
Redirects, Windows Diagnostics = (virus-alert-e1ed3.onlin)....


This topic is locked
25 replies to this topic

#1 Tiredmaiden


Posted 16 September 2016 - 08:35 PM

Over the past few weeks, but more so today, I have noticed a number of odd behaviors. First, at times very high CPU and memory usage. Then one day my attention was brought back to the monitor when the tab I had open went blank (white) and I noticed the address bar had changed to an odd address; this has now happened three times and, per browser history, the addresses were ohhucuimdu.org, owohzsuperstroy.org, and on 9/15/16, right after logging in to Yahoo mail, roohnanokarno.org. I should note that when I first turned on the PC today, the homepage opened normally in a tab, but when I went to open a second tab, it opened with "This page cannot be displayed." I clicked on "Fix Connection Problems" with no result, and did so one more time. The second time I found "Windows Network Diagnostics" Problems Found: "Your computer appears to be correctly configured but the device or resource (virus-alert-e1ed3.online) is not responding." All of this is very strange, as I do not click on ads, I block pop-ups, I do not click links in emails, and I scan sites that I have not visited before. I tried running a MBAM scan last night, which after an hour or more was "Not Responding." In fact, there have been some hangs and IE has been "Not Responding" lately.

I am the main user of the PC; however, two other users (who generally don't have permission unless I say so) had used the PC within the past few weeks. The other problem encountered today: I went to the photobucket.com site, and am not sure if I even got as far as logging in, when the page suddenly had the "scam-like" warnings, with a loud audible beeping, and there was mention that my IP address or PC potentially had a virus, and of course there was a telephone number it advised me to call (which I knew was a scam), so I went to Task Manager to close everything. When I opened IE to come to BleepingComputer, I looked at the browser history, and thought two entries were not sites visited today. They were "security-e7n0i" (security-e7n0i.pw) and "zh1.india-zed" (zh1.india-zed.com). I am not sure if there is any relevance to what was in the history or not. All of these mentioned just seemed out of place and suspicious: the three ".org"s and especially today's "security-e7n0i", because I have never seen anything with a ".pw" before.

 

Here are the results of the FRST scan:

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 16-09-2016
Ran by C (ATTENTION: The user is not administrator) on UPSTAIRS2015 (16-09-2016 20:09:34)
Running from C:\Users\C\Desktop
Loaded Profiles: C & maide_000 & vette_000 (Available Profiles: C & maide_000 & vette_000)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> wininit.exe
Failed to access process -> services.exe
Failed to access process -> lsass.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> igfxCUIService.exe
Failed to access process -> svchost.exe
Failed to access process -> RtkAudioService64.exe
Failed to access process -> svchost.exe
Failed to access process -> spoolsv.exe
Failed to access process -> svchost.exe
Failed to access process -> SASCore64.exe
Failed to access process -> AERTSr64.exe
Failed to access process -> AdminService.exe
Failed to access process -> svchost.exe
Failed to access process -> dasHost.exe
Failed to access process -> escsvc64.exe
Failed to access process -> E_S60RPB.EXE
Failed to access process -> HeciServer.exe
Failed to access process -> svchost.exe
Failed to access process -> MsMpEng.exe
Failed to access process -> PocketCloudService.exe
Failed to access process -> WyseRemoteAccess.exe
Failed to access process -> NisSrv.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> dllhost.exe
Failed to access process -> DCCService.exe
Failed to access process -> DeliveryService.exe
Failed to access process -> DellUpService.exe
Failed to access process -> IAStorDataMgrSvc.exe
Failed to access process -> jhi_service.exe
Failed to access process -> LMS.exe
Failed to access process -> RichVideo.exe
Failed to access process -> SftService.exe
Failed to access process -> SearchIndexer.exe
Failed to access process -> wmpnetwk.exe
Failed to access process -> PresentationFontCache.exe
Failed to access process -> WmiPrvSE.exe
Failed to access process -> MpCmdRun.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> dwm.exe
Failed to access process -> RAVBg64.exe
Failed to access process -> RAVBg64.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Qualcomm®Atheros®) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe
() C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\ActivateDesktop.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
(EnTech Taiwan) C:\Program Files (x86)\Dell\Dell Display Manager\ddm.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpTray.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.Reader_6.4.9926.18471_x64__8wekyb3d8bbwe\glcnd.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
Failed to access process -> svchost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-07] (Intel Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7666392 2014-12-11] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1391472 2014-12-11] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_PushButton] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1391472 2014-12-11] (Realtek Semiconductor)
HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [392592 2015-03-31] ()
HKLM\...\Run: [HotKeysCmds] => "C:\Windows\system32\hkcmd.exe"
HKLM\...\Run: [Persistence] => "C:\Windows\system32\igfxpers.exe"
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [1064512 2013-11-08] (SEIKO EPSON CORPORATION)
HKLM-x32\...\RunOnce: [DeleteOnReboot] => C:\Users\MAIDE_~1\AppData\Local\Temp\DeleteOnReboot.bat <===== ATTENTION
Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe [132736 2013-09-05] (Qualcomm®Atheros®)
HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\Run: [EPLTarget\P0000000000000000] => C:\Windows\system32\spool\DRIVERS\x64\3\E_YATINOE.EXE [298560 2013-12-16] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7943072 2016-09-05] (SUPERAntiSpyware)
HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\MountPoints2: {8ad259cb-e203-11e4-8264-90489a5b58fa} - "D:\LaunchU3.exe" -a
HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\MountPoints2: {da155eb9-ec70-11e5-8282-f8bc129619e2} - "D:\imageviewer.exe"
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\Windows\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\Windows\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Dell Display Manager.lnk [2016-06-09]
ShortcutTarget: Dell Display Manager.lnk -> C:\Program Files (x86)\Dell\Dell Display Manager\ddm.exe (EnTech Taiwan)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ImageBrowser EX Agent.lnk [2015-06-09]
ShortcutTarget: ImageBrowser EX Agent.lnk -> C:\Program Files (x86)\Canon\ImageBrowser EX\MFManager.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{1C5A01EE-7A62-40D4-A80B-8FBEE1AD47E8}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{2BCE2F20-9ECB-42A2-87A9-1558679AF5D5}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{8C9ADFC0-0B48-483F-8E65-BC8763B6B8B0}: [DhcpNameServer] 192.168.44.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3412248325-257921828-2620446140-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://msn.com/
URLSearchHook: [S-1-5-21-3412248325-257921828-2620446140-1003] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-21-3412248325-257921828-2620446140-1003_classes] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-21-3412248325-257921828-2620446140-1006] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-21-3412248325-257921828-2620446140-1006_classes] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3412248325-257921828-2620446140-1001 -> DefaultScope {61E6EFAD-C865-47BF-8B4D-C7589B127CDF} URL =
SearchScopes: HKU\S-1-5-21-3412248325-257921828-2620446140-1001 -> {551742F3-6A9B-481A-8713-310CF36899D5} URL = hxxps://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
SearchScopes: HKU\S-1-5-21-3412248325-257921828-2620446140-1001 -> {61E6EFAD-C865-47BF-8B4D-C7589B127CDF} URL =

FireFox:
========
FF ProfilePath: C:\Users\C\AppData\Roaming\Mozilla\Firefox\Profiles\2y7vNO6B.default
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50709.0\npctrl.dll [2016-07-11] ( Microsoft Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-12-09] (Intel Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50709.0\npctrl.dll [2016-07-11] ( Microsoft Corporation)
FF Plugin HKU\S-1-5-21-3412248325-257921828-2620446140-1001: @emusic.com/eMusicPlugin DLM6 -> C:\Program Files (x86)\eMusic Download Manager 6\npEMusic604.dll [No File]
FF Extension: (Avira Browser Safety) - C:\Users\C\AppData\Roaming\Mozilla\Firefox\Profiles\2y7vNO6B.default\Extensions\abs@avira.com.xpi [2016-03-09]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 AtherosSvc; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe [312448 2013-09-05] (Windows ® Win 7 DDK provider) [File not signed]
R2 Dell Customer Connect; C:\Program Files (x86)\Dell Customer Connect\DCCService.exe [137968 2015-09-22] (Dell Inc.)
S3 DellProdRegManager; C:\Program Files (x86)\Dell Product Registration\regmgrsvc.exe [293440 2014-04-01] (Aviata, Inc.)
R2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [237272 2015-08-27] (Dell Inc.)
R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [144560 2012-05-17] (Seiko Epson Corporation)
R2 EPSON_PM_RPCV4_06; C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S60RPB.EXE [152640 2013-04-15] (SEIKO EPSON CORPORATION)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-07] (Intel Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [344976 2015-03-31] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; c:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; c:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-12-09] (Intel Corporation)
R2 lmhosts; C:\Windows\system32\svchost.exe [38792 2014-10-29] (Microsoft Corporation)
R2 lmhosts; C:\Windows\SysWOW64\svchost.exe [33088 2014-10-28] (Microsoft Corporation)
R2 NlaSvc; C:\Windows\System32\svchost.exe [38792 2014-10-29] (Microsoft Corporation)
R2 NlaSvc; C:\Windows\SysWOW64\svchost.exe [33088 2014-10-28] (Microsoft Corporation)
R2 nsi; C:\Windows\system32\svchost.exe [38792 2014-10-29] (Microsoft Corporation)
R2 nsi; C:\Windows\SysWOW64\svchost.exe [33088 2014-10-28] (Microsoft Corporation)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [253776 2013-07-30] (CyberLink)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [292568 2014-12-11] (Realtek Semiconductor)
R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe [1915920 2014-04-04] (SoftThinks SAS)
S3 vmicvss; C:\Windows\System32\ICSvc.dll [524800 2014-10-28] (Microsoft Corporation)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
R2 WysePocketCloud; C:\Program Files (x86)\Wyse\PocketCloud\PocketCloudService.exe [16176 2013-08-22] ()
R2 WyseRemoteAccess; C:\Program Files (x86)\Wyse\PocketCloud\WyseRemoteAccess.exe [1785344 2013-08-19] (DELL Inc.) [File not signed]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3859968 2013-08-16] (Qualcomm Atheros Communications, Inc.)
R3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2013-09-05] (Qualcomm Atheros)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91712 2013-03-05] (CyberLink)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-08-26] (Malwarebytes)
R3 MEIx64; C:\Windows\System32\drivers\TeeDriverx64.sys [100312 2013-12-09] (Intel Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
S3 cleanhlp; \??\C:\EEK\bin\cleanhlp64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-09-16 20:09 - 2016-09-16 20:09 - 00014858 _____ C:\Users\C\Desktop\FRST.txt
2016-09-16 20:08 - 2016-09-16 20:09 - 00000000 ____D C:\FRST
2016-09-16 20:07 - 2016-09-16 20:07 - 02399232 _____ (Farbar) C:\Users\C\Desktop\FRST64.exe
2016-09-16 13:26 - 2016-09-16 13:26 - 00000000 ___RD C:\Users\C\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices
2016-09-16 11:21 - 2016-09-16 11:21 - 00000133 _____ C:\Users\C\Documents\virus.txt
2016-09-15 14:12 - 2016-09-15 14:12 - 00000235 _____ C:\Users\C\Desktop\Amazon to hire 500 for second Lehigh Valley warehouse - The Morning Call.url
2016-09-15 00:27 - 2016-09-15 00:27 - 00000404 _____ C:\Users\C\Desktop\10 Cheap, Effective Ways to Pest-Proof Your Home.url
2016-09-13 17:48 - 2016-08-20 19:45 - 07076864 _____ (Microsoft Corporation) C:\Windows\system32\glcndFilter.dll
2016-09-13 17:48 - 2016-08-20 19:27 - 01445376 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-09-13 17:48 - 2016-08-20 19:22 - 00435200 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2016-09-13 17:48 - 2016-08-20 19:05 - 05273600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\glcndFilter.dll
2016-09-13 17:48 - 2016-08-20 18:50 - 00360448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2016-09-13 17:48 - 2016-08-20 18:42 - 07795712 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Data.Pdf.dll
2016-09-13 17:48 - 2016-08-20 18:27 - 05268480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Data.Pdf.dll
2016-09-13 17:48 - 2016-08-09 18:47 - 00803176 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2016-09-13 17:48 - 2016-08-09 18:47 - 00611576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2016-09-13 17:48 - 2016-08-04 10:17 - 00416768 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys
2016-09-13 17:48 - 2016-08-03 14:06 - 00675328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv2.sys
2016-09-13 17:48 - 2016-08-03 14:05 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srvnet.sys
2016-09-13 17:48 - 2016-06-10 23:44 - 00107984 _____ (Microsoft Corporation) C:\Windows\system32\ncryptsslp.dll
2016-09-13 17:48 - 2016-06-10 23:44 - 00091416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncryptsslp.dll
2016-09-13 17:47 - 2016-09-08 17:51 - 00443224 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2016-09-13 17:47 - 2016-09-08 17:51 - 00332632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2016-09-13 17:47 - 2016-08-31 23:08 - 20312064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-09-13 17:47 - 2016-08-31 22:46 - 00498688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-09-13 17:47 - 2016-08-31 22:24 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2016-09-13 17:47 - 2016-08-31 21:39 - 00880128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2016-09-13 17:47 - 2016-08-31 21:30 - 00692736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-09-13 17:47 - 2016-08-31 21:27 - 13808128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-09-13 17:47 - 2016-08-31 21:24 - 04607488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-09-13 17:47 - 2016-08-31 20:45 - 25770496 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-09-13 17:47 - 2016-08-31 20:43 - 02445824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-09-13 17:47 - 2016-08-31 20:42 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2016-09-13 17:47 - 2016-08-31 20:38 - 01316352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-09-13 17:47 - 2016-08-31 20:24 - 00576000 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-09-13 17:47 - 2016-08-31 20:10 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-09-13 17:47 - 2016-08-31 20:06 - 06047232 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-09-13 17:47 - 2016-08-31 19:38 - 01032704 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2016-09-13 17:47 - 2016-08-31 19:28 - 00806400 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-09-13 17:47 - 2016-08-31 19:15 - 15411712 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-09-13 17:47 - 2016-08-31 19:10 - 02921472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-09-13 17:47 - 2016-08-31 18:58 - 01550848 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-09-13 17:47 - 2016-08-31 18:47 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-09-13 17:47 - 2016-08-26 01:51 - 02894336 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-09-13 17:47 - 2016-08-26 00:44 - 02286592 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-09-13 17:47 - 2016-08-26 00:41 - 02881536 _____ (Microsoft Corporation) C:\Windows\system32\actxprxy.dll
2016-09-13 17:47 - 2016-08-26 00:00 - 01049600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\actxprxy.dll
2016-09-13 17:47 - 2016-08-22 12:06 - 00179248 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2016-09-13 17:47 - 2016-08-22 12:06 - 00100184 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2016-09-13 17:47 - 2016-08-20 21:03 - 00201728 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2016-09-13 17:47 - 2016-08-20 21:01 - 00401408 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2016-09-13 17:47 - 2016-08-20 21:01 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2016-09-13 17:47 - 2016-08-20 20:17 - 00445440 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2016-09-13 17:47 - 2016-08-20 19:26 - 00324096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2016-09-13 17:47 - 2016-08-20 18:55 - 00104960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2016-09-13 17:47 - 2016-08-14 15:34 - 01541248 _____ (Microsoft Corporation) C:\Windows\system32\user32.dll
2016-09-13 17:47 - 2016-08-14 14:25 - 04171264 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-09-13 17:47 - 2016-08-14 12:14 - 01376768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user32.dll
2016-09-13 17:47 - 2016-08-13 03:41 - 07445848 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-09-13 17:47 - 2016-08-13 03:40 - 01737080 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2016-09-13 17:47 - 2016-08-13 03:40 - 01663184 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2016-09-13 17:47 - 2016-08-13 03:40 - 01523208 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2016-09-13 17:47 - 2016-08-13 03:40 - 01490120 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2016-09-13 17:47 - 2016-08-13 03:40 - 01358952 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2016-09-13 17:47 - 2016-08-12 20:04 - 00059392 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2016-09-13 17:47 - 2016-08-11 12:26 - 01156608 _____ (Microsoft Corporation) C:\Windows\system32\wwanmm.dll
2016-09-13 17:47 - 2016-08-11 12:17 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\pnidui.dll
2016-09-13 17:47 - 2016-08-11 12:16 - 00455680 _____ (Microsoft Corporation) C:\Windows\system32\wwanconn.dll
2016-09-11 21:31 - 2016-09-11 21:31 - 00094593 _____ C:\Users\C\Downloads\Document 2.pdf
2016-09-10 21:53 - 2016-09-10 22:01 - 00000000 ____D C:\AdwCleaner
2016-09-08 22:29 - 2016-09-08 22:29 - 00000222 _____ C:\Users\C\Desktop\NoiseQuest Noise Effects.url
2016-09-06 21:12 - 2016-09-06 21:12 - 00000199 _____ C:\Users\C\Desktop\Whitehall Township - Lehigh County, Pennsylvania.url
2016-09-05 19:59 - 2016-09-10 17:37 - 00000000 ____D C:\Program Files (x86)\Trend Micro
2016-09-05 19:43 - 2016-09-05 19:43 - 00000000 ____D C:\Windows\Trend Micro
2016-09-05 19:43 - 2016-09-05 19:43 - 00000000 ____D C:\ProgramData\Trend Micro
2016-09-05 19:40 - 2015-12-24 09:03 - 00316168 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmcomm.sys
2016-08-23 12:50 - 2016-08-23 12:50 - 00000280 _____ C:\Users\C\Desktop\Amazon opening new Lehigh Valley facility, creating over 500 new jobs - Lehigh Valley, PA.url
2016-08-22 18:31 - 2016-08-22 18:32 - 156367864 _____ C:\Users\C\Downloads\MVI_1033.MOV
2016-08-22 14:21 - 2016-08-22 14:21 - 02698925 _____ C:\Users\C\Documents\Part-150-Community-Advisory-Committee-Mtg-1.28.15.pdf
2016-08-21 02:40 - 2016-08-21 02:40 - 00000284 _____ C:\Users\C\Desktop\How to clean the Windows 10 crapware off your Windows 7 or 8.1 PC  InfoWorld.url

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-09-16 19:14 - 2016-05-26 18:14 - 00000945 _____ C:\Windows\Tasks\EPSON XP-620 Series Update {F1AD9835-296F-4BFF-B861-A84484581C9F}.job
2016-09-16 17:47 - 2016-06-06 15:11 - 00042496 ___SH C:\Users\C\Downloads\Thumbs.db
2016-09-16 13:14 - 2013-08-22 11:36 - 00000000 ____D C:\Windows\rescache
2016-09-16 11:39 - 2013-08-22 11:36 - 00000000 ____D C:\Windows\system32\NDF
2016-09-16 11:15 - 2015-01-16 12:07 - 00000000 ___DO C:\Users\C\OneDrive
2016-09-16 11:14 - 2015-04-04 20:43 - 00000000 __SHD C:\Users\C\IntelGraphicsProfiles
2016-09-16 02:34 - 2015-04-08 17:34 - 00000000 ____D C:\Users\C\AppData\Local\CrashDumps
2016-09-16 01:55 - 2013-08-22 09:36 - 00000000 ____D C:\Windows\Inf
2016-09-15 13:17 - 2013-08-22 11:36 - 00000000 ____D C:\Windows\AppReadiness
2016-09-14 13:50 - 2013-08-22 11:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-09-13 23:40 - 2014-06-25 13:57 - 00000000 ____D C:\Program Files (x86)\Dell Backup and Recovery
2016-09-13 23:37 - 2013-08-22 10:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-09-13 23:37 - 2013-08-22 10:44 - 00346744 _____ C:\Windows\system32\FNTCACHE.DAT
2016-09-13 23:35 - 2015-06-08 08:50 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2016-09-13 23:35 - 2015-06-08 08:50 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2016-09-13 18:32 - 2013-08-22 11:20 - 00000000 ____D C:\Windows\CbsTemp
2016-09-13 18:30 - 2016-07-19 22:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2016-09-13 18:28 - 2015-01-16 13:23 - 00000000 ____D C:\Windows\system32\MRT
2016-09-13 18:25 - 2015-01-16 13:23 - 144199024 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-09-10 22:00 - 2014-06-25 13:54 - 00000000 ____D C:\Program Files (x86)\Amazon
2016-09-10 20:38 - 2015-01-16 11:59 - 00000000 ____D C:\Users\C\AppData\Local\Packages
2016-09-10 17:37 - 2015-05-29 20:57 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2016-09-06 21:11 - 2015-01-16 14:29 - 00828408 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-09-06 21:11 - 2015-01-16 14:29 - 00176632 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-09-05 18:58 - 2015-06-06 20:45 - 00000000 ___DO C:\Users\maide_000\OneDrive
2016-09-05 18:58 - 2015-06-06 20:42 - 00000000 __SHD C:\Users\maide_000\IntelGraphicsProfiles
2016-08-29 20:28 - 2015-06-12 20:10 - 00000000 __SHD C:\Users\vette_000\IntelGraphicsProfiles
2016-08-29 20:28 - 2015-02-01 17:03 - 00000000 ___RD C:\Users\vette_000\OneDrive
2016-08-29 18:57 - 2015-02-01 16:57 - 00000000 ____D C:\Users\vette_000
2016-08-26 18:18 - 2015-08-26 17:37 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-08-26 18:14 - 2015-08-26 17:36 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys

==================== Files in the root of some directories =======

2015-07-25 21:51 - 2015-12-11 19:28 - 0005632 _____ () C:\Users\C\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-09-17 21:35 - 2015-09-17 21:35 - 0000017 _____ () C:\Users\C\AppData\Local\resmon.resmoncfg
2014-06-25 13:52 - 2014-06-25 13:52 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2016-06-27 15:00 - 2016-06-27 15:00 - 0001100 _____ () C:\ProgramData\ResPntListUNI.txt
2014-06-25 13:46 - 2014-06-25 13:46 - 0000121 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log
2014-06-25 13:42 - 2014-06-25 13:43 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log
2014-06-25 13:43 - 2014-06-25 13:44 - 0000111 _____ () C:\ProgramData\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}.log
2014-06-25 13:44 - 2014-06-25 13:46 - 0000108 _____ () C:\ProgramData\{B46BEA36-0B71-4A4E-AE41-87241643FA0A}.log
2014-06-25 13:42 - 2014-06-25 13:42 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

ATTENTION: ==> Could not access BCD. The user is not administrator

==================== End of FRST.txt ============================
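The FRST log above is plain text, and the entries an analyst checks first can be pulled out mechanically: FRST's own ATTENTION markers (the header line noting the tool was not run as administrator, the RunOnce entry pointing into AppData\Local\Temp, the Internet Explorer policy restriction, the missing URLSearchHook defaults), service or plugin files FRST reports as unsigned or missing, and the long block of "Failed to access process" lines that a non-elevated run produces. The script below is an added example for this thread, not part of the original post and not FRST's own code; its flagging rules are this editor's triage heuristics, and SAMPLE_LOG is a constructed excerpt assembled from lines of the posted log.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) text logs.

Added example, not FRST's code. FRST writes plain text with section
headers such as "==================== Registry (Whitelisted) ===...".
The flagging rules below are this example's own heuristics; SAMPLE_LOG
is a constructed excerpt assembled from lines of the posted log.
"""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^=+ (.+?) =+\s*$")

# Locations an unprivileged user can write to; an autorun or service
# binary living here is unusual for a vendor component.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|AppData\\Local|Temp|Users\\Public)\\",
    re.IGNORECASE,
)

# Markers FRST itself appends to a line.
MARKERS = (
    ("ATTENTION", re.compile(r"ATTENTION")),
    ("file not signed", re.compile(r"\[File not signed\]")),
    ("file missing", re.compile(r"\[No File\]|\[X\]$")),
)

# Constructed excerpt: lines copied from the posted log, sections abridged.
SAMPLE_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 16-09-2016
Ran by C (ATTENTION: The user is not administrator) on UPSTAIRS2015 (16-09-2016 20:09:34)

==================== Processes (Whitelisted) =================

Failed to access process -> smss.exe
Failed to access process -> lsass.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
() C:\Windows\System32\igfxTray.exe

==================== Registry (Whitelisted) ===========================

HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-07] (Intel Corporation)
HKLM-x32\...\RunOnce: [DeleteOnReboot] => C:\Users\MAIDE_~1\AppData\Local\Temp\DeleteOnReboot.bat <===== ATTENTION

==================== Internet (Whitelisted) ====================

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-3412248325-257921828-2620446140-1003] ATTENTION => Default URLSearchHook is missing
FF Plugin HKU\S-1-5-21-3412248325-257921828-2620446140-1001: @emusic.com/eMusicPlugin DLM6 -> C:\Program Files (x86)\eMusic Download Manager 6\npEMusic604.dll [No File]

==================== Services (Whitelisted) ========================

R2 AtherosSvc; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe [312448 2013-09-05] (Windows ® Win 7 DDK provider) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

S3 cleanhlp; \??\C:\EEK\bin\cleanhlp64.sys [X]

==================== Bamital & volsnap =================

C:\Windows\system32\winlogon.exe => File is digitally signed

ATTENTION: ==> Could not access BCD. The user is not administrator

==================== End of FRST.txt ============================
"""


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def triage(log_text):
    """Return one Finding per suspicious line, tagged with the FRST section it came from."""
    findings = []
    section = "(header)"
    for raw in log_text.splitlines():
        line = raw.rstrip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).strip()
            continue
        if not line:
            continue
        reasons = [name for name, rx in MARKERS if rx.search(line)]
        # Run/RunOnce keys and services are the persistence points; flag user-writable targets.
        if section.startswith(("Registry", "Services")) and USER_WRITABLE_RE.search(line):
            reasons.append("autorun from user-writable path")
        # FRST prints the signer in parentheses; "()" means it found no publisher.
        if section.startswith("Processes") and line.startswith("() "):
            reasons.append("no publisher")
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


def ran_as_admin(log_text):
    """FRST records a non-elevated run in its header line."""
    return "The user is not administrator" not in log_text


def inaccessible_process_count(log_text):
    """'Failed to access process' lines; expected for SYSTEM processes on a non-elevated run."""
    return sum(1 for l in log_text.splitlines() if l.startswith("Failed to access process"))


if __name__ == "__main__":
    print("elevated run:", ran_as_admin(SAMPLE_LOG),
          "| processes FRST could not open:", inaccessible_process_count(SAMPLE_LOG))
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {', '.join(f.reasons)}: {f.line}")
```

A hit is a pointer, not a verdict: the unsigned Bluetooth-suite service and the tray executable with an empty publisher field are consistent with the Dell and Intel driver packages listed elsewhere in the log, and the `[X]` on cleanhlp marks a driver entry whose file under C:\EEK is no longer present. The `ran_as_admin` result is the reading of the "Failed to access process" block: FRST run without elevation cannot open SYSTEM processes, so those lines describe the scan's privileges, not the machine's state, which is why the tool is normally run from an administrator account.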

 



#2 Tiredmaiden

  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Eastern USA
  • Local time:09:17 AM

Posted 17 September 2016 - 12:53 PM

In addition to the problems mentioned in my original post, I noticed & thought about something.  In the FRST.txt, could I have done something wrong to cause all of the "Failed to access process" entries?  I ask because I look at other posts with the logs and I haven't seen anyone whose log begins like mine. Although I ran the FRST tool under my normal user (I am the Admin, but I had read for years that it is better to use a non-admin account for safety reasons.)  When I ran the tool, Windows did ask for 'permission' to make changes as Admin, to which I entered my password, as is the case whenever there is a change or something which I wish the system to do. 

 

I guess my question is, should I have switched users prior to running the tool, and logged in as the Admin?  If so, should I now start over and run the tool and get new logs while logged in to my Admin account?  This aspect is confusing to me.  I would have thought that there would have been some type of prompt.  It is highly likely that I may have misread the directions...I have ADD & tend to miss sentences, but I think I was distracted & worried about what (if anything) may be causing the 'odd' behaviours. I am using a different device to post this as I am clueless as to whether it is safe to do anything on the PC without any guidance. 

 

If someone could let me know if I need to run the tool over, and create a new post, I would be grateful for direction. TY



#3 Jo*

  • Malware Response Team

Posted 18 September 2016 - 07:37 AM

Welcome to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save the instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification, if you have any questions.
  • Stay with this topic until you get the all clean post.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


I guess my question is, should I have switched users prior to running the tool, and logged in as the Admin? If so, should I now start over and run the tool and get new logs while logged in to my Admin account.


YES please log in as Admin and then:

FRST / FRST64: run it again.
  • Right-click FRST / FRST64 then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Put a check into the box next to Addition.txt and press the Scan button.
  • When finished, it will produce logs called FRST.txt and Addition.txt in the same directory the tool was run from.
  • Please copy and paste both logs in your next reply.

***


Step 1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


Step 2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
With some infections, you may see two messages boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Step 3: Please download AdwCleaner by Xplode and save to your Desktop.
  • Double-click AdwCleaner.exe
    Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
    The actual line should say "Pending. Please uncheck elements you do not want to remove" => scan is complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.
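The two points Jo's reply turns on are that the scan has to run elevated (the first log ends with "Could not access BCD. The user is not administrator") and that FRST verifies the Authenticode signatures of a fixed set of core Windows binaries (the "Bamital & volsnap" section). The PowerShell script below is an example added to this page; it is not part of the thread and is not Farbar's or Malwarebytes' tooling. It checks whether the current session is elevated and then runs the same signature verification over the same file list as the log, using only built-in cmdlets. It assumes Windows 8.1 or later with PowerShell 4 or newer; the file paths are copied from the log above and resolved relative to `%SystemRoot%`.

```powershell
# Added example (not from the thread, FRST or Malwarebytes): reproduce two checks
# that appear in the FRST.txt posted above - whether the session is elevated, and
# whether the critical system binaries FRST lists under "Bamital & volsnap" carry
# valid Authenticode signatures. Windows only; run from an elevated PowerShell prompt.

# 1. Elevation check. FRST reported "Could not access BCD. The user is not
#    administrator" because the scan ran with a non-elevated token.
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 2. The same file list FRST verifies (paths copied from the log above).
$criticalFiles = @(
    "$env:SystemRoot\system32\winlogon.exe",
    "$env:SystemRoot\system32\wininit.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\SysWOW64\explorer.exe",
    "$env:SystemRoot\system32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe",
    "$env:SystemRoot\system32\services.exe",
    "$env:SystemRoot\system32\User32.dll",
    "$env:SystemRoot\SysWOW64\User32.dll",
    "$env:SystemRoot\system32\userinit.exe",
    "$env:SystemRoot\SysWOW64\userinit.exe",
    "$env:SystemRoot\system32\rpcss.dll",
    "$env:SystemRoot\system32\dnsapi.dll",
    "$env:SystemRoot\SysWOW64\dnsapi.dll",
    "$env:SystemRoot\system32\Drivers\volsnap.sys"
)

# Returns one record per file with the Authenticode status and signer subject.
# Get-AuthenticodeSignature consults the OS signature catalogs on Windows 8+,
# so catalog-signed system files (no embedded signature) still report Valid.
function Get-CriticalFileSignatureReport {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Status = 'Missing'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        # Status is an enum: Valid, NotSigned, HashMismatch, UnknownError, ...
        [pscustomobject]@{
            Path   = $path
            Status = $sig.Status.ToString()
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

if (-not (Test-IsElevated)) {
    Write-Warning 'Not running elevated: protected files and the BCD store may be unreadable, as in the FRST log above.'
}

$report = Get-CriticalFileSignatureReport -Paths $criticalFiles
$report | Format-Table -AutoSize

# Anything other than Valid deserves a closer look: HashMismatch means the file
# on disk no longer matches what Microsoft signed, which is what FRST's
# "(There is no automatic fix for files that do not pass verification.)" refers to.
$suspect = $report | Where-Object { $_.Status -ne 'Valid' }
if ($suspect) {
    Write-Warning 'Files that do not pass verification:'
    $suspect | Format-Table -AutoSize
} else {
    Write-Host 'All listed files pass Authenticode verification.'
}
```

Run it from a prompt opened with "Run as administrator", exactly as Jo asks for FRST; a non-elevated run prints the warning first so the reader can tie it to the BCD line in the log. The verdicts map onto FRST's wording: Valid corresponds to "File is digitally signed", and any other status is the case FRST says it cannot fix automatically. On Windows 7, where catalog lookup by this cmdlet is less complete, catalog-signed files may show NotSigned even when intact, so a NotSigned result there is a prompt to check with another tool rather than proof of tampering.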


#4 Tiredmaiden

  • Topic Starter

Posted 18 September 2016 - 04:22 PM

Thank you Jo.

 

Here are the scan logs you requested:

 

FRST

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17-09-2016
Ran by maide_000 (administrator) on UPSTAIRS2015 (18-09-2016 16:53:47)
Running from C:\Users\C\Desktop
Loaded Profiles: C & maide_000 & vette_000 (Available Profiles: C & maide_000 & vette_000)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Windows ® Win 7 DDK provider) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AdminService.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
(SEIKO EPSON CORPORATION) C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S60RPB.EXE
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
() C:\Program Files (x86)\Wyse\PocketCloud\PocketCloudService.exe
(DELL Inc.) C:\Program Files (x86)\Wyse\PocketCloud\WyseRemoteAccess.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Dell Products, LP.) C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpService.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Dell Inc.) C:\Program Files (x86)\Dell Customer Connect\DCCService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Qualcomm®Atheros®) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe
() C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\ActivateDesktop.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\x64\3\E_YATINOE.EXE
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
(Microsoft Corporation) C:\Windows\System32\WWAHost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
(EnTech Taiwan) C:\Program Files (x86)\Dell\Dell Display Manager\ddm.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\livecomm.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-07] (Intel Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7666392 2014-12-11] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1391472 2014-12-11] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_PushButton] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1391472 2014-12-11] (Realtek Semiconductor)
HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [392592 2015-03-31] ()
HKLM\...\Run: [HotKeysCmds] => "C:\Windows\system32\hkcmd.exe"
HKLM\...\Run: [Persistence] => "C:\Windows\system32\igfxpers.exe"
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [1064512 2013-11-08] (SEIKO EPSON CORPORATION)
Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe [132736 2013-09-05] (Qualcomm®Atheros®)
HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\Run: [EPLTarget\P0000000000000000] => C:\Windows\system32\spool\DRIVERS\x64\3\E_YATINOE.EXE [298560 2013-12-16] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7943072 2016-09-05] (SUPERAntiSpyware)
HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\MountPoints2: {8ad259cb-e203-11e4-8264-90489a5b58fa} - "D:\LaunchU3.exe" -a
HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\MountPoints2: {da155eb9-ec70-11e5-8282-f8bc129619e2} - "D:\imageviewer.exe"
HKU\S-1-5-21-3412248325-257921828-2620446140-1003\...\Run: [EPLTarget\P0000000000000000] => C:\Windows\system32\spool\DRIVERS\x64\3\E_YATINOE.EXE [298560 2013-12-16] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-3412248325-257921828-2620446140-1003\...\Winlogon: [Shell] C:\Windows\EXPLORER.EXE [2501368 2015-01-27] (Microsoft Corporation) <==== ATTENTION
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\Windows\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\Windows\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Dell Display Manager.lnk [2016-06-09]
ShortcutTarget: Dell Display Manager.lnk -> C:\Program Files (x86)\Dell\Dell Display Manager\ddm.exe (EnTech Taiwan)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ImageBrowser EX Agent.lnk [2015-06-09]
ShortcutTarget: ImageBrowser EX Agent.lnk -> C:\Program Files (x86)\Canon\ImageBrowser EX\MFManager.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{1C5A01EE-7A62-40D4-A80B-8FBEE1AD47E8}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{2BCE2F20-9ECB-42A2-87A9-1558679AF5D5}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{8C9ADFC0-0B48-483F-8E65-BC8763B6B8B0}: [DhcpNameServer] 192.168.44.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3412248325-257921828-2620446140-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://msn.com/
HKU\S-1-5-21-3412248325-257921828-2620446140-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://dell13.msn.com/?pc=DCJB
HKU\S-1-5-21-3412248325-257921828-2620446140-1003\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCJB
HKU\S-1-5-21-3412248325-257921828-2620446140-1006\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://dell13.msn.com/?pc=DCJB
HKU\S-1-5-21-3412248325-257921828-2620446140-1006\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCJB
URLSearchHook: [S-1-5-21-3412248325-257921828-2620446140-1006_classes] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3412248325-257921828-2620446140-1001 -> DefaultScope {61E6EFAD-C865-47BF-8B4D-C7589B127CDF} URL =
SearchScopes: HKU\S-1-5-21-3412248325-257921828-2620446140-1001 -> {551742F3-6A9B-481A-8713-310CF36899D5} URL = hxxps://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
SearchScopes: HKU\S-1-5-21-3412248325-257921828-2620446140-1001 -> {61E6EFAD-C865-47BF-8B4D-C7589B127CDF} URL =
SearchScopes: HKU\S-1-5-21-3412248325-257921828-2620446140-1003 -> DefaultScope {61E6EFAD-C865-47BF-8B4D-C7589B127CDF} URL =
SearchScopes: HKU\S-1-5-21-3412248325-257921828-2620446140-1003 -> {61E6EFAD-C865-47BF-8B4D-C7589B127CDF} URL =
SearchScopes: HKU\S-1-5-21-3412248325-257921828-2620446140-1006 -> DefaultScope {61E6EFAD-C865-47BF-8B4D-C7589B127CDF} URL =
SearchScopes: HKU\S-1-5-21-3412248325-257921828-2620446140-1006 -> {61E6EFAD-C865-47BF-8B4D-C7589B127CDF} URL =

FireFox:
========
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50709.0\npctrl.dll [2016-07-11] ( Microsoft Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-12-09] (Intel Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50709.0\npctrl.dll [2016-07-11] ( Microsoft Corporation)
FF Plugin HKU\S-1-5-21-3412248325-257921828-2620446140-1001: @emusic.com/eMusicPlugin DLM6 -> C:\Program Files (x86)\eMusic Download Manager 6\npEMusic604.dll [No File]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 AtherosSvc; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe [312448 2013-09-05] (Windows ® Win 7 DDK provider) [File not signed]
R2 Dell Customer Connect; C:\Program Files (x86)\Dell Customer Connect\DCCService.exe [132472 2016-09-09] (Dell Inc.)
S3 DellProdRegManager; C:\Program Files (x86)\Dell Product Registration\regmgrsvc.exe [293440 2014-04-01] (Aviata, Inc.)
R2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [237272 2015-08-27] (Dell Inc.)
R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [144560 2012-05-17] (Seiko Epson Corporation)
R2 EPSON_PM_RPCV4_06; C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S60RPB.EXE [152640 2013-04-15] (SEIKO EPSON CORPORATION)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-07] (Intel Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [344976 2015-03-31] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; c:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; c:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-12-09] (Intel Corporation)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [253776 2013-07-30] (CyberLink)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [292568 2014-12-11] (Realtek Semiconductor)
R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe [1915920 2014-04-04] (SoftThinks SAS)
S3 vmicvss; C:\Windows\System32\ICSvc.dll [524800 2014-10-28] (Microsoft Corporation)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
R2 WysePocketCloud; C:\Program Files (x86)\Wyse\PocketCloud\PocketCloudService.exe [16176 2013-08-22] ()
R2 WyseRemoteAccess; C:\Program Files (x86)\Wyse\PocketCloud\WyseRemoteAccess.exe [1785344 2013-08-19] (DELL Inc.) [File not signed]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3859968 2013-08-16] (Qualcomm Atheros Communications, Inc.)
R3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2013-09-05] (Qualcomm Atheros)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91712 2013-03-05] (CyberLink)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-08-26] (Malwarebytes)
R3 MEIx64; C:\Windows\System32\drivers\TeeDriverx64.sys [100312 2013-12-09] (Intel Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
S3 cleanhlp; \??\C:\EEK\bin\cleanhlp64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-09-18 16:42 - 2016-09-18 16:53 - 00000000 ____D C:\FRST
2016-09-18 16:42 - 2016-09-18 16:42 - 00000000 ____D C:\Users\C\Desktop\FRST-OlderVersion
2016-09-18 16:41 - 2016-09-18 16:41 - 00000000 ___RD C:\Users\C\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices
2016-09-18 16:36 - 2016-09-18 16:36 - 00047104 ___SH C:\Users\maide_000\Desktop\Thumbs.db
2016-09-18 16:20 - 2016-09-18 16:20 - 00000000 ____D C:\Program Files (x86)\Dell Customer Connect
2016-09-17 00:40 - 2016-09-17 00:40 - 00000199 _____ C:\Users\C\Desktop\Bleeping Computer Technical Support Forums.url
2016-09-16 20:10 - 2016-09-16 20:10 - 00036417 _____ C:\Users\C\Desktop\Addition.txt
2016-09-16 20:09 - 2016-09-18 16:53 - 00015865 _____ C:\Users\C\Desktop\FRST.txt
2016-09-16 20:07 - 2016-09-18 16:42 - 02399232 _____ (Farbar) C:\Users\C\Desktop\FRST64.exe
2016-09-16 11:21 - 2016-09-16 11:21 - 00000133 _____ C:\Users\C\Documents\virus.txt
2016-09-15 22:15 - 2016-09-15 22:15 - 00002072 _____ C:\Users\maide_000\Desktop\Rkill.txt
2016-09-15 14:12 - 2016-09-15 14:12 - 00000235 _____ C:\Users\C\Desktop\Amazon to hire 500 for second Lehigh Valley warehouse - The Morning Call.url
2016-09-15 00:27 - 2016-09-15 00:27 - 00000404 _____ C:\Users\C\Desktop\10 Cheap, Effective Ways to Pest-Proof Your Home.url
2016-09-13 17:48 - 2016-08-20 19:45 - 07076864 _____ (Microsoft Corporation) C:\Windows\system32\glcndFilter.dll
2016-09-13 17:48 - 2016-08-20 19:27 - 01445376 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-09-13 17:48 - 2016-08-20 19:22 - 00435200 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2016-09-13 17:48 - 2016-08-20 19:05 - 05273600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\glcndFilter.dll
2016-09-13 17:48 - 2016-08-20 18:50 - 00360448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2016-09-13 17:48 - 2016-08-20 18:42 - 07795712 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Data.Pdf.dll
2016-09-13 17:48 - 2016-08-20 18:27 - 05268480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Data.Pdf.dll
2016-09-13 17:48 - 2016-08-09 18:47 - 00803176 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2016-09-13 17:48 - 2016-08-09 18:47 - 00611576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2016-09-13 17:48 - 2016-08-04 10:17 - 00416768 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys
2016-09-13 17:48 - 2016-08-03 14:06 - 00675328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv2.sys
2016-09-13 17:48 - 2016-08-03 14:05 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srvnet.sys
2016-09-13 17:48 - 2016-06-10 23:44 - 00107984 _____ (Microsoft Corporation) C:\Windows\system32\ncryptsslp.dll
2016-09-13 17:48 - 2016-06-10 23:44 - 00091416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncryptsslp.dll
2016-09-13 17:47 - 2016-09-08 17:51 - 00443224 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2016-09-13 17:47 - 2016-09-08 17:51 - 00332632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2016-09-13 17:47 - 2016-08-31 23:08 - 20312064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-09-13 17:47 - 2016-08-31 22:46 - 00498688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-09-13 17:47 - 2016-08-31 22:24 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2016-09-13 17:47 - 2016-08-31 21:39 - 00880128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2016-09-13 17:47 - 2016-08-31 21:30 - 00692736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-09-13 17:47 - 2016-08-31 21:27 - 13808128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-09-13 17:47 - 2016-08-31 21:24 - 04607488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-09-13 17:47 - 2016-08-31 20:45 - 25770496 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-09-13 17:47 - 2016-08-31 20:43 - 02445824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-09-13 17:47 - 2016-08-31 20:42 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2016-09-13 17:47 - 2016-08-31 20:38 - 01316352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-09-13 17:47 - 2016-08-31 20:24 - 00576000 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-09-13 17:47 - 2016-08-31 20:10 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-09-13 17:47 - 2016-08-31 20:06 - 06047232 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-09-13 17:47 - 2016-08-31 19:38 - 01032704 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2016-09-13 17:47 - 2016-08-31 19:28 - 00806400 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-09-13 17:47 - 2016-08-31 19:15 - 15411712 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-09-13 17:47 - 2016-08-31 19:10 - 02921472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-09-13 17:47 - 2016-08-31 18:58 - 01550848 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-09-13 17:47 - 2016-08-31 18:47 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-09-13 17:47 - 2016-08-26 01:51 - 02894336 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-09-13 17:47 - 2016-08-26 00:44 - 02286592 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-09-13 17:47 - 2016-08-26 00:41 - 02881536 _____ (Microsoft Corporation) C:\Windows\system32\actxprxy.dll
2016-09-13 17:47 - 2016-08-26 00:00 - 01049600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\actxprxy.dll
2016-09-13 17:47 - 2016-08-22 12:06 - 00179248 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2016-09-13 17:47 - 2016-08-22 12:06 - 00100184 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2016-09-13 17:47 - 2016-08-20 21:03 - 00201728 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2016-09-13 17:47 - 2016-08-20 21:01 - 00401408 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2016-09-13 17:47 - 2016-08-20 21:01 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2016-09-13 17:47 - 2016-08-20 20:17 - 00445440 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2016-09-13 17:47 - 2016-08-20 19:26 - 00324096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2016-09-13 17:47 - 2016-08-20 18:55 - 00104960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2016-09-13 17:47 - 2016-08-14 15:34 - 01541248 _____ (Microsoft Corporation) C:\Windows\system32\user32.dll
2016-09-13 17:47 - 2016-08-14 14:25 - 04171264 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-09-13 17:47 - 2016-08-14 12:14 - 01376768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user32.dll
2016-09-13 17:47 - 2016-08-13 03:41 - 07445848 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-09-13 17:47 - 2016-08-13 03:40 - 01737080 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2016-09-13 17:47 - 2016-08-13 03:40 - 01663184 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2016-09-13 17:47 - 2016-08-13 03:40 - 01523208 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2016-09-13 17:47 - 2016-08-13 03:40 - 01490120 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2016-09-13 17:47 - 2016-08-13 03:40 - 01358952 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2016-09-13 17:47 - 2016-08-12 20:04 - 00059392 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2016-09-13 17:47 - 2016-08-11 12:26 - 01156608 _____ (Microsoft Corporation) C:\Windows\system32\wwanmm.dll
2016-09-13 17:47 - 2016-08-11 12:17 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\pnidui.dll
2016-09-13 17:47 - 2016-08-11 12:16 - 00455680 _____ (Microsoft Corporation) C:\Windows\system32\wwanconn.dll
2016-09-11 21:31 - 2016-09-11 21:31 - 00094593 _____ C:\Users\C\Downloads\Document 2.pdf
2016-09-10 21:53 - 2016-09-10 22:01 - 00000000 ____D C:\AdwCleaner
2016-09-08 22:29 - 2016-09-08 22:29 - 00000222 _____ C:\Users\C\Desktop\NoiseQuest Noise Effects.url
2016-09-06 21:12 - 2016-09-06 21:12 - 00000199 _____ C:\Users\C\Desktop\Whitehall Township - Lehigh County, Pennsylvania.url
2016-09-05 19:59 - 2016-09-10 17:37 - 00000000 ____D C:\Program Files (x86)\Trend Micro
2016-09-05 19:53 - 2016-09-05 19:53 - 00826369 _____ C:\Users\maide_000\AppData\Local\census.cache
2016-09-05 19:52 - 2016-09-05 19:52 - 01004968 _____ C:\Users\maide_000\AppData\Local\ars.cache
2016-09-05 19:50 - 2016-09-05 19:50 - 00000010 _____ C:\Users\maide_000\AppData\Local\sponge.last.runtime.cache
2016-09-05 19:43 - 2016-09-05 19:43 - 00000000 ____D C:\Windows\Trend Micro
2016-09-05 19:43 - 2016-09-05 19:43 - 00000000 ____D C:\ProgramData\Trend Micro
2016-09-05 19:40 - 2016-09-05 19:40 - 00000036 _____ C:\Users\maide_000\AppData\Local\housecall.guid.cache
2016-09-05 19:40 - 2015-12-24 09:03 - 00316168 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmcomm.sys
2016-08-29 20:28 - 2016-08-29 20:28 - 00000000 ___RD C:\Users\vette_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices
2016-08-29 19:46 - 2016-08-29 19:46 - 00000000 ____D C:\Users\vette_000\AppData\Local\CrashDumps
2016-08-23 12:50 - 2016-08-23 12:50 - 00000280 _____ C:\Users\C\Desktop\Amazon opening new Lehigh Valley facility, creating over 500 new jobs - Lehigh Valley, PA.url
2016-08-22 18:31 - 2016-08-22 18:32 - 156367864 _____ C:\Users\C\Downloads\MVI_1033.MOV
2016-08-22 14:21 - 2016-08-22 14:21 - 02698925 _____ C:\Users\C\Documents\Part-150-Community-Advisory-Committee-Mtg-1.28.15.pdf
2016-08-21 02:40 - 2016-08-21 02:40 - 00000284 _____ C:\Users\C\Desktop\How to clean the Windows 10 crapware off your Windows 7 or 8.1 PC  InfoWorld.url

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-09-18 16:46 - 2015-06-06 20:48 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3412248325-257921828-2620446140-1003
2016-09-18 16:46 - 2015-01-16 12:05 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3412248325-257921828-2620446140-1001
2016-09-18 16:41 - 2015-04-04 20:43 - 00000000 __SHD C:\Users\C\IntelGraphicsProfiles
2016-09-18 16:41 - 2015-02-03 00:48 - 00000000 ____D C:\Users\maide_000\Documents\Bluetooth Folder
2016-09-18 16:41 - 2015-01-16 12:07 - 00000000 ___DO C:\Users\C\OneDrive
2016-09-18 16:34 - 2013-08-22 11:36 - 00000000 ____D C:\Windows\AppReadiness
2016-09-18 16:24 - 2015-06-06 20:45 - 00000000 ___DO C:\Users\maide_000\OneDrive
2016-09-18 16:24 - 2015-06-06 20:42 - 00000000 __SHD C:\Users\maide_000\IntelGraphicsProfiles
2016-09-18 16:24 - 2015-01-22 06:59 - 00000000 ____D C:\Users\maide_000
2016-09-18 16:20 - 2014-06-25 13:54 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell
2016-09-18 16:14 - 2016-05-26 18:14 - 00000945 _____ C:\Windows\Tasks\EPSON XP-620 Series Update {F1AD9835-296F-4BFF-B861-A84484581C9F}.job
2016-09-16 17:47 - 2016-06-06 15:11 - 00042496 ___SH C:\Users\C\Downloads\Thumbs.db
2016-09-16 13:14 - 2013-08-22 11:36 - 00000000 ____D C:\Windows\rescache
2016-09-16 11:39 - 2013-08-22 11:36 - 00000000 ____D C:\Windows\system32\NDF
2016-09-16 02:34 - 2015-04-08 17:34 - 00000000 ____D C:\Users\C\AppData\Local\CrashDumps
2016-09-16 01:55 - 2013-08-22 09:36 - 00000000 ____D C:\Windows\Inf
2016-09-14 13:50 - 2013-08-22 11:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-09-13 23:40 - 2014-06-25 13:57 - 00000000 ____D C:\Program Files (x86)\Dell Backup and Recovery
2016-09-13 23:37 - 2013-08-22 10:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-09-13 23:37 - 2013-08-22 10:44 - 00346744 _____ C:\Windows\system32\FNTCACHE.DAT
2016-09-13 23:35 - 2015-06-08 08:50 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2016-09-13 23:35 - 2015-06-08 08:50 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2016-09-13 23:35 - 2013-08-22 09:25 - 00524288 ___SH C:\Windows\system32\config\BBI
2016-09-13 18:32 - 2013-08-22 11:20 - 00000000 ____D C:\Windows\CbsTemp
2016-09-13 18:30 - 2016-07-19 22:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2016-09-13 18:28 - 2015-01-16 13:23 - 00000000 ____D C:\Windows\system32\MRT
2016-09-13 18:25 - 2015-01-16 13:23 - 144199024 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-09-10 22:00 - 2014-06-25 13:54 - 00000000 ____D C:\Program Files (x86)\Amazon
2016-09-10 20:38 - 2015-01-16 11:59 - 00000000 ____D C:\Users\C\AppData\Local\Packages
2016-09-10 17:37 - 2015-05-29 20:57 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2016-09-06 21:11 - 2015-01-16 14:29 - 00828408 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-09-06 21:11 - 2015-01-16 14:29 - 00176632 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-08-29 20:58 - 2015-02-01 17:07 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3412248325-257921828-2620446140-1006
2016-08-29 20:28 - 2015-06-12 20:10 - 00000000 __SHD C:\Users\vette_000\IntelGraphicsProfiles
2016-08-29 20:28 - 2015-02-01 17:03 - 00000000 ___RD C:\Users\vette_000\OneDrive
2016-08-29 18:57 - 2015-02-01 16:57 - 00000000 ____D C:\Users\vette_000
2016-08-26 18:18 - 2015-08-26 17:37 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-08-26 18:14 - 2015-08-26 17:36 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys

==================== Files in the root of some directories =======

2016-09-05 19:52 - 2016-09-05 19:52 - 1004968 _____ () C:\Users\maide_000\AppData\Local\ars.cache
2016-09-05 19:53 - 2016-09-05 19:53 - 0826369 _____ () C:\Users\maide_000\AppData\Local\census.cache
2016-09-05 19:40 - 2016-09-05 19:40 - 0000036 _____ () C:\Users\maide_000\AppData\Local\housecall.guid.cache
2016-02-22 15:22 - 2016-06-19 17:17 - 0007601 _____ () C:\Users\maide_000\AppData\Local\Resmon.ResmonCfg
2016-09-05 19:50 - 2016-09-05 19:50 - 0000010 _____ () C:\Users\maide_000\AppData\Local\sponge.last.runtime.cache
2014-06-25 13:52 - 2014-06-25 13:52 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2016-06-27 15:00 - 2016-06-27 15:00 - 0001100 _____ () C:\ProgramData\ResPntListUNI.txt
2014-06-25 13:46 - 2014-06-25 13:46 - 0000121 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log
2014-06-25 13:42 - 2014-06-25 13:43 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log
2014-06-25 13:43 - 2014-06-25 13:44 - 0000111 _____ () C:\ProgramData\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}.log
2014-06-25 13:44 - 2014-06-25 13:46 - 0000108 _____ () C:\ProgramData\{B46BEA36-0B71-4A4E-AE41-87241643FA0A}.log
2014-06-25 13:42 - 2014-06-25 13:42 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log

Some files in TEMP:
====================
C:\Users\maide_000\AppData\Local\Temp\DefaultPack.EXE
C:\Users\maide_000\AppData\Local\Temp\libeay32.dll
C:\Users\maide_000\AppData\Local\Temp\msvcr120.dll
C:\Users\maide_000\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-09-13 18:20

==================== End of FRST.txt ============================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 17-09-2016
Ran by maide_000 (18-09-2016 16:54:04)
Running from C:\Users\C\Desktop
Windows 8.1 (Update) (X64) (2015-01-16 15:59:38)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-3412248325-257921828-2620446140-500 - Administrator - Disabled)
C (S-1-5-21-3412248325-257921828-2620446140-1001 - Limited - Enabled) => C:\Users\C
Guest (S-1-5-21-3412248325-257921828-2620446140-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3412248325-257921828-2620446140-1005 - Limited - Enabled)
maide_000 (S-1-5-21-3412248325-257921828-2620446140-1003 - Administrator - Enabled) => C:\Users\maide_000
vette_000 (S-1-5-21-3412248325-257921828-2620446140-1006 - Limited - Enabled) => C:\Users\vette_000

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Canon PowerShot SX50 HS Camera User Guide (HKLM-x32\...\CameraUserGuide-PSSX50HS) (Version: 1.0.0.1 - Canon Inc.)
Canon Utilities CameraWindow DC 8 (HKLM-x32\...\CameraWindowDC) (Version: 8.9.0.4 - Canon Inc.)
Canon Utilities Digital Photo Professional (HKLM-x32\...\Digital Photo Professional) (Version: 3.14.48.1 - Canon Inc.)
Canon Utilities ImageBrowser EX (HKLM-x32\...\ImageBrowser EX) (Version: 1.5.2.8 - Canon Inc.)
Canon Utilities PhotoStitch (HKLM-x32\...\PhotoStitch) (Version: 3.1.23.47 - Canon Inc.)
CyberLink Media Suite Essentials (HKLM-x32\...\InstallShield_{8F14AA37-5193-4A14-BD5B-BDF9B361AEF7}) (Version: 10.0 - CyberLink Corp.)
Dell Backup and Recovery - Support Software (HKLM-x32\...\{A9668246-FB70-4103-A1E3-66C9BC2EFB49}) (Version: 1.7.1.2 - Dell Inc.)
Dell Backup and Recovery (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 1.7.1.2 - Dell Inc.)
Dell Customer Connect (HKLM-x32\...\{35BEC446-269E-42E4-8EED-191A38CCFF3D}) (Version: 1.4.10.0 - Dell Inc.)
Dell Digital Delivery (HKLM-x32\...\{693A23FB-F28B-4F7A-A720-4C1263F97F43}) (Version: 3.1.1002.0 - Dell Products, LP)
Dell Display Manager (HKLM-x32\...\{AC50C05D-9D57-40F5-B2EF-AC402F14312B}_is1) (Version:  - EnTech Taiwan)
Dell Product Registration (HKLM-x32\...\{17FFE63C-6734-4950-B488-134B5A2505F7}) (Version: 2.04.0280 - Aviata Inc.)
Dell System Detect (HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\58d94f3ce2c27db0) (Version: 7.6.0.17 - Dell)
Dell Update (HKLM-x32\...\{DB82968B-57A4-4397-81A5-ECAB21B5DFCD}) (Version: 1.7.1015.0 - Dell Inc.)
Dell WLAN and Bluetooth Client Installation (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 10.0 - Dell Inc.)
Epson Event Manager (HKLM-x32\...\{86B4A6B9-07FD-48EC-8730-1EC82E80C3D7}) (Version: 3.10.0030 - Seiko Epson Corporation)
Epson Print CD (HKLM-x32\...\{D16A31F9-276D-4968-A753-FFEAC56995D0}) (Version: 2.31.00 - SEIKO EPSON CORPORATION)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EPSON XP-620 Series Printer Uninstall (HKLM\...\EPSON XP-620 Series) (Version:  - SEIKO EPSON Corporation)
Epson XP-620 User’s Guide version 1.0 (HKLM-x32\...\UsersGuideEpson XP-620 User’s Guide_is1) (Version: 1.0 - )
EpsonNet Print (HKLM\...\{F983229B-587E-4322-BCB9-D7A49734E5CD}) (Version: 3.0.0.0 - SEIKO EPSON CORPORATION)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.23.1766 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.14.4156 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.0.1016 - Intel Corporation)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50709.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
PocketCloud (HKLM-x32\...\{D9752C7D-A595-4687-A0D5-362E9C311C55}) (Version: 2.7.14 - Wyse Technology)
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.1.304 - Qualcomm Atheros Communications)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.2.9200.30164 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7404 - Realtek Semiconductor Corp.)
Software Updater (HKLM-x32\...\{E07D7C7B-F424-4EEF-BA17-B2C32BD1C107}) (Version: 4.3.0 - SEIKO EPSON CORPORATION)
Sophos Virus Removal Tool (HKLM-x32\...\{B829E117-D072-41EA-9606-9826A38D34C1}) (Version: 2.5.3 - Sophos Limited)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1194 - SUPERAntiSpyware.com)
System Checkup 3.5 (HKLM-x32\...\{4AC7B4E7-59B7-4E48-A60D-263C486FC33A}_is1) (Version: 3.5.0.23 - iolo technologies, LLC)
System Requirements Lab Detection (HKLM-x32\...\{C2977600-0EBB-48EF-9EBB-65308E296944}) (Version: 6.1.6.0 - Husdawg, LLC)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-3412248325-257921828-2620446140-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {04F74683-DE3C-463A-BD30-11029DD7EF9B} - System32\Tasks\PocketCloudVirtualChannel => C:\Program Files (x86)\Wyse\PocketCloud\WPCRDPVirtualChannelServer.exe [2013-08-22] ()
Task: {0B545118-B563-42FC-8D07-B78F602FCF34} - System32\Tasks\Microsoft\Windows\WS\WSRefreshBannedAppsListTask => Rundll32.exe WSClient.dll,RefreshBannedAppsList
Task: {4088E77A-478D-4A81-B5A9-A25DB4635800} - System32\Tasks\PocketCloud => C:\Program Files (x86)\Wyse\PocketCloud\PocketCloudDesktopApp.exe [2013-08-22] ()
Task: {442416BE-DC7F-49A7-91C2-E8DB9E475824} - System32\Tasks\PocketCloudUpdater => C:\Program [Argument = Files (x86)\Wyse\PocketCloud\Updater.exe]
Task: {4DDF46AA-53A0-44AE-BF4B-2C2CC04276AE} - System32\Tasks\EPSON XP-620 Series Update {F1AD9835-296F-4BFF-B861-A84484581C9F} => C:\Windows\system32\spool\DRIVERS\x64\3\E_YTSNOE.EXE [2013-11-22] (SEIKO EPSON CORPORATION)
Task: {570CFF6F-E568-4965-8A6C-A2671B268184} - System32\Tasks\RtHDVBg_PushButton => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2014-12-11] (Realtek Semiconductor)
Task: {77C75934-8A83-4FB3-B033-78A721DC4456} - System32\Tasks\CLMLSvc_P2G8 => C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe [2013-03-04] (CyberLink)
Task: {8B9F0B26-1AD9-440E-B423-E0C086C64C6E} - System32\Tasks\Dell\Dell Product Registration Update => C:\Program Files (x86)\Dell Product Registration\prodreg.exe [2014-04-01] (Aviata Inc)
Task: {8F3B11A2-E833-4805-B99E-75D4D3E0008C} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [2016-09-13] (Microsoft Corporation)
Task: {CE1B5D02-5FFE-4134-8A1B-442C7998A5D3} - System32\Tasks\CLVDLauncher => C:\Program Files (x86)\CyberLink\Power2Go8\CLVDLauncher.exe [2013-03-22] (CyberLink Corp.)
Task: {F5D21D43-580F-4E3B-BBD6-CFC4D061FF63} - System32\Tasks\Dell\Dell Product Registration => C:\Program Files (x86)\Dell Product Registration\prodreg.exe [2014-04-01] (Aviata Inc)
Task: {FE43F60C-2FFE-4CAB-9072-19D5700FBC22} - System32\Tasks\iolo System Checkup => C:\ProgramData\iolo\scustask.lnk [Argument = /toaster]

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\EPSON XP-620 Series Update {F1AD9835-296F-4BFF-B861-A84484581C9F}.job => C:\Windows\system32\spool\DRIVERS\x64\3\E_YTSNOE.EXE:/EXE:{F1AD9835-296F-4BFF-B861-A84484581C9F} /F:Update WORKGROUP\UPSTAIRS2015$ĊSearches for EPSON software updates, and notifies you when updates are available.If this task is disabled or stopped, your EPSON software will not be automatically kept up to date.Thi

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2013-08-22 14:40 - 2013-08-22 14:40 - 00016176 _____ () C:\Program Files (x86)\Wyse\PocketCloud\PocketCloudService.exe
2013-08-22 14:40 - 2013-08-22 14:40 - 00040240 _____ () C:\Program Files (x86)\Wyse\PocketCloud\AetherServiceLib.dll
2013-08-22 14:40 - 2013-08-22 14:40 - 00046384 _____ () C:\Program Files (x86)\Wyse\PocketCloud\AetherHelperLib.dll
2014-06-25 13:59 - 2014-03-12 15:22 - 00020256 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayIcon.dll
2014-06-25 13:59 - 2014-03-12 15:22 - 00019232 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayNotBackuped.dll
2014-06-25 13:59 - 2014-03-12 15:22 - 00035104 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRShellExtension.dll
2014-06-25 14:15 - 2015-03-31 19:02 - 00392592 _____ () C:\Windows\system32\igfxTray.exe
2013-09-05 02:20 - 2013-09-05 02:20 - 00011264 _____ () C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Modules\ActivateDesktopDebugger\ActivateDesktopDebugger.dll
2013-09-05 02:17 - 2013-09-05 02:17 - 00086016 _____ () C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Modules\Map\MAP.dll
2013-09-05 02:24 - 2013-09-05 02:24 - 00012928 _____ () C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\ActivateDesktop.exe
2015-03-16 11:28 - 2015-03-16 11:28 - 00155528 _____ () C:\Program Files (x86)\Dell Digital Delivery\ServiceTagPlusPlus.dll
2014-06-25 13:46 - 2013-12-09 18:27 - 01242584 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll
2016-09-09 08:32 - 2016-09-09 08:32 - 00134008 _____ () C:\Program Files (x86)\Dell Customer Connect\ServiceTagPlusPlus.dll
2014-06-25 13:43 - 2013-03-04 23:40 - 00626240 _____ () C:\Program Files (x86)\CyberLink\Power2Go8\CLMediaLibrary.dll
2013-03-05 14:41 - 2013-03-05 14:41 - 00015424 _____ () C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvcPS.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix => "DisplayName"="Dell"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix => "ErrorControl"="1"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix => "ImagePath"="C:\Program Files\Dell\Click 2 Fix\srvc.exe"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix => "ObjectName"="LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix => "Start"="2"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix => "Type"="272"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix\Parameters => "Application"="C:\Program Files\Dell\Click 2 Fix\srvc.exe"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix\Parameters => "AppParameters"=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\dell.com -> dell.com
IE trusted site: HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\microsoft.com -> hxxps://support.microsoft.com
IE trusted site: HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\msn.com -> hxxps://msn.com
IE trusted site: HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\nbc.com -> hxxps://www.nbc.com
IE restricted site: HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\amazon.com -> www.amazon.com
IE restricted site: HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\facebook.com -> hxxp://www.facebook.com
IE restricted site: HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\google.com -> hxxp://www.google.com
IE restricted site: HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\pcregistryfix.com -> pcregistryfix.com
IE restricted site: HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\peemoteenfidelity.net -> www.peemoteenfidelity.net
IE restricted site: HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\twitter.com -> www.twitter.com
IE trusted site: HKU\S-1-5-21-3412248325-257921828-2620446140-1003\...\dell.com -> dell.com
IE restricted site: HKU\S-1-5-21-3412248325-257921828-2620446140-1003\...\facebook.com -> hxxp://www.facebook.com
IE restricted site: HKU\S-1-5-21-3412248325-257921828-2620446140-1003\...\twitter.com -> hxxp://twitter.com

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 09:25 - 2015-06-17 12:06 - 00000732 ____N C:\Windows\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3412248325-257921828-2620446140-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Dell\Win LTBLUE 1920x1200.jpg
HKU\S-1-5-21-3412248325-257921828-2620446140-1003\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Dell\Win LTBLUE 1920x1200.jpg
HKU\S-1-5-21-3412248325-257921828-2620446140-1006\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Dell\Win LTBLUE 1920x1200.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 1) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

HKLM\...\StartupApproved\StartupFolder: => "ImageBrowser EX Agent.lnk"
HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\StartupApproved\Run: => "EPLTarget\P0000000000000000"
HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\StartupApproved\Run: => "SansaDispatch"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{21D70745-015E-4CBF-87AF-ED0EBFBABD27}] => (Allow) C:\Program Files (x86)\Wyse\PocketCloud\PocketCloudDesktopApp.exe
FirewallRules: [{E33E6978-85D7-4F16-AEF8-6DE66F4CD30C}] => (Allow) C:\Program Files (x86)\Wyse\PocketCloud\AetherWindowsService.exe
FirewallRules: [{7EFC642B-F78B-469C-A6E0-473FCF363C4D}] => (Allow) C:\Program Files (x86)\Wyse\PocketCloud\WyseRemoteAccess.exe
FirewallRules: [{22BAF40F-0C4E-4BBE-96D9-5C3CC60D4686}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDirector10\PDR10.EXE
FirewallRules: [{76877A72-75AC-4951-AABA-4ABF1293B569}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Movie\PowerDVD Cinema\PowerDVDCinema12.exe
FirewallRules: [{8C5585CB-01E9-4468-9014-BC89F2368029}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{B02BB66A-96C0-47D3-AD07-2DD29DEAACD8}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{B4F7662A-C2D4-4382-9603-65A6BAD00739}] => (Allow) E:\Common\EpsonNet Setup\ENEasyApp.exe
FirewallRules: [{3FA380BB-A4CC-4A3D-9F91-466C321B514C}] => (Allow) E:\Common\EpsonNet Setup\ENEasyApp.exe
FirewallRules: [TCP Query User{65C5FDB3-25BA-4AF3-9084-C8933770E1AD}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Allow) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [UDP Query User{63F6F9DD-8DB4-4FCA-AA49-963FD3E4B9DF}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Allow) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [{A4E62220-12A2-485D-A523-6613EB449745}] => (Block) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [{230BD2A6-F8ED-4D91-9B99-565DBDE57491}] => (Block) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [{970B510D-1A98-4585-B876-16CCEEBF6970}] => (Allow) C:\Program Files (x86)\Epson Software\ECPrinterSetup\ENPApp.exe
FirewallRules: [{B5C0E6AF-3C29-44E3-9702-F94A89A846F6}] => (Allow) C:\Program Files (x86)\Epson Software\ECPrinterSetup\ENPApp.exe
FirewallRules: [TCP Query User{0D191D62-93C0-455A-93E3-8A77C54D258C}C:\program files (x86)\videolan\vlc\vlc.exe] => (Block) C:\program files (x86)\videolan\vlc\vlc.exe
FirewallRules: [UDP Query User{C5F01356-141A-48D1-BAE3-FC26E9AED4BD}C:\program files (x86)\videolan\vlc\vlc.exe] => (Block) C:\program files (x86)\videolan\vlc\vlc.exe
FirewallRules: [TCP Query User{4C07CDE3-9200-413C-B262-0F79499E7D8B}C:\users\c\appdata\local\skypeplugin\7.15.0.49\pluginhost.exe] => (Allow) C:\users\c\appdata\local\skypeplugin\7.15.0.49\pluginhost.exe
FirewallRules: [UDP Query User{95063FE2-A81C-4E8C-B442-B51F803C26C6}C:\users\c\appdata\local\skypeplugin\7.15.0.49\pluginhost.exe] => (Allow) C:\users\c\appdata\local\skypeplugin\7.15.0.49\pluginhost.exe
FirewallRules: [{23C855D1-74FF-4C86-A7A3-ADE6D5878E89}] => (Allow) C:\Program Files (x86)\Epson Software\ECPrinterSetup\ENPApp.exe
FirewallRules: [{53527621-E1FE-4A0C-AEB9-697FEA41DBB9}] => (Allow) C:\Program Files (x86)\Epson Software\ECPrinterSetup\ENPApp.exe
FirewallRules: [{7F8AD49C-7541-4A22-AE18-26E5C0A4E195}] => (Allow) E:\Common\EpsonNet Setup\ENEasyApp.exe
FirewallRules: [{1484983F-CF14-45B8-A0F8-10EEA5391C88}] => (Allow) E:\Common\EpsonNet Setup\ENEasyApp.exe
FirewallRules: [TCP Query User{BF4E8329-83E9-4C32-8465-291F1906789C}C:\windows\system32\mmc.exe] => (Block) C:\windows\system32\mmc.exe
FirewallRules: [UDP Query User{B424F884-E7E3-44AB-B526-52D2A0FAC49F}C:\windows\system32\mmc.exe] => (Block) C:\windows\system32\mmc.exe
FirewallRules: [TCP Query User{BF871CC6-0156-425F-8C49-51863B1FFDF6}C:\users\maide_000\appdata\local\temp\housecall\tmase\nmap\nmap.exe] => (Allow) C:\users\maide_000\appdata\local\temp\housecall\tmase\nmap\nmap.exe
FirewallRules: [UDP Query User{5C2CA3E9-5147-4593-BA05-C384A1F409AB}C:\users\maide_000\appdata\local\temp\housecall\tmase\nmap\nmap.exe] => (Allow) C:\users\maide_000\appdata\local\temp\housecall\tmase\nmap\nmap.exe

==================== Restore Points =========================

26-08-2016 13:56:11 Windows Update
05-09-2016 19:35:54 Scheduled Checkpoint
13-09-2016 18:20:19 Windows Update
18-09-2016 16:19:28 Dell Update: Dell Customer Connect

==================== Faulty Device Manager Devices =============

Name: Bluetooth Device (Personal Area Network)
Description: Bluetooth Device (Personal Area Network)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: BthPan
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (09/18/2016 04:41:58 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: BtvStack.exe, version: 8.0.1.304, time stamp: 0x52282199
Faulting module name: audio.dll, version: 8.0.1.304, time stamp: 0x5228226e
Exception code: 0xc0000005
Fault offset: 0x000000000001b748
Faulting process id: 0x17f0
Faulting application start time: 0x01d211ed06fe548c
Faulting application path: C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe
Faulting module path: C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Modules\Audio\audio.dll
Report Id: 57a0f8d2-7de0-11e6-8295-f8bc129619e2
Faulting package full name:
Faulting package-relative application ID:

Error: (09/18/2016 04:13:58 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: BtvStack.exe, version: 8.0.1.304, time stamp: 0x52282199
Faulting module name: audio.dll, version: 8.0.1.304, time stamp: 0x5228226e
Exception code: 0xc0000005
Fault offset: 0x000000000001b748
Faulting process id: 0x1040
Faulting application start time: 0x01d211e9207288dd
Faulting application path: C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe
Faulting module path: C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Modules\Audio\audio.dll
Report Id: 6e055e8f-7ddc-11e6-8295-f8bc129619e2
Faulting package full name:
Faulting package-relative application ID:

Error: (09/16/2016 05:53:55 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3002) (User: NT AUTHORITY)
Description: The performance counter explain text string value in the registry is not formatted correctly. The malformed string is 敧氺湩慥⵲牧摡敩瑮琨潢瑴浯⌬㐰挹扤⌬㐰㐵扤㬩慢正牧畯摮爭灥慥㩴敲数瑡砭戻牯敤⵲潣潬㩲〣㔴搴⁢〣㔴搴⁢〣㌳㤷㬰潢摲牥挭汯牯爺执⡡ⰰⰰⰰㄮ
杲慢〨〬〬⸬⤱爠执⡡ⰰⰰⰰ㈮⤵昻汩整㩲牰杯摩䐺䥘慭敧牔湡晳牯⹭楍牣獯景⹴牧摡敩瑮攨慮汢摥昽污敳㬩潣潬㩲昣晦琻硥⵴桳摡睯〺ⴠ瀱⁸‰杲慢〨〬〬⸬㔲紩搮瑡灥捩敫⁲摴猠慰⹮捡楴敶愮瑣癩ⱥ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬Ɽ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬⹤捡楴敶⸬慤整楰正牥琠⁤灳湡愮瑣癩⹥楤慳汢摥搮獩扡敬Ɽ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬㩤捡楴敶⸬慤整楰正牥琠⁤灳湡愮瑣癩⹥楤慳汢摥栺癯牥⸬慤整楰正牥琠⁤灳湡愮瑣癩⹥楤慳汢摥栺癯牥愮瑣癩ⱥ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬㩤潨敶⹲楤慳汢摥⸬慤整楰正牥琠⁤灳湡愮瑣癩⹥楤慳汢摥栺癯牥愺瑣癩ⱥ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬㩤潨敶㩲潨敶Ⱳ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬㩤潨敶孲楤慳汢摥ⱝ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬孤楤慳汢摥ⱝ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶愺瑣癩ⱥ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶栺癯牥⸬慤整楰正牥琠⁤灳湡愮瑣癩㩥潨敶⹲捡楴敶⸬慤整楰正牥琠⁤灳湡愮瑣癩㩥潨敶⹲楤慳汢摥⸬慤整楰正牥琠⁤灳湡愮瑣癩㩥潨敶㩲捡楴敶⸬慤整楰正牥琠⁤灳湡愮瑣癩㩥潨敶㩲潨敶Ⱳ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶栺癯牥摛獩扡敬嵤⸬慤整楰正牥琠⁤灳湡愮瑣癩孥楤慳汢摥筝潣潬㩲昣晦戻捡杫潲湵ⵤ潣潬㩲〣㔴搴絢搮瑡灥捩敫⁲摴猠慰⹮汯筤潣潬㩲㤣㤹⹽慤整楰正牥琠⹨睳瑩档睻摩桴ㄺ㔴硰⹽慤整楰正牥琠敨摡琠㩲楦獲⵴档汩⁤桴捻牵潳㩲潰湩整絲搮瑡灥捩敫⁲桴慥⁤牴昺物瑳挭楨摬琠㩨潨敶筲慢正牧畯摮⌺敥絥椮灮瑵愭灰湥⹤慤整⸠摡ⵤ湯椠⸬湩異⵴牰灥湥⹤慤整⸠摡ⵤ湯椠摻獩汰祡戺潬正挻牵潳㩲潰湩整㭲楷瑤㩨㘱硰栻楥桧㩴㘱硰}. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.

Error: (09/16/2016 02:28:19 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: skydrive.exe, version: 6.3.9600.17416, time stamp: 0x5452fd72
Faulting module name: RPCRT4.dll, version: 6.3.9600.18292, time stamp: 0x56fca3f6
Exception code: 0xc0000005
Fault offset: 0x00000000000025ff
Faulting process id: 0x19a8
Faulting application start time: 0x01d20f74eedf359d
Faulting application path: C:\Windows\System32\skydrive.exe
Faulting module path: C:\Windows\system32\RPCRT4.dll
Report Id: c1774ca0-7bd6-11e6-8295-f8bc129619e2
Faulting package full name:
Faulting package-relative application ID:

Error: (09/16/2016 01:48:13 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: skydrive.exe, version: 6.3.9600.17416, time stamp: 0x5452fd72
Faulting module name: RPCRT4.dll, version: 6.3.9600.18292, time stamp: 0x56fca3f6
Exception code: 0xc00000fd
Fault offset: 0x0000000000113cf3
Faulting process id: 0x19a8
Faulting application start time: 0x01d20f74eedf359d
Faulting application path: C:\Windows\System32\skydrive.exe
Faulting module path: C:\Windows\system32\RPCRT4.dll
Report Id: 27b45df5-7bd1-11e6-8295-f8bc129619e2
Faulting package full name:
Faulting package-relative application ID:

Error: (09/14/2016 03:00:00 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.18124 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1f4

Start Time: 01d20eb0feecd4c9

Termination Time: 4294967295

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id: 5fddaea7-7aad-11e6-8295-f8bc129619e2

Faulting package full name:

Faulting package-relative application ID:

Error: (09/13/2016 06:28:44 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3002) (User: NT AUTHORITY)
Description: The performance counter explain text string value in the registry is not formatted correctly. The malformed string is 敧氺湩慥⵲牧摡敩瑮琨潢瑴浯⌬㐰挹扤⌬㐰㐵扤㬩慢正牧畯摮爭灥慥㩴敲数瑡砭戻牯敤⵲潣潬㩲〣㔴搴⁢〣㔴搴⁢〣㌳㤷㬰潢摲牥挭汯牯爺执⡡ⰰⰰⰰㄮ
杲慢〨〬〬⸬⤱爠执⡡ⰰⰰⰰ㈮⤵昻汩整㩲牰杯摩䐺䥘慭敧牔湡晳牯⹭楍牣獯景⹴牧摡敩瑮攨慮汢摥昽污敳㬩潣潬㩲昣晦琻硥⵴桳摡睯〺ⴠ瀱⁸‰杲慢〨〬〬⸬㔲紩搮瑡灥捩敫⁲摴猠慰⹮捡楴敶愮瑣癩ⱥ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬Ɽ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬⹤捡楴敶⸬慤整楰正牥琠⁤灳湡愮瑣癩⹥楤慳汢摥搮獩扡敬Ɽ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬㩤捡楴敶⸬慤整楰正牥琠⁤灳湡愮瑣癩⹥楤慳汢摥栺癯牥⸬慤整楰正牥琠⁤灳湡愮瑣癩⹥楤慳汢摥栺癯牥愮瑣癩ⱥ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬㩤潨敶⹲楤慳汢摥⸬慤整楰正牥琠⁤灳湡愮瑣癩⹥楤慳汢摥栺癯牥愺瑣癩ⱥ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬㩤潨敶㩲潨敶Ⱳ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬㩤潨敶孲楤慳汢摥ⱝ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬孤楤慳汢摥ⱝ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶愺瑣癩ⱥ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶栺癯牥⸬慤整楰正牥琠⁤灳湡愮瑣癩㩥潨敶⹲捡楴敶⸬慤整楰正牥琠⁤灳湡愮瑣癩㩥潨敶⹲楤慳汢摥⸬慤整楰正牥琠⁤灳湡愮瑣癩㩥潨敶㩲捡楴敶⸬慤整楰正牥琠⁤灳湡愮瑣癩㩥潨敶㩲潨敶Ⱳ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶栺癯牥摛獩扡敬嵤⸬慤整楰正牥琠⁤灳湡愮瑣癩孥楤慳汢摥筝潣潬㩲昣晦戻捡杫潲湵ⵤ潣潬㩲〣㔴搴絢搮瑡灥捩敫⁲摴猠慰⹮汯筤潣潬㩲㤣㤹⹽慤整楰正牥琠⹨睳瑩档睻摩桴ㄺ㔴硰⹽慤整楰正牥琠敨摡琠㩲楦獲⵴档汩⁤桴捻牵潳㩲潰湩整絲搮瑡灥捩敫⁲桴慥⁤牴昺物瑳挭楨摬琠㩨潨敶筲慢正牧畯摮⌺敥絥椮灮瑵愭灰湥⹤慤整⸠摡ⵤ湯椠⸬湩異⵴牰灥湥⹤慤整⸠摡ⵤ湯椠摻獩汰祡戺潬正挻牵潳㩲潰湩整㭲楷瑤㩨㘱硰栻楥桧㩴㘱硰}. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.

Error: (09/12/2016 09:05:20 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3002) (User: NT AUTHORITY)
Description: The performance counter explain text string value in the registry is not formatted correctly. The malformed string is 敧氺湩慥⵲牧摡敩瑮琨潢瑴浯⌬㐰挹扤⌬㐰㐵扤㬩慢正牧畯摮爭灥慥㩴敲数瑡砭戻牯敤⵲潣潬㩲〣㔴搴⁢〣㔴搴⁢〣㌳㤷㬰潢摲牥挭汯牯爺执⡡ⰰⰰⰰㄮ
杲慢〨〬〬⸬⤱爠执⡡ⰰⰰⰰ㈮⤵昻汩整㩲牰杯摩䐺䥘慭敧牔湡晳牯⹭楍牣獯景⹴牧摡敩瑮攨慮汢摥昽污敳㬩潣潬㩲昣晦琻硥⵴桳摡睯〺ⴠ瀱⁸‰杲慢〨〬〬⸬㔲紩搮瑡灥捩敫⁲摴猠慰⹮捡楴敶愮瑣癩ⱥ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬Ɽ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬⹤捡楴敶⸬慤整楰正牥琠⁤灳湡愮瑣癩⹥楤慳汢摥搮獩扡敬Ɽ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬㩤捡楴敶⸬慤整楰正牥琠⁤灳湡愮瑣癩⹥楤慳汢摥栺癯牥⸬慤整楰正牥琠⁤灳湡愮瑣癩⹥楤慳汢摥栺癯牥愮瑣癩ⱥ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬㩤潨敶⹲楤慳汢摥⸬慤整楰正牥琠⁤灳湡愮瑣癩⹥楤慳汢摥栺癯牥愺瑣癩ⱥ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬㩤潨敶㩲潨敶Ⱳ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬㩤潨敶孲楤慳汢摥ⱝ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶搮獩扡敬孤楤慳汢摥ⱝ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶愺瑣癩ⱥ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶栺癯牥⸬慤整楰正牥琠⁤灳湡愮瑣癩㩥潨敶⹲捡楴敶⸬慤整楰正牥琠⁤灳湡愮瑣癩㩥潨敶⹲楤慳汢摥⸬慤整楰正牥琠⁤灳湡愮瑣癩㩥潨敶㩲捡楴敶⸬慤整楰正牥琠⁤灳湡愮瑣癩㩥潨敶㩲潨敶Ⱳ搮瑡灥捩敫⁲摴猠慰⹮捡楴敶栺癯牥摛獩扡敬嵤⸬慤整楰正牥琠⁤灳湡愮瑣癩孥楤慳汢摥筝潣潬㩲昣晦戻捡杫潲湵ⵤ潣潬㩲〣㔴搴絢搮瑡灥捩敫⁲摴猠慰⹮汯筤潣潬㩲㤣㤹⹽慤整楰正牥琠⹨睳瑩档睻摩桴ㄺ㔴硰⹽慤整楰正牥琠敨摡琠㩲楦獲⵴档汩⁤桴捻牵潳㩲潰湩整絲搮瑡灥捩敫⁲桴慥⁤牴昺物瑳挭楨摬琠㩨潨敶筲慢正牧畯摮⌺敥絥椮灮瑵愭灰湥⹤慤整⸠摡ⵤ湯椠⸬湩異⵴牰灥湥⹤慤整⸠摡ⵤ湯椠摻獩汰祡戺潬正挻牵潳㩲潰湩整㭲楷瑤㩨㘱硰栻楥桧㩴㘱硰}. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.

Error: (09/09/2016 10:02:09 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.18124 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 11a8

Start Time: 01d20ab0347ca0b2

Termination Time: 1051

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id: 93ba2bb9-76fa-11e6-8292-f8bc129619e2

Faulting package full name:

Faulting package-relative application ID:

Error: (09/07/2016 02:34:21 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.9600.18124, time stamp: 0x5641278d
Faulting module name: MSHTML.dll, version: 11.0.9600.18427, time stamp: 0x57a0353c
Exception code: 0xc0000005
Fault offset: 0x0037d14d
Faulting process id: 0x1838
Faulting application start time: 0x01d2091a562925e7
Faulting application path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Faulting module path: C:\Windows\SYSTEM32\MSHTML.dll
Report Id: b0b3efed-7529-11e6-8292-f8bc129619e2
Faulting package full name:
Faulting package-relative application ID:

System errors:
=============
Error: (09/16/2016 02:13:23 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.

Error: (09/16/2016 01:26:31 PM) (Source: BTHUSB) (EventID: 17) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

Error: (09/16/2016 01:27:08 AM) (Source: BTHUSB) (EventID: 17) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

Error: (09/15/2016 09:10:11 PM) (Source: BTHUSB) (EventID: 17) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

Error: (09/15/2016 04:26:32 PM) (Source: BTHUSB) (EventID: 17) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

Error: (09/15/2016 03:46:06 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.

Error: (09/15/2016 12:28:09 AM) (Source: DCOM) (EventID: 10010) (User: upstairs2015)
Description: The server {4545DEA0-2DFC-4906-A728-6D986BA399A9} did not register with DCOM within the required timeout.

Error: (09/15/2016 12:28:09 AM) (Source: DCOM) (EventID: 10010) (User: upstairs2015)
Description: The server {4545DEA0-2DFC-4906-A728-6D986BA399A9} did not register with DCOM within the required timeout.

Error: (09/14/2016 10:17:25 PM) (Source: BTHUSB) (EventID: 17) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

Error: (09/14/2016 04:36:05 PM) (Source: BTHUSB) (EventID: 17) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

CodeIntegrity:
===================================
  Date: 2016-09-16 20:09:21.221
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-09-16 20:09:21.018
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-09-16 20:09:20.674
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-09-16 13:06:58.011
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-09-16 13:06:57.812
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-09-16 13:06:57.512
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-09-16 11:30:25.582
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-09-16 11:30:25.300
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-09-16 11:30:25.035
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-09-16 11:30:24.519
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

==================== Memory info ===========================

Processor: Intel® Pentium® CPU G3240 @ 3.10GHz
Percentage of memory in use: 54%
Total physical RAM: 4012.95 MB
Available physical RAM: 1834.18 MB
Total Virtual: 5100.95 MB
Available Virtual: 2319.62 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:919.56 GB) (Free:866.25 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 87756EF3)

Partition: GPT.

==================== End of Addition.txt ============================

#5 Tiredmaiden
  • Topic Starter
  • Members
  • 22 posts
  • Location:Eastern USA

Posted 18 September 2016 - 05:36 PM

I downloaded and ran Security Check, and pasted the results in this new post.

I then ran MBAR and typed in this post that "No malware was found."

The same with AdwCleaner: I ran the scan and the results were "No malware found."

When I went to post the logfiles for AdwCleaner, I noticed that the "checkup.txt" was gone from the post box, and I am now having a problem pasting and posting the logfiles from AdwCleaner. I don't understand what happened to the "Checkup.txt". Is it possible to run the tool again or would that not be advised at this point?

I just tried again to copy and paste the results from AdwCleaner, and no matter what I try, I can't get the logfiles pasted here. I've never had this problem before and nothing I have tried will work. I am sorry about this. Please instruct what you think I should do next.


Edited by Tiredmaiden, 18 September 2016 - 06:02 PM.


#6 Jo*
  • Malware Response Team
  • 3,400 posts
  • Location:Germany

Posted 18 September 2016 - 06:02 PM

Hello,

please run the Security Check tool again, then go on with:


:step1: Run Malwarebytes Anti-Rootkit again: Double click mbar.exe to run the tool.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Scan your system for malware
  • If malware is found, click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Then please go to the MBAR folder and copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


:step2: Please download Junkware Removal Tool from HERE and save it to your desktop.
Shut down your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.


***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#7 Tiredmaiden
  • Topic Starter
  • Members
  • 22 posts
  • Location:Eastern USA

Posted 18 September 2016 - 06:29 PM

I just ran Security Check Tool and am posting it now...just in case it disappears again.


Results of screen317's Security Check version 1.014 --- 12/23/15
x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Windows Defender
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
````````Process Check: objlist.exe by Laurent````````
Windows Defender MSMpEng.exe
Windows Defender MpCmdRun.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: %
````````````````````End of Log``````````````````````

#8 Tiredmaiden
  • Topic Starter
  • Members
  • 22 posts
  • Location:Eastern USA

Posted 18 September 2016 - 06:59 PM

MBAR Scan result: "No malware found."

And here is the log created by JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Windows 8.1 x64
Ran by maide_000 (Administrator) on Sun 09/18/2016 at 19:53:42.70
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0




Registry: 3

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{61E6EFAD-C865-47BF-8B4D-C7589B127CDF} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 09/18/2016 at 19:54:29.24
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I just have to say what I am thinking, I want to throw my PC out the window. I really appreciate what you and others like you do!

#9 Jo*
  • Malware Response Team
  • 3,400 posts
  • Location:Germany

Posted 19 September 2016 - 03:10 AM


Log on to all your user accounts now - without restarting!

Open notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt



Start
CreateRestorePoint:
CloseProcesses:
Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\MountPoints2: {8ad259cb-e203-11e4-8264-90489a5b58fa} - "D:\LaunchU3.exe" -a
HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\MountPoints2: {da155eb9-ec70-11e5-8282-f8bc129619e2} - "D:\imageviewer.exe"
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-3412248325-257921828-2620446140-1006_classes] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKU\S-1-5-21-3412248325-257921828-2620446140-1001 -> {551742F3-6A9B-481A-8713-310CF36899D5} URL = hxxps://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
FF Plugin HKU\S-1-5-21-3412248325-257921828-2620446140-1001: @emusic.com/eMusicPlugin DLM6 -> C:\Program Files\eMusic Download Manager 6\npEMusic604.dll [No File]
S3 cleanhlp; \??\C:\EEK\bin\cleanhlp64.sys [X]
2014-06-25 13:46 - 2014-06-25 13:46 - 0000121 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log
2014-06-25 13:42 - 2014-06-25 13:43 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log
2014-06-25 13:43 - 2014-06-25 13:44 - 0000111 _____ () C:\ProgramData\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}.log
2014-06-25 13:44 - 2014-06-25 13:46 - 0000108 _____ () C:\ProgramData\{B46BEA36-0B71-4A4E-AE41-87241643FA0A}.log
2014-06-25 13:42 - 2014-06-25 13:42 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
HKU\S-1-5-21-3412248325-257921828-2620446140-1003\...\Winlogon: [Shell] C:\Windows\EXPLORER.EXE [2501368 2015-01-27] (Microsoft Corporation) <==== ATTENTION
EmptyTemp:
RemoveProxy:
Hosts:
End
NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.


Run FRST / FRST64 again as Administrator like we did before, but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt); please post it in your reply.


---

How is the computer running now?

---

Edited by Jo*, 19 September 2016 - 03:10 AM.

Cheers,
Jo
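A read-only audit of the persistence and browser-policy locations that the fixlist above targets (Winlogon\Notify, the per-user Winlogon Shell value, the IE Restrictions policy, SearchScopes and MountPoints2 autoruns). This is an added example, not part of Jo*'s post and not FRST's own code; the registry paths are those shown in the fixlist and Fixlog, and the script is assumed to run from an elevated PowerShell prompt on the affected machine.

```powershell
# Read-only audit of the locations the FRST fixlist in this thread touched.
# Added example (not from the original post or from FRST). Nothing is modified;
# the output is a list of entries to review by hand.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Winlogon\Notify subkeys: unused by Windows since Vista, so any subkey that
#    remains deserves a look (the fixlist removed "Winlogon\Notify\igfxcui").
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    Get-ChildItem $notify | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).DllName
        $findings.Add("Winlogon\Notify subkey: $($_.PSChildName) DllName=$dll")
    }
}

# 2. IE restriction policy (the fixlist removed the "Restriction" entry under
#    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer).
$ieRestrict = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions'
if (Test-Path $ieRestrict) {
    (Get-ItemProperty $ieRestrict).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { $findings.Add("IE policy restriction: $($_.Name)=$($_.Value)") }
}

# 3. Per-user hives. Only loaded profiles appear under HKEY_USERS, which is why
#    the helper asked for every account to be logged on before running the fix.
$userHives = Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

foreach ($hive in $userHives) {
    $sid  = $hive.PSChildName
    $base = "Registry::HKEY_USERS\$sid"

    # 3a. A per-user Winlogon "Shell" value replaces Explorer for that user only.
    #     It is a classic persistence spot, so FRST flags its mere presence.
    $wl = "$base\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    if (Test-Path $wl) {
        $shell = (Get-ItemProperty $wl -ErrorAction SilentlyContinue).Shell
        if ($shell) { $findings.Add("$sid per-user Winlogon Shell=$shell") }
    }

    # 3b. SearchScopes: each subkey is a search provider URL that IE will query.
    $scopes = "$base\Software\Microsoft\Internet Explorer\SearchScopes"
    if (Test-Path $scopes) {
        Get-ChildItem $scopes | ForEach-Object {
            $url = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).URL
            if ($url) { $findings.Add("$sid SearchScope $($_.PSChildName) URL=$url") }
        }
    }

    # 3c. MountPoints2 shell\AutoRun\command: the program Explorer launches when
    #     that removable volume is opened (the fixlist removed two such entries).
    $mp = "$base\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
    if (Test-Path $mp) {
        Get-ChildItem $mp | ForEach-Object {
            $cmdKey = "$($_.PSPath)\shell\AutoRun\command"
            if (Test-Path $cmdKey) {
                $cmd = (Get-ItemProperty $cmdKey).'(default)'
                $findings.Add("$sid MountPoints2 $($_.PSChildName) autorun=$cmd")
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No entries found in the audited locations.' }
else { $findings }
```

An empty result after the fix is what you expect; any line that reappears later points at a persistence mechanism the fix did not reach.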


#10 Tiredmaiden
  • Topic Starter
  • Members
  • 22 posts
  • Location:Eastern USA

Posted 19 September 2016 - 12:19 PM

Hi Jo.

I just logged in here from a different device to see if you had more guidance for me. Before I move back to the affected PC, I have a few questions. Keep in mind that I have no talent & this situation is new to me.

I did shut down the PC last night, as I did not know if it was a good idea to leave it on. Will this have any effect since your first instruction says "Log on to all your user accounts now - without restarting!"?

Also, I will log into all three accounts I have on the PC. I was confusing myself yesterday because I had originally downloaded the FRST tool to my user desktop, and not to the Admin desktop. All of the other scans I had downloaded to the Admin account. I am confused now on two things: should I download the FRST tool (again) to the Admin desktop, and should I be under the Admin account when I post the script in the box above? Again, as of right now, the only place I have the FRST tool located is on the desktop of my 'main' user account, and this is also where the FRST & Addition TXT documents are.



#11 Jo*
  • Malware Response Team
  • 3,400 posts
  • Location:Germany

Posted 19 September 2016 - 12:32 PM

The logs were ok, because all user profiles were loaded:

Running from C:\Users\C\Desktop
Loaded Profiles: C & maide_000 & vette_000 (Available Profiles: C & maide_000 & vette_000

1. Start the infected pc, log on to all your 3 user profiles
2. Do not restart the pc
3. Copy the fixlist file to your user Desktop
4. Right-click FRST then click "Run as Administrator"
5. This time press the Fix button just once and wait. The tool will make a log (Fixlog.txt); please post it in your reply.

Cheers,
Jo


#12 Tiredmaiden
  • Topic Starter
  • Members
  • 22 posts
  • Location:Eastern USA

Posted 19 September 2016 - 01:59 PM

I can't believe this happened. I did everything as you instructed. I logged on to the three user accounts, copied the Fixlist file to the desktop, ran FRST as Admin, then clicked on the Fix button. It did create the Fixlog.txt, which I then went to post. I was able to type into the reply box "here is the Fixlog.txt," and then nothing appeared to paste, and then the window seemed to become unresponsive, with the message box about "clicking OK to restart the computer." I waited a few minutes, tried to see if I could type anything into the Reply field, and nothing! I then thought if I closed the dialogue box about the log being created and clicking "OK" with the corner red "X", it would then let me post the results....it didn't. Even though I did not press "OK", the PC restarted anyway.

I don't know why there have been so many problems just trying to copy & paste in the "Reply to this topic" section. Even now, all of the features & tools in the "Reply" section are faded out and I cannot even change the font, color, anything.

So sorry. Where do I start again?

#13 Jo*
  • Malware Response Team
  • 3,400 posts
  • Location:Germany

Posted 19 September 2016 - 02:08 PM

Copy and paste only works when the features & tools in the "Reply" section are faded out.
Turn on button > hit the button in the top left position...

Most likely the fix already ran.

When finished, FRST will generate a log on the Desktop (Fixlog.txt).
Perhaps the file is on the admin user Desktop?

You can hit the Start Button and type Fixlog.txt into the search box.

Please post it in your reply.

Cheers,
Jo


#14 Tiredmaiden
  • Topic Starter
  • Members
  • 22 posts
  • Location:Eastern USA

Posted 19 September 2016 - 02:16 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 17-09-2016
Ran by maide_000 (19-09-2016 14:38:06) Run:1
Running from C:\Users\C\Desktop
Loaded Profiles: C & maide_000 & vette_000 (Available Profiles: C & maide_000 & vette_000)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\MountPoints2: {8ad259cb-e203-11e4-8264-90489a5b58fa} - "D:\LaunchU3.exe" -a
HKU\S-1-5-21-3412248325-257921828-2620446140-1001\...\MountPoints2: {da155eb9-ec70-11e5-8282-f8bc129619e2} - "D:\imageviewer.exe"
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-3412248325-257921828-2620446140-1006_classes] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKU\S-1-5-21-3412248325-257921828-2620446140-1001 -> {551742F3-6A9B-481A-8713-310CF36899D5} URL = hxxps://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
FF Plugin HKU\S-1-5-21-3412248325-257921828-2620446140-1001: @emusic.com/eMusicPlugin DLM6 -> C:\Program Files\eMusic Download Manager 6\npEMusic604.dll [No File]
S3 cleanhlp; \??\C:\EEK\bin\cleanhlp64.sys [X]
2014-06-25 13:46 - 2014-06-25 13:46 - 0000121 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log
2014-06-25 13:42 - 2014-06-25 13:43 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log
2014-06-25 13:43 - 2014-06-25 13:44 - 0000111 _____ () C:\ProgramData\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}.log
2014-06-25 13:44 - 2014-06-25 13:46 - 0000108 _____ () C:\ProgramData\{B46BEA36-0B71-4A4E-AE41-87241643FA0A}.log
2014-06-25 13:42 - 2014-06-25 13:42 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
HKU\S-1-5-21-3412248325-257921828-2620446140-1003\...\Winlogon: [Shell] C:\Windows\EXPLORER.EXE [2501368 2015-01-27] (Microsoft Corporation) <==== ATTENTION
EmptyTemp:
RemoveProxy:
Hosts:
End
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui" => key removed successfully
"HKU\S-1-5-21-3412248325-257921828-2620446140-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8ad259cb-e203-11e4-8264-90489a5b58fa}" => key removed successfully
HKCR\CLSID\{8ad259cb-e203-11e4-8264-90489a5b58fa} => key not found.
"HKU\S-1-5-21-3412248325-257921828-2620446140-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da155eb9-ec70-11e5-8282-f8bc129619e2}" => key removed successfully
HKCR\CLSID\{da155eb9-ec70-11e5-8282-f8bc129619e2} => key not found.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
Could not restore Default URLSearchHook.
"HKU\S-1-5-21-3412248325-257921828-2620446140-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{551742F3-6A9B-481A-8713-310CF36899D5}" => key removed successfully
HKCR\CLSID\{551742F3-6A9B-481A-8713-310CF36899D5} => key not found.
"HKU\S-1-5-21-3412248325-257921828-2620446140-1001\Software\MozillaPlugins\@emusic.com/eMusicPlugin DLM6" => key removed successfully
C:\Program Files\eMusic Download Manager 6\npEMusic604.dll => not found.
cleanhlp => service removed successfully
C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log => moved successfully
C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log => moved successfully
C:\ProgramData\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}.log => moved successfully
C:\ProgramData\{B46BEA36-0B71-4A4E-AE41-87241643FA0A}.log => moved successfully
C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log => moved successfully
HKU\S-1-5-21-3412248325-257921828-2620446140-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value removed successfully

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-3412248325-257921828-2620446140-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-3412248325-257921828-2620446140-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-3412248325-257921828-2620446140-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-3412248325-257921828-2620446140-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-3412248325-257921828-2620446140-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-3412248325-257921828-2620446140-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully


========= End of RemoveProxy: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 17654635 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 1528678845 B
Edge => 0 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 492790 B
systemprofile32 => 128 B
LocalService => 47910 B
NetworkService => 2156986 B
C => 88403695 B
maide_000 => 306120411 B
vette_000 => 96639521 B

RecycleBin => 38158 B
EmptyTemp: => 1.9 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 14:39:25 ====

#15 Jo*
  • Malware Response Team
  • 3,400 posts
  • Location:Germany

Posted 19 September 2016 - 02:57 PM

:step1: Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 5 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7/8/10 users need to right click and choose Run as Administrator
You only need to get one of them to run, not all of them. Do not reboot your computer after running rkill, as the malware programs will start again.


---


:step2: Malwarebytes' Anti-Malware
If this program is already installed: Skip the installation and run only the scan!
Download and install: Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
How to get logs: (Export log to save as txt)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.
(Copy to clipboard for pasting into forum replies or tickets)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

---


:step3: How is the computer running now?


---


Cheers,
Jo




