
"Pick an app" window randomly popping up every few minutes, Start Menu broken


  • This topic is locked
6 replies to this topic

#1 9001M

9001M

  • Members
  • 56 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 23 July 2016 - 01:32 PM

I need help finding and killing a ghost that is lingering in the system following a malware infection.

This Windows 10 desktop system was brought to my attention with the following symptom: At random intervals, but rarely longer than 5 minutes, the "Pick an app" process (OpenWith.exe) kicks off presenting the following list of apps to choose:

-  Adobe Acrobat Reader DC
-  Internet Explorer
-  Movie Maker
-  Notepad
-  Paint
-  Photo Gallery
-  Windows Media Player
-  Windows Photo Viewer
-  Wordpad

Suspecting this was being triggered by a malware infection, I ran a Malwarebytes scan - almost 500 threats were detected and cleaned. Following are the detected threats:

-  PUP.Optional.HijackModifiedExtension (233 folders, 248 files)
-  PUP.Optional.eShopComp (4 files)

I then went through my full malware cleanup process, first in Safe Mode, then in Normal operating mode, using the following tools:

-  RKill
-  Malwarebytes AntiRootkit
-  Malwarebytes AntiMalware (1.75 and 2.2)
-  RogueKiller
-  AdwareCleaner
-  Junkware Removal Tool
-  Hitman Pro
-  ESET Online Scanner

Beyond the initial threat detection by MBam, a small number of additional threats were detected by RogueKiller, AdwareCleaner and JRT. All other scans came back clean.

Unfortunately, the "Pick an app" window continues to pop up.

I ran SFC /scannow (no integrity violations) and DISM /online /cleanup-image /restorehealth (The restore operation completed successfully).

"Pick an app" continues to pop up.

I then created a second user profile to see if the issue persists - it does.

In this second user profile, I decided to test certain "Pick an app" selections to see what would happen:

-  If I choose Notepad and click OK, it launches Notepad and pops up the message "Cannot find the C:\Program.txt file. Do you want to create a new file?".

-  If I choose Windows Photo Viewer, I get "AVScanner - Windows Photo Viewer" in the upper left corner of the PV window and a message of "Windows Photo Viewer can't open this picture because ... doesn't support this file format, or..."

-  If I choose Photo Gallery I get an error message "An error is preventing the photo or video from being displayed. Error code 0x8000000a"

-  If I choose Paint, I get an error message "C:\Program.png was not found"

-  Similar results with all other programs in the list...

NOTE: Once I chose any app in the Pick an app list, the Start Menu button (lower-left Task Bar) became and remains non-operational - with either left-click or right-click. I can left-click or right-click any other item - Desktop, Taskbar, Notification icons, Desktop icons - and I get the expected response. It's only the Start Menu button that has become disabled. It remains disabled through reboots. The Start Menu is still fully functional in the original user profile.

Let me know if you would like me to supply any of the malware scan logs.

Thanks in advance for your help!

Best regards,

Steve

------------------
FRST64 Log:
------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-07-2016 02
Ran by Michael Wecksler (administrator) on MICHAELW (23-07-2016 10:49:31)
Running from C:\Users\Michael Wecksler\Desktop
Loaded Profiles: Michael & Michael Wecksler (Available Profiles: Michael & Michael Wecksler)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\1092\g2ax_service.exe
(Intel® Corporation) C:\Program Files\Intel\BCA\pabeSvc64.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
() C:\Program Files (x86)\Wyse\PocketCloud\PocketCloudService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(McAfee, Inc.) C:\Program Files\TrueKey\McAfee.TrueKey.Service.exe
(DELL Inc.) C:\Program Files (x86)\Wyse\PocketCloud\WyseRemoteAccess.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\1092\g2ax_comm_customer.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\1092\g2ax_system_customer.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Dell Products, LP.) C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe
(Dell Inc.) C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
(McAfee, Inc.) C:\Program Files\TrueKey\McTkSchedulerService.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\1092\g2ax_user_customer.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell Backup and Recovery\Toaster.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRSync.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInRC.exe
(Microsoft Corporation) C:\Windows\System32\Taskmgr.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8512760 2015-11-30] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1411320 2015-11-30] (Realtek Semiconductor)
HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [402344 2015-12-19] ()
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-07] (Intel Corporation)
HKLM\...\Run: [RtHDVBg_PushButton] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1411320 2015-11-30] (Realtek Semiconductor)
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2015-06-15] (LogMeIn, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [595992 2016-05-20] (Oracle Corporation)
Winlogon\Notify\GoToAssist Express Customer: C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\1092\g2ax_winlogonx64.dll (Citrix Systems, Inc.)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe
Lsa: [Notification Packages] scecli C:\Program Files\TrueKey\McAfeeTrueKeyPasswordFilter
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayIconBackuped.dll [2015-12-07] (SoftThinks SAS)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayIconNotBackuped.dll [2015-12-07] (SoftThinks SAS)
ShellIconOverlayIdentifiers: [DBRShellOverlayBackupFile] -> {831CEBDD-6BAF-4432-BE76-9E0989C14AEF} => C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayIconBackuped.dll [2015-12-07] (SoftThinks SAS)
ShellIconOverlayIdentifiers: [DBRShellOverlayModifiedBackupFile] -> {275E4FD7-21EF-45CF-A836-832E5D2CC1B3} => C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayIconNotBackuped.dll [2015-12-07] (SoftThinks SAS)
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 10.0.0.1
Tcpip\..\Interfaces\{59148793-1430-483c-ba69-90a6d163a802}: [NameServer] 8.8.8.8,4.2.2.2
Tcpip\..\Interfaces\{59148793-1430-483c-ba69-90a6d163a802}: [DhcpNameServer] 10.0.0.1

Internet Explorer:
==================
HKU\S-1-5-21-3168003271-666603217-98645872-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/p/?LinkId=619797&pc=UE01&ocid=UE01DHP
HKU\S-1-5-21-3168003271-666603217-98645872-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCJB
HKU\S-1-5-21-3168003271-666603217-98645872-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?pc=UE01&ocid=UE01DHP
HKU\S-1-5-21-3168003271-666603217-98645872-1004\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://dell13.msn.com/?pc=DCJB
HKU\S-1-5-21-3168003271-666603217-98645872-1004\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCJB
URLSearchHook: [S-1-5-21-3168003271-666603217-98645872-1004] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKLM -> DefaultScope {B37AA81B-8823-45DE-9CEA-19524D51DD29} URL =
SearchScopes: HKU\S-1-5-21-3168003271-666603217-98645872-1001 -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://www.amazon.com/gp/bit/amazonserp/ref=bit_bds-p10_serp_ie_us_display?ie=UTF8&tagbase=bds-p10&tbrId=v1_abb-channel-10_9399765a_1201_1401_20160714_US_ie_ds_&tag=bds-p10-serp-us-ie-20&query={searchTerms}
SearchScopes: HKU\S-1-5-21-3168003271-666603217-98645872-1004 -> {8CDE19E6-71C2-4B46-89B7-35F6A18C571A} URL =
BHO-x32: True Key Helper -> {0F4B8786-5502-4803-8EBC-F652A1153BB6} -> C:\Program Files\Intel Security\True Key\MSIE\truekey_ie.dll [2016-07-15] (Intel Security)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-07-14] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-07-14] (Oracle Corporation)
Toolbar: HKLM-x32 - True Key - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} - C:\Program Files\Intel Security\True Key\MSIE\truekey_ie.dll [2016-07-15] (Intel Security)
Toolbar: HKU\S-1-5-21-3168003271-666603217-98645872-1001 -> No Name - {71576546-354D-41C9-AAE8-31F2EC22BF0D} -  No File

FireFox:
========
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2013-06-26] (Google)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-03] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-03] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-07-14] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-07-14] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-06-30] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3168003271-666603217-98645872-1001: @citrixonline.com/appdetectorplugin -> C:\Users\Michael\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-12-09] (Citrix Online)

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 GoToAssist Remote Support Customer; C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\1092\g2ax_service.exe [610528 2016-04-28] (Citrix Systems, Inc.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-07] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [373160 2015-12-19] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; c:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; c:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
R2 IntelBCAsvc; C:\Program Files\Intel\BCA\pabeSvc64.exe [3026584 2016-05-06] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-03] (Intel Corporation)
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [419336 2016-07-03] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [509448 2016-07-03] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2015-06-15] (LogMeIn, Inc.)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [253776 2013-07-29] (CyberLink)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [312056 2015-11-30] (Realtek Semiconductor)
R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\sftservice.exe [2065808 2016-01-04] (SoftThinks SAS)
R2 SupportAssistAgent; C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [31928 2016-04-22] (Dell Inc.)
R2 TrueKey; C:\Program Files\TrueKey\McAfee.TrueKey.Service.exe [908256 2016-07-14] (McAfee, Inc.)
R2 TrueKeyScheduler; C:\Program Files\TrueKey\McTkSchedulerService.exe [15736 2016-07-14] (McAfee, Inc.)
S3 TrueKeyServiceHelper; C:\Program Files\TrueKey\McAfee.TrueKey.ServiceHelper.exe [86864 2016-07-14] (McAfee, Inc.)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)
R2 WysePocketCloud; C:\Program Files (x86)\Wyse\PocketCloud\PocketCloudService.exe [16176 2013-08-22] ()
R2 WyseRemoteAccess; C:\Program Files (x86)\Wyse\PocketCloud\WyseRemoteAccess.exe [1785344 2013-08-19] (DELL Inc.) [File not signed]
S2 InstallerService; "C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe" [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 athr; C:\Windows\System32\drivers\athw10x.sys [4318760 2015-11-30] (Qualcomm Atheros Communications, Inc.)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91712 2013-03-05] (CyberLink)
S3 DDDriver; C:\Windows\system32\drivers\DDDriver64Dcsa.sys [23760 2015-01-30] (Dell Computer Corporation)
S3 DellProf; C:\Windows\system32\drivers\DellProf.sys [23312 2015-01-30] (Dell Computer Corporation)
S3 dot4; C:\Windows\system32\DRIVERS\Dot4.sys [151968 2012-10-19] (Windows ® Win 7 DDK provider)
S3 Dot4Print; C:\Windows\System32\drivers\Dot4Prt.sys [27040 2012-10-19] (Windows ® Win 7 DDK provider)
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2015-06-15] (LogMeIn, Inc.)
S4 LMIRfsClientNP; no ImagePath
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-07-23] (Malwarebytes)
R3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-09-03] (Intel Corporation)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [589824 2015-10-30] (Realtek                                            )
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2016-07-20] ()
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-07-23 10:49 - 2016-07-23 10:49 - 00017154 _____ C:\Users\Michael Wecksler\Desktop\FRST.txt
2016-07-23 10:46 - 2016-07-23 10:49 - 00000000 ____D C:\FRST
2016-07-23 10:45 - 2016-07-23 10:42 - 02394112 _____ (Farbar) C:\Users\Michael Wecksler\Desktop\FRST64.exe
2016-07-23 10:40 - 2016-07-23 10:40 - 00004134 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{E6BCFBFF-312B-4708-8FD3-FD6A81EB8D10}
2016-07-23 10:40 - 2016-07-23 10:40 - 00000000 ____D C:\Users\Michael Wecksler\AppData\Roaming\Macromedia
2016-07-23 02:12 - 2016-07-23 02:12 - 00000000 ____D C:\Users\Michael Wecksler\AppData\LocalLow\Adobe
2016-07-22 12:15 - 2016-07-22 12:15 - 00003560 _____ C:\WINDOWS\System32\Tasks\PCDEventLauncherTask
2016-07-22 01:40 - 2016-07-22 01:40 - 00003664 _____ C:\WINDOWS\System32\Tasks\CreateExplorerShellUnelevatedTask
2016-07-21 22:11 - 2016-07-21 22:11 - 00000000 ____D C:\Users\Michael Wecksler\AppData\Roaming\Leadertech
2016-07-21 22:11 - 2016-07-21 22:11 - 00000000 ____D C:\Users\Michael Wecksler\AppData\Roaming\Intel Corporation
2016-07-21 22:10 - 2016-07-23 02:12 - 00000000 ____D C:\Users\Michael Wecksler\AppData\Roaming\Adobe
2016-07-21 22:10 - 2016-07-22 16:01 - 00000000 __SHD C:\Users\Michael Wecksler\IntelGraphicsProfiles
2016-07-21 22:10 - 2016-07-21 22:10 - 00002330 _____ C:\Users\Michael Wecksler\Desktop\Google Chrome.lnk
2016-07-21 22:10 - 2016-07-21 22:10 - 00000020 ___SH C:\Users\Michael Wecksler\ntuser.ini
2016-07-21 22:10 - 2016-07-21 22:10 - 00000000 _SHDL C:\Users\Michael Wecksler\My Documents
2016-07-21 22:10 - 2016-07-21 22:10 - 00000000 _SHDL C:\Users\Michael Wecksler\Documents\My Videos
2016-07-21 22:10 - 2016-07-21 22:10 - 00000000 _SHDL C:\Users\Michael Wecksler\Documents\My Pictures
2016-07-21 22:10 - 2016-07-21 22:10 - 00000000 _SHDL C:\Users\Michael Wecksler\Documents\My Music
2016-07-21 22:10 - 2016-07-21 22:10 - 00000000 ____D C:\Users\Michael Wecksler
2016-07-21 14:04 - 2016-07-21 14:04 - 00000000 ____D C:\ProgramData\GlassWire
2016-07-21 14:03 - 2016-07-21 14:03 - 30548248 _____ (SecureMix LLC) C:\Users\Michael\Downloads\GlassWireSetup.exe
2016-07-21 11:27 - 2016-07-21 11:27 - 06858912 _____ (ESET spol. s r.o.) C:\Users\Michael\Downloads\esetonlinescanner_enu(1).exe
2016-07-20 23:03 - 2016-07-21 16:26 - 00000000 ___HD C:\ProgramData\CanonIJFAX
2016-07-20 23:03 - 2011-09-21 05:00 - 00302592 _____ (CANON INC.) C:\WINDOWS\system32\CNCALB2.DLL
2016-07-20 23:01 - 2016-07-21 16:26 - 00000000 ___HD C:\ProgramData\CanonBJ
2016-07-20 23:01 - 2012-03-14 05:00 - 00385024 _____ (CANON INC.) C:\WINDOWS\system32\CNMLMB2.DLL
2016-07-20 18:47 - 2016-07-23 10:46 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-07-20 17:08 - 2016-07-20 17:09 - 06858912 _____ (ESET spol. s r.o.) C:\Users\Michael\Downloads\esetonlinescanner_enu.exe
2016-07-20 16:59 - 2016-07-21 11:14 - 00000000 ____D C:\ProgramData\HitmanPro
2016-07-20 16:57 - 2016-07-21 11:07 - 00000720 _____ C:\Users\Michael\Desktop\JRT.txt
2016-07-20 15:25 - 2016-07-21 16:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2016-07-20 15:25 - 2016-07-21 16:46 - 00000000 ____D C:\Program Files\RogueKiller
2016-07-20 15:25 - 2016-07-20 15:25 - 00000901 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2016-07-20 15:03 - 2016-07-21 16:47 - 00000000 ____D C:\Users\Michael\Desktop\mbar
2016-07-20 15:03 - 2016-07-20 17:00 - 11438608 _____ (SurfRight B.V.) C:\Users\Michael\Desktop\HitmanPro_x64.exe
2016-07-20 15:03 - 2016-07-20 15:03 - 00001253 _____ C:\Users\Michael\Desktop\Malware Recovery - 07-18-2016.lnk
2016-07-20 15:03 - 2016-07-19 14:43 - 01610560 _____ (Malwarebytes) C:\Users\Michael\Desktop\JRT.exe
2016-07-20 15:03 - 2016-07-19 14:41 - 03712064 _____ C:\Users\Michael\Desktop\AdwCleaner.exe
2016-07-20 15:03 - 2016-07-19 14:33 - 34626736 _____ (Adlice Software ) C:\Users\Michael\Desktop\Rogue-Killer-setup.exe
2016-07-20 15:03 - 2016-07-19 14:29 - 16563352 _____ (Malwarebytes Corp.) C:\Users\Michael\Desktop\mbar-1.09.3.1001.exe
2016-07-20 15:03 - 2016-07-19 14:27 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\Michael\Desktop\tdsskiller.exe
2016-07-20 15:03 - 2016-06-28 10:20 - 22851472 _____ (Malwarebytes ) C:\Users\Michael\Desktop\mbam-setup-bc.1878-2.2.1.1043.exe
2016-07-20 15:03 - 2016-06-20 10:34 - 10284816 _____ (Malwarebytes Corporation ) C:\Users\Michael\Desktop\mbam-setup-1.75.0.1300.exe
2016-07-20 15:03 - 2016-05-04 20:32 - 00000084 _____ C:\Users\Michael\Desktop\ESET Services.txt
2016-07-20 15:03 - 2016-05-04 14:53 - 00000125 _____ C:\Users\Michael\Desktop\ESET.url
2016-07-20 15:00 - 2016-07-20 17:00 - 00290298 _____ C:\WINDOWS\ntbtlog.txt
2016-07-18 15:35 - 2016-07-21 16:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-07-18 15:35 - 2016-07-21 16:46 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-07-18 15:35 - 2016-07-20 20:49 - 00001169 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-07-18 15:35 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2016-07-18 15:35 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-07-18 15:35 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-07-18 15:29 - 2016-07-21 16:20 - 00001998 _____ C:\Users\Michael\Desktop\Rkill.txt
2016-07-18 15:28 - 2016-07-18 15:29 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Michael\Desktop\rkill.scr
2016-07-18 15:13 - 2016-07-18 15:13 - 00000097 _____ C:\Users\Michael\Desktop\test.nothing
2016-07-12 11:32 - 2016-07-12 11:32 - 01196752 _____ (Adobe Systems Incorporated) C:\Users\Michael\Downloads\flashplayer22_ka_install.exe
2016-07-02 11:52 - 2016-07-18 13:39 - 00000000 ____D C:\Users\Michael\Desktop\art two

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-07-23 10:50 - 2015-02-03 16:46 - 00000414 _____ C:\WINDOWS\Tasks\WpsUpdateTask_Michael.job
2016-07-23 10:10 - 2015-12-11 17:49 - 00000000 ____D C:\ProgramData\LogMeIn
2016-07-23 09:56 - 2015-02-03 16:46 - 00000414 _____ C:\WINDOWS\Tasks\WpsNotifyTask_Michael.job
2016-07-23 09:52 - 2015-02-03 16:08 - 00000924 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-07-23 09:52 - 2015-02-03 16:08 - 00000920 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-07-22 16:06 - 2015-10-30 00:24 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-07-22 16:06 - 2014-03-14 10:58 - 00000000 ____D C:\Program Files (x86)\Dell Backup and Recovery
2016-07-22 16:01 - 2016-02-16 13:28 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2016-07-22 16:00 - 2015-12-11 17:50 - 00001063 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2016-07-22 16:00 - 2015-10-30 00:21 - 00000000 ____D C:\WINDOWS\INF
2016-07-22 12:07 - 2015-07-31 12:21 - 00881036 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-07-22 12:04 - 2015-07-31 12:32 - 00000000 __SHD C:\Users\Michael\IntelGraphicsProfiles
2016-07-22 12:03 - 2016-02-16 13:41 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-07-22 01:42 - 2015-10-29 23:28 - 00524288 ___SH C:\WINDOWS\system32\config\BBI
2016-07-21 22:10 - 2015-02-03 15:26 - 00000000 __RHD C:\Users\Public\AccountPictures
2016-07-21 16:52 - 2016-02-16 13:31 - 00000000 ____D C:\Users\Michael
2016-07-21 16:48 - 2015-10-29 23:28 - 00000000 ____D C:\WINDOWS\system32\Sysprep
2016-07-21 16:47 - 2016-06-20 13:06 - 00000000 ____D C:\WINDOWS\en
2016-07-21 16:47 - 2015-12-11 19:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-07-21 16:47 - 2015-12-11 11:43 - 00000000 ____D C:\ProgramData\RogueKiller
2016-07-21 16:47 - 2015-02-03 16:21 - 00000000 ____D C:\ProgramData\Oracle
2016-07-21 16:46 - 2016-04-13 15:45 - 00000000 ____D C:\Program Files\TrueKey
2016-07-21 16:46 - 2015-07-02 13:06 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-07-21 16:46 - 2014-03-14 10:55 - 00000000 ____D C:\Program Files (x86)\Windows Live
2016-07-21 16:45 - 2015-12-11 12:27 - 00000000 ____D C:\AdwCleaner
2016-07-21 16:45 - 2015-12-11 11:22 - 00000000 ____D C:\Users\Michael\AppData\Roaming\Malwarebytes
2016-07-21 16:45 - 2014-03-14 10:54 - 00000000 ____D C:\Program Files (x86)\Amazon
2016-07-21 16:38 - 2015-10-30 00:24 - 00000000 ___HD C:\Program Files\WindowsApps
2016-07-21 16:32 - 2015-10-30 00:24 - 00000000 ____D C:\WINDOWS\registration
2016-07-21 16:26 - 2015-12-11 17:49 - 00000000 ____D C:\Program Files (x86)\LogMeIn
2016-07-21 16:25 - 2015-12-11 18:58 - 00000000 ____D C:\Program Files (x86)\Java
2016-07-21 15:37 - 2016-04-13 15:55 - 00000000 ____D C:\Program Files (x86)\McAfee
2016-07-21 13:37 - 2015-10-30 00:11 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-07-21 03:00 - 2016-04-13 15:56 - 00001241 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\True Key.lnk
2016-07-20 22:08 - 2015-12-11 11:43 - 00028272 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2016-07-20 20:43 - 2015-12-11 12:05 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-07-18 16:02 - 2015-12-11 11:35 - 00000000 ____D C:\Users\Michael\Documents\IT Files
2016-07-17 15:07 - 2015-02-06 15:14 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-07-17 15:03 - 2015-02-06 15:14 - 144749672 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-07-15 09:18 - 2015-12-22 17:28 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-07-15 09:18 - 2015-02-05 11:16 - 00004562 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
2016-07-14 12:19 - 2015-12-11 19:04 - 00097344 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2016-07-14 12:19 - 2015-12-11 18:11 - 00000000 ____D C:\Users\Michael\.oracle_jre_usage
2016-07-13 11:43 - 2015-02-03 16:46 - 00001613 _____ C:\Users\Michael\Desktop\WPS Writer.lnk
2016-07-06 17:39 - 2015-10-22 14:31 - 00485032 _____ (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2016-07-05 11:58 - 2015-02-03 16:46 - 00001611 _____ C:\Users\Michael\Desktop\WPS Presentation.lnk
2016-07-05 11:58 - 2015-02-03 16:46 - 00001592 _____ C:\Users\Michael\Desktop\WPS Spreadsheets.lnk
2016-07-03 12:48 - 2015-12-11 17:50 - 00122400 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIRfsClientNP.dll
2016-07-03 12:48 - 2015-12-11 17:49 - 00107520 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIinit.dll
2016-06-26 10:18 - 2015-10-30 00:24 - 00000000 ____D C:\WINDOWS\system32\NDF

==================== Files in the root of some directories =======

2015-07-02 12:47 - 2015-04-20 10:49 - 0000267 _____ () C:\Program Files\fix.vbs
2016-02-16 13:28 - 2016-02-16 13:28 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-07-21 15:41

==================== End of FRST.txt ============================

#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:15 PM

Posted 24 July 2016 - 08:29 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.

Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-3168003271-666603217-98645872-1004] ATTENTION => Default URLSearchHook is missing
Toolbar: HKU\S-1-5-21-3168003271-666603217-98645872-1001 -> No Name - {71576546-354D-41C9-AAE8-31F2EC22BF0D} -  No File
S2 InstallerService; "C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe" [X]
S4 LMIRfsClientNP; no ImagePath
Task: {061BCB7A-73C8-43F9-B73E-8EA168E22D66} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {30399B06-2E3A-4DAB-BBB8-2A39AD323626} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {389285FE-07DF-490C-B1C9-5A459C1984B8} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {6F593DBA-4A0F-4908-8F7E-2C86B7E5E385} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {6FD237A0-65B5-41AE-8F39-9A247D5EEF0B} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {7CC51368-3714-4911-9C39-4A55232D43D2} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {B17DC0BA-3C67-4D61-BDA6-E068A537DCA5} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {D574DF43-6541-4FF8-AA26-8E9FC08C9608} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {DFB13FF2-49C1-414F-AF91-A82D9A0C7B4C} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {EFD0D507-C57D-48C7-81BE-A4CA8123B747} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {FE0A7812-1DC8-4F4C-9B58-C4ACF369869A} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
==

This task is unknown and possibly the culprit.
Task: {73D9854B-4C80-416D-ACCE-C8511D2CDD8D} - System32\Tasks\renew1 => C:\Program Files\fix.vbs [2015-04-20] ()

Rename the file C:\Program Files\fix.vbs to Fix.vbs.old and restart the computer normally.

Is the issue solved, or do you have an error message that the .vbs file is missing?
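The diagnosis above comes down to spotting one scheduled task whose action is a script in an unexpected place. As an added example (not FRST's code and not part of this thread), here is a small Python triage of the `Task:` lines in an FRST log that flags orphaned entries, script-based tasks and targets with no publisher; the sample log is constructed from two lines quoted above plus two invented entries with placeholder GUIDs.

```python
r"""Triage the "Task:" entries of a Farbar Recovery Scan Tool (FRST) log.

Added example, not FRST's own code. It handles the two line shapes seen in this thread:
  Task: {GUID} - \Tree\Path\Name -> No File <==== ATTENTION
  Task: {GUID} - System32\Tasks\Name => C:\path\target.ext [YYYY-MM-DD] (Company)
"""
import re
from dataclasses import dataclass
from typing import List, Optional

_TASK_RE = re.compile(
    r"^Task:\s+\{(?P<guid>[0-9A-Fa-f-]+)\}\s+-\s+(?P<name>.+?)\s+"
    r"(?:->\s+No File"                                                          # shape 1
    r"|=>\s+(?P<target>.+?)\s+\[(?P<date>[\d-]+)\]\s+\((?P<company>[^)]*)\))"  # shape 2
)

# Script hosts are a common persistence vehicle; a task pointing at one deserves a look.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta")


@dataclass
class TaskFinding:
    guid: str
    name: str
    target: Optional[str]  # None for "No File" entries
    company: str           # "" when FRST prints "()" (no publisher / version info)
    verdict: str           # "script", "no-publisher", "orphan" or "ok"


def classify(target: Optional[str], company: str) -> str:
    if target is None:
        return "orphan"        # leftover registry entry, task file gone
    if target.lower().endswith(SCRIPT_EXTS):
        return "script"        # e.g. renew1 => C:\Program Files\fix.vbs in this thread
    if not company:
        return "no-publisher"  # binary with no version info; verify before trusting
    return "ok"


def parse_task_line(line: str) -> Optional[TaskFinding]:
    """Parse one FRST Task: line; return None for anything else (including wrapped lines)."""
    m = _TASK_RE.match(line.strip())
    if not m:
        return None
    target, company = m.group("target"), (m.group("company") or "").strip()
    return TaskFinding(m.group("guid"), m.group("name"), target, company,
                       classify(target, company))


def triage(log_text: str) -> List[TaskFinding]:
    """Every Task: entry that is not 'ok', most suspicious first."""
    rank = {"script": 0, "no-publisher": 1, "orphan": 2}
    hits = [f for f in map(parse_task_line, log_text.splitlines())
            if f is not None and f.verdict != "ok"]
    return sorted(hits, key=lambda f: rank[f.verdict])


# Constructed sample: two lines quoted from this thread plus two invented ones
# (a benign vendor task and a no-publisher binary) with placeholder GUIDs.
SAMPLE_LINES = [
    r"Task: {73D9854B-4C80-416D-ACCE-C8511D2CDD8D} - System32\Tasks\renew1 => C:\Program Files\fix.vbs [2015-04-20] ()",
    r"Task: {061BCB7A-73C8-43F9-B73E-8EA168E22D66} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION",
    r"Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-07-15] (Adobe Systems Incorporated)",
    r"Task: {00000000-0000-0000-0000-000000000002} - System32\Tasks\Updater => C:\Users\Public\upd.exe [2016-07-01] ()",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:13} {f.name:45} -> {f.target}")
```

Run it against a real FRST.txt by passing the file contents to `triage()`; a "script" hit like the renew1 task above is the kind of entry worth checking before the fixlist is written.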

#3 9001M

9001M
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 27 July 2016 - 08:04 PM

First off, let me apologize for being so slow to respond - Outlook had moved your email into the Clutter folder and I just discovered it there.  DOH!

I really appreciate how fast you responded to my request for help!!

I ran the FRST Fixlog you posted, rebooted the system and renamed that fix.vbs file to fix.vbs.old.

The system has been running for about an hour following the fix and I have yet to see the Pick an app window pop up and I haven't seen any error messages regarding that .vbs file.  I also created a couple of files with unknown extensions and the Pick an app window pops up and operates like it should.

YAY!  I think we have this one licked!!

Thank you SO much for your help with this!

Here's the Fixlog:

--------------------------

Fix result of Farbar Recovery Scan Tool (x64) Version: 27-07-2016
Ran by Michael Wecksler (2016-07-27 17:21:01) Run:1
Running from C:\Users\Michael Wecksler\Desktop
Loaded Profiles: Michael & Michael Wecksler (Available Profiles: Michael & Michael Wecksler)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  No
File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-3168003271-666603217-98645872-1004] ATTENTION => Default URLSearchHook is missing
Toolbar: HKU\S-1-5-21-3168003271-666603217-98645872-1001 -> No Name - {71576546-354D-41C9-AAE8-31F2EC22BF0D} -  No File
S2 InstallerService; "C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe" [X]
S4 LMIRfsClientNP; no ImagePath
Task: {061BCB7A-73C8-43F9-B73E-8EA168E22D66} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {30399B06-2E3A-4DAB-BBB8-2A39AD323626} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File
<==== ATTENTION
Task: {389285FE-07DF-490C-B1C9-5A459C1984B8} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {6F593DBA-4A0F-4908-8F7E-2C86B7E5E385} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {6FD237A0-65B5-41AE-8F39-9A247D5EEF0B} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {7CC51368-3714-4911-9C39-4A55232D43D2} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {B17DC0BA-3C67-4D61-BDA6-E068A537DCA5} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {D574DF43-6541-4FF8-AA26-8E9FC08C9608} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {DFB13FF2-49C1-414F-AF91-A82D9A0C7B4C} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {EFD0D507-C57D-48C7-81BE-A4CA8123B747} -
\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {FE0A7812-1DC8-4F4C-9B58-C4ACF369869A} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION

End

*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1" => key removed successfully
HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2" => key removed successfully
HKCR\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3" => key removed successfully
HKCR\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4" => key removed successfully
HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5" => key removed successfully
HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1" => key removed successfully
HKCR\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2" => key removed successfully
HKCR\Wow6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} => key not found.
File => Error: No automatic fix found for this entry.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3" => key removed successfully
HKCR\Wow6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} => key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4" => key removed successfully
HKCR\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5" => key removed successfully
HKCR\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
Could not restore Default URLSearchHook.
HKU\S-1-5-21-3168003271-666603217-98645872-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{71576546-354D-41C9-AAE8-31F2EC22BF0D} => value removed successfully
HKCR\CLSID\{71576546-354D-41C9-AAE8-31F2EC22BF0D} => key not found.
InstallerService => service removed successfully
LMIRfsClientNP => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{061BCB7A-73C8-43F9-B73E-8EA168E22D66}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{061BCB7A-73C8-43F9-B73E-8EA168E22D66}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{30399B06-2E3A-4DAB-BBB8-2A39AD323626}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{30399B06-2E3A-4DAB-BBB8-2A39AD323626}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" => key removed successfully
<==== ATTENTION => Error: No automatic fix found for this entry.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{389285FE-07DF-490C-B1C9-5A459C1984B8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{389285FE-07DF-490C-B1C9-5A459C1984B8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6F593DBA-4A0F-4908-8F7E-2C86B7E5E385}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6F593DBA-4A0F-4908-8F7E-2C86B7E5E385}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6FD237A0-65B5-41AE-8F39-9A247D5EEF0B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6FD237A0-65B5-41AE-8F39-9A247D5EEF0B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7CC51368-3714-4911-9C39-4A55232D43D2}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7CC51368-3714-4911-9C39-4A55232D43D2}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{B17DC0BA-3C67-4D61-BDA6-E068A537DCA5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B17DC0BA-3C67-4D61-BDA6-E068A537DCA5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D574DF43-6541-4FF8-AA26-8E9FC08C9608}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D574DF43-6541-4FF8-AA26-8E9FC08C9608}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DFB13FF2-49C1-414F-AF91-A82D9A0C7B4C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DFB13FF2-49C1-414F-AF91-A82D9A0C7B4C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\Task: {EFD0D507-C57D-48C7-81BE-A4CA8123B747} - => key not found.
\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION => Error: No automatic fix found for this entry.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FE0A7812-1DC8-4F4C-9B58-C4ACF369869A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FE0A7812-1DC8-4F4C-9B58-C4ACF369869A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" => key removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 354040 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 4497951 B
Java, Flash, Steam htmlcache => 492 B
Windows/system/drivers => 264734822 B
Edge => 0 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 0 B
Michael => 958015 B
Michael Wecksler => 21756 B

RecycleBin => 0 B
EmptyTemp: => 258 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 17:21:25 ====



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:15 PM

Posted 28 July 2016 - 07:45 AM

Rename the fix.vbs.old back to Fix.vbs.

Run this fix to stop the task and delete the file.
===


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.

start


CreateRestorePoint:
CloseProcesses:

Task: {73D9854B-4C80-416D-ACCE-C8511D2CDD8D} - System32\Tasks\renew1 => C:\Program Files\fix.vbs [2015-04-20] ()
C:\Program Files\fix.vbs

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#5 9001M

9001M
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 28 July 2016 - 12:30 PM

Done!

The system continues to run trouble-free - no more random Pick an app pop-ups.

Here's the Fixlog:

-----------------------

Fix result of Farbar Recovery Scan Tool (x64) Version: 27-07-2016
Ran by Michael (2016-07-28 10:20:56) Run:2
Running from C:\Users\Michael\Desktop
Loaded Profiles: Michael (Available Profiles: Michael & Michael Wecksler)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
CloseProcesses:

Task: {73D9854B-4C80-416D-ACCE-C8511D2CDD8D} - System32\Tasks\renew1 => C:\Program Files\fix.vbs [2015-04-20] ()
C:\Program Files\fix.vbs

End

*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{73D9854B-4C80-416D-ACCE-C8511D2CDD8D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{73D9854B-4C80-416D-ACCE-C8511D2CDD8D}" => key removed successfully
C:\WINDOWS\System32\Tasks\renew1 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\renew1" => key removed successfully
C:\Program Files\fix.vbs => moved successfully

The system needed a reboot.

==== End of Fixlog 10:20:58 ====



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:15 PM

Posted 29 July 2016 - 07:20 AM

Glad we could help.

#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:15 PM

Posted 04 August 2016 - 10:15 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



