Unknown infection- tricky


17 replies to this topic

#1 wingandaprayer

wingandaprayer

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:52 PM

Posted 23 September 2016 - 10:55 PM

Hello friends,

I got this infection from (I think) infected PDFs and from using bad sharing settings on my document drive.

I found out I had a problem from someone who sent me an automated email saying I had sent them a phishing email.

I already had Windows Defender.

With difficulty I was able to run Malwarebytes (using Chameleon), and it disabled a piece of malware.

I ran SuperAntiSpyware which took out a lot of cookies.

I tried the ESET online scanner both in regular and safe modes, and the virus always prevented it from finishing, although it did find a few infected files in safe mode; it just couldn't remove them.

I tried other antiviruses but they won't run.

I installed FRST in Safe Mode and took a log, which I include below. When I tried to take a log outside of safe mode, the computer disk ran at 99% and FRST disappeared. I had to hunt down the application in File Explorer. When I tried to run it, I got a strange message saying that this would restore the registry for Windows 2000, which I had to say "yes" to, and I wasn't sure how to proceed, so I did not. If I need to run something in regular mode, can you tell me how to do that?

I am enclosing the log taken in safe mode.

The infection, I think, originated in and still exists on a flash drive containing all my documents and on an external hard drive, both of which need to be cleaned too.

I bought this computer used and it had a lot of bloatware and who knows what else which I never removed.

I could just reinstall Windows 10 if that would do it, because I have no critical documents on the computer. There is still the matter of my flash drive and external hard drive needing to be disinfected.

Is there a need to change all my passwords and credit cards? I have Google autofill, and everything is supposedly encrypted (?).

Also, suggestions to avoid future infection would be welcome.

Thank you.

Holly
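An added example (my own, not part of Holly's post and not a feature of FRST): a small Python script that reads the section layout of the FRST Addition.txt log enclosed below and pulls out the entries a helper usually checks first: which products the Security Center section reports as enabled, installed programs carrying the Hidden flag, scheduled tasks whose target file is gone ("No File <==== ATTENTION"), tasks whose executable sits in a user-writable directory with no publisher recorded in the trailing parentheses, and the UAC policy values. SAMPLE_LOG is a constructed excerpt in the same line format; the "Updater" task line in it is invented here to exercise the last check and does not appear in the real log.

```python
"""Triage of an FRST (Farbar Recovery Scan Tool) Addition.txt log.
Added example, not part of the original post and not an FRST feature.
SAMPLE_LOG is a constructed excerpt; the "Updater" task line is invented."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
==================== Security Center ========================
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Bitdefender Antivirus Free Antimalware (Disabled - Up to date) {3FB17364-4FCC-0FA7-6BBF-973897395371}
==================== Installed Programs ======================
DisableMSDefender (Version: 1.0.0 - Hewlett-Packard Company) Hidden
==================== Scheduled Tasks (Whitelisted) =============
Task: {09F63722-E52D-4CEF-9F76-BFBB8B552619} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {A58D48AD-3F22-4AA9-836A-CCFC0863CCF4} - System32\Tasks\OneDrive Standalone Update Task => C:\Users\Holly\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\OneDriveStandaloneUpdater.exe [2016-08-31] (Microsoft Corporation)
Task: {081B3BEE-9C00-4E58-8ED1-013B67C3D8E1} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater - Resources => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2016-08-03] (HP Inc.)
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\Updater => C:\Users\Holly\AppData\Roaming\upd.exe [2016-09-20] ()
==================== Other Areas ============================
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
"""

SECTION = re.compile(r"^=+ (.+?) =+$")
AV_LINE = re.compile(r"^(AV|AS): (.+?) \((Enabled|Disabled) - .+?\) \{[0-9A-Fa-f-]+\}$")
ORPHAN = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (.+?) -> No File <==== ATTENTION$")
# name => path [yyyy-mm-dd] (publisher); FRST prints the publisher it found
# in the trailing parentheses, so an empty "()" means it found none.
TASK = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (.+?) => (.+?)"
                  r"(?: \[\d{4}-\d{2}-\d{2}\])?(?: \(([^()]*)\))?$")
HIDDEN = re.compile(r"^(.+?) \(.*Version: .*\) Hidden$")
UAC = re.compile(r"\(ConsentPromptBehaviorAdmin: (\d+)\) "
                 r"\(ConsentPromptBehaviorUser: (\d+)\) \(EnableLUA: (\d+)\)")
# Directories an unprivileged user can write to (assumed list, not FRST's).
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users|ProgramData)\\|\\Temp\\", re.I)

def parse_sections(text):
    """Group log lines under the '==== Name ====' header they fall under."""
    sections, current = defaultdict(list), None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := SECTION.match(line):
            current = m.group(1).strip()
        elif current:
            sections[current].append(line)
    return sections

def security_center(sections):
    """[(product, enabled?)] for the AV: entries only."""
    return [(m.group(2), m.group(3) == "Enabled")
            for line in sections.get("Security Center", [])
            if (m := AV_LINE.match(line)) and m.group(1) == "AV"]

def hidden_programs(sections):
    return [m.group(1) for line in sections.get("Installed Programs", [])
            if (m := HIDDEN.match(line))]

def triage_tasks(sections):
    """Orphaned tasks (target file gone) and tasks worth a closer look:
    executable in a user-writable directory with no publisher recorded."""
    orphaned, review = [], []
    for line in sections.get("Scheduled Tasks (Whitelisted)", []):
        if m := ORPHAN.match(line):
            orphaned.append(m.group(1))
        elif m := TASK.match(line):
            name, path, publisher = m.groups()
            if USER_WRITABLE.search(path) and not (publisher or "").strip():
                review.append((name, path))
    return orphaned, review

def uac_settings(sections):
    """EnableLUA 1 = UAC on. ConsentPromptBehaviorAdmin 0 = elevate silently,
    5 = prompt for consent for non-Windows binaries (the Windows default)."""
    for line in sections.get("Other Areas", []):
        if m := UAC.search(line):
            admin, user, lua = map(int, m.groups())
            return {"uac_on": lua == 1, "admin_prompt": admin,
                    "user_prompt": user, "silent_elevation": admin == 0}
    return None

def triage(text):
    s = parse_sections(text)
    orphaned, review = triage_tasks(s)
    return {"av": security_center(s), "hidden": hidden_programs(s),
            "orphaned_tasks": orphaned, "review_tasks": review,
            "uac": uac_settings(s)}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it as-is to see the summary, or replace SAMPLE_LOG with the contents of a real Addition.txt. On the log below the script reports one of the two AV products as enabled, the DisableMSDefender entry among the hidden HP packages, and the GWX scheduled tasks (left over from the "Get Windows 10" upgrade campaign) as orphaned. None of those is evidence of the infection on its own, which is why the output is a list to read rather than a verdict; the "no publisher in a user-writable directory" check is a prompt for a closer look, not a malware determination.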
 Additional scan result of Farbar Recovery Scan Tool (x64) Version: 21-09-2016

Ran by Holly (23-09-2016 22:44:22)
Running from C:\Users\Holly\Downloads
Windows 10 Home Version 1607 (X64) (2016-09-19 06:40:08)
Boot Mode: Safe Mode (with Networking)
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-3422109349-2128020783-1673974931-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-3422109349-2128020783-1673974931-503 - Limited - Disabled)
Guest (S-1-5-21-3422109349-2128020783-1673974931-501 - Limited - Disabled)
Holly (S-1-5-21-3422109349-2128020783-1673974931-1001 - Administrator - Enabled) => C:\Users\Holly
HomeGroupUser$ (S-1-5-21-3422109349-2128020783-1673974931-1003 - Limited - Enabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Bitdefender Antivirus Free Antimalware (Disabled - Up to date) {3FB17364-4FCC-0FA7-6BBF-973897395371}
AS: Bitdefender Antivirus Free Antimalware (Disabled - Up to date) {84D09280-69F6-0029-510F-AC4AECBE19CC}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
4 Elements II (x32 Version: 2.2.0.98 - WildTangent) Hidden
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.017.20053 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.0 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.0.4.144 - Adobe Systems, Inc.)
Airport Mania (x32 Version: 2.2.0.95 - WildTangent) Hidden
Azkend 2: The World Beneath (x32 Version: 2.2.0.98 - WildTangent) Hidden
Bejeweled 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Bitdefender 60-Second Virus Scanner (HKLM\...\{CCEA2053-D975-4E38-AC09-4D5E6DAC6B6F}) (Version: 1.0.3.76 - Bitdefender)
Bitdefender Agent (HKLM\...\Bitdefender Agent) (Version: 1.0.1 - Bitdefender)
Bitdefender Antivirus Free (HKLM\...\{1FCCF41D-5F00-4FE2-9653-162D0486C8B4}) (Version: 1.0.2.21 - Bitdefender)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Bounce Symphony (x32 Version: 2.2.0.97 - WildTangent) Hidden
Build-a-lot (x32 Version: 2.2.0.98 - WildTangent) Hidden
Cradle Of Egypt Collector's Edition (x32 Version: 2.2.0.110 - WildTangent) Hidden
Cradle of Rome 2 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Curse at Twilight (x32 Version: 3.0.2.32 - WildTangent) Hidden
CyberLink LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.5.6902 - CyberLink Corp.)
CyberLink Media Suite 10 (HKLM-x32\...\InstallShield_{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}) (Version: 10.0.9.4928 - CyberLink Corp.)
Cyberlink PhotoDirector (HKLM-x32\...\InstallShield_{39337565-330E-4ab6-A9AE-AC81E0720B10}) (Version: 3.0.4.4824 - CyberLink Corp.)
CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.10.5422 - CyberLink Corp.)
CyberLink PowerDirector 10 (HKLM-x32\...\InstallShield_{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}) (Version: 10.0.5.3304 - CyberLink Corp.)
CyberLink PowerDVD 12 (HKLM-x32\...\InstallShield_{B46BEA36-0B71-4A4E-AE41-87241643FA0A}) (Version: 12.0.2.3418 - CyberLink Corp.)
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 5.0.2.3618 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Delicious: Emily's Childhood Memories Premium Edition (x32 Version: 3.0.2.32 - WildTangent) Hidden
DisableMSDefender (Version: 1.0.0 - Hewlett-Packard Company) Hidden
Energy Star (HKLM\...\{465CA2B6-98AF-4E77-BE22-A908C34BB9EC}) (Version: 1.0.9 - Hewlett-Packard Company)
Epson Customer Research Participation (HKLM\...\{B26449A6-6007-4460-B4FE-C4776115BCEA}) (Version: 1.81.0000 - Seiko Epson Corporation)
Epson Event Manager (HKLM-x32\...\{4B22C430-7EA8-4534-8358-376FD900B953}) (Version: 3.10.0042 - Seiko Epson Corporation)
Epson FAX Utility (HKLM-x32\...\{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}) (Version: 1.53.00 - SEIKO EPSON CORPORATION)
Epson PC-FAX Driver (HKLM-x32\...\EPSON PC-FAX Driver 2) (Version:  - )
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EPSON WF-3620 Series Printer Uninstall (HKLM\...\EPSON WF-3620 Series) (Version:  - SEIKO EPSON Corporation)
Epson WF-3620 User’s Guide version 1.0 (HKLM-x32\...\UsersGuideEpson WF-3620 User’s Guide_is1) (Version: 1.0 - )
EpsonNet Print (HKLM\...\{15A0F113-BF2C-4C12-8AA8-42AE0D9AE1C9}) (Version: 3.1.2.0 - SEIKO EPSON Corporation)
Farm Frenzy (x32 Version: 2.2.0.98 - WildTangent) Hidden
Fishdom 3: Collector's Edition (x32 Version: 3.0.2.38 - WildTangent) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 53.0.2785.116 - Google Inc.)
Google Update Helper (x32 Version: 1.3.31.5 - Google Inc.) Hidden
Governor of Poker 2 Premium Edition (x32 Version: 2.2.0.110 - WildTangent) Hidden
Hewlett-Packard ACLM.NET v1.2.2.3 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden
House of 1000 Doors: Family Secrets (x32 Version: 2.2.0.98 - WildTangent) Hidden
HP 3D DriveGuard (HKLM-x32\...\{E8D0E2B8-B64B-44BC-8E01-00DDACBDF78A}) (Version: 6.0.28.1 - Hewlett-Packard Company)
HP Connected Music (Meridian - installer) (HKLM-x32\...\StartHPConnectedMusic) (Version: 1.0 - Meridian Audio Ltd)
HP CoolSense (HKLM-x32\...\{ADE2F6A7-E7BD-4955-BD66-30903B223DDF}) (Version: 2.20.41 - Hewlett-Packard Company)
HP Documentation (HKLM-x32\...\{73BC7E46-44A8-4CDE-B87E-42C6D949C2AE}) (Version: 1.2.0.0 - Hewlett-Packard)
HP Registration Service (HKLM\...\{D1E8F2D7-7794-4245-B286-87ED86C1893C}) (Version: 1.2.7372.4698 - Hewlett-Packard)
HP SimplePass (HKLM-x32\...\InstallShield_{314FAD12-F785-4471-BCE8-AB506642B9A1}) (Version: 8.00.57 - Hewlett-Packard)
HP Support Assistant (HKLM-x32\...\{61EB474B-67A6-47F4-B1B7-386851BAB3D0}) (Version: 8.3.34.7 - Hewlett-Packard Company)
HP Support Solutions Framework (HKLM-x32\...\{F6A11738-3EE4-4573-AEA5-6CD5D491C167}) (Version: 12.5.32.37 - Hewlett-Packard Company)
HP System Event Utility (HKLM-x32\...\{8B4EE87E-6D40-4C91-B5E8-0DC77DC412F1}) (Version: 1.4.1 - Hewlett-Packard Company)
HP Utility Center (HKLM\...\{891A1782-8B20-4403-8383-458962525926}) (Version: 2.3.4 - Hewlett-Packard Company)
HP Wireless Button Driver (HKLM-x32\...\{EFA01423-3857-468C-B7B6-F30AA08E50BC}) (Version: 1.1.5.1 - Hewlett-Packard)
Inst5675 (Version: 8.00.57 - Softex Inc.) Hidden
Inst5676 (Version: 8.00.57 - Softex Inc.) Hidden
Intel® Chipset Device Software (x32 Version: 10.0.22 - Intel® Corporation) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.4358 - Intel Corporation)
Intel® Sideband Fabric Device Driver (HKLM-x32\...\C5A8BC6E-723A-4C0F-96E1-C426D1A4BCA9) (Version: 1.70.305.16316 - Intel Corporation)
Intel® Smart Connect Technology (HKLM\...\{51AC86D3-C431-48AD-9195-0D6C930D07CD}) (Version: 4.2.41.2710 - Intel Corporation)
Intel® Trusted Execution Engine (HKLM\...\{176E2755-0A17-42C6-88E2-192AB2131278}) (Version: 1.0.0.1050 - Intel Corporation)
Intel® Virtual Buttons (HKLM-x32\...\1992736F-C90A-481C-B21B-EE34CAD07387) (Version: 1.0.0.17 - Intel Corporation)
Jewel Match 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
John Deere Drive Green (x32 Version: 2.2.0.95 - WildTangent) Hidden
King Oddball (x32 Version: 3.0.2.48 - WildTangent) Hidden
Luxor Evolved (x32 Version: 2.2.0.98 - WildTangent) Hidden
Mahjongg Dimensions Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Mediatek Bluetooth (HKLM\...\{904C579C-9366-D3B7-7F31-4879401DBD4A}) (Version: 11.0.756.0 - Mediatek)
Microsoft Office Professional Plus 2013 - en-us (HKLM\...\ProPlusRetail - en-us) (Version: 15.0.4859.1002 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50709.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106 (HKLM-x32\...\{6e8f74e0-43bd-4dce-8477-6ff6828acc07}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM-x32\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Movie Maker (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden
Mystery P.I. - Curious Case of Counterfeit Cove (x32 Version: 2.2.0.98 - WildTangent) Hidden
NirSoft ProduKey (HKLM-x32\...\NirSoft ProduKey) (Version:  - )
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4849.1003 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4849.1003 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4849.1003 - Microsoft Corporation) Hidden
Peggle Nights (x32 Version: 2.2.0.98 - WildTangent) Hidden
Penguins! (x32 Version: 2.2.0.98 - WildTangent) Hidden
Pinger (HKLM-x32\...\Pinger 1.4.0.1) (Version: 1.4.0.1 - Pinger Inc.)
Pinger (x32 Version: 1.4.0.1 - Pinger Inc.) Hidden
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.98 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
Ralink RT3290 802.11bgn Wi-Fi Adapter (HKLM-x32\...\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}) (Version: 5.0.50.0 - Mediatek)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.3.9600.21262 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.35.716.2014 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7564 - Realtek Semiconductor Corp.)
Roads of Rome 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Skype™ 7.26 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.26.101 - Skype Technologies S.A.)
Software Updater (HKLM-x32\...\{8DBC5A0A-31C4-46C7-B252-6B593EA11A87}) (Version: 4.3.7 - SEIKO EPSON CORPORATION)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1224 - SUPERAntiSpyware.com)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics ClickPad Driver (HKLM\...\SynTPDeinstKey) (Version: 19.0.12.107 - Synaptics Incorporated)
Tales of Lagoona (x32 Version: 2.2.0.110 - WildTangent) Hidden
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
Vacation Quest™ - Australia (x32 Version: 3.0.2.32 - WildTangent) Hidden
WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.4.0 - WildTangent)
WildTangent Games App (HP Games) (x32 Version: 4.0.10.15 - WildTangent) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3508.0205 - Microsoft Corporation)
Youda Jewel Shop (x32 Version: 3.0.2.32 - WildTangent) Hidden
Zuma's Revenge (x32 Version: 2.2.0.98 - WildTangent) Hidden
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-3422109349-2128020783-1673974931-1001_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\Holly\AppData\Local\Microsoft\OneDrive\17.3.6517.0809_1\FileCoAuth.exe (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3422109349-2128020783-1673974931-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\WINDOWS\system32\igfxEM.exe (Intel Corporation)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {019A6A87-64DC-40FC-BFA2-D1AFEE19A63A} - System32\Tasks\EPSON WF-3620 Series Update {2B8DAD54-8A80-4C71-8C6E-C00DD2F1D762} => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSKEE.EXE [2013-02-28] (SEIKO EPSON CORPORATION)
Task: {037AF256-D7CF-47C9-8ACF-8CAC5C2EABCA} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\Program Files\Windows Defender\\MpCmdRun.exe [2016-07-16] (Microsoft Corporation)
Task: {081B3BEE-9C00-4E58-8ED1-013B67C3D8E1} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater - Resources => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2016-08-03] (HP Inc.)
Task: {09F63722-E52D-4CEF-9F76-BFBB8B552619} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {0B03367E-E948-4FF3-AF78-E8FCD6453B6E} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-07-05] (Microsoft Corporation)
Task: {172A7DBA-8677-4A24-925A-B083F8766158} - System32\Tasks\Hewlett-Packard\HP Active Health\HP Active Health Scan (HPSA) => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe [2016-08-18] (HP Inc.)
Task: {2140D08B-11D0-445F-9C72-8C34CEA21485} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-09-08] (Adobe Systems Incorporated)
Task: {32CE13C5-CF6A-4AE4-8F87-6833C8C20638} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2016-08-23] (HP Inc.)
Task: {352E6CA0-7314-4DF4-89C4-682368D80D57} - System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => C:\Windows\System32\AutoWorkplace.exe
Task: {3C76CD56-6F97-4DFB-985F-E9A996DE7B54} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2016-08-03] (HP Inc.)
Task: {4A768346-6916-4E4E-9A68-5A9B6F0EB117} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {5A625B98-699C-45A3-90E0-AD78A45F99F5} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\Program Files\Windows Defender\\MpCmdRun.exe [2016-07-16] (Microsoft Corporation)
Task: {5F5D7CA3-38ED-460F-8298-AD3FFA1F7AD6} - System32\Tasks\EPSON WF-3620 Series Invitation {F0D5952B-D843-4226-9B8C-D45FDF072AB2} => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSKEE.EXE [2013-02-28] (SEIKO EPSON CORPORATION)
Task: {6D5B4573-F08A-4216-B704-73D9039BFE07} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {6F02C206-52EA-48EF-B005-CF634F188E1C} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {7764E4AF-104E-45FA-A232-C4870DC9A89A} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\Program Files\Windows Defender\\MpCmdRun.exe [2016-07-16] (Microsoft Corporation)
Task: {77B6EE73-D522-4F90-B8B4-9783C9D0175E} - \WPD\SqmUpload_S-1-5-21-3422109349-2128020783-1673974931-1001 -> No File <==== ATTENTION
Task: {7866513C-D3C8-48EF-B230-7F50A2263C3A} - System32\Tasks\YCMServiceAgent => C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe [2013-12-17] (CyberLink Corp.)
Task: {792C02FC-F1E5-429B-8DD9-C4DE43A97E8A} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {7A283D89-1C69-4AB7-8574-87B3FF029574} - System32\Tasks\Bitdefender Agent WatchDog_65D6944A0EF74FDAB96E31112AD39864 => C:\Program Files\Bitdefender Agent\WatchDog.exe [2016-06-14] (Bitdefender)
Task: {7A298AFD-F003-479E-A59B-3C7EC8E36D64} - System32\Tasks\EPSON WF-3620 Series Invitation {2B8DAD54-8A80-4C71-8C6E-C00DD2F1D762} => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSKEE.EXE [2013-02-28] (SEIKO EPSON CORPORATION)
Task: {80490CD4-D89D-4B7F-BD02-9EB4F3D51E18} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\Program Files\Windows Defender\\MpCmdRun.exe [2016-07-16] (Microsoft Corporation)
Task: {8EE4D655-DA67-49B4-ACBD-A27EE9A5C5F6} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2016-09-01] (Microsoft Corporation)
Task: {992E8A2B-FB09-47F1-B7F3-E820E95A3A4F} - System32\Tasks\HPCeeScheduleForHolly => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2015-06-16] (Hewlett-Packard)
Task: {9B621878-6DFB-4C22-80CC-3BCA90369AEA} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {A58D48AD-3F22-4AA9-836A-CCFC0863CCF4} - System32\Tasks\OneDrive Standalone Update Task => C:\Users\Holly\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\OneDriveStandaloneUpdater.exe [2016-08-31] (Microsoft Corporation)
Task: {A6F4A19C-4647-410D-A31C-68172B1FB141} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-08-26] (Google Inc.)
Task: {A7A6A018-2703-4B64-84A0-85E37C5A3C84} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {A7EA90E1-ED86-43FD-A426-5273B760ECE2} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {AC195F14-3879-45CF-89B4-A388584D1D45} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {AD8A80BA-01C3-4D52-B00B-2472E02E89BD} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-08-26] (Google Inc.)
Task: {B749B156-19B5-420C-8519-26C3BD1DF8DB} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {B970E594-97C6-45AB-AFFE-9697840D887C} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2016-08-23] (HP Inc.)
Task: {BA534CAD-D0B6-4E50-8D5A-9CFD726313E6} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Opt-in For HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF_Utils.exe [2016-08-23] (HP Inc.)
Task: {C3CAE956-9004-4B0A-B85F-E7824F5A54F8} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {C5084E85-F31C-47F3-830F-52902FF1B905} - System32\Tasks\Synaptics TouchPad Enhancements => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2016-05-27] (Synaptics Incorporated)
Task: {D8131A79-0B99-4140-B3E8-6FCFDA18ABCB} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2016-09-01] (Microsoft Corporation)
Task: {DE377F7D-FE4C-4F78-9900-D985054B2D90} - System32\Tasks\Hewlett-Packard\HP CoolSense\HP CoolSense Start at Logon => C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [2014-05-19] (Hewlett-Packard Development Company, L.P.)
Task: {E0EA8614-DF07-4964-91E0-B260C30D73E3} - System32\Tasks\EPSON WF-3620 Series Update {F0D5952B-D843-4226-9B8C-D45FDF072AB2} => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSKEE.EXE [2013-02-28] (SEIKO EPSON CORPORATION)
Task: {F0D3178D-F255-4831-87BB-EC7C82145036} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Report => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSFReport.exe [2016-05-09] (Hewlett-Packard)
Task: {F2B5FD74-5F62-4FF3-8894-83DFF335A336} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-07-05] (Microsoft Corporation)
Task: {FA357B2F-E5F9-4507-BFE6-8651230150A0} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {FC719950-5241-480F-980E-C1588105919C} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\ Invitation {871A0272-DEE8-4022-BFAF-DABE0AC712F4}.job => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSKEE.EXE
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
Task: C:\WINDOWS\Tasks\EPSON WF-3620 Series Invitation {2B8DAD54-8A80-4C71-8C6E-C00DD2F1D762}.job => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSKEE.EXE
Task: C:\WINDOWS\Tasks\EPSON WF-3620 Series Invitation {F0D5952B-D843-4226-9B8C-D45FDF072AB2}.job => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSKEE.EXE
Task: C:\WINDOWS\Tasks\EPSON WF-3620 Series Update {2B8DAD54-8A80-4C71-8C6E-C00DD2F1D762}.job => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSKEE.EXE:/EXE:{2B8DAD54-8A80-4C71-8C6E-C00DD2F1D762} /F:Update WORKGROUP\LAPTOP$
Searches for EPSON software updates, and notifies you when updates are available.If this task is disabled or stopped, your EPSON software will not be automatically kept up to date.Thi
Task: C:\WINDOWS\Tasks\EPSON WF-3620 Series Update {F0D5952B-D843-4226-9B8C-D45FDF072AB2}.job => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSKEE.EXE:/EXE:{F0D5952B-D843-4226-9B8C-D45FDF072AB2} /F:Update WORKGROUP\LAPTOP$
Searches for EPSON software updates, and notifies you when updates are available.If this task is disabled or stopped, your EPSON software will not be automatically kept up to date.Thi
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\HPCeeScheduleForHolly.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-07-16 07:42 - 2016-07-16 07:42 - 00231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2016-09-19 05:38 - 2016-09-19 05:38 - 02681200 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2016-09-19 05:38 - 2016-09-19 05:38 - 02681200 _____ () C:\WINDOWS\SYSTEM32\CoreUIComponents.dll
2016-09-01 15:06 - 2016-09-01 15:06 - 08909504 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2016-09-19 05:38 - 2016-09-19 05:38 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2016-09-19 05:38 - 2016-09-19 05:38 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2016-09-19 05:38 - 2016-09-19 05:38 - 09760256 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-09-19 05:38 - 2016-09-19 05:38 - 01401344 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-09-19 05:38 - 2016-09-19 05:38 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2016-09-19 05:38 - 2016-09-19 05:38 - 01033216 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll
2016-09-19 05:38 - 2016-09-19 05:38 - 02438144 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-09-19 05:38 - 2016-09-19 05:38 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2016-09-17 13:42 - 2016-09-12 17:48 - 30996160 _____ () C:\Users\Holly\AppData\Local\Google\Chrome\User Data\PepperFlash\23.0.0.166\pepflashplayer.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\iaioi2ce.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 09:25 - 2013-08-22 09:25 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3422109349-2128020783-1673974931-1001\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 75.75.75.75 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKU\S-1-5-21-3422109349-2128020783-1673974931-1001\...\StartupApproved\Run: => "OneDrive"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{3C761556-903F-4825-B9BA-6AF7B32B6899}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [UDP Query User{86365AE9-DF90-4B5C-8C9A-E505B154029E}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Allow) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [TCP Query User{23B79DC3-8FE4-4979-8B12-3A5422DD0DDC}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Allow) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [{EFE0452F-892C-4BA0-B862-FA46323337BC}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\UcMapi.exe
FirewallRules: [{12843F09-ECD8-46C0-986A-116C1A18DCB1}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\Lync.exe
FirewallRules: [{2C885D8A-8676-4F9D-A873-F471AC51DDDC}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\outlook.exe
FirewallRules: [{B7B8BB03-1294-430B-B89D-368349462146}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\UcMapi.exe
FirewallRules: [{BFF4C943-D2E3-4CEA-B099-3CF23D9566C0}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\Lync.exe
FirewallRules: [{A812172E-84CD-471A-B4C9-618C68B0C3F4}] => (Allow) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
FirewallRules: [{4A8F6013-5D8C-4E4E-9CF1-A1055F223AA0}] => (Allow) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
FirewallRules: [{E1E437B0-808E-4FB9-ACDB-AD5F86343214}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{C059D9AF-0193-4AE3-8EAE-4EF492247359}] => (Allow) LPort=2869
FirewallRules: [{8AACE8FD-B9A7-49F0-A0DF-77994D235A69}] => (Allow) LPort=1900
FirewallRules: [{7722C4B1-2D4D-4FF2-8FA6-AF269BCA8B0E}] => (Allow) C:\Program Files (x86)\HPConnectedMusic\HPConnectedMusic.exe
FirewallRules: [{E4D3CA39-F112-4486-BEE7-9BA8DF25F7A4}] => (Allow) C:\Program Files (x86)\HPConnectedMusic\HPConnectedMusic.exe
FirewallRules: [{387C579B-0A68-4092-9231-2E66E1E106C2}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\HPConnectedMusic.exe
FirewallRules: [{6904023C-F82F-4A47-AA74-4E90127107F4}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\HPConnectedMusic.exe
FirewallRules: [{DBFE8F1C-0C4E-40AC-871E-A0E8957E41B9}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\spotify_helper.exe
FirewallRules: [{10669D98-CCF3-46D6-9535-07ED136843F6}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\spotify_helper.exe
FirewallRules: [{0770A7A3-BA34-4A35-854B-6A0A8B58323A}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{81E312C4-4F54-4475-9609-96D920E35246}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{7D43D86F-3AF5-4968-A67C-A1754C68E91C}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{F0F15407-05AD-4AC7-B98A-7AEF00AC8363}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{B2CA7CB6-5C1F-4D08-B35A-D65DAAB8933C}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12.exe
FirewallRules: [{349AF2DB-70AC-4AE4-9E21-1EB2010AE097}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMR\PowerDVD12DMREngine.exe
FirewallRules: [{5447BCC8-1A1F-4DA2-8B13-B28580DFA76C}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe
FirewallRules: [{6AC8CAF0-8ECE-4899-B5FC-8E9FD4A47AB3}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12Agent.exe
FirewallRules: [{5D083ABC-3EA5-4356-AD18-C3C543CB4B7C}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12ML.exe
FirewallRules: [{8E5CA42B-5332-4113-88D7-1232B62E5512}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Movie\PowerDVD.exe
FirewallRules: [{2AF10D10-9E88-48D2-90F8-A0C490564C16}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{5EA5706C-CF4E-4F47-922C-C470A076D6EE}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDirector10\PDR10.EXE
FirewallRules: [TCP Query User{C47A0A74-3A5A-46FE-9C3C-1BE48E868A45}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [UDP Query User{8FD29DC0-5E3A-4CC2-88E9-40B283059F1E}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
 
==================== Restore Points =========================
 
19-09-2016 13:05:56 Removed EMET 5.51
19-09-2016 22:42:41 Windows Backup
20-09-2016 23:48:49 Removed Epson Customer Research Participation
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (09/23/2016 08:58:57 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: esetonlinescanner_enu.exe, version: 2.0.12.0, time stamp: 0x57ac3e59
Faulting module name: esetonlinescanner_enu.exe, version: 2.0.12.0, time stamp: 0x57ac3e59
Exception code: 0xc0000005
Fault offset: 0x000361d1
Faulting process id: 0x498
Faulting application start time: 0x01d215da0c1d3f76
Faulting application path: C:\Users\Holly\Downloads\esetonlinescanner_enu.exe
Faulting module path: C:\Users\Holly\Downloads\esetonlinescanner_enu.exe
Report Id: 8bf74e5d-6713-402e-adb7-fb4e6bf5ac30
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (09/23/2016 06:09:00 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: LAPTOP)
Description: Activation of app Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (09/23/2016 04:35:06 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: LAPTOP)
Description: Activation of app Microsoft.Getstarted_4.0.12.0_x64__8wekyb3d8bbwe:App.AppX7mv0s3r0wanj0n66dy6vax24ps6avzvz.mca failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (09/23/2016 04:28:03 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program esetonlinescanner_enu.exe version 2.0.12.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
 
Process ID: 2f34
 
Start Time: 01d215cbf73041a6
 
Termination Time: 4294967295
 
Application Path: C:\Users\Holly\Downloads\esetonlinescanner_enu.exe
 
Report Id: 38cdc051-81cc-11e6-8280-a0cec8030c31
 
Faulting package full name: 
 
Faulting package-relative application ID:
 
Error: (09/23/2016 03:50:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: downloader.exe, version: 3.0.3.829, time stamp: 0x56f287f2
Faulting module name: wslib.dll, version: 4.1.0.144, time stamp: 0x577cb99b
Exception code: 0xc0000005
Fault offset: 0x0000000000092957
Faulting process id: 0x2904
Faulting application start time: 0x01d215d3b0af1c33
Faulting application path: C:\Program Files\Bitdefender Antivirus Free\downloader.exe
Faulting module path: C:\Program Files\Bitdefender Antivirus Free\wslib.dll
Report Id: c0e7828e-9eb0-494b-84b4-973be0a00505
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (09/23/2016 02:50:10 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: downloader.exe, version: 3.0.3.829, time stamp: 0x56f287f2
Faulting module name: wslib.dll, version: 4.1.0.144, time stamp: 0x577cb99b
Exception code: 0xc0000005
Fault offset: 0x0000000000092957
Faulting process id: 0x2964
Faulting application start time: 0x01d215cb4ebdf8c3
Faulting application path: C:\Program Files\Bitdefender Antivirus Free\downloader.exe
Faulting module path: C:\Program Files\Bitdefender Antivirus Free\wslib.dll
Report Id: fc6967dd-fd51-43ec-a7ea-a286a03b10c1
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (09/23/2016 02:27:46 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "C:\Program Files\Microsoft Office 15\root\office15\lync.exe.Manifest".Error in manifest or policy file "C:\Program Files\Microsoft Office 15\root\office15\UccApi.DLL" on line 1.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0".
Please use sxstrace.exe for detailed diagnosis.
 
Error: (09/22/2016 09:45:11 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: LAPTOP)
Description: Activation of app Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (09/22/2016 08:41:18 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: LAPTOP)
Description: Activation of app windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel failed with error: -2147023170 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (09/22/2016 08:41:18 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: LAPTOP)
Description: Activation of app windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel failed with error: -2147023170 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
 
System errors:
=============
Error: (09/23/2016 10:45:46 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service EventSystem with arguments "Unavailable" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
 
Error: (09/23/2016 10:45:43 PM) (Source: DCOM) (EventID: 10005) (User: LAPTOP)
Description: DCOM got error "1084" attempting to start the service lfsvc with arguments "Unavailable" in order to run the server:
{08D9DFDF-C6F7-404A-A20F-66EEC0A609CD}
 
Error: (09/23/2016 10:45:43 PM) (Source: DCOM) (EventID: 10005) (User: LAPTOP)
Description: DCOM got error "1084" attempting to start the service lfsvc with arguments "Unavailable" in order to run the server:
{08D9DFDF-C6F7-404A-A20F-66EEC0A609CD}
 
Error: (09/23/2016 10:45:04 PM) (Source: DCOM) (EventID: 10005) (User: LAPTOP)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (09/23/2016 10:44:58 PM) (Source: DCOM) (EventID: 10005) (User: LAPTOP)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (09/23/2016 10:44:55 PM) (Source: DCOM) (EventID: 10005) (User: LAPTOP)
Description: DCOM got error "1084" attempting to start the service lfsvc with arguments "Unavailable" in order to run the server:
{08D9DFDF-C6F7-404A-A20F-66EEC0A609CD}
 
Error: (09/23/2016 10:44:55 PM) (Source: DCOM) (EventID: 10005) (User: LAPTOP)
Description: DCOM got error "1084" attempting to start the service lfsvc with arguments "Unavailable" in order to run the server:
{08D9DFDF-C6F7-404A-A20F-66EEC0A609CD}
 
Error: (09/23/2016 10:41:16 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service UsoSvc with arguments "Unavailable" in order to run the server:
{B91D5831-B1BD-4608-8198-D72E155020F7}
 
Error: (09/23/2016 10:40:57 PM) (Source: DCOM) (EventID: 10005) (User: LAPTOP)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (09/23/2016 10:40:49 PM) (Source: DCOM) (EventID: 10005) (User: LAPTOP)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}
 
 
CodeIntegrity:
===================================
  Date: 2016-09-23 22:41:18.010
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-09-23 22:41:18.006
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-09-23 15:32:05.604
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-09-23 15:32:05.598
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-09-23 15:32:05.559
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-09-23 15:32:05.552
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-09-23 15:32:05.489
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-09-23 15:32:05.459
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-09-23 15:32:05.410
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-09-23 15:32:05.402
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Pentium® CPU N3520 @ 2.16GHz
Percentage of memory in use: 71%
Total physical RAM: 8079.27 MB
Available physical RAM: 2307.73 MB
Total Virtual: 9359.27 MB
Available Virtual: 2593.54 MB
 
==================== Drives ================================
 
Drive c: (Windows) (Fixed) (Total:442.48 GB) (Free:269.1 GB) NTFS
Drive d: (RECOVERY) (Fixed) (Total:21.53 GB) (Free:2.12 GB) NTFS ==>[system with boot components (obtained from drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 7FE6773C)
 
Partition: GPT.
 
==================== End of Addition.txt ============================



 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:52 PM

Posted 24 September 2016 - 09:09 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

#3 wingandaprayer

wingandaprayer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:52 PM

Posted 25 September 2016 - 03:34 PM

Hi nasdaq,

I did what you suggested and I am including the log below. I did it in safe mode because I couldn't do it outside safe mode. The computer seems normal again! I then ran a scan with ESET Online Scanner which took 5 hours scanning 345,000 files, and did not detect anything.

 

Is there a tool that I can use to do a final scan "just to be sure" that you would recommend? I am already using Malwarebytes free edition. I also did a rootkit detection from Kaspersky's online tools which did not find anything. I could still reimage the computer to be more comprehensive.

 

Finally, I still have 2 infected USBs and one infected external hard drive (which represent all my documents). I thought a file had to be opened to infect (since I believe the problem is PDFs), but when I put one USB in an uninfected computer to load something else, the second computer immediately became infected. Is there a way to disinfect the USBs and external drive? Especially since they are so contagious. I was looking at Bitdefender's USB Immunizer, but it freaks me out that it makes a permanent change to the registry. It also concerns me that it seems especially difficult to scan PDFs for threats, if I am interpreting what I read on the internet correctly. I had removed all the suspicious PDFs to the second USB in hopes of fixing the problem, but it just created a second infected USB!

 

Thanks so much for your help!

 

 

Zoek.exe v5.0.0.1 Updated 19-September-2016
Tool run by Holly on Sat 09/24/2016 at 22:50:16.72.
Microsoft Windows 10 Home 10.0.14393  x64
Running in: Safe Mode NETWORK Internet Access Detected
Launched: C:\Users\Holly\Downloads\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
==== Empty Folders Check ======================
 
C:\PROGRA~3\Comms deleted successfully
C:\PROGRA~3\SoftwareDistribution deleted successfully
C:\Users\Holly\AppData\Local\ActiveSync deleted successfully
C:\Users\Holly\AppData\Local\EmieSiteList deleted successfully
C:\Users\Holly\AppData\Local\EmieUserList deleted successfully
C:\Users\Holly\AppData\Local\NetworkTiles deleted successfully
C:\Users\Holly\AppData\Local\Skype deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
HKEY_USERS\S-1-5-21-3422109349-2128020783-1673974931-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0FF3715E-DBF0-4AD9-B6CA-F505D1C3E82B} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0FF3715E-DBF0-4AD9-B6CA-F505D1C3E82B} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0FF3715E-DBF0-4AD9-B6CA-F505D1C3E82B} deleted successfully
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\PROGRA~3\{C19CA186-4F06-4E22-A1E6-6BAB4723A0DE} deleted
C:\PROGRA~3\{C6FA530F-BB98-4D9F-BA00-45FD0698077C} deleted
C:\PROGRA~3\Package Cache deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shopping and Services deleted
"C:\WINDOWS\Installer\67a41ea1.msi" deleted
"C:\Windows\Installer\18f7b0.msi" deleted
 
==== Chromium Look ======================
 
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
jkfpchpiljkaemlpmpebnglgkomamfeo - No path found[]
 
Plugins - Holly\AppData\Local\Google\Chrome\User Data\Default\Extensions\chemohaemmfhjpmlgkmkanfpfbkaihop
OneTab - Holly\AppData\Local\Google\Chrome\User Data\Default\Extensions\chphlpgkkbolifaimnlloiipkdnihall
Bookmark - Holly\AppData\Local\Google\Chrome\User Data\Default\Extensions\naghkjogakhpimmejjmakpmnbdeccinm
Tom's Hardware - My Threads - Holly\AppData\Local\Google\Chrome\User Data\Default\Extensions\nddbmgcnelmmhlfibkmfnhnfeccaliip
Print Friendly & PDF - Holly\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohlencieiipommannpdfcmfdpjjmeolj
The Tracktor - Price History Tracker - Holly\AppData\Local\Google\Chrome\User Data\Default\Extensions\onajjgekdldckfgodnmoallcmdmfcfom
Chrome Media Router - Holly\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
 
==== Chromium Fix ======================
 
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_toolbar.yahoo.com_0.localstorage deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_toolbar.yahoo.com_0.localstorage-journal deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_adobe-acrobat-x-pro-update.en.softonic.com_0.localstorage deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_adobe-acrobat-x-pro-update.en.softonic.com_0.localstorage-journal deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_ads.proboards.com_0.localstorage deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_ads.proboards.com_0.localstorage-journal deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_ads.spotible.com_0.localstorage deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_ads.spotible.com_0.localstorage-journal deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage-journal deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_c.betrad.com_0.localstorage deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_c.betrad.com_0.localstorage-journal deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_c.betrad.com_0.localstorage deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_c.betrad.com_0.localstorage-journal deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d22j4fzzszoii2.cloudfront.net_0.localstorage deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d22j4fzzszoii2.cloudfront.net_0.localstorage-journal deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_deals.ebay.com_0.localstorage deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_deals.ebay.com_0.localstorage-journal deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_en.softonic.com_0.localstorage deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_en.softonic.com_0.localstorage-journal deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.consumersearch.com_0.localstorage deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.consumersearch.com_0.localstorage-journal deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.goodsearch.com_0.localstorage deleted successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.goodsearch.com_0.localstorage-journal deleted successfully
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
==== All HKLM and HKCU SearchScopes ======================
 
HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=HPNTDFJS
HKLM\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC} - http://rover.ebay.com/rover/1/711-154371-11896-2/4
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=HPNTDFJS
HKLM\Wow6432Node\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC} - http://rover.ebay.com/rover/1/711-154371-11896-2/4
HKCU\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=HPNTDFJS
HKCU\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC} - http://rover.ebay.com/rover/1/711-154371-11896-2/4
 
==== Reset Google Chrome ======================
 
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal was reset successfully
 
==== Deleting Registry Keys ======================
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A0A5CBD84C137C642B25B695E31AA178 deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7A6F2EDADB7E5594DB660309B322D3FD deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8DBC5A0A-31C4-46C7-B252-6B593EA11A87} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ADE2F6A7-E7BD-4955-BD66-30903B223DDF} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A0A5CBD84C137C642B25B695E31AA178 deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\7A6F2EDADB7E5594DB660309B322D3FD deleted successfully
 
==== Empty IE Cache ======================
 
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Holly\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Holly\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
 
==== Empty FireFox Cache ======================
 
No FireFox Profiles found
 
==== Empty Chrome Cache ======================
 
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
No Flash Cache Found
 
==== Empty All Java Cache ======================
 
No Java Cache Found
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=55 folders=27 125918132 bytes)
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp successfully emptied
C:\Users\Holly\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on Sat 09/24/2016 at 23:13:23.96 ======================


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:52 PM

Posted 26 September 2016 - 08:16 AM


Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===

Please post the logs for my review.

===

Download and Run FlashDisinfector

You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
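
The drive immunization described above (and the host-side "stop any autorun function" advice given later in this thread) as an added PowerShell example. This is not Flash_Disinfector's code and nothing in the thread posted it; the function names are mine, the registry values (NoDriveTypeAutoRun, NoAutorun, the Autorun.inf IniFileMapping entry) are the standard Windows ones, and the drive letters are simply whatever is plugged in when it runs. It lists the root-level files an autorun worm typically drops (including the target hidden behind any .lnk lure), then occupies the name autorun.inf on each drive with a hidden, system, read-only folder, and finally switches AutoRun off on the host.

```powershell
# Added example, not code from the thread, from Flash_Disinfector or from BleepingComputer.
# Inventory, immunize and (host-side) disable AutoRun for removable drives.
# Run from an elevated PowerShell prompt; drive letters are whatever is plugged in.

#Requires -RunAsAdministrator

function Get-DriveRoots {
    param([switch]$IncludeFixed)   # external USB HDDs usually report DriveType 3 (fixed), not 2
    $types = if ($IncludeFixed) { 2, 3 } else { ,2 }
    Get-CimInstance Win32_LogicalDisk |
        Where-Object { $types -contains $_.DriveType -and $_.DeviceID -ne $env:SystemDrive } |
        ForEach-Object { $_.DeviceID + '\' }
}

function Find-AutorunArtifacts {
    # Root-level files an autorun worm typically drops: an autorun.inf FILE, executables/scripts,
    # and .lnk shortcuts that imitate folders and point at cmd.exe/rundll32 with hidden arguments.
    param([Parameter(Mandatory)][string]$Root)
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $Root -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^(autorun\.inf|.+\.(exe|scr|com|pif|vbs|vbe|js|jse|bat|cmd|lnk))$' } |
        ForEach-Object {
            $target = ''
            if ($_.Extension -eq '.lnk') {
                $sc = $shell.CreateShortcut($_.FullName)      # resolves what the lure really launches
                $target = ($sc.TargetPath + ' ' + $sc.Arguments).Trim()
            }
            [pscustomobject]@{
                Path      = $_.FullName
                Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                System    = [bool]($_.Attributes -band [IO.FileAttributes]::System)
                Bytes     = $_.Length
                Modified  = $_.LastWriteTime
                LnkTarget = $target
            }
        }
}

function Protect-DriveFromAutorun {
    # Same idea as Flash_Disinfector: occupy the name autorun.inf with a hidden, system, read-only
    # FOLDER so a worm cannot drop an autorun.inf file of that name. Returns $true when the drive
    # is immunized, $false when a real autorun.inf file is present and needs a human to look at it.
    param([Parameter(Mandatory)][string]$Root)
    $path = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        Write-Warning "$path is a file; review it before deleting (a worm's launcher usually names an .exe here):"
        Get-Content -LiteralPath $path -ErrorAction SilentlyContinue | ForEach-Object { Write-Warning "    $_" }
        return $false
    }
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        New-Item -ItemType Directory -Path $path -Force | Out-Null
    }
    $dir = Get-Item -LiteralPath $path -Force
    $dir.Attributes = [IO.FileAttributes]'Directory, Hidden, System, ReadOnly'
    return $true
}

function Disable-AutoRunOnHost {
    # Host side: tell Explorer to ignore autorun.inf on every drive type (0xFF) and to stop
    # AutoRun entirely; the IniFileMapping entry makes Windows read autorun.inf from a
    # non-existent registry location instead of from the disk.
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    New-Item -Path $explorer -Force | Out-Null
    Set-ItemProperty -Path $explorer -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    Set-ItemProperty -Path $explorer -Name NoAutorun          -Value 1    -Type DWord
    $map = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    New-Item -Path $map -Force | Out-Null
    Set-ItemProperty -Path $map -Name '(default)' -Value '@SYS:DoesNotExist'
}

# Usage: disable AutoRun first, then inspect and immunize every removable drive that is plugged in.
Disable-AutoRunOnHost
foreach ($root in Get-DriveRoots) {
    Write-Host "== $root"
    Find-AutorunArtifacts -Root $root | Format-Table -AutoSize
    Protect-DriveFromAutorun -Root $root | Out-Null
}
```

Two caveats a practitioner should keep in mind. Windows 7 and later (and Windows 10, which this machine runs) no longer honour autorun.inf on USB sticks at all, so the folder trick mainly protects older hosts the stick is later plugged into; on a current host the part that matters is the .lnk inventory, since worms that lost AutoRun switched to shortcuts that look like folders and launch a hidden payload when double-clicked. And the immunizing folder is only a speed bump: malware running with write access to the drive can reset its attributes and remove it (Flash_Disinfector adds an undeletable reserved-name file inside the folder for that reason; this example does not), so scanning the drive with AutoRun disabled, as the later reply advises, is still the actual cleanup step.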

#5 wingandaprayer

wingandaprayer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:52 PM

Posted 26 September 2016 - 09:14 PM

I am having trouble posting the FRST inside the message so I am attaching it with the addition file. 

The website- or my computer- is stuttering.

 

I can't load the Flash Disinfector. There may be a compatibility problem. I tried repeatedly. It will not open and the Windows compatibility troubleshooter opens, changes the setting to Windows XP, but nothing changes about how the problem occurs.

Attached Files



#6 wingandaprayer

wingandaprayer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:52 PM

Posted 26 September 2016 - 10:13 PM

If the Flash Disinfector can't work with Windows 10, is this a comparable alternative?

Bitdefender USB Immunizer

https://labs.bitdefender.com/projects/usb-immunizer/overview/ 

This changes a registry key which freaked me out.

 

Or, whatever program you recommend for Windows 10.



#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:52 PM

Posted 27 September 2016 - 09:31 AM

What you need to do is stop any autorun function from starting when you insert a USB drive.
Then you can scan your flash drives with your virus protection program.

https://sourceforge.net/projects/noautorun/
===

Nothing suspicious was found on your logs.
This is just a cleanup.

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to the new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\igfxcui: igfxdev.dll [X]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-09-24]
Task: {09F63722-E52D-4CEF-9F76-BFBB8B552619} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {4A768346-6916-4E4E-9A68-5A9B6F0EB117} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {6D5B4573-F08A-4216-B704-73D9039BFE07} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {6F02C206-52EA-48EF-B005-CF634F188E1C} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {77B6EE73-D522-4F90-B8B4-9783C9D0175E} - \WPD\SqmUpload_S-1-5-21-3422109349-2128020783-1673974931-1001 -> No File <==== ATTENTION
Task: {792C02FC-F1E5-429B-8DD9-C4DE43A97E8A} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {9B621878-6DFB-4C22-80CC-3BCA90369AEA} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {A7A6A018-2703-4B64-84A0-85E37C5A3C84} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {A7EA90E1-ED86-43FD-A426-5273B760ECE2} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {AC195F14-3879-45CF-89B4-A388584D1D45} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {B749B156-19B5-420C-8519-26C3BD1DF8DB} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {C3CAE956-9004-4B0A-B85F-E7824F5A54F8} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {FA357B2F-E5F9-4507-BFE6-8651230150A0} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {FC719950-5241-480F-980E-C1588105919C} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Your version of Shockwave is out-of-date and vulnerable.

Navigate to this page and follow the instructions to get the latest version.
https://www.adobe.com/shockwave/welcome/

Go to Start > Control Panel > Programs and Features and uninstall the old version(s) if present.
Adobe Shockwave Player 12.0 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.0.4.144 - Adobe Systems, Inc.)

Let me know what problem persists.
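nasdaq's advice above, like the earlier Flash_Disinfector note about the hidden autorun.inf placeholder folder, comes down to one thing: Windows must not act on an autorun.inf found on removable media. The PowerShell below is an added example for this thread, not a tool from the thread or from any of the projects linked in it. It reads and sets the NoDriveTypeAutoRun policy value (0xFF disables AutoRun for every drive type) together with HonorAutoRunSetting, then reports any autorun.inf on removable drives and, when it is a file rather than a placeholder folder, shows which open= or shellexecute= line it carries so the entry can be inspected before the drive is scanned. It assumes an elevated PowerShell session on Windows 8 or later; the function names are my own.

```powershell
# Added example (not from the thread): audit and disable AutoRun policy, then report
# any autorun.inf present on removable drives. Run from an elevated PowerShell prompt.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunPolicy {
    # Returns the current NoDriveTypeAutoRun value as hex, or a note that it is unset.
    $value = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $value) { 'not set (Windows default applies)' } else { '0x{0:X2}' -f $value }
}

function Disable-AutoRunAllDrives {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    # 0xFF sets the bit for every drive type: unknown, removable, fixed, network, CD-ROM, RAM disk.
    Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    # 1 tells Windows to honor the machine policy above rather than a per-user setting.
    Set-ItemProperty -Path $policyKey -Name HonorAutoRunSetting -Value 1 -Type DWord
}

function Find-AutorunInf {
    # DriveType 2 = removable disk. Emits one object per autorun.inf found.
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $path = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path -Force
            $launches = @()
            if (-not $item.PSIsContainer) {
                # A real autorun.inf: pull out the lines that name something to execute.
                $launches = Get-Content -LiteralPath $path -ErrorAction SilentlyContinue |
                    Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }
            }
            [pscustomobject]@{
                Drive    = $_.DeviceID
                Path     = $path
                IsFolder = $item.PSIsContainer   # a folder is the Flash_Disinfector-style placeholder, not a threat
                Hidden   = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
                Launches = ($launches -join '; ')
            }
        }
    }
}

Write-Host "NoDriveTypeAutoRun before: $(Get-AutoRunPolicy)"
Disable-AutoRunAllDrives
Write-Host "NoDriveTypeAutoRun after:  $(Get-AutoRunPolicy)"
Find-AutorunInf | Format-Table -AutoSize
```

The policy change takes effect for Explorer after a logoff or reboot. The script only reports autorun.inf entries; whether to delete a file it finds is a decision for the person doing the cleanup, after the drive has been scanned as nasdaq describes.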

#8 wingandaprayer (Topic Starter, Members, 9 posts)

Posted 28 September 2016 - 12:08 AM

My computer appears to be acting up again. The disc is running at 100% in the task manager and there is no process that explains this. 

Fixlog.txt is below:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 25-09-2016

Ran by Holly (28-09-2016 00:19:11) Run:1
Running from C:\Users\Holly\Downloads
Loaded Profiles: Holly (Available Profiles: Holly)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
Winlogon\Notify\igfxcui: igfxdev.dll [X]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-09-24]
Task: {09F63722-E52D-4CEF-9F76-BFBB8B552619} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {4A768346-6916-4E4E-9A68-5A9B6F0EB117} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {6D5B4573-F08A-4216-B704-73D9039BFE07} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {6F02C206-52EA-48EF-B005-CF634F188E1C} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File
<==== ATTENTION
Task: {77B6EE73-D522-4F90-B8B4-9783C9D0175E} - \WPD\SqmUpload_S-1-5-21-3422109349-2128020783-1673974931-1001 -> No File <==== ATTENTION
Task: {792C02FC-F1E5-429B-8DD9-C4DE43A97E8A} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {9B621878-6DFB-4C22-80CC-3BCA90369AEA} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {A7A6A018-2703-4B64-84A0-85E37C5A3C84} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {A7EA90E1-ED86-43FD-A426-5273B760ECE2} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {AC195F14-3879-45CF-89B4-A388584D1D45} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {B749B156-19B5-420C-8519-26C3BD1DF8DB} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {C3CAE956-9004-4B0A-B85F-E7824F5A54F8} -
\Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {FA357B2F-E5F9-4507-BFE6-8651230150A0} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {FC719950-5241-480F-980E-C1588105919C} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui" => key removed successfully
C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{09F63722-E52D-4CEF-9F76-BFBB8B552619}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{09F63722-E52D-4CEF-9F76-BFBB8B552619}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4A768346-6916-4E4E-9A68-5A9B6F0EB117}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4A768346-6916-4E4E-9A68-5A9B6F0EB117}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6D5B4573-F08A-4216-B704-73D9039BFE07}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6D5B4573-F08A-4216-B704-73D9039BFE07}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6F02C206-52EA-48EF-B005-CF634F188E1C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6F02C206-52EA-48EF-B005-CF634F188E1C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d" => key removed successfully
<==== ATTENTION => Error: No automatic fix found for this entry.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{77B6EE73-D522-4F90-B8B4-9783C9D0175E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{77B6EE73-D522-4F90-B8B4-9783C9D0175E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WPD\SqmUpload_S-1-5-21-3422109349-2128020783-1673974931-1001" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{792C02FC-F1E5-429B-8DD9-C4DE43A97E8A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{792C02FC-F1E5-429B-8DD9-C4DE43A97E8A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9B621878-6DFB-4C22-80CC-3BCA90369AEA}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9B621878-6DFB-4C22-80CC-3BCA90369AEA}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A7A6A018-2703-4B64-84A0-85E37C5A3C84}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A7A6A018-2703-4B64-84A0-85E37C5A3C84}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A7EA90E1-ED86-43FD-A426-5273B760ECE2}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A7EA90E1-ED86-43FD-A426-5273B760ECE2}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AC195F14-3879-45CF-89B4-A388584D1D45}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AC195F14-3879-45CF-89B4-A388584D1D45}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B749B156-19B5-420C-8519-26C3BD1DF8DB}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B749B156-19B5-420C-8519-26C3BD1DF8DB}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\Task: {C3CAE956-9004-4B0A-B85F-E7824F5A54F8} - => key not found. 
\Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION => Error: No automatic fix found for this entry.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FA357B2F-E5F9-4507-BFE6-8651230150A0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FA357B2F-E5F9-4507-BFE6-8651230150A0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FC719950-5241-480F-980E-C1588105919C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FC719950-5241-480F-980E-C1588105919C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" => key removed successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 32768 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 33919959 B
Java, Flash, Steam htmlcache => 2469 B
Windows/system/drivers => 11303918 B
Edge => 1703619 B
Chrome => 285952914 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 58452 B
Holly => 1236744 B
 
RecycleBin => 94 B
EmptyTemp: => 318.7 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 00:20:48 ====
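The Fixlog above shows each "Task: {GUID} - \Path -> No File" entry being removed from the TaskCache registry keys. As an added example that is not part of the thread or of FRST, the following PowerShell finds the same kind of orphaned entry without FRST: it lists every scheduled task whose Exec action points at an executable that no longer exists on disk. It assumes Windows 8 or later (the ScheduledTasks module) and an elevated session so that all task folders are readable; the function name is my own.

```powershell
# Added example (not from the thread): list scheduled tasks whose action targets a
# missing executable, i.e. the entries FRST reports as "-> No File".
function Get-OrphanedScheduledTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only Exec actions carry an executable path; COM-handler actions have none and are skipped.
            if (-not $action.Execute) { continue }
            # Expand %windir%-style variables and strip surrounding quotes before testing the path.
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $exists = if ([IO.Path]::IsPathRooted($exe)) {
                Test-Path -LiteralPath $exe
            } else {
                # Bare names such as "cmd.exe" resolve through PATH, as the scheduler does.
                [bool](Get-Command $exe -ErrorAction SilentlyContinue)
            }
            if (-not $exists) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    State    = $task.State
                    Execute  = $exe
                    Argument = $action.Arguments
                }
            }
        }
    }
}

# Report only. Removing an entry is a separate, deliberate step (Unregister-ScheduledTask),
# and leftovers of a removed product, like the GWX tasks above, are harmless until cleaned.
Get-OrphanedScheduledTask | Format-Table -AutoSize
```

An orphaned task is not by itself a sign of infection; the GWX and SqmUpload entries in this thread are remnants of removed Windows components. The value of the listing is that a task whose target has vanished, or whose target sits in a user-writable folder, stands out for a closer look.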


#9 nasdaq (Malware Response Team, 39,225 posts, Montreal, QC. Canada)

Posted 28 September 2016 - 10:46 AM

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

#10 wingandaprayer (Topic Starter, Members, 9 posts)

Posted 28 September 2016 - 11:05 AM

So I ran these processes before and I don't know why they will work now when they didn't before.

 

One problem might be that I haven't been running antivirus (Bitdefender Free) because it requires me to create a login, which I don't want to do on an infected computer. Is that the problem, that I haven't run the antivirus? If so, it's just going to happen again.

 

Is the problem that I ran Zoek in safe mode (because I had to)? If so, it's just going to happen again.

 

This brings up a question I was postponing. I wanted to know if there was a recommended free antivirus and anti exploit. I chose Bitdefender from this chart. https://www.av-test.org/en/antivirus/home-windows/windows-10/    Bitdefender seemed to be the one that had the least invasive profile on my computer, except for the login thing.

 

I have an image and I can reimage the computer. Do you think that that would solve the problem?

 

I tried to look at the forum here but the pinned discussion didn't seem very conclusive.  http://www.bleepingcomputer.com/forums/t/405/antivirus-antimalware-and-antispyware-resources/page-9 



#11 nasdaq (Malware Response Team, 39,225 posts, Montreal, QC. Canada)

Posted 28 September 2016 - 12:36 PM

Quote: I have an image and I can reimage the computer. Do you think that that would solve the problem?

If you have a good re-image file then yes, and I will take it from there.



#12 wingandaprayer (Topic Starter, Members, 9 posts)

Posted 30 September 2016 - 12:49 AM

It seems that I can't even use a bootable USB to reimage it. The system won't let me boot from the removable drive, even when I change the boot order in the BIOS. I also tried pressing F12 upon start to boot from removable media.

Now, when the computer is started, it takes a very long time and the screen is grey for a long time.

Under normal login, the computer is bogged down and won't do anything.

I can't even get into safe mode- it is obstructed now too.

This virus is crazy! 

It sounds like the computer has been affected beyond the OS at this point. Is it even salvageable?

Any ideas how to move forward?



#13 nasdaq (Malware Response Team, 39,225 posts, Montreal, QC. Canada)

Posted 30 September 2016 - 08:37 AM

Reset your PC

Navigate to this Microsoft Page.

https://support.microsoft.com/en-ca/help/12415/windows-10-recovery-options

Read carefully.

I suggest you use this option: Reset your PC

p.s.
Make sure you have a good backup of all your important files, photos etc...


IF YOU NEED ADDITIONAL HELP.
Ask in the Windows 10 forum
http://www.bleepingcomputer.com/forums/f/229/windows-10-support/

#14 wingandaprayer (Topic Starter, Members, 9 posts)

Posted 02 October 2016 - 01:18 PM

With difficulty, I did a factory reset and now I am back to Windows 8. Before I upgrade to Windows 10, I would like to find out if the HP laptop is still infected.

How would you recommend I do this?

 

Also, before the reset and after the virus took over (I couldn't do anything with the computer anymore due to the disc running at 100% and my inability to get to safe mode) I also started getting hard disc error messages. This makes me wonder if the hard disc error is a phenomenon of an infection, and how would I test for that too? I ignore them and move on. Other than being slow, the computer seems to work.



#15 nasdaq (Malware Response Team, 39,225 posts, Montreal, QC. Canada)

Posted 02 October 2016 - 01:34 PM

Run the Farbar tool and post the FRST and Addition.txt files.

Will take it from there.
