAfee, Inc.)
S3 McAWFwk; c:\Program Files\Common Files\mcafee\ActWiz\McAWFwk.exe [334608 2013-07-24] (McAfee, Inc.)
S4 McOobeSv2; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219752 2014-06-20] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [189912 2014-06-20] (McAfee, Inc.)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [290520 2014-01-08] (Realtek Semiconductor)
R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\sftservice.exe [2005392 2015-02-11] (SoftThinks SAS)
R2 SupportAssistAgent; C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [31928 2016-03-14] (Dell Inc.)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
R2 WysePocketCloud; C:\Program Files (x86)\Wyse\PocketCloud\PocketCloudService.exe [16176 2013-08-22] ()
R2 WyseRemoteAccess; C:\Program Files (x86)\Wyse\PocketCloud\WyseRemoteAccess.exe [1785344 2013-08-19] (DELL Inc.) [File not signed]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3855872 2013-09-11] (Qualcomm Atheros Communications, Inc.)
S3 AX88772; C:\Windows\system32\DRIVERS\ax88772.sys [113664 2013-12-16] (ASIX Electronics Corp.)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [72128 2014-06-20] (McAfee, Inc.)
R3 DDDriver; C:\Windows\system32\drivers\DDDriver64Dcsa.sys [23760 2015-01-30] (Dell Computer Corporation)
R3 DellProf; C:\Windows\system32\drivers\DellProf.sys [24240 2015-05-22] (Dell Computer Corporation)
R3 DellRbtn; C:\Windows\System32\drivers\DellRbtn.sys [10752 2013-01-24] (OSR Open Systems Resources, Inc.)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [181704 2014-06-20] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [313544 2014-06-20] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [70600 2014-06-20] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [523792 2014-06-20] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [786296 2014-06-20] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [348552 2014-06-20] (McAfee, Inc.)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [31472 2014-02-19] (Synaptics Incorporated)
R3 TXEIx64; C:\Windows\System32\drivers\TXEIx64.sys [88592 2014-01-15] (Intel Corporation)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2015-06-10] (Apple, Inc.) [File not signed]
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-25 10:12 - 2016-04-25 10:13 - 00013096 _____ C:\Users\TedD\Desktop\FRST.txt
2016-04-25 10:09 - 2016-04-25 10:09 - 02376192 _____ (Farbar) C:\Users\TedD\Desktop\FRST64.exe
2016-04-25 10:08 - 2016-04-25 10:09 - 01726976 _____ (Farbar) C:\Users\TedD\Desktop\FRST.exe
2016-04-25 08:28 - 2016-04-25 08:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2016-04-24 10:24 - 2016-04-24 10:24 - 00000000 ____D C:\Program Files (x86)\Tweaking.com
2016-04-24 10:23 - 2016-04-24 10:26 - 00185540 _____ C:\Windows\Tweaking.com - Windows Repair Setup Log.txt
2016-04-23 00:21 - 2016-04-23 00:21 - 00000000 ____D C:\Users\TedD\AppData\Roaming\ProductData
2016-04-22 22:39 - 2016-04-23 00:10 - 00000000 ____D C:\EEK
2016-04-22 17:56 - 2016-04-23 14:28 - 00003486 _____ C:\Windows\System32\Tasks\PCDEventLauncherTask
2016-04-22 12:04 - 2016-04-22 12:17 - 00000000 ____D C:\AdwCleaner
2016-04-22 11:54 - 2016-04-23 14:28 - 00002792 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2016-04-22 11:54 - 2016-04-22 11:54 - 00000836 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-04-22 11:54 - 2016-04-22 11:54 - 00000000 ____D C:\Program Files\CCleaner
2016-04-20 22:43 - 2016-04-21 13:31 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-04-20 10:04 - 2016-04-25 10:12 - 00000000 ____D C:\FRST
2016-04-19 18:00 - 2016-04-20 10:23 - 00000000 ____D C:\Users\TedD\AppData\Roaming\IObit
2016-04-19 18:00 - 2016-04-19 18:00 - 00000000 ____D C:\Users\TedD\AppData\LocalLow\IObit
2016-04-19 17:51 - 2016-04-20 10:23 - 00000000 ____D C:\Program Files (x86)\IObit
2016-04-19 17:50 - 2016-04-19 18:00 - 00000000 ____D C:\ProgramData\IObit
2016-04-19 17:50 - 2016-04-19 17:50 - 00000000 ____D C:\ProgramData\{BE2ACE5C-32B7-4777-9BDF-ECF87CDAB705}
2016-04-13 17:12 - 2016-04-05 14:53 - 00829944 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-04-13 17:12 - 2016-04-05 14:53 - 00176632 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-04-13 08:30 - 2016-03-03 09:47 - 02345472 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2016-04-13 08:30 - 2016-03-03 09:33 - 01556992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2016-04-13 08:30 - 2016-03-02 18:39 - 01661576 _____ (Microsoft Corporation) C:\Windows\system32\ole32.dll
2016-04-13 08:30 - 2016-03-02 18:39 - 01212248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ole32.dll
2016-04-13 08:30 - 2016-02-08 12:48 - 12879360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\twinui.dll
2016-04-13 08:30 - 2016-02-05 07:46 - 01455104 _____ (Microsoft Corporation) C:\Windows\system32\VSSVC.exe
2016-04-13 08:30 - 2016-02-03 08:14 - 00080896 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\IPMIDrv.sys
2016-04-13 08:30 - 2016-02-02 11:16 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rasl2tp.sys
2016-04-13 08:30 - 2016-02-02 10:51 - 00162304 _____ (Microsoft Corporation) C:\Windows\system32\WsmAuto.dll
2016-04-13 08:30 - 2016-02-02 10:19 - 00144384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmAuto.dll
2016-04-13 08:30 - 2016-02-02 10:01 - 00031744 _____ (Microsoft Corporation) C:\Windows\system32\WsmAgent.dll
2016-04-13 08:30 - 2016-02-02 09:51 - 02609152 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll
2016-04-13 08:30 - 2016-02-02 09:48 - 00285184 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll
2016-04-13 08:30 - 2016-02-02 09:46 - 00026112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmAgent.dll
2016-04-13 08:30 - 2016-02-02 09:41 - 02170880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmSvc.dll
2016-04-13 08:30 - 2016-02-02 09:39 - 00236032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmWmiPl.dll
2016-04-13 08:30 - 2016-01-27 08:18 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\rpcss.dll
2016-04-13 08:30 - 2016-01-21 12:35 - 00952928 _____ (Microsoft Corporation) C:\Windows\system32\mfmp4srcsnk.dll
2016-04-13 08:30 - 2016-01-21 11:42 - 00786152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfmp4srcsnk.dll
2016-04-13 08:29 - 2016-04-03 23:35 - 00046768 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2016-04-13 08:29 - 2016-04-02 06:26 - 01386496 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2016-04-13 08:29 - 2016-04-02 06:26 - 01169408 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2016-04-13 08:29 - 2016-03-28 06:21 - 00698368 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2016-04-13 08:29 - 2016-03-28 06:21 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2016-04-13 08:29 - 2016-03-28 06:21 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2016-04-13 08:29 - 2016-02-08 18:31 - 22365472 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2016-04-13 08:29 - 2016-02-08 18:31 - 19794896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2016-04-13 08:29 - 2016-02-08 18:31 - 02757616 _____ (Microsoft Corporation) C:\Windows\explorer.exe
2016-04-13 08:29 - 2016-02-08 18:31 - 02412576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
2016-04-13 08:29 - 2016-02-08 18:31 - 00273264 _____ (Microsoft Corporation) C:\Windows\system32\SystemSettingsAdminFlows.exe
2016-04-13 08:29 - 2016-02-08 13:55 - 02712576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ExplorerFrame.dll
2016-04-13 08:29 - 2016-02-08 13:15 - 02551808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\themecpl.dll
2016-04-13 08:29 - 2016-02-08 13:02 - 01197056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\usercpl.dll
2016-04-13 08:29 - 2016-02-08 12:43 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SettingSyncHost.exe
2016-04-13 08:29 - 2016-02-08 12:40 - 00539648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\hgcpl.dll
2016-04-13 08:29 - 2016-02-08 12:39 - 00305152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\stobject.dll
2016-04-13 08:29 - 2016-02-08 12:37 - 00141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SettingMonitor.dll
2016-04-13 08:29 - 2016-02-08 12:35 - 00954880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\twinui.appcore.dll
2016-04-13 08:29 - 2016-02-08 12:34 - 00667648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SettingSyncCore.dll
2016-04-13 08:29 - 2016-02-08 12:33 - 00520192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SettingSync.dll
2016-04-13 08:29 - 2016-02-08 11:50 - 03120640 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll
2016-04-13 08:29 - 2016-02-08 10:55 - 02592256 _____ (Microsoft Corporation) C:\Windows\system32\themecpl.dll
2016-04-13 08:29 - 2016-02-08 10:33 - 01278464 _____ (Microsoft Corporation) C:\Windows\system32\usercpl.dll
2016-04-13 08:29 - 2016-02-08 10:12 - 14466560 _____ (Microsoft Corporation) C:\Windows\system32\twinui.dll
2016-04-13 08:29 - 2016-02-08 10:02 - 00653824 _____ (Microsoft Corporation) C:\Windows\system32\SettingSyncHost.exe
2016-04-13 08:29 - 2016-02-08 10:00 - 00599552 _____ (Microsoft Corporation) C:\Windows\system32\hgcpl.dll
2016-04-13 08:29 - 2016-02-08 09:58 - 00336384 _____ (Microsoft Corporation) C:\Windows\system32\stobject.dll
2016-04-13 08:29 - 2016-02-08 09:55 - 00173056 _____ (Microsoft Corporation) C:\Windows\system32\SettingMonitor.dll
2016-04-13 08:29 - 2016-02-08 09:53 - 02171904 _____ (Microsoft Corporation) C:\Windows\system32\SystemSettingsAdminFlowUI.dll
2016-04-13 08:29 - 2016-02-08 09:53 - 01348096 _____ (Microsoft Corporation) C:\Windows\system32\AppXDeploymentServer.dll
2016-04-13 08:29 - 2016-02-08 09:50 - 01220096 _____ (Microsoft Corporation) C:\Windows\system32\twinui.appcore.dll
2016-04-13 08:29 - 2016-02-08 09:50 - 00841728 _____ (Microsoft Corporation) C:\Windows\system32\SettingSyncCore.dll
2016-04-13 08:29 - 2016-02-08 09:48 - 00655872 _____ (Microsoft Corporation) C:\Windows\system32\SettingSync.dll
2016-04-13 08:29 - 2016-02-08 09:47 - 02819584 _____ (Microsoft Corporation) C:\Windows\system32\SettingsHandlers.dll
2016-04-13 08:29 - 2016-02-08 09:44 - 00955392 _____ (Microsoft Corporation) C:\Windows\system32\AppXDeploymentExtensions.dll
2016-04-13 08:29 - 2014-11-07 19:38 - 00166912 _____ (Microsoft Corporation) C:\Windows\system32\AppxAllUserStore.dll
2016-04-13 08:29 - 2014-11-07 19:17 - 00143360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AppxAllUserStore.dll
2016-04-13 08:28 - 2016-03-28 06:21 - 00499200 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2016-04-13 08:28 - 2016-03-28 06:21 - 00076800 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2016-04-13 08:28 - 2016-03-15 16:00 - 00561952 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2016-04-13 08:28 - 2016-03-15 07:14 - 01441792 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-04-13 08:28 - 2016-03-11 07:48 - 00833024 _____ (Microsoft Corporation) C:\Windows\system32\samsrv.dll
2016-04-13 08:28 - 2016-03-10 11:22 - 00201728 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2016-04-13 08:28 - 2016-03-10 11:21 - 00401920 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2016-04-13 08:28 - 2016-03-10 11:20 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2016-04-13 08:28 - 2016-03-10 10:44 - 00445440 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2016-04-13 08:28 - 2016-03-10 10:16 - 00324096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2016-04-13 08:28 - 2016-03-10 10:03 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\samlib.dll
2016-04-13 08:28 - 2016-03-10 09:48 - 00064512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\samlib.dll
2016-04-13 08:27 - 2016-03-30 17:54 - 25817600 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-04-13 08:27 - 2016-03-30 17:03 - 20352512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-04-13 08:27 - 2016-03-30 16:39 - 15415808 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-04-13 08:26 - 2016-03-30 17:31 - 02892800 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-04-13 08:26 - 2016-03-30 17:28 - 00571904 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-04-13 08:26 - 2016-03-30 17:25 - 06052352 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-04-13 08:26 - 2016-03-30 17:17 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-04-13 08:26 - 2016-03-30 16:56 - 00145408 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll
2016-04-13 08:26 - 2016-03-30 16:56 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-04-13 08:26 - 2016-03-30 16:55 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-04-13 08:26 - 2016-03-30 16:53 - 00496640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-04-13 08:26 - 2016-03-30 16:51 - 02285056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-04-13 08:26 - 2016-03-30 16:50 - 01032704 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2016-04-13 08:26 - 2016-03-30 16:45 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2016-04-13 08:26 - 2016-03-30 16:45 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2016-04-13 08:26 - 2016-03-30 16:43 - 00806400 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-04-13 08:26 - 2016-03-30 16:43 - 00725504 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2016-04-13 08:26 - 2016-03-30 16:43 - 00379392 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2016-04-13 08:26 - 2016-03-30 16:42 - 02131968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-04-13 08:26 - 2016-03-30 16:30 - 04611072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-04-13 08:26 - 2016-03-30 16:30 - 02596864 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-04-13 08:26 - 2016-03-30 16:30 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2016-04-13 08:26 - 2016-03-30 16:30 - 00128000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2016-04-13 08:26 - 2016-03-30 16:27 - 00880128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2016-04-13 08:26 - 2016-03-30 16:24 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2016-04-13 08:26 - 2016-03-30 16:23 - 02056192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2016-04-13 08:26 - 2016-03-30 16:23 - 00693248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-04-13 08:26 - 2016-03-30 16:23 - 00330752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2016-04-13 08:26 - 2016-03-30 16:21 - 13811712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-04-13 08:26 - 2016-03-30 16:18 - 01547264 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-04-13 08:26 - 2016-03-30 16:06 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-04-13 08:26 - 2016-03-30 16:05 - 02121216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-04-13 08:26 - 2016-03-30 16:02 - 01311744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-04-13 08:26 - 2016-03-30 16:00 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2016-04-13 08:23 - 2016-02-05 12:07 - 00378712 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys
2016-04-13 08:23 - 2016-02-04 11:07 - 00222720 _____ (Microsoft Corporation) C:\Windows\system32\dhcpsapi.dll
2016-04-13 08:23 - 2016-02-04 10:35 - 00142848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dhcpsapi.dll
2016-04-13 08:23 - 2016-02-03 08:11 - 01673728 _____ (Microsoft Corporation) C:\Windows\system32\workfolderssvc.dll
2016-04-13 08:23 - 2016-02-02 10:15 - 00787456 _____ (Microsoft Corporation) C:\Windows\system32\WorkfoldersControl.dll
2016-04-13 08:23 - 2016-01-26 12:15 - 00072024 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\vpci.sys
2016-04-13 08:23 - 2016-01-21 22:22 - 02487296 _____ (Microsoft Corporation) C:\Windows\system32\storagewmi.dll
2016-04-13 08:23 - 2016-01-21 22:11 - 01482240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\storagewmi.dll
2016-04-13 08:22 - 2016-02-02 10:18 - 01574912 _____ (Microsoft Corporation) C:\Windows\system32\wbengine.exe
2016-04-13 08:22 - 2016-01-31 10:17 - 00779264 _____ (Microsoft Corporation) C:\Windows\system32\WindowsAnytimeUpgradeui.exe
2016-04-13 08:22 - 2016-01-20 15:40 - 00099672 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\disk.sys
2016-04-13 08:21 - 2016-03-10 12:19 - 07452512 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-04-13 08:21 - 2016-03-10 12:17 - 01663192 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2016-04-13 08:21 - 2016-03-10 12:17 - 01523216 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2016-04-13 08:21 - 2016-03-10 12:17 - 01490128 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2016-04-13 08:21 - 2016-03-10 12:17 - 01358960 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2016-04-13 08:21 - 2016-03-10 12:17 - 01133752 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2016-04-13 08:21 - 2016-03-10 10:48 - 00862720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2016-04-13 08:21 - 2016-03-10 10:43 - 00161280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msorcl32.dll
2016-04-13 08:21 - 2016-03-10 09:55 - 00166400 _____ (Microsoft Corporation) C:\Windows\system32\mtxoci.dll
2016-04-13 08:21 - 2016-03-10 09:42 - 00116736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mtxoci.dll
2016-04-13 08:20 - 2016-03-03 09:13 - 00059392 _____ (Microsoft Corporation) C:\Windows\system32\basesrv.dll
2016-04-13 08:20 - 2016-02-06 16:05 - 00551256 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\vhdmp.sys
2016-04-13 08:20 - 2016-02-06 15:41 - 00316760 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\volsnap.sys
2016-04-13 08:20 - 2016-02-05 08:11 - 00845312 _____ (Microsoft Corporation) C:\Windows\system32\BFE.DLL
2016-04-13 08:20 - 2016-02-05 08:11 - 00422400 _____ (Microsoft Corporation) C:\Windows\system32\FWPUCLNT.DLL
2016-04-13 08:20 - 2016-02-05 08:07 - 00272384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FWPUCLNT.DLL
2016-04-13 08:20 - 2016-02-05 08:02 - 01083904 _____ (Microsoft Corporation) C:\Windows\system32\IKEEXT.DLL
2016-04-13 08:20 - 2016-02-04 09:23 - 00713216 _____ (Microsoft Corporation) C:\Windows\system32\nshwfp.dll
2016-04-13 08:20 - 2016-02-04 09:22 - 00561664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nshwfp.dll
2016-04-13 08:19 - 2016-03-29 07:05 - 04175872 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-04-08 21:05 - 2016-04-08 21:05 - 00000000 __HDC C:\ProgramData\{05EE3202-A879-4F9D-895C-AC535855E0A9}
2016-03-27 22:11 - 2016-04-23 14:28 - 00003342 _____ C:\Windows\System32\Tasks\PCDDataUploadTask
2016-03-27 22:11 - 2016-04-23 14:28 - 00003220 _____ C:\Windows\System32\Tasks\SystemToolsDailyTest
2016-03-27 22:11 - 2016-03-27 22:11 - 00000000 ____D C:\ProgramData\PC-Doctor for Windows
2016-03-27 22:11 - 2016-03-27 22:11 - 00000000 ____D C:\Program Files\Dell Support Center

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-25 09:59 - 2013-08-22 06:36 - 00000000 ____D C:\Windows\Inf
2016-04-25 08:33 - 2014-10-29 22:47 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2404292630-3466018394-1638579335-1001
2016-04-25 08:31 - 2014-08-14 02:14 - 00000000 ____D C:\Program Files (x86)\Dell Backup and Recovery
2016-04-25 08:27 - 2014-11-01 14:59 - 00003926 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{F5C7FA93-310B-47BE-A41D-6F9737A5E808}
2016-04-24 23:49 - 2015-01-09 23:24 - 00053248 ___SH C:\Users\TedD\Documents\Thumbs.db
2016-04-24 23:29 - 2014-12-02 21:58 - 13400576 ___SH C:\Users\TedD\Desktop\Thumbs.db
2016-04-24 23:15 - 2014-12-23 00:19 - 00068608 _____ C:\Users\TedD\Desktop\1-annual.xls
2016-04-24 22:54 - 2014-12-03 12:19 - 00000000 ____D C:\Users\TedD\AppData\Local\Adobe
2016-04-24 15:36 - 2013-08-22 07:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-23 14:28 - 2015-02-11 21:38 - 00003822 _____ C:\Windows\System32\Tasks\Dell SupportAssistAgent AutoUpdate
2016-04-22 11:59 - 2014-08-14 01:47 - 00000000 ____D C:\Windows\Panther
2016-04-22 00:57 - 2015-01-11 16:31 - 00453288 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2016-04-21 13:39 - 2013-08-22 06:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2016-04-21 13:32 - 2014-08-14 02:09 - 00000000 ____D C:\ProgramData\McAfee
2016-04-21 13:32 - 2014-08-14 02:09 - 00000000 ____D C:\Program Files\mcafee
2016-04-21 13:32 - 2014-08-14 02:09 - 00000000 ____D C:\Program Files\Common Files\mcafee
2016-04-21 13:32 - 2014-08-14 02:09 - 00000000 ____D C:\Program Files (x86)\McAfee
2016-04-21 13:31 - 2014-11-21 14:08 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-04-20 13:20 - 2014-03-18 02:53 - 00863592 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-19 18:09 - 2015-12-03 11:52 - 00000000 ____D C:\Users\TedD\AppData\Local\ElevatedDiagnostics
2016-04-19 00:06 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\AppReadiness
2016-04-18 23:33 - 2016-03-18 19:55 - 00000000 ____D C:\Windows\Minidump
2016-04-17 22:51 - 2014-12-03 12:25 - 00000916 _____ C:\Users\TedD\Desktop\mexico.txt
2016-04-17 19:55 - 2014-12-10 14:49 - 00005843 _____ C:\Users\TedD\Desktop\to_do_list.txt
2016-04-15 08:30 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\rescache
2016-04-13 17:12 - 2013-08-22 06:25 - 00262144 ___SH C:\Windows\system32\config\ELAM
2016-04-13 17:11 - 2013-08-22 07:44 - 00376840 _____ C:\Windows\system32\FNTCACHE.DAT
2016-04-13 17:03 - 2014-12-12 00:38 - 00000000 ____D C:\Windows\system32\appraiser
2016-04-13 17:03 - 2013-08-22 08:36 - 00000000 ___RD C:\Windows\ToastData
2016-04-13 11:40 - 2013-08-22 08:20 - 00000000 ____D C:\Windows\CbsTemp
2016-04-13 11:35 - 2014-11-30 01:17 - 00000000 ____D C:\Windows\system32\MRT
2016-04-13 11:32 - 2014-11-30 01:17 - 135176864 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-04-13 10:07 - 2014-12-10 14:49 - 00003349 _____ C:\Users\TedD\Desktop\tianguis_2012.txt
2016-04-12 21:46 - 2016-01-13 12:01 - 00177488 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2016-04-12 19:18 - 2016-03-08 11:54 - 01737080 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2016-04-12 19:18 - 2016-03-08 11:54 - 01501488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2016-04-12 19:18 - 2016-03-08 11:54 - 00246784 _____ (Microsoft Corporation) C:\Windows\system32\microsoft-windows-system-events.dll
2016-03-28 11:34 - 2015-04-06 11:42 - 00000000 ___SD C:\Windows\SysWOW64\GWX
2016-03-28 11:34 - 2015-04-06 11:42 - 00000000 ___SD C:\Windows\system32\GWX
2016-03-27 22:11 - 2014-08-14 02:07 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell
2016-03-27 22:08 - 2014-08-14 02:08 - 00000000 ____D C:\ProgramData\PCDr
2016-03-26 23:27 - 2014-11-21 14:40 - 00001202 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\paint.net.lnk
2016-03-26 23:27 - 2014-11-21 14:40 - 00001190 _____ C:\Users\Public\Desktop\paint.net.lnk
2016-03-26 23:27 - 2014-11-21 14:39 - 00000000 ____D C:\Program Files\paint.net
2016-03-26 20:46 - 2015-02-11 21:37 - 00000000 ____D C:\ProgramData\SupportAssistAgent

==================== Files in the root of some directories =======

2015-12-02 14:54 - 2015-12-02 14:54 - 0007599 _____ () C:\Users\TedD\AppData\Local\Resmon.ResmonCfg
2014-08-14 02:04 - 2014-08-14 02:04 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-04-23 14:37

==================== End of FRST.txt ============================

and the Addition.txt file:

Additional scan result of Farbar Recovery Scan Tool (x64) Version:25-04-2016
Ran by TedD (2016-04-25 10:15:52)
Running from C:\Users\TedD\Desktop
Windows 8.1 Connected (X64) (2014-10-30 05:41:57)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2404292630-3466018394-1638579335-500 - Administrator - Disabled)
Guest (S-1-5-21-2404292630-3466018394-1638579335-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2404292630-3466018394-1638579335-1003 - Limited - Enabled)
TedD (S-1-5-21-2404292630-3466018394-1638579335-1001 - Administrator - Enabled) => C:\Users\TedD

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: McAfee Anti-Virus and Anti-Spyware (Disabled - Up to date) {ADA629C7-7F48-5689-624A-3B76997E0892}
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: McAfee Anti-Virus and Anti-Spyware (Disabled - Up to date) {16C7C823-5972-5907-58FA-0004E2F9422F}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 21 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 21.0.0.213 - Adobe Systems Incorporated)
CCleaner (HKLM\...\CCleaner) (Version: 5.16 - Piriform)
Dell Backup and Recovery (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 1.8.1.70 - Dell Inc.)
Dell Customer Connect (HKLM-x32\...\{FEFDCDCF-C49C-45D0-AAF8-5345858ADEC7}) (Version: 1.2.1.0 - Dell Inc.)
Dell Data Vault (Version: 4.3.8.0 - Dell Inc.) Hidden
Dell Digital Delivery (HKLM-x32\...\{D850CB7E-72BC-4510-BA4F-48932BFAB295}) (Version: 2.9.901.0 - Dell Products, LP)
Dell Product Registration (HKLM-x32\...\{24F2AD94-CC1B-4294-B184-D4D31A3186A7}) (Version: 2.42.0012 - Aviata Inc.)
Dell SupportAssist (HKLM\...\PC-Doctor for Windows) (Version: 1.2.6793.01 - Dell)
Dell SupportAssistAgent (HKLM-x32\...\{B57A8AFE-6735-4497-BD52-BD2F838F5CF0}) (Version: 1.2.1.31 - Dell)
Dell Touchpad (HKLM\...\SynTPDeinstKey) (Version: 18.1.2.1 - Synaptics Incorporated)
Dell Update (HKLM-x32\...\{3FB000F3-7444-41C1-A0A6-53E8FD0B7D9C}) (Version: 1.6.1007.0 - Dell Inc.)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3621 - Intel Corporation)
Intel® Trusted Execution Engine (HKLM\...\{176E2755-0A17-42C6-88E2-192AB2131278}) (Version: 1.0.0.1064 - Intel Corporation)
McAfee LiveSafe – Internet Security (HKLM-x32\...\MSC) (Version: 12.8.992 - McAfee, Inc.)
Microsoft Expression Web 2 (HKLM-x32\...\XWeb) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Expression Web 4 (HKLM-x32\...\Web_4.0.1460.0) (Version: 4.0.1460.0 - Microsoft Corporation)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Mozilla Firefox 45.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 45.0.2 (x86 en-US)) (Version: 45.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 45.0.2.5941 - Mozilla)
OpenOffice 4.1.1 (HKLM-x32\...\{9395F41D-0F80-432E-9A59-B8E477E7E163}) (Version: 4.11.9775 - Apache Software Foundation)
paint.net (HKLM\...\{DADC2AF6-DC9F-4BCF-BFCE-DCEC16EF507C}) (Version: 4.0.9 - dotPDN LLC)
PocketCloud (HKLM-x32\...\{D9752C7D-A595-4687-A0D5-362E9C311C55}) (Version: 2.7.14 - Wyse Technology)
Quickset64 (HKLM\...\{87CF757E-C1F1-4D22-865C-00C6950B5258}) (Version: 10.16.005 - Dell Inc.)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.2.9200.39048 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7152 - Realtek Semiconductor Corp.)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0CCCE4B5-36AB-4CB7-9947-F1C821BEEC1B} - System32\Tasks\Dell SupportAssistAgent AutoUpdate => C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssist.exe [2016-03-14] (Dell Inc.)
Task: {22EEFDAF-57F1-45B7-BCF3-4C2E1A0B901B} - System32\Tasks\Dell\Dell Product Registration => C:\Program Files (x86)\Dell Product Registration\prodreg.exe [2014-10-31] (Aviata Inc)
Task: {3A60EF89-3C60-4426-98BF-CA1DCE266F7D} - System32\Tasks\PocketCloud => C:\Program Files (x86)\Wyse\PocketCloud\PocketCloudDesktopApp.exe [2013-08-22] ()
Task: {414352C3-BF42-4E9E-97B0-4BC4754A79EE} - System32\Tasks\PocketCloudVirtualChannel => C:\Program Files (x86)\Wyse\PocketCloud\WPCRDPVirtualChannelServer.exe [2013-08-22] ()
Task: {53488206-89FB-46FB-BED6-476B87A100AF} - System32\Tasks\PCDEventLauncherTask => C:\Program Files\Dell\SupportAssist\sessionchecker.exe [2016-03-24] (PC-Doctor, Inc.)
Task: {5F059CF0-5EAC-466F-B1AF-70F9DDD66C8D} - System32\Tasks\Dell\Dell Product Registration Update => C:\Program Files (x86)\Dell Product Registration\prodreg.exe [2014-10-31] (Aviata Inc)
Task: {9AC5F53B-EBBA-4C0E-8EF6-77C103123699} - System32\Tasks\PCDDataUploadTask => uaclauncher.exe
Task: {A0871232-E201-4B37-8DB7-244211E6479C} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [2016-04-13] (Microsoft Corporation)
Task: {ADF308B8-4D5B-478A-83E6-5CCE3B7E9097} - System32\Tasks\PocketCloudUpdater => C:\Program
Task: {DE79FBD6-0819-49F1-9F76-A883BC3F283E} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-03-11] (Piriform Ltd)
Task: {E933D66B-7225-4A78-BC70-4FE15AA5E24A} - System32\Tasks\Synaptics TouchPad Enhancements => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2014-02-19] (Synaptics Incorporated)
Task: {FF6F8070-7AD9-4459-943E-811F90D1A2DC} - System32\Tasks\SystemToolsDailyTest => uaclauncher.exe

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2013-08-22 11:40 - 2013-08-22 11:40 - 00016176 _____ () C:\Program Files (x86)\Wyse\PocketCloud\PocketCloudService.exe
2016-03-26 23:28 - 2016-03-26 23:28 - 03047936 _____ () C:\Windows\assembly\NativeImages_v4.0.30319_64\PaintDotNetc8826574#\506634a7d9701683c0fd94ac43e93f6b\PaintDotNet.SystemLayer.Native.x64.ni.dll
2016-01-05 08:55 - 2016-01-05 08:55 - 01083464 _____ () C:\Program Files\paint.net\PaintDotNet.SystemLayer.Native.x64.dll
2016-04-19 18:00 - 2016-01-11 09:52 - 00625440 _____ () C:\Program Files (x86)\IObit\LiveUpdate\ProductStatistics.dll
2015-02-26 09:07 - 2015-02-09 08:14 - 01905904 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Restore\STRestoreAPI.dll
2014-08-14 02:16 - 2012-11-25 23:19 - 01153384 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Restore\libxml2.dll
2015-02-26 09:07 - 2014-02-18 11:12 - 00117568 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Restore\zlib1.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 06:25 - 2013-08-22 06:25 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2404292630-3466018394-1638579335-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\TedD\Desktop\14_04_01 234.JPG
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run32: => "AVG_UI"
HKLM\...\StartupApproved\Run32: => "AvgUi"
HKU\S-1-5-21-2404292630-3466018394-1638579335-1001\...\StartupApproved\Run: => "CCleaner Monitoring"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{40183357-7251-474D-B6F9-1005EABB2661}] => (Allow) C:\Program Files (x86)\Wyse\PocketCloud\PocketCloudDesktopApp.exe
FirewallRules: [{634E5E0F-6510-46AE-9028-7F28702BC999}] => (Allow) C:\Program Files (x86)\Wyse\PocketCloud\AetherWindowsService.exe
FirewallRules: [{D275305E-C1DD-4C05-802B-9817A9F74A77}] => (Allow) C:\Program Files (x86)\Wyse\PocketCloud\WyseRemoteAccess.exe
FirewallRules: [{91D5D33A-0D7F-4405-8EE0-7D2E2019AF93}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{828EC66B-357E-4D42-B270-C2D63B305D1F}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{161289F9-F267-479A-9B1F-59A5055D317B}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{1D11CD28-747F-4B68-A072-0BC9BB800F4D}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{16F07DC7-152A-4C24-B51C-CE84698ED306}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{40F0D9BE-C8EB-493D-AC1A-5D1DA3D82911}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{5B8C59FD-E9DD-4747-A71B-9FF43179ACBD}] => (Allow) C:\Program Files\AVAST Software\Avast\ng\vbox\aswFe.exe
FirewallRules: [{5E18D7B0-FA5C-4CEB-97C7-1F7BFD0D0DDD}] => (Allow) C:\Program Files\AVAST Software\Avast\ng\vbox\aswFe.exe
FirewallRules: [{F651CE46-A7BF-4E53-96BB-44DB968D877F}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
FirewallRules: [{81637C0D-59C5-4EB6-98FF-A9DA10AA86A1}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
FirewallRules: [{0D5BDE29-9C27-4835-9840-35EF540534ED}] => (Allow) C:\Program Files (x86)\AVG\Av\avgdiagex.exe
FirewallRules: [{311E9C97-ACD1-4E80-9147-1FD7BC53151B}] => (Allow) C:\Program Files (x86)\AVG\Av\avgdiagex.exe
FirewallRules: [{3F996DDE-DFAB-4CF4-B859-FA2D676A9A5C}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{E633D34D-1704-435B-A2A9-3492BEBA713F}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{9C516408-3D4C-4E6B-8917-5910DD8E2326}] => (Allow) C:\Program Files (x86)\AVG\Av\avgemca.exe
FirewallRules: [{5FA779C0-A991-43DE-B003-22254811FD52}] => (Allow) C:\Program Files (x86)\AVG\Av\avgemca.exe

==================== Restore Points =========================

24-04-2016 16:19:48 Scheduled Checkpoint

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (04/24/2016 10:55:00 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_PcaSvc, version: 6.3.9600.17415, time stamp: 0x54504177
Faulting module name: ntdll.dll, version: 6.3.9600.18194, time stamp: 0x56951674
Exception code: 0xc0000008
Fault offset: 0x00000000000925fa
Faulting process id: 0x1a8
Faulting application start time: 0xsvchost.exe_PcaSvc0
Faulting application path: svchost.exe_PcaSvc1
Faulting module path: svchost.exe_PcaSvc2
Report Id: svchost.exe_PcaSvc3
Faulting package full name: svchost.exe_PcaSvc4
Faulting package-relative application ID: svchost.exe_PcaSvc5

Error: (04/24/2016 03:34:58 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_PcaSvc, version: 6.3.9600.17415, time stamp: 0x54504177
Faulting module name: ntdll.dll, version: 6.3.9600.18194, time stamp: 0x56951674
Exception code: 0xc0000008
Fault offset: 0x00000000000925fa
Faulting process id: 0x1b0
Faulting application start time: 0xsvchost.exe_PcaSvc0
Faulting application path: svchost.exe_PcaSvc1
Faulting module path: svchost.exe_PcaSvc2
Report Id: svchost.exe_PcaSvc3
Faulting package full name: svchost.exe_PcaSvc4
Faulting package-relative application ID: svchost.exe_PcaSvc5

Error: (04/24/2016 03:32:04 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: madbum-pc)
Description: Activation of app windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (04/24/2016 03:31:54 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2486) (User: madbum-pc)
Description: App windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy+microsoft.windows.immersivecontrolpanel did not launch within its allotted time.

Error: (04/24/2016 03:31:32 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: madbum-pc)
Description: Activation of app windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (04/24/2016 03:31:22 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2486) (User: madbum-pc)
Description: App windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy+microsoft.windows.immersivecontrolpanel did not launch within its allotted time.

Error: (04/24/2016 03:27:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 2.3.173.0, time stamp: 0x56e065b4
Faulting module name: ntdll.dll, version: 6.3.9600.18194, time stamp: 0x569515fc
Exception code: 0xc0000020
Fault offset: 0x0009d3c2
Faulting process id: 0x16bc
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3
Faulting package full name: mbam.exe4
Faulting package-relative application ID: mbam.exe5

Error: (04/24/2016 03:26:51 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 2.3.173.0, time stamp: 0x56e065b4
Faulting module name: ntdll.dll, version: 6.3.9600.18194, time stamp: 0x569515fc
Exception code: 0xc0000020
Fault offset: 0x0009d3c2
Faulting process id: 0x1558
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3
Faulting package full name: mbam.exe4
Faulting package-relative application ID: mbam.exe5

Error: (04/24/2016 11:13:08 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_PcaSvc, version: 6.3.9600.17415, time stamp: 0x54504177
Faulting module name: ntdll.dll, version: 6.3.9600.18194, time stamp: 0x56951674
Exception code: 0xc0000008
Fault offset: 0x00000000000925fa
Faulting process id: 0x12c
Faulting application start time: 0xsvchost.exe_PcaSvc0
Faulting application path: svchost.exe_PcaSvc1
Faulting module path: svchost.exe_PcaSvc2
Report Id: svchost.exe_PcaSvc3
Faulting package full name: svchost.exe_PcaSvc4
Faulting package-relative application ID: svchost.exe_PcaSvc5

Error: (04/24/2016 11:08:38 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80040154, Class not registered
.


Operation:
   Instantiating VSS server


System errors:
=============
Error: (04/24/2016 10:56:01 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Program Compatibility Assistant Service service, but this action failed with the following error:
%%1056

Error: (04/24/2016 10:56:01 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Device Association Service service, but this action failed with the following error:
%%1056

Error: (04/24/2016 10:55:01 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The WLAN AutoConfig service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (04/24/2016 10:55:01 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Diagnostic System Host service terminated unexpectedly.  It has done this 1 time(s).

Error: (04/24/2016 10:55:01 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Distributed Link Tracking Client service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (04/24/2016 10:55:01 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Superfetch service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (04/24/2016 10:55:01 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Program Compatibility Assistant Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (04/24/2016 10:55:01 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Network Connections service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 100 milliseconds: Restart the service.

Error: (04/24/2016 10:55:01 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Network Connection Broker service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.

Error: (04/24/2016 10:55:01 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The HomeGroup Listener service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.


CodeIntegrity:
===================================
  Date: 2016-04-24 11:00:33.680
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-04-23 15:57:46.037
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-04-21 14:07:32.449
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-04-20 10:48:49.507
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-04-14 09:51:10.944
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-04-05 09:23:15.934
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-03-24 09:38:18.983
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-03-24 09:38:17.684
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-03-19 17:33:21.825
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-03-15 13:52:45.769
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.


==================== Memory info ===========================

Processor: Intel® Celeron® CPU N2830 @ 2.16GHz
Percentage of memory in use: 62%
Total physical RAM: 3979.2 MB
Available physical RAM: 1502.17 MB
Total Virtual: 4683.2 MB
Available Virtual: 2001.53 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:457.49 GB) (Free:360.44 GB) NTFS
Drive d: (ESP) (Fixed) (Total:0.48 GB) (Free:0.46 GB) FAT32
Drive x: (WINRETOOLS) (Fixed) (Total:0.73 GB) (Free:0.45 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 6872AD14)

Partition: GPT.

==================== End of Addition.txt ============================

So I'm not sure if I need to do Step 2 over again or......

Thanks,

Ted
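The CodeIntegrity section of the Addition.txt log posted above repeats the same Date/Description pair ten times. As an added example (my own code, not part of this thread and not code from FRST), here is a small Python parser for that section that collapses the repeats into one row per loading process and rejected module, with a count and a first/last-seen span, which is how a responder would condense such a block before deciding whether it matters. The sample text is built from three of the entries quoted above; the assumption that a section ends at the next `==== Name ====` header, and all function names, are mine.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout FRST uses for the CodeIntegrity section of
# Addition.txt. The three entries are copied from the log posted in this thread;
# the trailing "Memory info" header is there to show where the section ends.
SAMPLE_ADDITION = r"""
CodeIntegrity:
===================================
  Date: 2016-04-24 11:00:33.680
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-04-23 15:57:46.037
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-03-15 13:52:45.769
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.


==================== Memory info ===========================
"""

# One event line: which process tried to load which module, and which signing
# level the module failed to meet.
ENTRY_RE = re.compile(
    r"Code Integrity determined that a process \((?P<process>[^)]+)\) "
    r"attempted to load (?P<module>\S+) that did not meet the "
    r"(?P<level>.+?) signing level requirements\."
)


@dataclass(frozen=True)
class CiEvent:
    date: str      # "YYYY-MM-DD HH:MM:SS.mmm" as FRST prints it; sorts as text
    process: str   # NT device path of the loading process
    module: str    # NT device path of the rejected module
    level: str     # e.g. "Custom 3 / Antimalware"


def basename(nt_path: str) -> str:
    """Last component of an NT-style path such as \\Device\\...\\name.ext."""
    return nt_path.rsplit("\\", 1)[-1]


def parse_code_integrity(text: str) -> list[CiEvent]:
    """Extract the Date/Description pairs from the CodeIntegrity section only."""
    events: list[CiEvent] = []
    in_section = False
    date = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("CodeIntegrity:"):
            in_section = True
            continue
        if not in_section:
            continue
        # Assumption: a "==== Section name ====" header ends the section; the
        # bare "=====" underline right after "CodeIntegrity:" has no letters.
        if line.startswith("=") and any(c.isalpha() for c in line):
            break
        if line.startswith("Date:"):
            date = line[len("Date:"):].strip()
        elif line.startswith("Description:"):
            m = ENTRY_RE.search(line)
            if m and date:
                events.append(CiEvent(date, m["process"], m["module"], m["level"]))
            date = None
    return events


def summarize(events: list[CiEvent]) -> dict[tuple[str, str], dict]:
    """Collapse repeats: one row per (process, module) with count and time span."""
    rows: dict[tuple[str, str], dict] = {}
    for e in events:
        key = (basename(e.process), basename(e.module))
        row = rows.setdefault(key, {"count": 0, "first": e.date, "last": e.date,
                                    "level": e.level, "module_path": e.module})
        row["count"] += 1
        row["first"] = min(row["first"], e.date)
        row["last"] = max(row["last"], e.date)
    return rows


def render(rows: dict[tuple[str, str], dict]) -> list[str]:
    """Human-readable lines, busiest process/module pair first."""
    out = []
    for (proc, mod), r in sorted(rows.items(), key=lambda kv: -kv[1]["count"]):
        out.append(f"{proc} -> {mod}: {r['count']} rejected load(s), "
                   f"{r['first']} .. {r['last']}, level {r['level']}")
    return out


if __name__ == "__main__":
    for line in render(summarize(parse_code_integrity(SAMPLE_ADDITION))):
        print(line)
```

Run on the sample, the ten-line block in the log above becomes a single row showing that the only rejected loads are MsMpEng.exe refusing an Office 12 DLL from the Antimalware signing level, which is the question a responder actually wants answered before moving on to the rest of the log.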



#4 Struppigel

Struppigel

    Karsten Hahn, G DATA Malware Analyst


  • Malware Response Team
  • 231 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:01 PM

Posted 25 April 2016 - 02:43 PM

Thank you, Ted.

 

Your system has a serious infection with a backdoor called Bedep. This also explains the resistance towards malware removal tools.

Please read the warning below before you proceed.

 

Backdoor Warning

------------------------------
 
One or more of the identified malware is known to use a backdoor that allows attackers to remotely control your computer, download/execute files and steal system, financial & personal information.
 
If your computer has been used for online banking, has credit card information or other sensitive data, using a non-compromised computer/device you should immediately change all account information (including those used for Email, eBay, Paypal, online forums, etc).
 
Banking and credit card institutions should be notified of the possible security breach. Please read the following article for more information: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
 
Whilst the identified malware can be removed, there is no way to guarantee the trustworthiness of your computer unless you reformat your hard drive and reinstall your Operating System. This is due to the nature of the malware, which allows a remote attacker to make any kind of modification. Many experts in the security community believe that once compromised with this type of malware, the best course of action is to reformat/reinstall. Please read the following articles for more information.

You now have the choice between cleaning the malware present or reformatting your computer. Ultimately, the decision is yours, and what you're most comfortable with. Once you've read the articles linked above, let me know if you have any questions, and how you wish to proceed.

 

 

STEP 1
Farbar Recovery Scan Tool (FRST) Search

  • Double click Frst64.exe to launch it.
  • FRST will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Copy/Paste the following line into the Search: box.

    05EE3202-A879-4F9D-895C-AC535855E0A9;BE2ACE5C-32B7-4777-9BDF-ECF87CDAB705
     
  • Press the Search Registry button.
  • When finished searching a log will open on your Desktop ... Search.txt
  • Please post it in your next reply.

 

STEP 2
Malwarebytes Anti-Rootkit (MBAR)

  • Please download Malwarebytes Anti-Rootkit and save the file to your Desktop.
  • Double-Click MBAR.exe.
  • Select your Desktop as the location to extract the contents and click OK. The programme should open upon completion.
  • Click Next, followed by Update. Upon update completion, click Next.
  • Ensure Drivers, Sectors & System are checked and click Scan.
  • Note: Do not use your computer during the scan.
  • Upon completion:
    • If no malware is found, close the MBAR window.
    • If malware is found, ensure Create Restore Point is checked and click Cleanup. Reboot when prompted.
  • Two logs (mbar-log.txt and system-log.txt) will be created. Attach both logs in your next reply. Both logs can be found in the MBAR folder.

 
======================================================
 
STEP 3
Logs
In your next reply please include the following logs.

  • Search.txt
  • mbar-log.txt
  • system-log.txt


#5 mexxomp

mexxomp
  • Topic Starter

  • Members
  • 127 posts
  • OFFLINE
  •  
  • Local time:03:01 AM

Posted 25 April 2016 - 03:19 PM

Two quick questions before I read everything. If I change my passwords on my email, etc., does it mean they are watching and will have the new ones? And, two, I really don't understand the concept of reinstall and reformat. Does it mean I lose everything on my computer like photos, etc.? Oh, I guess I have one more question: how do I know it's not reading this?



#6 mexxomp

mexxomp
  • Topic Starter

  • Members
  • 127 posts
  • OFFLINE
  •  
  • Local time:03:01 AM

Posted 25 April 2016 - 03:51 PM

Ok, I pretty much read what you linked to above. I am not a tech person so some was foreign to me so I don't understand everything. It seems like a reformat/reinstall would be best I guess. I guess I don't really understand how that works fully.

 

By the way, I am assuming I shouldn't use my email, etc. on this computer right now (even though passwords have been changed)?


Oh, and do you want me to follow those steps anyway?



#7 mexxomp

mexxomp
  • Topic Starter

  • Members
  • 127 posts
  • OFFLINE
  •  
  • Local time:03:01 AM

Posted 25 April 2016 - 05:05 PM

Ok, so I just followed your instructions. Here is step 1.

Farbar Recovery Scan Tool (x64) Version:25-04-2016
Ran by TedD (2016-04-25 15:04:17)
Running from C:\Users\TedD\Desktop
Boot Mode: Normal

================== Search Registry: "05EE3202-A879-4F9D-895C-AC535855E0A9;BE2ACE5C-32B7-4777-9BDF-ECF87CDAB705" ===========


===================== Search result for "05EE3202-A879-4F9D-895C-AC535855E0A9" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2E55EEFD-2162-4A7D-9158-EDB0305603A6}]
"UninstallString"="C:\ProgramData\{05EE3202-A879-4F9D-895C-AC535855E0A9}\DDV.exe"

====== End of Search ======



#8 mexxomp

mexxomp
  • Topic Starter

  • Members
  • 127 posts
  • OFFLINE
  •  
  • Local time:03:01 AM

Posted 25 April 2016 - 05:10 PM

On the 2nd step, I downloaded and double-clicked on the program. Then I clicked OK and a box popped up that said:

mbar.exe
c:\Windows\SYSTEM32\sfc.dll not designated to run on Windows or it contains an error.

Then, after I clicked OK to get the box off, another box popped up that said:

mbar.exe is not found



#9 mexxomp

mexxomp
  • Topic Starter

  • Members
  • 127 posts
  • OFFLINE
  •  
  • Local time:03:01 AM

Posted 25 April 2016 - 05:11 PM

Now another box just popped up called "RunDLL" and it says:

mbar.exe is a not a valid Win32 application



#10 Struppigel

Struppigel

    Karsten Hahn, G DATA Malware Analyst


  • Malware Response Team
  • 231 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:01 PM

Posted 26 April 2016 - 02:15 AM

Hi Ted.

If I change my passwords on my email, etc. does it mean they are watching and will have the new ones? And, two I really don't understand the concept of reinstall and reformat. Does it mean I lose everything on my computer like photos, etc.? Oh, I guess I have one more question, how do I know it's not reading this? [...] By the way, I am assuming I shouldn't use my email, etc. on this computer right now (even though passwords have been changed)?

Reformat means that all data on your system gets wiped out and the operating system needs to be reinstalled. So you have to back up all personal files, e.g., to an external drive, before you attempt a reformat.

You should not use your infected computer to access any important accounts. The malware will just steal your credentials again, even after a password change. Access your accounts and change your passwords only from a clean system.

 

You will need the following things for reformatting your system:

  • Storage device to back up your data, e.g., external hard drive
  • Windows Installation Disk or Installation USB
  • Windows Product Key

Do you have all these?



#11 mexxomp

mexxomp
  • Topic Starter

  • Members
  • 127 posts
  • OFFLINE
  •  
  • Local time:03:01 AM

Posted 26 April 2016 - 10:55 AM

Hi,

 

I don't have any of these, and I'm not sure what some of them are, like the Installation USB and the Windows Product Key. When I bought the laptop, I don't think it came with a disk.



#12 Struppigel

Struppigel

    Karsten Hahn, G DATA Malware Analyst


  • Malware Response Team
  • 231 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:01 PM

Posted 26 April 2016 - 02:45 PM

Hi Ted.

 

The Windows Product Key is essential for the process. It is either on a sticker on your computer or in the Windows package that came with your computer. Such a sticker might look as follows:

[Image: Windows Certificate of Authenticity (COA) sticker]

Please check if you find such a sticker on your computer or in any package that came with your computer.

 

We can create the installation disk if you have a DVD burner and you may either borrow or buy an external storage device to backup your data.

 

Marie


Edited by Curie, 26 April 2016 - 02:47 PM.


#13 mexxomp

mexxomp
  • Topic Starter

  • Members
  • 127 posts
  • OFFLINE
  •  
  • Local time:03:01 AM

Posted 26 April 2016 - 03:11 PM

Hi Marie,

 

I just looked on the bottom of the computer and I don't have a sticker (why???). I purchased it about 3 years ago (?) at a Fry's Electronics.



#14 mexxomp

mexxomp
  • Topic Starter

  • Members
  • 127 posts
  • OFFLINE
  •  
  • Local time:03:01 AM

Posted 26 April 2016 - 05:25 PM

I am going to purchase an external hard drive. Any recommended model or size? I have 1,000s of files and images.

 

Ted



#15 Struppigel

Struppigel

    Karsten Hahn, G DATA Malware Analyst


  • Malware Response Team
  • 231 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:01 PM

Posted 27 April 2016 - 01:52 AM

Hi Ted.

I can't tell you where your Windows Key is. But you can try the programme below to obtain it from your current system.
  • Please download Windows Product Key Viewer
  • Double-click winproductkey.exe
  • Choose a location to save the file to and click unzip
  • Click ok and close
  • Navigate to the install location (the default is C:\winproductkey), right-click winproductkey.exe and Run as Administrator.
  • The programme will show you a Windows Product Key in the form of BBBBB-BBBBB-BBBBB-BBBBB-BBBBB with B representing any character or digit.
  • Please note the key down on paper or print it. Do NOT post the key anywhere publicly.
  • Close the programme. It will ask for a donation. If you want to close it, click 'No' and wait until the screen disappears.
Please tell me in your next reply if you could obtain your key this way.

 

I am going to purchase an external hard drive. Any recommended model or size? I have 1,000s of files and images.

Ted


Your hard disk has 500 GB and it is barely filled, so 500 GB should be enough for your external drive as well. I have no model recommendation.

Edited by Curie, 27 April 2016 - 02:00 AM.




