Possible Win32/Delalot/Win32/AdvancedCleaner/8wekyb3d8bbwe...


  • This topic is locked
21 replies to this topic

#1 PhoenixArjuna

PhoenixArjuna

  • Members
  • 22 posts

Posted 01 October 2016 - 12:33 PM

I have been warring with these bastard hackers for at least a month now. I hate losing that bad, but I love learning just as bad. I've had my fill of both. Every computer in my household is infected... None of them knew until my dumb ass stumbled across it, so I have no idea how long we've been infected... I must assume since these laptops were purchased. Here's what I've done so far. I've mostly been working with two laptops. This report below is the second one. I have reinstalled Windows a lot of times... probably around 20 in the last month. First restores from partitions, then from a recovery disk I made from the same partitions. Infected. Then I installed Windows 7... infected. Then I downloaded an ISO from Microsoft for Windows 8.1. Infected. At this point everyone thinks I'm being paranoid. I'm not. Finally I wiped the drive, at least 9 passes. At first I thought this was a success; alas, I know it is a failure. Everything is peachy until I go on the internet... then it's all bad. Whatever is on that drive survived all those passes and immediately starts trying to call a server even though I had disabled every networking service. I sat there and watched the logs for a whole day. I was not able to delete anything associated with the culprits. I can claim ownership but cannot inherit permissions from another bleep's computer, but I'd love to learn how. The more I battle this the smarter they get and the worse I make it for myself. It/they write code so goddamn fast I wasn't sure for a while if I was against an actual person. But every now and then he moves my mouse for me and gives me a wink. I'm sorry this is so long; I don't want to leave anything out that may help. So I switched laptops to this Dell with all the same infected bloatware. I immediately factory reset and ran FRST.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-09-2016
Ran by phoenix (administrator) on SERVERbleepED (29-09-2016 11:58:50)
Running from C:\Users\phoenix\Downloads
Loaded Profiles: phoenix (Available Profiles: phoenix)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\WINDOWS\System32\dllhost.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\WINDOWS\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Corporation) C:\WINDOWS\System32\wlanext.exe
(Microsoft Corporation) C:\WINDOWS\System32\dllhost.exe
(Microsoft Corporation) C:\WINDOWS\System32\Taskmgr.exe


==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [COMODO Autostart {D5EFF3B3-E126-4AF6-BCE9-852A72129E10}] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1610936 2016-09-14] (COMODO)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{52E70720-70E2-4704-BEAE-3B6AC89EEB43}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3779583528-1916877269-3399241691-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION

FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-09-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-09-29] (Google Inc.)

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default [2016-09-29]
CHR Extension: (Google Slides) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-09-29]
CHR Extension: (Magic Actions for YouTube) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\abjcfabbhafbcdfjoecdgepllmpfceif [2016-09-29]
CHR Extension: (Google Docs) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-09-29]
CHR Extension: (Google Drive) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-09-29]
CHR Extension: (WOT: Web of Trust, Website Reputation Ratings) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp [2016-09-29]
CHR Extension: (YouTube) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-09-29]
CHR Extension: (Adblock Plus) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-09-29]
CHR Extension: (Home - New Tab Page) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\ehhkfhegcenpfoanmgfpfhnmdmflkbgk [2016-09-29]
CHR Extension: (Google Sheets) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-09-29]
CHR Extension: (Hacker Vision) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\fommidcneendjonelhhhkmoekeicedej [2016-09-29]
CHR Extension: (Google Docs Offline) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-09-29]
CHR Extension: (Morpheon Dark) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\mafbdhjdkjnoafhfelkjpchpaepjknad [2016-09-29]
CHR Extension: (Video Converter) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcjjnhgakghmggnimjkldjmmpabhnhne [2016-09-29]
CHR Extension: (SmoothScroll) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbokbjkabcmbfdlbddjidfmibcpneigj [2016-09-29]
CHR Extension: (Chrome Web Store Payments) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-09-29]
CHR Extension: (Click&Clean App) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdabfienifkbhoihedcgeogidfmibmhp [2016-09-29]
CHR Extension: (Gmail) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-09-29]
CHR Extension: (Chrome Media Router) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-09-29]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 CmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [5817256 2016-09-15] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2271928 2016-09-14] (COMODO)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-06-24] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [32224 2016-08-31] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [853904 2016-08-31] (COMODO)
R1 cmdhlp; C:\Windows\system32\DRIVERS\cmdhlp.sys [45592 2016-08-31] (COMODO)
R3 DellRbtn; C:\Windows\System32\drivers\DellRbtn.sys [10752 2013-01-24] (OSR Open Systems Resources, Inc.)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [219592 2014-08-13] (Intel Corporation)
R1 inspect; C:\Windows\system32\DRIVERS\inspect.sys [138560 2016-08-31] (COMODO)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-09-29] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation)
R3 NETwNb64; C:\Windows\system32\DRIVERS\Netwbw02.sys [3482600 2014-12-04] (Intel Corporation)
U3 TrueSight; C:\WINDOWS\System32\drivers\TrueSight.sys [28272 2016-09-29] ()
U3 McMPFSvc; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-09-29 11:58 - 2016-09-29 11:59 - 00008595 _____ C:\Users\phoenix\Downloads\FRST.txt
2016-09-29 11:57 - 2016-09-29 11:57 - 02404352 _____ (Farbar) C:\Users\phoenix\Downloads\FRST64.exe
2016-09-29 11:57 - 2016-09-29 11:57 - 00000000 __SHD C:\Users\phoenix\IntelGraphicsProfiles
2016-09-29 09:29 - 2016-09-29 09:29 - 00000000 _____ C:\Recovery.txt
2016-09-29 07:22 - 2016-09-29 07:22 - 00002293 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-09-29 07:22 - 2016-09-29 07:22 - 00002281 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-09-29 07:18 - 2016-09-29 11:23 - 00000926 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-09-29 07:18 - 2016-09-29 08:49 - 00000000 ____D C:\Users\phoenix\AppData\Local\Google
2016-09-29 07:18 - 2016-09-29 07:23 - 00000922 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-09-29 07:18 - 2016-09-29 07:22 - 00000000 ____D C:\Program Files (x86)\Google
2016-09-29 07:18 - 2016-09-29 07:18 - 00003898 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-09-29 07:18 - 2016-09-29 07:18 - 00003662 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-09-29 07:18 - 2016-09-29 07:18 - 00000000 ____D C:\Users\phoenix\AppData\Local\Deployment
2016-09-29 07:18 - 2016-09-29 07:18 - 00000000 ____D C:\Users\phoenix\AppData\Local\Apps\2.0
2016-09-29 07:17 - 2016-09-29 07:17 - 00000000 __SHD C:\Users\phoenix\AppData\LocalLow\EmieUserList
2016-09-29 07:17 - 2016-09-29 07:17 - 00000000 __SHD C:\Users\phoenix\AppData\LocalLow\EmieBrowserModeList
2016-09-29 07:01 - 2016-09-29 07:01 - 00000000 ____D C:\Users\phoenix\AppData\Local\VirtualStore
2016-09-29 06:59 - 2016-09-29 07:17 - 00000000 __SHD C:\Users\phoenix\AppData\LocalLow\EmieSiteList
2016-09-29 06:59 - 2016-09-29 06:59 - 00000000 ____D C:\Users\phoenix\AppData\Roaming\Adobe
2016-09-29 06:56 - 2016-09-29 06:56 - 00001886 _____ C:\Users\Public\Desktop\COMODO Firewall.lnk
2016-09-29 06:56 - 2016-09-29 06:56 - 00000000 ____D C:\Windows\System32\Tasks\COMODO
2016-09-29 06:55 - 2016-09-29 07:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\COMODO
2016-09-29 06:55 - 2016-09-29 07:02 - 00000000 ____D C:\Program Files\COMODO
2016-09-29 06:54 - 2016-09-29 07:01 - 00000000 ____D C:\Users\phoenix\AppData\Local\CrashDumps
2016-09-29 06:53 - 2016-09-29 06:55 - 00000000 ____D C:\ProgramData\Comodo
2016-09-29 06:53 - 2016-09-29 06:53 - 00000000 ____D C:\ProgramData\Shared Space
2016-09-29 06:43 - 2016-09-29 11:53 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-09-29 06:43 - 2016-09-29 07:17 - 00000000 __SHD C:\Users\phoenix\AppData\Local\EmieUserList
2016-09-29 06:43 - 2016-09-29 07:17 - 00000000 __SHD C:\Users\phoenix\AppData\Local\EmieSiteList
2016-09-29 06:43 - 2016-09-29 07:17 - 00000000 __SHD C:\Users\phoenix\AppData\Local\EmieBrowserModeList
2016-09-29 06:39 - 2016-09-29 06:40 - 00365344 _____ C:\Windows\system32\FNTCACHE.DAT
2016-09-29 04:58 - 2016-09-29 09:37 - 00003600 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3779583528-1916877269-3399241691-1001
2016-09-29 04:52 - 2016-09-29 04:52 - 00001120 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-09-29 04:52 - 2016-09-29 04:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-09-29 04:52 - 2016-09-29 04:52 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-09-29 04:52 - 2016-09-29 04:52 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-09-29 04:52 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-09-29 04:52 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-09-29 04:52 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-09-29 04:06 - 2016-09-29 04:06 - 00014870 _____ C:\Users\phoenix\Desktop\startup.txt
2016-09-29 03:43 - 2016-09-29 09:36 - 00000000 ____D C:\ProgramData\RogueKiller
2016-09-29 03:43 - 2016-09-29 09:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2016-09-29 03:43 - 2016-09-29 03:43 - 00028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2016-09-29 03:43 - 2016-09-29 03:43 - 00000872 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2016-09-29 03:34 - 2016-09-29 07:17 - 00000000 ____D C:\Windows\Inf
2016-09-29 01:55 - 2016-09-29 07:15 - 01163806 _____ C:\Windows\system32\PerfStringBackup.INI
2016-09-29 01:40 - 2016-09-29 09:33 - 00000000 ____D C:\RegBackup
2016-09-29 01:40 - 2016-09-29 01:40 - 00000207 _____ C:\Windows\tweaking.com-regbackup-SERVERbleepED-Windows-8.1-(64-bit).dat
2016-09-29 00:38 - 2016-09-29 00:38 - 00000000 ____D C:\Users\phoenix\AppData\Local\Packages
2016-09-29 00:37 - 2016-09-29 06:58 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-09-29 00:37 - 2016-09-29 00:37 - 00000020 ___SH C:\Users\phoenix\ntuser.ini
2016-09-29 00:37 - 2016-09-29 00:37 - 00000000 ____D C:\Users\phoenix\AppData\Roaming\Intel
2016-09-29 00:09 - 2016-09-29 00:09 - 00000000 ____D C:\ProgramData\Intel
2016-09-28 23:32 - 2016-09-28 23:32 - 00000000 ____D C:\Users\phoenix\Desktop\ESET NOD32 ANTIVIRUS 7 CRACK (32 64 BIT) THADOGG
2016-09-28 23:29 - 2016-09-29 11:58 - 00000000 ____D C:\FRST
2016-09-28 19:10 - 2016-09-28 19:10 - 00005832 _____ C:\Users\phoenix\Desktop\rk_8FF6.tmp.txt
2016-09-28 18:39 - 2016-09-28 18:41 - 00000000 ____D C:\AdwCleaner
2016-09-28 18:38 - 2016-09-28 18:38 - 00000000 ____D C:\ProgramData\HitmanPro
2016-09-28 18:37 - 2016-09-29 06:52 - 00000000 ____D C:\Users\phoenix\Desktop\Tools
2016-09-28 18:33 - 2016-09-28 23:21 - 00000000 ____D C:\Users\phoenix\Desktop\Virus Check
2016-09-28 18:12 - 2016-09-29 11:57 - 00000000 ____D C:\Users\phoenix
2016-09-15 00:07 - 2016-09-15 00:07 - 00813824 _____ (COMODO) C:\Windows\system32\guard64.dll
2016-09-15 00:07 - 2016-09-15 00:07 - 00642976 _____ (COMODO) C:\Windows\SysWOW64\guard32.dll
2016-09-15 00:07 - 2016-09-15 00:07 - 00051800 _____ (COMODO) C:\Windows\system32\cmdcsr.dll
2016-09-15 00:05 - 2016-09-15 00:05 - 00365752 _____ (COMODO) C:\Windows\system32\cmdvrt64.dll
2016-09-15 00:04 - 2016-09-15 00:04 - 00051896 _____ (COMODO) C:\Windows\system32\cmdkbd64.dll
2016-09-15 00:02 - 2016-09-15 00:02 - 00296120 _____ (COMODO) C:\Windows\SysWOW64\cmdvrt32.dll
2016-09-15 00:01 - 2016-09-15 00:01 - 00046776 _____ (COMODO) C:\Windows\SysWOW64\cmdkbd32.dll
2016-08-31 12:50 - 2016-08-31 12:50 - 00853904 _____ (COMODO) C:\Windows\system32\Drivers\cmdguard.sys
2016-08-31 12:50 - 2016-08-31 12:50 - 00138560 _____ (COMODO) C:\Windows\system32\Drivers\inspect.sys
2016-08-31 12:50 - 2016-08-31 12:50 - 00045592 _____ (COMODO) C:\Windows\system32\Drivers\cmdhlp.sys
2016-08-31 12:50 - 2016-08-31 12:50 - 00032224 _____ (COMODO) C:\Windows\system32\Drivers\cmderd.sys

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-09-29 09:36 - 2015-06-24 12:46 - 00000000 ___SD C:\Windows\system32\GWX
2016-09-29 09:36 - 2015-06-24 10:13 - 00000000 ____D C:\ProgramData\McAfee
2016-09-29 09:36 - 2015-06-24 10:06 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel
2016-09-29 09:36 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files\Windows Defender
2016-09-29 09:35 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files\WindowsApps
2016-09-29 09:33 - 2015-06-24 10:13 - 00000000 ____D C:\Program Files\mcafee
2016-09-29 09:33 - 2015-06-24 10:13 - 00000000 ____D C:\Program Files\Common Files\McAfee
2016-09-29 09:33 - 2015-06-24 10:09 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell
2016-09-29 09:33 - 2015-06-24 10:04 - 00000000 ____D C:\Program Files\Dell
2016-09-29 09:33 - 2015-06-24 10:04 - 00000000 ____D C:\Program Files (x86)\Intel
2016-09-29 09:33 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\registration
2016-09-29 02:19 - 2013-08-22 08:25 - 00000128 _____ C:\Windows\win.ini
2016-09-29 02:15 - 2015-06-24 10:06 - 00865408 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2016-09-29 00:37 - 2013-08-22 08:25 - 00262144 _____ C:\Windows\system32\config\BBI

Some files in TEMP:
====================
C:\Users\phoenix\AppData\Local\Temp\dllnt_dump.dll


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-06-24 09:51

==================== End of FRST.txt ============================


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,474 posts

Posted 01 October 2016 - 12:40 PM

Hi PhoenixArjuna :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
  • This being said, I have a full time job, and I also have night classes on Mondays and Wednesdays, which means that if you reply during these two days, it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean up some malware, so let's get started, shall we? :)

Your FRST.txt doesn't show any sign of infection, are you able to provide me the Addition.txt one? Run FRST again and make sure Addition.txt is checked at the bottom.

Whatever is on that drive survived all those passes and immediately starts tries to call a server

Can you provide me logs, screenshots, pictures, etc. of that?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 PhoenixArjuna

PhoenixArjuna
  • Topic Starter

  • Members
  • 22 posts

Posted 01 October 2016 - 12:43 PM

Premature post... here are the attachments.

#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,474 posts

Posted 01 October 2016 - 12:51 PM

There's still nothing wrong in these logs.

Can you provide me logs, screenshots, pictures, etc. of the weird network connections you mentioned?



#5 PhoenixArjuna

PhoenixArjuna
  • Topic Starter

  • Members
  • 22 posts

Posted 01 October 2016 - 01:07 PM

Hi Yoan, sorry about the lag... Company just arrived. I can run FRST again... but it is now very corrupted. I get several error messages and Comodo says it now starts to call a remote server using TCP/IP, and it didn't do that before.

#6 PhoenixArjuna

PhoenixArjuna
  • Topic Starter

  • Members
  • 22 posts

Posted 01 October 2016 - 01:10 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-09-2016
Ran by phoenix (administrator) on SERVERbleepED (29-09-2016 11:58:50)
Running from C:\Users\phoenix\Downloads
Loaded Profiles: phoenix (Available Profiles: phoenix)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\WINDOWS\System32\dllhost.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\WINDOWS\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Corporation) C:\WINDOWS\System32\wlanext.exe
(Microsoft Corporation) C:\WINDOWS\System32\dllhost.exe
(Microsoft Corporation) C:\WINDOWS\System32\Taskmgr.exe


==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [COMODO Autostart {D5EFF3B3-E126-4AF6-BCE9-852A72129E10}] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1610936 2016-09-14] (COMODO)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{52E70720-70E2-4704-BEAE-3B6AC89EEB43}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3779583528-1916877269-3399241691-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION

FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-09-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-09-29] (Google Inc.)

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default [2016-09-29]
CHR Extension: (Google Slides) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-09-29]
CHR Extension: (Magic Actions for YouTube™) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\abjcfabbhafbcdfjoecdgepllmpfceif [2016-09-29]
CHR Extension: (Google Docs) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-09-29]
CHR Extension: (Google Drive) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-09-29]
CHR Extension: (WOT: Web of Trust, Website Reputation Ratings) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp [2016-09-29]
CHR Extension: (YouTube) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-09-29]
CHR Extension: (Adblock Plus) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-09-29]
CHR Extension: (Home - New Tab Page) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\ehhkfhegcenpfoanmgfpfhnmdmflkbgk [2016-09-29]
CHR Extension: (Google Sheets) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-09-29]
CHR Extension: (Hacker Vision) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\fommidcneendjonelhhhkmoekeicedej [2016-09-29]
CHR Extension: (Google Docs Offline) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-09-29]
CHR Extension: (Morpheon Dark) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\mafbdhjdkjnoafhfelkjpchpaepjknad [2016-09-29]
CHR Extension: (Video Converter) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcjjnhgakghmggnimjkldjmmpabhnhne [2016-09-29]
CHR Extension: (SmoothScroll) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbokbjkabcmbfdlbddjidfmibcpneigj [2016-09-29]
CHR Extension: (Chrome Web Store Payments) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-09-29]
CHR Extension: (Click&Clean App) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdabfienifkbhoihedcgeogidfmibmhp [2016-09-29]
CHR Extension: (Gmail) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-09-29]
CHR Extension: (Chrome Media Router) - C:\Users\phoenix\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-09-29]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 CmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [5817256 2016-09-15] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2271928 2016-09-14] (COMODO)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-06-24] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [32224 2016-08-31] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [853904 2016-08-31] (COMODO)
R1 cmdhlp; C:\Windows\system32\DRIVERS\cmdhlp.sys [45592 2016-08-31] (COMODO)
R3 DellRbtn; C:\Windows\System32\drivers\DellRbtn.sys [10752 2013-01-24] (OSR Open Systems Resources, Inc.)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [219592 2014-08-13] (Intel Corporation)
R1 inspect; C:\Windows\system32\DRIVERS\inspect.sys [138560 2016-08-31] (COMODO)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-09-29] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation)
R3 NETwNb64; C:\Windows\system32\DRIVERS\Netwbw02.sys [3482600 2014-12-04] (Intel Corporation)
U3 TrueSight; C:\WINDOWS\System32\drivers\TrueSight.sys [28272 2016-09-29] ()
U3 McMPFSvc; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-09-29 11:58 - 2016-09-29 11:59 - 00008595 _____ C:\Users\phoenix\Downloads\FRST.txt
2016-09-29 11:57 - 2016-09-29 11:57 - 02404352 _____ (Farbar) C:\Users\phoenix\Downloads\FRST64.exe
2016-09-29 11:57 - 2016-09-29 11:57 - 00000000 __SHD C:\Users\phoenix\IntelGraphicsProfiles
2016-09-29 09:29 - 2016-09-29 09:29 - 00000000 _____ C:\Recovery.txt
2016-09-29 07:22 - 2016-09-29 07:22 - 00002293 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-09-29 07:22 - 2016-09-29 07:22 - 00002281 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-09-29 07:18 - 2016-09-29 11:23 - 00000926 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-09-29 07:18 - 2016-09-29 08:49 - 00000000 ____D C:\Users\phoenix\AppData\Local\Google
2016-09-29 07:18 - 2016-09-29 07:23 - 00000922 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-09-29 07:18 - 2016-09-29 07:22 - 00000000 ____D C:\Program Files (x86)\Google
2016-09-29 07:18 - 2016-09-29 07:18 - 00003898 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-09-29 07:18 - 2016-09-29 07:18 - 00003662 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-09-29 07:18 - 2016-09-29 07:18 - 00000000 ____D C:\Users\phoenix\AppData\Local\Deployment
2016-09-29 07:18 - 2016-09-29 07:18 - 00000000 ____D C:\Users\phoenix\AppData\Local\Apps\2.0
2016-09-29 07:17 - 2016-09-29 07:17 - 00000000 __SHD C:\Users\phoenix\AppData\LocalLow\EmieUserList
2016-09-29 07:17 - 2016-09-29 07:17 - 00000000 __SHD C:\Users\phoenix\AppData\LocalLow\EmieBrowserModeList
2016-09-29 07:01 - 2016-09-29 07:01 - 00000000 ____D C:\Users\phoenix\AppData\Local\VirtualStore
2016-09-29 06:59 - 2016-09-29 07:17 - 00000000 __SHD C:\Users\phoenix\AppData\LocalLow\EmieSiteList
2016-09-29 06:59 - 2016-09-29 06:59 - 00000000 ____D C:\Users\phoenix\AppData\Roaming\Adobe
2016-09-29 06:56 - 2016-09-29 06:56 - 00001886 _____ C:\Users\Public\Desktop\COMODO Firewall.lnk
2016-09-29 06:56 - 2016-09-29 06:56 - 00000000 ____D C:\Windows\System32\Tasks\COMODO
2016-09-29 06:55 - 2016-09-29 07:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\COMODO
2016-09-29 06:55 - 2016-09-29 07:02 - 00000000 ____D C:\Program Files\COMODO
2016-09-29 06:54 - 2016-09-29 07:01 - 00000000 ____D C:\Users\phoenix\AppData\Local\CrashDumps
2016-09-29 06:53 - 2016-09-29 06:55 - 00000000 ____D C:\ProgramData\Comodo
2016-09-29 06:53 - 2016-09-29 06:53 - 00000000 ____D C:\ProgramData\Shared Space
2016-09-29 06:43 - 2016-09-29 11:53 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-09-29 06:43 - 2016-09-29 07:17 - 00000000 __SHD C:\Users\phoenix\AppData\Local\EmieUserList
2016-09-29 06:43 - 2016-09-29 07:17 - 00000000 __SHD C:\Users\phoenix\AppData\Local\EmieSiteList
2016-09-29 06:43 - 2016-09-29 07:17 - 00000000 __SHD C:\Users\phoenix\AppData\Local\EmieBrowserModeList
2016-09-29 06:39 - 2016-09-29 06:40 - 00365344 _____ C:\Windows\system32\FNTCACHE.DAT
2016-09-29 04:58 - 2016-09-29 09:37 - 00003600 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3779583528-1916877269-3399241691-1001
2016-09-29 04:52 - 2016-09-29 04:52 - 00001120 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-09-29 04:52 - 2016-09-29 04:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-09-29 04:52 - 2016-09-29 04:52 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-09-29 04:52 - 2016-09-29 04:52 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-09-29 04:52 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-09-29 04:52 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-09-29 04:52 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-09-29 04:06 - 2016-09-29 04:06 - 00014870 _____ C:\Users\phoenix\Desktop\startup.txt
2016-09-29 03:43 - 2016-09-29 09:36 - 00000000 ____D C:\ProgramData\RogueKiller
2016-09-29 03:43 - 2016-09-29 09:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2016-09-29 03:43 - 2016-09-29 03:43 - 00028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2016-09-29 03:43 - 2016-09-29 03:43 - 00000872 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2016-09-29 03:34 - 2016-09-29 07:17 - 00000000 ____D C:\Windows\Inf
2016-09-29 01:55 - 2016-09-29 07:15 - 01163806 _____ C:\Windows\system32\PerfStringBackup.INI
2016-09-29 01:40 - 2016-09-29 09:33 - 00000000 ____D C:\RegBackup
2016-09-29 01:40 - 2016-09-29 01:40 - 00000207 _____ C:\Windows\tweaking.com-regbackup-SERVERbleepED-Windows-8.1-(64-bit).dat
2016-09-29 00:38 - 2016-09-29 00:38 - 00000000 ____D C:\Users\phoenix\AppData\Local\Packages
2016-09-29 00:37 - 2016-09-29 06:58 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-09-29 00:37 - 2016-09-29 00:37 - 00000020 ___SH C:\Users\phoenix\ntuser.ini
2016-09-29 00:37 - 2016-09-29 00:37 - 00000000 ____D C:\Users\phoenix\AppData\Roaming\Intel
2016-09-29 00:09 - 2016-09-29 00:09 - 00000000 ____D C:\ProgramData\Intel
2016-09-28 23:32 - 2016-09-28 23:32 - 00000000 ____D C:\Users\phoenix\Desktop\ESET NOD32 ANTIVIRUS 7 CRACK (32 64 BIT) THADOGG
2016-09-28 23:29 - 2016-09-29 11:58 - 00000000 ____D C:\FRST
2016-09-28 19:10 - 2016-09-28 19:10 - 00005832 _____ C:\Users\phoenix\Desktop\rk_8FF6.tmp.txt
2016-09-28 18:39 - 2016-09-28 18:41 - 00000000 ____D C:\AdwCleaner
2016-09-28 18:38 - 2016-09-28 18:38 - 00000000 ____D C:\ProgramData\HitmanPro
2016-09-28 18:37 - 2016-09-29 06:52 - 00000000 ____D C:\Users\phoenix\Desktop\Tools
2016-09-28 18:33 - 2016-09-28 23:21 - 00000000 ____D C:\Users\phoenix\Desktop\Virus Check
2016-09-28 18:12 - 2016-09-29 11:57 - 00000000 ____D C:\Users\phoenix
2016-09-15 00:07 - 2016-09-15 00:07 - 00813824 _____ (COMODO) C:\Windows\system32\guard64.dll
2016-09-15 00:07 - 2016-09-15 00:07 - 00642976 _____ (COMODO) C:\Windows\SysWOW64\guard32.dll
2016-09-15 00:07 - 2016-09-15 00:07 - 00051800 _____ (COMODO) C:\Windows\system32\cmdcsr.dll
2016-09-15 00:05 - 2016-09-15 00:05 - 00365752 _____ (COMODO) C:\Windows\system32\cmdvrt64.dll
2016-09-15 00:04 - 2016-09-15 00:04 - 00051896 _____ (COMODO) C:\Windows\system32\cmdkbd64.dll
2016-09-15 00:02 - 2016-09-15 00:02 - 00296120 _____ (COMODO) C:\Windows\SysWOW64\cmdvrt32.dll
2016-09-15 00:01 - 2016-09-15 00:01 - 00046776 _____ (COMODO) C:\Windows\SysWOW64\cmdkbd32.dll
2016-08-31 12:50 - 2016-08-31 12:50 - 00853904 _____ (COMODO) C:\Windows\system32\Drivers\cmdguard.sys
2016-08-31 12:50 - 2016-08-31 12:50 - 00138560 _____ (COMODO) C:\Windows\system32\Drivers\inspect.sys
2016-08-31 12:50 - 2016-08-31 12:50 - 00045592 _____ (COMODO) C:\Windows\system32\Drivers\cmdhlp.sys
2016-08-31 12:50 - 2016-08-31 12:50 - 00032224 _____ (COMODO) C:\Windows\system32\Drivers\cmderd.sys

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-09-29 09:36 - 2015-06-24 12:46 - 00000000 ___SD C:\Windows\system32\GWX
2016-09-29 09:36 - 2015-06-24 10:13 - 00000000 ____D C:\ProgramData\McAfee
2016-09-29 09:36 - 2015-06-24 10:06 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel
2016-09-29 09:36 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files\Windows Defender
2016-09-29 09:35 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files\WindowsApps
2016-09-29 09:33 - 2015-06-24 10:13 - 00000000 ____D C:\Program Files\mcafee
2016-09-29 09:33 - 2015-06-24 10:13 - 00000000 ____D C:\Program Files\Common Files\McAfee
2016-09-29 09:33 - 2015-06-24 10:09 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell
2016-09-29 09:33 - 2015-06-24 10:04 - 00000000 ____D C:\Program Files\Dell
2016-09-29 09:33 - 2015-06-24 10:04 - 00000000 ____D C:\Program Files (x86)\Intel
2016-09-29 09:33 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\registration
2016-09-29 02:19 - 2013-08-22 08:25 - 00000128 _____ C:\Windows\win.ini
2016-09-29 02:15 - 2015-06-24 10:06 - 00865408 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2016-09-29 00:37 - 2013-08-22 08:25 - 00262144 _____ C:\Windows\system32\config\BBI

Some files in TEMP:
====================
C:\Users\phoenix\AppData\Local\Temp\dllnt_dump.dll


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-06-24 09:51

==================== End of FRST.txt ============================

#7 Aura

Bleepin' Special Ops, Malware Response Team

Posted 01 October 2016 - 01:12 PM

I don't need the FRST logs anymore; I need you to provide me the logs you say you checked, where you could see suspicious connections being established.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#8 PhoenixArjuna

Topic Starter

Posted 01 October 2016 - 01:16 PM

Got it..... here's the last one I had up

 

Log Name:      Microsoft-Windows-AppHost/Admin
Source:        Microsoft-Windows-AppHost
Date:          9/29/2016 7:01:16 AM
Event ID:      126
Task Category: (8)
Level:         Error
Keywords:      AppHost
User:          serverbleeped\phoenix
Computer:      serverbleeped
Description:
App <Microsoft.ZuneVideo> crashed with an unhandled Javascript exception. App details are as follows: Display Name:<Video>, AppUserModelId: <Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo> Package Identity:<Microsoft.ZuneVideo_2.6.432.0_x64__8wekyb3d8bbwe> PID:<4656>. The details of the JavaScript exception are as follows Exception Name:<WinRT error>, Description:<The configuration data for this product is corrupt. Contact your support personnel.
>, HTML Document Path:</main.html>, Source File Name:<ms-appx://microsoft.zunevideo/main_merged.js>, Source Line Number:<31460>, Source Column Number:<33>, and Stack Trace: ms-appx://microsoft.zunevideo/main_merged.js:31460:33           CoreApplication.prototype.activated(object)
.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppHost" Guid="{98E0765D-8C42-44A3-A57B-760D7F93225A}" />
    <EventID>126</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>8</Task>
    <Opcode>12</Opcode>
    <Keywords>0x8000000000000001</Keywords>
    <TimeCreated SystemTime="2016-09-29T12:01:16.575272600Z" />
    <EventRecordID>9</EventRecordID>
    <Correlation />
    <Execution ProcessID="4656" ThreadID="1808" />
    <Channel>Microsoft-Windows-AppHost/Admin</Channel>
    <Computer>serverbleeped</Computer>
    <Security UserID="S-1-5-21-3779583528-1916877269-3399241691-1001" />
  </System>
  <UserData>
    <WWAUnhandledApplicationException xmlns="http://manifests.microsoft.com/win/2005/08/windows/wwahost/events">
      <DisplayName>Video</DisplayName>
      <ApplicationName>Microsoft.ZuneVideo</ApplicationName>
      <AppUserModelId>Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo</AppUserModelId>
      <PackageFullName>Microsoft.ZuneVideo_2.6.432.0_x64__8wekyb3d8bbwe</PackageFullName>
      <ProcessId>4656</ProcessId>
      <ErrorType>WinRT error</ErrorType>
      <ErrorDescription>The configuration data for this product is corrupt. Contact your support personnel.
</ErrorDescription>
      <DocumentFile>/main.html</DocumentFile>
      <SourceFile>ms-appx://microsoft.zunevideo/main_merged.js</SourceFile>
      <SourceLine>31460</SourceLine>
      <SourceColumn>33</SourceColumn>
      <StackTrace>ms-appx://microsoft.zunevideo/main_merged.js:31460:33           CoreApplication.prototype.activated(object)
</StackTrace>
    </WWAUnhandledApplicationException>
  </UserData>
</Event>


#9 Aura

Bleepin' Special Ops, Malware Response Team

Posted 01 October 2016 - 01:18 PM

This is a standard AppCrash from Microsoft Zune; I don't see anything wrong with it. No connections are shown in that entry.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
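To make the distinction concrete: the AppHost/126 entry above carries no network fields at all, whereas a Windows Filtering Platform audit record (Security log, event 5156, which needs "Filtering Platform Connection" success auditing turned on) or a Sysmon event 3 records the owning process, the direction and the remote address. The Python below is an added example, not something from this thread or from any tool mentioned in it: it reads exported event XML and keeps only the records that actually describe a connection. The first sample record mirrors the posted crash entry; the second is a constructed 5156 record with made-up PID, image path and addresses.

```python
"""Sort exported Windows event records into app crashes versus network
connection records.  Added example; the sample XML is constructed: the first
record mirrors the AppHost/126 crash posted above, the second is a
hypothetical Security/5156 record with made-up PID, path and addresses."""
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# (provider, event id) pairs that describe a network connection.
# Security/5156 requires 'Filtering Platform Connection' success auditing;
# Sysmon/3 requires Sysmon.  Neither is on by default on a home PC.
CONNECTION_EVENTS = {
    ("Microsoft-Windows-Security-Auditing", 5156),
    ("Microsoft-Windows-Sysmon", 3),
}

# Event 5156 encodes direction as a resource string id.
DIRECTION = {"%%14592": "inbound", "%%14593": "outbound"}

SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppHost" />
    <EventID>126</EventID>
    <Channel>Microsoft-Windows-AppHost/Admin</Channel>
    <Computer>serverbleeped</Computer>
    <Execution ProcessID="4656" ThreadID="1808" />
  </System>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>5156</EventID>
    <Channel>Security</Channel>
    <Computer>serverbleeped</Computer>
  </System>
  <EventData>
    <Data Name="ProcessID">1234</Data>
    <Data Name="Application">\device\harddiskvolume2\example\updater.exe</Data>
    <Data Name="Direction">%%14593</Data>
    <Data Name="SourceAddress">192.0.2.10</Data>
    <Data Name="SourcePort">49710</Data>
    <Data Name="DestAddress">198.51.100.7</Data>
    <Data Name="DestPort">443</Data>
    <Data Name="Protocol">6</Data>
  </EventData>
</Event>
</Events>"""


def parse_event(elem):
    """Flatten one <Event> element into a dict of triage fields."""
    system = elem.find("e:System", EVT_NS)
    provider = system.find("e:Provider", EVT_NS).get("Name")
    event_id = int(system.findtext("e:EventID", namespaces=EVT_NS))
    record = {
        "provider": provider,
        "event_id": event_id,
        "channel": system.findtext("e:Channel", namespaces=EVT_NS),
        "is_connection": (provider, event_id) in CONNECTION_EVENTS,
    }
    # EventData items are Name="..." pairs.  The AppHost crash uses a
    # provider-specific <UserData> block instead, which holds no addresses.
    for data in elem.findall("e:EventData/e:Data", EVT_NS):
        record[data.get("Name")] = data.text
    return record


def parse_events(xml_text):
    """Parse an export containing several <Event> elements."""
    root = ET.fromstring(xml_text)
    return [parse_event(ev) for ev in root.findall("e:Event", EVT_NS)]


def connection_events(xml_text):
    """Keep only records that show a connection, normalised to the fields a
    responder asks for: owning process, direction, remote endpoint."""
    out = []
    for rec in parse_events(xml_text):
        if not rec["is_connection"]:
            continue
        # 5156 carries Direction; Sysmon 3 carries Initiated=true/false.
        direction = DIRECTION.get(rec.get("Direction"))
        if direction is None:
            direction = "outbound" if rec.get("Initiated") == "true" else "unknown"
        out.append({
            "pid": rec.get("ProcessID") or rec.get("ProcessId"),
            "image": rec.get("Application") or rec.get("Image"),
            "direction": direction,
            "remote": "%s:%s" % (
                rec.get("DestAddress") or rec.get("DestinationIp"),
                rec.get("DestPort") or rec.get("DestinationPort"),
            ),
        })
    return out


if __name__ == "__main__":
    for conn in connection_events(SAMPLE_EVENTS):
        print(conn)
```

Run against a real export (Event Viewer, "Save Selected Events" as XML, wrapped in a root element) the crash record drops out and only the audit or Sysmon records remain, which is the kind of log the request above is asking for.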


#10 PhoenixArjuna

Topic Starter

Posted 01 October 2016 - 01:34 PM

This is the log after I reinstalled and ran RogueKiller.

 

RogueKiller V12.5.2.0 (x64) [Aug 29 2016] (Free) by Adlice Software
 
Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : phoenix [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 09/28/2016 18:50:37 (Duration : 00:17:26)
 
¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] esif_assist.exe(2200) -- C:\WINDOWS\Temp\DPTF\esif_assist.exe[7] -> Found
 
¤¤¤ Registry : 6 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3779583528-1916877269-3399241691-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell13.msn.com/?pc=DCJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3779583528-1916877269-3399241691-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell13.msn.com/?pc=DCJB  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3779583528-1916877269-3399241691-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell13.msn.com/?pc=DCJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3779583528-1916877269-3399241691-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell13.msn.com/?pc=DCJB  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F22E4870-0C32-43B3-A270-480A8873F046} | DhcpNameServer : 172.6.1.171 ([X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F22E4870-0C32-43B3-A270-480A8873F046} | DhcpNameServer : 172.6.1.171 ([X])  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 2 ¤¤¤
[PUP][File] C:\Users\phoenix\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Amazon.lnk [LNK@] C:\PROGRA~2\Amazon\AMAZON~1\AMAZON~1.EXE -> Found
[PUP][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Amazon.lnk [LNK@] C:\PROGRA~2\Amazon\AMAZON~1\AMAZON~1.EXE -> Found
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000LPVX-75V0TT0 +++++
--- User ---
[MBR] c68b25f88221f3a5288755602d691c32
[BSP] ba5c824f0ef6fc781d477a169d24cd29 : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 500 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1026048 | Size: 40 MB
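RogueKiller labels the DhcpNameServer entries PUM (a potentially unwanted modification, not a confirmed infection), so the follow-up is to compare the address with what the router actually hands out over DHCP. The Python below is an added example, not part of this thread or of RogueKiller: it parses the report format shown above into findings, cross-checks each section's claimed count, reports whether each DhcpNameServer address is RFC 1918 private, and lists processes whose image sits under a temp directory (a prompt to verify the file's publisher, since vendor helpers also run from Temp, not a verdict). SAMPLE_REPORT is a constructed excerpt of the posted report with the section counts adjusted to match.

```python
"""Parse a RogueKiller scan report into findings and apply two responder
checks.  Added example, not from the thread or from RogueKiller; the line
format is inferred from the report posted above and SAMPLE_REPORT is a
constructed excerpt of it."""
import ipaddress
import re

SAMPLE_REPORT = r"""¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] esif_assist.exe(2200) -- C:\WINDOWS\Temp\DPTF\esif_assist.exe[7] -> Found

¤¤¤ Registry : 3 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3779583528-1916877269-3399241691-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell13.msn.com/?pc=DCJB  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F22E4870-0C32-43B3-A270-480A8873F046} | DhcpNameServer : 172.6.1.171 ([X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F22E4870-0C32-43B3-A270-480A8873F046} | DhcpNameServer : 172.6.1.171 ([X])  -> Found

¤¤¤ Files : 1 ¤¤¤
[PUP][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Amazon.lnk [LNK@] C:\PROGRA~2\Amazon\AMAZON~1\AMAZON~1.EXE -> Found
"""

# "¤¤¤ Registry : 6 ¤¤¤" -> section name and the count RogueKiller claims
SECTION_RE = re.compile(r"^¤¤¤ (.+?) : (\d+)")
# "[PUM.Dns] (X64) HKLM\... | DhcpNameServer : 1.2.3.4 ([X])  -> Found"
FINDING_RE = re.compile(r"^\[([^\]]+)\](?:\[[^\]]+\])?\s*(.*?)\s*->\s*(\w+)\s*$")


def parse_report(text):
    """Return one dict per finding, tagged with the section it came from."""
    findings, section, claimed = [], None, {}
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            claimed[section] = int(m.group(2))
            continue
        m = FINDING_RE.match(line)
        if m and section:
            findings.append({"section": section, "category": m.group(1),
                             "detail": m.group(2), "status": m.group(3)})
    # A mismatch means the pasted log was truncated or the format changed.
    for name, n in claimed.items():
        got = sum(1 for f in findings if f["section"] == name)
        if got != n:
            raise ValueError(f"{name}: header says {n}, parsed {got}")
    return findings


def dns_servers(findings):
    """(value name, address, is_rfc1918) for each PUM.Dns entry.  A home
    router normally hands out its own private address; a public address
    is not proof of tampering, but it is what to compare against the
    router's DHCP settings."""
    out = []
    for f in findings:
        if f["category"] != "PUM.Dns":
            continue
        m = re.search(r"\| (\w+) : ([\d. ]+)", f["detail"])
        if not m:
            continue
        for addr in m.group(2).split():      # REG_SZ, space separated
            out.append((m.group(1), addr, ipaddress.ip_address(addr).is_private))
    return out


TEMP_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")


def temp_processes(findings):
    """Processes whose image lives under a temp directory: verify the
    file's publisher before acting, since vendor helpers also use Temp."""
    return [f["detail"] for f in findings
            if f["section"] == "Processes"
            and any(t in f["detail"].lower() for t in TEMP_DIRS)]


if __name__ == "__main__":
    fs = parse_report(SAMPLE_REPORT)
    print(dns_servers(fs))
    print(temp_processes(fs))
```

Pointing parse_report at a saved RogueKiller .txt instead of SAMPLE_REPORT gives the same three lists for a real scan; the count check is there because pasted logs are often cut off, as the MBR section above is.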


#11 PhoenixArjuna

Topic Starter

Posted 01 October 2016 - 03:42 PM

I don't recall where I got this.

 

' Copyright © Microsoft Corporation. All rights reserved.
'
' Abstract:
' prnport.vbs - Port script for WMI on Windows 
'     used to add, delete and list ports
'     also for getting and setting the port configuration
'
' Usage:
' prnport [-adlgt?] [-r port] [-s server] [-u user name] [-w password]
'                   [-o raw|lpr] [-h host address] [-q queue] [-n number]
'                   [-me | -md ] [-i SNMP index] [-y community] [-2e | -2d]"
'
' Examples
' prnport -a -s server -r IP_1.2.3.4 -e 1.2.3.4 -o raw -n 9100
' prnport -d -s server -r c:\temp\foo.prn
' prnport -l -s server
' prnport -g -s server -r IP_1.2.3.4
' prnport -t -s server -r IP_1.2.3.4 -me -y public -i 1 -n 9100
'
'----------------------------------------------------------------------
 
option explicit
 
'
' Debugging trace flags, to enable debug output trace message
' change gDebugFlag to true.
'
dim   gDebugFlag
const kDebugTrace = 1
const kDebugError = 2
 
gDebugFlag = false
 
'
' Operation action values.
'
const kActionAdd          = 0
const kActionDelete       = 1
const kActionList         = 2
const kActionUnknown      = 3
const kActionGet          = 4
const kActionSet          = 5
 
const kErrorSuccess       = 0
const KErrorFailure       = 1
 
const kFlagCreateOrUpdate = 0
 
const kNameSpace          = "root\cimv2"
 
 
'
' Constants for the parameter dictionary
'
const kServerName      = 1
const kPortName        = 2
const kDoubleSpool     = 3
const kPortNumber      = 4
const kPortType        = 5
const kHostAddress     = 6
const kSNMPDeviceIndex = 7
const kCommunityName   = 8
const kSNMP            = 9
const kQueueName       = 10
const kUserName        = 11
const kPassword        = 12
 
'
' Generic strings
'
const L_Empty_Text                 = ""
const L_Space_Text                 = " "
const L_Colon_Text                 = ":"
const L_LPR_Queue                  = "LPR"
const L_Error_Text                 = "Error"
const L_Success_Text               = "Success"
const L_Failed_Text                = "Failed"
const L_Hex_Text                   = "0x"
const L_Printer_Text               = "Printer"
const L_Operation_Text             = "Operation"
const L_Provider_Text              = "Provider"
const L_Description_Text           = "Description"
const L_Debug_Text                 = "Debug:"
 
'
' General usage messages
'
const L_Help_Help_General01_Text   = "Usage: prnport [-adlgt?] [-r port][-s server][-u user name][-w password]"
const L_Help_Help_General02_Text   = "               [-o raw|lpr][-h host address][-q queue][-n number]"
const L_Help_Help_General03_Text   = "               [-me | -md ][-i SNMP index][-y community][-2e | -2d]"
const L_Help_Help_General04_Text   = "Arguments:"
const L_Help_Help_General05_Text   = "-a     - add a port"
const L_Help_Help_General06_Text   = "-d     - delete the specified port"
const L_Help_Help_General07_Text   = "-g     - get configuration for a TCP port"
const L_Help_Help_General08_Text   = "-h     - IP address of the device"
const L_Help_Help_General09_Text   = "-i     - SNMP index, if SNMP is enabled"
const L_Help_Help_General10_Text   = "-l     - list all TCP ports"
const L_Help_Help_General11_Text   = "-m     - SNMP type. [e] enable, [d] disable"
const L_Help_Help_General12_Text   = "-n     - port number, applies to TCP RAW ports"
const L_Help_Help_General13_Text   = "-o     - port type, raw or lpr"
const L_Help_Help_General14_Text   = "-q     - queue name, applies to TCP LPR ports only"
const L_Help_Help_General15_Text   = "-r     - port name"
const L_Help_Help_General16_Text   = "-s     - server name"
const L_Help_Help_General17_Text   = "-t     - set configuration for a TCP port"
const L_Help_Help_General18_Text   = "-u     - user name"
const L_Help_Help_General19_Text   = "-w     - password"
const L_Help_Help_General20_Text   = "-y     - community name, if SNMP is enabled"
const L_Help_Help_General21_Text   = "-2     - double spool, applies to TCP LPR ports. [e] enable, [d] disable"
const L_Help_Help_General22_Text   = "-?     - display command usage"
const L_Help_Help_General23_Text   = "Examples:"
const L_Help_Help_General24_Text   = "prnport -l -s server"
const L_Help_Help_General25_Text   = "prnport -d -s server -r IP_1.2.3.4"
const L_Help_Help_General26_Text   = "prnport -a -s server -r IP_1.2.3.4 -h 1.2.3.4 -o raw -n 9100"
const L_Help_Help_General27_Text   = "prnport -t -s server -r IP_1.2.3.4 -me -y public -i 1 -n 9100"
const L_Help_Help_General28_Text   = "prnport -g -s server -r IP_1.2.3.4"
const L_Help_Help_General29_Text   = "prnport -a -r IP_1.2.3.4 -h 1.2.3.4"
const L_Help_Help_General30_Text   = "Remark:"
const L_Help_Help_General31_Text   = "The last example will try to get the device settings at the specified IP address."
const L_Help_Help_General32_Text   = "If a device is detected, then a TCP port is added with the preferred settings for that device."
 
'
' Messages to be displayed if the scripting host is not cscript
'
const L_Help_Help_Host01_Text      = "This script should be executed from the Command Prompt using CScript.exe."
const L_Help_Help_Host02_Text      = "For example: CScript script.vbs arguments"
const L_Help_Help_Host03_Text      = ""
const L_Help_Help_Host04_Text      = "To set CScript as the default application to run .VBS files run the following:"
const L_Help_Help_Host05_Text      = "     CScript //H:CScript //S"
const L_Help_Help_Host06_Text      = "You can then run ""script.vbs arguments"" without preceding the script with CScript."
 
'
' General error messages
'
const L_Text_Error_General01_Text  = "The scripting host could not be determined."
const L_Text_Error_General02_Text  = "Unable to parse command line."
const L_Text_Error_General03_Text  = "Win32 error code"
 
'
' Miscellaneous messages
'
const L_Text_Msg_General01_Text    = "Added port"
const L_Text_Msg_General02_Text    = "Unable to delete port"
const L_Text_Msg_General03_Text    = "Unable to get port"
const L_Text_Msg_General04_Text    = "Created/updated port"
const L_Text_Msg_General05_Text    = "Unable to create/update port"
const L_Text_Msg_General06_Text    = "Unable to enumerate ports"
const L_Text_Msg_General07_Text    = "Number of ports enumerated"
const L_Text_Msg_General08_Text    = "Deleted port"
const L_Text_Msg_General09_Text    = "Unable to get SWbemLocator object"
const L_Text_Msg_General10_Text    = "Unable to connect to WMI service"
 
 
'
' Port properties
'
const L_Text_Msg_Port01_Text       = "Server name"
const L_Text_Msg_Port02_Text       = "Port name"
const L_Text_Msg_Port03_Text       = "Host address"
const L_Text_Msg_Port04_Text       = "Protocol RAW"
const L_Text_Msg_Port05_Text       = "Protocol LPR"
const L_Text_Msg_Port06_Text       = "Port number"
const L_Text_Msg_Port07_Text       = "Queue"
const L_Text_Msg_Port08_Text       = "Byte Count Enabled"
const L_Text_Msg_Port09_Text       = "Byte Count Disabled"
const L_Text_Msg_Port10_Text       = "SNMP Enabled"
const L_Text_Msg_Port11_Text       = "SNMP Disabled"
const L_Text_Msg_Port12_Text       = "Community"
const L_Text_Msg_Port13_Text       = "Device index"
 
'
' Debug messages
'
const L_Text_Dbg_Msg01_Text        = "In function DelPort"
const L_Text_Dbg_Msg02_Text        = "In function CreateOrSetPort"
const L_Text_Dbg_Msg03_Text        = "In function ListPorts"
const L_Text_Dbg_Msg04_Text        = "In function GetPort"
const L_Text_Dbg_Msg05_Text        = "In function ParseCommandLine"
 
main
 
'
' Main execution starts here
'
sub main
 
    on error resume next
 
    dim iAction
    dim iRetval
    dim oParamDict
 
    '
    ' Abort if the host is not cscript
    '
    if not IsHostCscript() then
 
        call wscript.echo(L_Help_Help_Host01_Text & vbCRLF & L_Help_Help_Host02_Text & vbCRLF & _
                          L_Help_Help_Host03_Text & vbCRLF & L_Help_Help_Host04_Text & vbCRLF & _
                          L_Help_Help_Host05_Text & vbCRLF & L_Help_Help_Host06_Text & vbCRLF)
 
        wscript.quit
 
    end if
 
    set oParamDict = CreateObject("Scripting.Dictionary")
 
    iRetval = ParseCommandLine(iAction, oParamDict)
 
    if iRetval = 0 then
 
        select case iAction
 
            case kActionAdd
                iRetval = CreateOrSetPort(oParamDict)
 
            case kActionDelete
                iRetval = DelPort(oParamDict)
 
            case kActionList
                iRetval = ListPorts(oParamDict)
 
            case kActionGet
                iRetVal = GetPort(oParamDict)
 
            case kActionSet
                iRetVal = CreateOrSetPort(oParamDict)
 
            case else
                Usage(true)
                exit sub
 
        end select
 
    end if
 
end sub
 
'
' Delete a port
'
function DelPort(oParamDict)
 
    on error resume next
 
    DebugPrint kDebugTrace, L_Text_Dbg_Msg01_Text
    DebugPrint kDebugTrace, L_Text_Msg_Port01_Text & L_Space_Text & oParamDict(kServerName)
    DebugPrint kDebugTrace, L_Text_Msg_Port02_Text & L_Space_Text & oParamDict(kPortName)
 
    dim oService
    dim oPort
    dim iResult
    dim strServer
    dim strPort
    dim strUser
    dim strPassword
 
    iResult = kErrorFailure
 
    strServer   = oParamDict(kServerName)
    strPort     = oParamDict(kPortName)
    strUser     = oParamDict(kUserName)
    strPassword = oParamDict(kPassword)
 
    if WmiConnect(strServer, kNameSpace, strUser, strPassword, oService) then
 
        set oPort = oService.Get("Win32_TCPIPPrinterPort='" & strPort & "'")
 
    else
 
        DelPort = kErrorFailure
 
        exit function
 
    end if
 
    '
    ' Check if Get succeeded
    '
    if Err.Number = kErrorSuccess then
 
        '
        ' Try deleting the instance
        '
        oPort.Delete_
 
        if Err.Number = kErrorSuccess then
 
            wscript.echo L_Text_Msg_General08_Text & L_Space_Text & strPort
 
            iResult = kErrorSuccess   ' report success to the caller (was left at kErrorFailure)
 
        else
 
            wscript.echo L_Text_Msg_General02_Text & L_Space_Text & L_Error_Text & L_Space_Text _
                         & L_Hex_Text & hex(Err.Number) & L_Space_Text & Err.Description
 
            '
            ' Try getting extended error information
            '
            call LastError()
 
        end if
 
    else
 
        wscript.echo L_Text_Msg_General02_Text & L_Space_Text & L_Error_Text & L_Space_Text _
                     & L_Hex_Text & hex(Err.Number) & L_Space_Text & Err.Description
 
        '
        ' Try getting extended error information
        '
        call LastError()
 
    end if
 
    DelPort = iResult
 
end function
 
'
' Add or update a port
'
function CreateOrSetPort(oParamDict)
 
    on error resume next
 
    dim oPort
    dim oService
    dim iResult
    dim PortType
    dim strServer
    dim strPort
    dim strUser
    dim strPassword
 
    DebugPrint kDebugTrace, L_Text_Dbg_Msg02_Text
    DebugPrint kDebugTrace, L_Text_Msg_Port01_Text & L_Space_Text & oParamDict.Item(kServerName)
    DebugPrint kDebugTrace, L_Text_Msg_Port02_Text & L_Space_Text & oParamDict.Item(kPortName)
    DebugPrint kDebugTrace, L_Text_Msg_Port06_Text & L_Space_Text & oParamDict.Item(kPortNumber)
    DebugPrint kDebugTrace, L_Text_Msg_Port07_Text & L_Space_Text & oParamDict.Item(kQueueName)
    DebugPrint kDebugTrace, L_Text_Msg_Port13_Text & L_Space_Text & oParamDict.Item(kSNMPDeviceIndex)
    DebugPrint kDebugTrace, L_Text_Msg_Port12_Text & L_Space_Text & oParamDict.Item(kCommunityName)
    DebugPrint kDebugTrace, L_Text_Msg_Port03_Text & L_Space_Text & oParamDict.Item(kHostAddress)
 
    strServer   = oParamDict(kServerName)
    strPort     = oParamDict(kPortName)
    strUser     = oParamDict(kUserName)
    strPassword = oParamDict(kPassword)
 
    '
    ' If the port exists, then get the settings. Later PutInstance will do an update
    '
    if WmiConnect(strServer, kNameSpace, strUser, strPassword, oService) then
 
        set oPort = oService.Get("Win32_TCPIPPrinterPort.Name='" & strPort & "'")
 
        '
        ' If get was unsuccessful then spawn a new port instance. Later PutInstance will do a create
        '
        if Err.Number <> kErrorSuccess then
 
            '
            ' Clear the previous error
            '
            Err.Clear
 
            set oPort = oService.Get("Win32_TCPIPPrinterPort").SpawnInstance_
 
        end if
 
    else
 
        CreateOrSetPort = kErrorFailure
 
        exit function
 
    end if
 
    if Err.Number <> kErrorSuccess then
 
        wscript.echo L_Text_Msg_General03_Text & L_Space_Text & L_Error_Text & L_Space_Text _
                     & L_Hex_Text & hex(Err.Number) & L_Space_Text & Err.Description
 
        CreateOrSetPort = kErrorFailure
 
        exit function
 
    end if
 
    oPort.Name          = oParamDict.Item(kPortName)
    oPort.HostAddress   = oParamDict.Item(kHostAddress)
    oPort.PortNumber    = oParamDict.Item(kPortNumber)
    oPort.SNMPEnabled   = oParamDict.Item(kSNMP)
    oPort.SNMPDevIndex  = oParamDict.Item(kSNMPDeviceIndex)
    oPort.SNMPCommunity = oParamDict.Item(kCommunityName)
    oPort.Queue         = oParamDict.Item(kQueueName)
    oPort.ByteCount     = oParamDict.Item(kDoubleSpool)
 
    PortType     = oParamDict.Item(kPortType)
 
    '
    ' Update the port object with the settings corresponding
    ' to the port type of the port to be added
    '
    select case lcase(PortType)
 
            case "raw"
 
                 oPort.Protocol      = 1
 
                 if Not IsNull(oPort.Queue) then
 
                     wscript.echo L_Error_Text & L_Colon_Text & L_Space_Text _
                     & L_Help_Help_General14_Text
 
                     CreateOrSetPort = kErrorFailure
 
                     exit function
 
                 end if
 
            case "lpr"
 
                 oPort.Protocol      = 2
 
                 if IsNull(oPort.Queue) then
 
                     oPort.Queue = L_LPR_Queue
 
                 end if
 
            case else
 
                 '
                 ' PutInstance will attempt to get the configuration of
                 ' the device based on its IP address. Those settings
                 ' will be used to add a new port
                 '
    end select
 
    '
    ' Try creating or updating the port
    '
    oPort.Put_(kFlagCreateOrUpdate)
 
    if Err.Number = kErrorSuccess then
 
        wscript.echo L_Text_Msg_General04_Text & L_Space_Text & oPort.Name
 
        iResult = kErrorSuccess
 
    else
 
        wscript.echo L_Text_Msg_General05_Text & L_Space_Text & oPort.Name & L_Space_Text _
                     & L_Error_Text & L_Space_Text & L_Hex_Text & hex(Err.Number) _
                     & L_Space_Text & Err.Description
 
        '
        ' Try getting extended error information
        '
        call LastError()
 
        iResult = kErrorFailure
 
    end if
 
    CreateOrSetPort = iResult
 
end function
 
'
' List ports on a machine.
'
function ListPorts(oParamDict)
 
    on error resume next
 
    DebugPrint kDebugTrace, L_Text_Dbg_Msg03_Text
 
    dim Ports
    dim oPort
    dim oService
    dim iResult
    dim iTotal
    dim strServer
    dim strUser
    dim strPassword
 
    iResult = kErrorFailure
 
    strServer   = oParamDict(kServerName)
    strUser     = oParamDict(kUserName)
    strPassword = oParamDict(kPassword)
 
    if WmiConnect(strServer, kNameSpace, strUser, strPassword, oService) then
 
        set Ports = oService.InstancesOf("Win32_TCPIPPrinterPort")
 
    else
 
        ListPorts = kErrorFailure
 
        exit function
 
    end if
 
    if Err.Number <> kErrorSuccess then
 
        wscript.echo L_Text_Msg_General06_Text & L_Space_Text & L_Error_Text & L_Space_Text _
                     & L_Hex_Text & hex(Err.Number) & L_Space_Text & Err.Description
 
        ListPorts = kErrorFailure
 
        exit function
 
    end if
 
    iTotal = 0
 
    for each oPort in Ports
 
        iTotal = iTotal + 1
 
        wscript.echo L_Empty_Text
        wscript.echo L_Text_Msg_Port01_Text & L_Space_Text & strServer
        wscript.echo L_Text_Msg_Port02_Text & L_Space_Text & oPort.Name
        wscript.echo L_Text_Msg_Port03_Text & L_Space_Text & oPort.HostAddress
 
        if oPort.Protocol = 1 then
 
            wscript.echo L_Text_Msg_Port04_Text
            wscript.echo L_Text_Msg_Port06_Text & L_Space_Text & oPort.PortNumber
 
        else
 
            wscript.echo L_Text_Msg_Port05_Text
            wscript.echo L_Text_Msg_Port07_Text & L_Space_Text & oPort.Queue
 
            if oPort.ByteCount then
 
                wscript.echo L_Text_Msg_Port08_Text
 
            else
 
                wscript.echo L_Text_Msg_Port09_Text
 
            end if
 
        end if
 
        if oPort.SNMPEnabled then
 
            wscript.echo L_Text_Msg_Port10_Text
            wscript.echo L_Text_Msg_Port12_Text & L_Space_Text & oPort.SNMPCommunity
            wscript.echo L_Text_Msg_Port13_Text & L_Space_Text & oPort.SNMPDevIndex
 
        else
 
            wscript.echo L_Text_Msg_Port11_Text
 
        end if
 
        Err.Clear
 
    next
 
    wscript.echo L_Empty_Text
    wscript.echo L_Text_Msg_General07_Text & L_Space_Text & iTotal
 
    ListPorts = kErrorSuccess
 
end function
 
'
' Gets the configuration of a port
'
function GetPort(oParamDict)
 
    on error resume next
 
    DebugPrint kDebugTrace, L_Text_Dbg_Msg04_Text
    DebugPrint kDebugTrace, L_Text_Msg_Port01_Text & L_Space_Text & oParamDict(kServerName)
    DebugPrint kDebugTrace, L_Text_Msg_Port02_Text & L_Space_Text & oParamDict(kPortName)
 
    dim oService
    dim oPort
    dim iResult
    dim strServer
    dim strPort
    dim strUser
    dim strPassword
 
    iResult = kErrorFailure
 
    strServer   = oParamDict(kServerName)
    strPort     = oParamDict(kPortName)
    strUser     = oParamDict(kUserName)
    strPassword = oParamDict(kPassword)
 
    if WmiConnect(strServer, kNameSpace, strUser, strPassword, oService) then
 
        set oPort = oService.Get("Win32_TCPIPPrinterPort.Name='" & strPort & "'")
 
    else
 
        GetPort = kErrorFailure
 
        exit function
 
    end if
 
    if Err.Number = kErrorSuccess then
 
        wscript.echo L_Empty_Text
        wscript.echo L_Text_Msg_Port01_Text & L_Space_Text & strServer
        wscript.echo L_Text_Msg_Port02_Text & L_Space_Text & oPort.Name
        wscript.echo L_Text_Msg_Port03_Text & L_Space_Text & oPort.HostAddress
 
        if oPort.Protocol = 1 then
 
            wscript.echo L_Text_Msg_Port04_Text
            wscript.echo L_Text_Msg_Port06_Text & L_Space_Text & oPort.PortNumber
 
        else
 
            wscript.echo L_Text_Msg_Port05_Text
            wscript.echo L_Text_Msg_Port07_Text & L_Space_Text & oPort.Queue
 
            if oPort.ByteCount then
 
                wscript.echo L_Text_Msg_Port08_Text
 
            else
 
                wscript.echo L_Text_Msg_Port09_Text
 
            end if
 
        end if
 
        if oPort.SNMPEnabled then
 
            wscript.echo L_Text_Msg_Port10_Text
            wscript.echo L_Text_Msg_Port12_Text & L_Space_Text & oPort.SNMPCommunity
            wscript.echo L_Text_Msg_Port13_Text & L_Space_Text & oPort.SNMPDevIndex
 
        else
 
            wscript.echo L_Text_Msg_Port11_Text
 
        end if
 
        iResult = kErrorSuccess
 
    else
 
        wscript.echo L_Text_Msg_General03_Text & L_Space_Text & L_Error_Text & L_Space_Text _
                     & L_Hex_Text & hex(Err.Number) & L_Space_Text & Err.Description
 
        '
        ' Try getting extended error information
        '
        call LastError()
 
    end if
 
    GetPort = iResult
 
end function
 
'
' Debug display helper function
'
sub DebugPrint(uFlags, strString)
 
    if gDebugFlag = true then
 
        if uFlags = kDebugTrace then
 
            wscript.echo L_Debug_Text & L_Space_Text & strString
 
        end if
 
        if uFlags = kDebugError then
 
            if Err <> 0 then
 
                wscript.echo L_Debug_Text & L_Space_Text & strString & L_Space_Text _
                             & L_Error_Text & L_Space_Text & L_Hex_Text & hex(Err.Number) _
                             & L_Space_Text & Err.Description
 
            end if
 
        end if
 
    end if
 
end sub
 
'
' Parse the command line into its components
'
function ParseCommandLine(iAction, oParamDict)
 
    on error resume next
 
    DebugPrint kDebugTrace, L_Text_Dbg_Msg05_Text
 
    dim oArgs
    dim iIndex
 
    iAction = kActionUnknown
    iIndex  = 0
 
    set oArgs = Wscript.Arguments
 
    while iIndex < oArgs.Count
 
        select case oArgs(iIndex)
 
            case "-g"
                iAction = kActionGet
 
            case "-t"
                iAction = kActionSet
 
            case "-a"
                iAction = kActionAdd
 
            case "-d"
                iAction = kActionDelete
 
            case "-l"
                iAction = kActionList
 
            case "-2e"
                oParamDict.Add kDoubleSpool, true
 
            case "-2d"
                oParamDict.Add kDoubleSpool, false
 
            case "-s"
                iIndex = iIndex + 1
                oParamDict.Add kServerName, RemoveBackslashes(oArgs(iIndex))
 
            case "-u"
                iIndex = iIndex + 1
                oParamDict.Add kUserName, oArgs(iIndex)
 
            case "-w"
                '
                ' Note: a password supplied on the command line is visible
                ' in process listings (Task Manager, Win32_Process) to anyone
                ' who can query this process
                '
                iIndex = iIndex + 1
                oParamDict.Add kPassword, oArgs(iIndex)
 
            case "-n"
                iIndex = iIndex + 1
                oParamDict.Add kPortNumber, oArgs(iIndex)
 
            case "-r"
                iIndex = iIndex + 1
                oParamDict.Add kPortName, oArgs(iIndex)
 
            case "-o"
                iIndex = iIndex + 1
                oParamDict.Add kPortType, oArgs(iIndex)
 
            case "-h"
                iIndex = iIndex + 1
                oParamDict.Add kHostAddress, oArgs(iIndex)
 
            case "-q"
                iIndex = iIndex + 1
                oParamDict.Add kQueueName, oArgs(iIndex)
 
            case "-i"
                iIndex = iIndex + 1
                oParamDict.Add kSNMPDeviceIndex, oArgs(iIndex)
 
            case "-y"
                iIndex = iIndex + 1
                oParamDict.Add kCommunityName, oArgs(iIndex)
 
            case "-me"
                oParamDict.Add kSNMP, true
 
            case "-md"
                oParamDict.Add kSNMP, false
 
            case "-?"
                Usage(True)
                exit function
 
            case else
                Usage(True)
                exit function
 
        end select
 
        iIndex = iIndex + 1
 
    wend
 
    if Err = kErrorSuccess then
 
        ParseCommandLine = kErrorSuccess
 
    else
 
        wscript.echo L_Text_Error_General02_Text & L_Space_Text & L_Error_Text & L_Space_Text _
                     & L_Hex_Text & hex(Err.Number) & L_Space_Text & Err.Description

        ParseCommandLine = kErrorFailure
 
    end if
 
end function
 
'
' Display command usage.
'
sub Usage(bExit)
 
    wscript.echo L_Help_Help_General01_Text
    wscript.echo L_Help_Help_General02_Text
    wscript.echo L_Help_Help_General03_Text
    wscript.echo L_Help_Help_General04_Text
    wscript.echo L_Help_Help_General05_Text
    wscript.echo L_Help_Help_General06_Text
    wscript.echo L_Help_Help_General07_Text
    wscript.echo L_Help_Help_General08_Text
    wscript.echo L_Help_Help_General09_Text
    wscript.echo L_Help_Help_General10_Text
    wscript.echo L_Help_Help_General11_Text
    wscript.echo L_Help_Help_General12_Text
    wscript.echo L_Help_Help_General13_Text
    wscript.echo L_Help_Help_General14_Text
    wscript.echo L_Help_Help_General15_Text
    wscript.echo L_Help_Help_General16_Text
    wscript.echo L_Help_Help_General17_Text
    wscript.echo L_Help_Help_General18_Text
    wscript.echo L_Help_Help_General19_Text
    wscript.echo L_Help_Help_General20_Text
    wscript.echo L_Help_Help_General21_Text
    wscript.echo L_Help_Help_General22_Text
    wscript.echo L_Empty_Text
    wscript.echo L_Help_Help_General23_Text
    wscript.echo L_Help_Help_General24_Text
    wscript.echo L_Help_Help_General25_Text
    wscript.echo L_Help_Help_General26_Text
    wscript.echo L_Help_Help_General27_Text
    wscript.echo L_Help_Help_General28_Text
    wscript.echo L_Help_Help_General29_Text
    wscript.echo L_Empty_Text
    wscript.echo L_Help_Help_General30_Text
    wscript.echo L_Help_Help_General31_Text
    wscript.echo L_Help_Help_General32_Text
 
    if bExit then
 
        wscript.quit(1)
 
    end if
 
end sub
 
'
' Determines which program is being used to run this script.
' Returns true if the script host is cscript.exe
'
function IsHostCscript()
 
    on error resume next
 
    dim strFullName
    dim strCommand
    dim i, j
    dim bReturn
 
    bReturn = false
 
    strFullName = WScript.FullName
 
    i = InStr(1, strFullName, ".exe", 1)
 
    if i <> 0 then
 
        j = InStrRev(strFullName, "\", i, 1)
 
        if j <> 0 then
 
            strCommand = Mid(strFullName, j+1, i-j-1)
 
            if LCase(strCommand) = "cscript" then
 
                bReturn = true
 
            end if
 
        end if
 
    end if
 
    if Err <> 0 then
 
        wscript.echo L_Text_Error_General01_Text & L_Space_Text & L_Error_Text & L_Space_Text _
                     & L_Hex_Text & hex(Err.Number) & L_Space_Text & Err.Description
 
    end if
 
    IsHostCscript = bReturn
 
end function
 
'
' Retrieves extended information about the last error that occurred
' during a WBEM operation. The methods that set an SWbemLastError
' object are GetObject, PutInstance, DeleteInstance
'
sub LastError()
 
    on error resume next
 
    dim oError
 
    set oError = CreateObject("WbemScripting.SWbemLastError")
 
    if Err = kErrorSuccess then
 
        wscript.echo L_Operation_Text            & L_Space_Text & oError.Operation
        wscript.echo L_Provider_Text             & L_Space_Text & oError.ProviderName
        wscript.echo L_Description_Text          & L_Space_Text & oError.Description
        wscript.echo L_Text_Error_General04_Text & L_Space_Text & oError.StatusCode
 
    end if
 
end sub
 
'
' Connects to the WMI service on a server. oService is returned as a service
' object (SWbemServices)
'
function WmiConnect(strServer, strNameSpace, strUser, strPassword, oService)
 
    on error resume next

    dim oLocator
    dim bResult

    oService = null

    bResult  = false

    set oLocator = CreateObject("WbemScripting.SWbemLocator")

    if Err = kErrorSuccess then

        set oService = oLocator.ConnectServer(strServer, strNameSpace, strUser, strPassword)

        if Err = kErrorSuccess then

            bResult = true

            '
            ' 3 = wbemImpersonationLevelImpersonate: the WMI provider runs
            ' the requests under the caller's own identity
            '
            oService.Security_.ImpersonationLevel = 3

            '
            ' Required to perform administrative tasks on the spooler service
            '
            oService.Security_.Privileges.AddAsString "SeLoadDriverPrivilege"

            Err.Clear

        else

            wscript.echo L_Text_Msg_General10_Text & L_Space_Text & L_Error_Text _
                         & L_Space_Text & L_Hex_Text & hex(Err.Number) & L_Space_Text _
                         & Err.Description

        end if

    else

        wscript.echo L_Text_Msg_General09_Text & L_Space_Text & L_Error_Text _
                     & L_Space_Text & L_Hex_Text & hex(Err.Number) & L_Space_Text _
                     & Err.Description

    end if

    WmiConnect = bResult
 
end function
 
'
' Remove leading "\\" from server name
'
function RemoveBackslashes(strServer)
 
    dim strRet
 
    strRet = strServer
 
    if Left(strServer, 2) = "\\" and Len(strServer) > 2 then
 
        strRet = Mid(strServer, 3)
 
    end if
 
    RemoveBackslashes = strRet
 
end function
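
The functions in the script above (CreateOrSetPort, ListPorts, GetPort, WmiConnect working against Win32_TCPIPPrinterPort) have the structure of Microsoft's stock printer-port administration script prnport.vbs, which ships under %SystemRoot%\System32\Printing_Admin_Scripts\en-US. As an added example, not code posted in this thread, the PowerShell below compares a suspect copy with the stock one and asks Windows whether the file's signature verifies; $SuspectPath is a placeholder for wherever the copy under investigation sits, and the stock path is assumed from a standard Windows layout.

```powershell
# Added example (not from the thread): compare a suspect copy of the printer-port
# script with the stock Microsoft copy, and ask Windows whether the file's
# signature (embedded or catalog-based) verifies. Both paths are assumptions:
# $SuspectPath is a placeholder for wherever the copy under investigation sits.
# Get-FileHash needs PowerShell 4.0 or later (Windows 8.1 ships with it).
param(
    [string]$SuspectPath = 'C:\placeholder\path\prnport.vbs',
    [string]$StockPath   = "$env:SystemRoot\System32\Printing_Admin_Scripts\en-US\prnport.vbs"
)

function Test-StockPrinterScript {
    param(
        [Parameter(Mandatory)] [string]$Suspect,
        [Parameter(Mandatory)] [string]$Stock
    )

    foreach ($p in @($Suspect, $Stock)) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            throw "File not found: $p"
        }
    }

    # The hash comparison is the decisive test. It only proves the two copies are
    # byte-identical, so for a firmer baseline compare against a copy taken from
    # installation media or from another machine that is known to be clean.
    $suspectHash = (Get-FileHash -LiteralPath $Suspect -Algorithm SHA256).Hash
    $stockHash   = (Get-FileHash -LiteralPath $Stock   -Algorithm SHA256).Hash

    # Stock Windows scripts carry no embedded signature block. On PowerShell 5
    # and later Get-AuthenticodeSignature also consults the security catalogs,
    # so a stock file can report Valid; on older hosts NotSigned is the expected
    # result for such a file and is not, on its own, a sign of tampering.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Suspect
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    [pscustomobject]@{
        SuspectPath     = $Suspect
        StockPath       = $Stock
        SuspectSHA256   = $suspectHash
        StockSHA256     = $stockHash
        MatchesStock    = ($suspectHash -eq $stockHash)
        SignatureStatus = $sig.Status
        Signer          = $signer
    }
}

Test-StockPrinterScript -Suspect $SuspectPath -Stock $StockPath | Format-List
```

MatchesStock = True means the suspect file is the same script Windows installs by default; for a protected system file, sfc /verifyfile=<path> gives a second, component-store-based check.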


#12 PhoenixArjuna (Topic Starter)

Posted 01 October 2016 - 03:44 PM

>>> 6/24/2015 10:09:26:942

[Install Configuration]
  Installer Version: 1.3.14.0
  Compile date = Fri Mar 21 10:40:32 2014
  OS command line = c:\dell\14K2P\Setup.exe -s
  Effective command line = -s
  Windows Version = Windows 8
  Platform = 64 bit
  Core Version = 3.0.1 (IIF2++)
  System up time = 436 sec
  Source: c:\dell\14K2P
[Languages]
  0401 - c:\dell\14K2P\Lang\ar-SA\setup.exe.dll
  0405 - c:\dell\14K2P\Lang\cs-CZ\setup.exe.dll
  0406 - c:\dell\14K2P\Lang\da-DK\setup.exe.dll
  0407 - c:\dell\14K2P\Lang\de-DE\setup.exe.dll
  0408 - c:\dell\14K2P\Lang\el-GR\setup.exe.dll
  0409 - c:\dell\14K2P\Lang\en-US\setup.exe.dll
  0C0A - c:\dell\14K2P\Lang\es-ES\setup.exe.dll
  040B - c:\dell\14K2P\Lang\fi-FI\setup.exe.dll
  040C - c:\dell\14K2P\Lang\fr-FR\setup.exe.dll
  040D - c:\dell\14K2P\Lang\he-IL\setup.exe.dll
  041A - c:\dell\14K2P\Lang\hr-HR\setup.exe.dll
  040E - c:\dell\14K2P\Lang\hu-HU\setup.exe.dll
  0410 - c:\dell\14K2P\Lang\it-IT\setup.exe.dll
  0411 - c:\dell\14K2P\Lang\ja-JP\setup.exe.dll
  0412 - c:\dell\14K2P\Lang\ko-KR\setup.exe.dll
  0414 - c:\dell\14K2P\Lang\nb-NO\setup.exe.dll
  0413 - c:\dell\14K2P\Lang\nl-NL\setup.exe.dll
  0415 - c:\dell\14K2P\Lang\pl-PL\setup.exe.dll
  0416 - c:\dell\14K2P\Lang\pt-BR\setup.exe.dll
  0816 - c:\dell\14K2P\Lang\pt-PT\setup.exe.dll
  0418 - c:\dell\14K2P\Lang\ro-RO\setup.exe.dll
  0419 - c:\dell\14K2P\Lang\ru-RU\setup.exe.dll
  041B - c:\dell\14K2P\Lang\sk-SK\setup.exe.dll
  0424 - c:\dell\14K2P\Lang\sl-SI\setup.exe.dll
  041D - c:\dell\14K2P\Lang\sv-SE\setup.exe.dll
  041E - c:\dell\14K2P\Lang\th-TH\setup.exe.dll
  041F - c:\dell\14K2P\Lang\tr-TR\setup.exe.dll
  0804 - c:\dell\14K2P\Lang\zh-CN\setup.exe.dll
  0404 - c:\dell\14K2P\Lang\zh-TW\setup.exe.dll
  User default LangID: 0x409
  User default UI language: 0x409
  Loaded language 0409
[Checking requirements]
  Checking for admin rights
  Admin rights OK
  Checking OS
  OS check OK
[Scanning drivers]
  Scanning drivers
  Found INF = c:\dell\14K2P\Bin\VirtualButtons.inf
  [INF Info]
    INF = c:\dell\14K2P\Bin\VirtualButtons.inf
*   Section <PackageInfo> Key <Name> not found in INF
*   Section <PackageInfo> Key <Sequence> not found in INF
    Date = 07/15/2014
    Version = 1.0.0.17
    ClassGUID = {4D36E97D-E325-11CE-BFC1-08002BE10318}
    PackageInfo.Name = 
    PackageInfo.Sequence = 0
    Manufacturer = Vendor,NTx86.6.1,NTamd64.6.1
    Resolved Manufacturer = Vendor.NTamd64.6.1
    Inf supports 64 bit.
    Description: Intel® Virtual Buttons
    HardwareID = VirtualButtons,ACPI\INT33D6
    Matched HardwareID = ACPI\INT33D6
    Installed Driver = {4d36e97d-e325-11ce-bfc1-08002be10318}\0046
*   Section <PackageInfo> Key <Name> not found in INF
    Found current package 1.0.0.17
    Found current package INF: C:\Windows\inf\oem7.inf
    Found current package Installed INF: oem7.inf
  Adding INF to install queue. INF=c:\dell\14K2P\Bin\VirtualButtons.inf Sequence=0
  Checking for downgrading
  [Checking INF versions]
    c:\dell\14K2P\Bin\VirtualButtons.inf
      Intel® Virtual Buttons
        Installed version: 1.0.0.17
        Version in package: 1.0.0.17
        Installed INF info: Name=, Provider=Intel® Corporation, Section=VirtualButtons.NTamd64
[Install]
Reading action list from resource: DEFAULT
Groups: ARP=1
Reading action file c:\dell\14K2P\setup.if2
Groups: ARP=1
[Filtering components per group]
[Filter conditions]
  'File' at line 31. Condition = NOT Is64 AND IsVar(HASDRIVER,1)
Sorting action list for installation
[INF - 0]
  Installing c:\dell\14K2P\Bin\VirtualButtons.inf
  INF = c:\dell\14K2P\Bin\VirtualButtons.inf
  Execute command: c:\dell\14K2P\x64\Drv64.exe -driverinf "c:\dell\14K2P\Bin\VirtualButtons.inf" -flags 20 -keypath "Software\Intel\Difx64"
  Installation source = c:\dell\14K2P\Bin\VirtualButtons.inf
  DriverStore location = C:\Windows\System32\DriverStore\FileRepository\virtualbuttons.inf_amd64_a247c9e4e2c517bb\virtualbuttons.inf
  Package Requires Reboot = no
* The version of the driver just installed is the same as the one that was previously installed. Skipping uninstall of previous driver
[Folder - 0]
  Marking folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\uninstall\x64 for delete on uninstall
[File - 0]
  Marking C:\Windows\system32\drivers\VirtualButtons.sys for delete during uninstallation
[File - 500]
  Operation = copy
  Destination = C:\Program Files (x86)\Intel\Intel® Virtual Buttons\uninstall\Setup.exe
    Copying file c:\dell\14K2P\Setup.exe
[Folder - 505]
  Source = c:\dell\14K2P\Lang
  Destination = C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall
    Copying file c:\dell\14K2P\Lang\ar-SA\License.txt
    Copying file c:\dell\14K2P\Lang\ar-SA\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\cs-CZ\License.txt
    Copying file c:\dell\14K2P\Lang\cs-CZ\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\da-DK\License.txt
    Copying file c:\dell\14K2P\Lang\da-DK\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\de-DE\License.txt
    Copying file c:\dell\14K2P\Lang\de-DE\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\el-GR\License.txt
    Copying file c:\dell\14K2P\Lang\el-GR\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\en-US\License.txt
    Copying file c:\dell\14K2P\Lang\en-US\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\es-ES\License.txt
    Copying file c:\dell\14K2P\Lang\es-ES\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\fi-FI\License.txt
    Copying file c:\dell\14K2P\Lang\fi-FI\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\fr-FR\License.txt
    Copying file c:\dell\14K2P\Lang\fr-FR\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\he-IL\License.txt
    Copying file c:\dell\14K2P\Lang\he-IL\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\hr-HR\License.txt
    Copying file c:\dell\14K2P\Lang\hr-HR\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\hu-HU\License.txt
    Copying file c:\dell\14K2P\Lang\hu-HU\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\it-IT\License.txt
    Copying file c:\dell\14K2P\Lang\it-IT\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\ja-JP\License.txt
    Copying file c:\dell\14K2P\Lang\ja-JP\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\ko-KR\License.txt
    Copying file c:\dell\14K2P\Lang\ko-KR\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\nb-NO\License.txt
    Copying file c:\dell\14K2P\Lang\nb-NO\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\nl-NL\License.txt
    Copying file c:\dell\14K2P\Lang\nl-NL\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\pl-PL\License.txt
    Copying file c:\dell\14K2P\Lang\pl-PL\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\pt-BR\License.txt
    Copying file c:\dell\14K2P\Lang\pt-BR\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\pt-PT\License.txt
    Copying file c:\dell\14K2P\Lang\pt-PT\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\ro-RO\License.txt
    Copying file c:\dell\14K2P\Lang\ro-RO\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\ru-RU\License.txt
    Copying file c:\dell\14K2P\Lang\ru-RU\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\sk-SK\License.txt
    Copying file c:\dell\14K2P\Lang\sk-SK\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\sl-SI\License.txt
    Copying file c:\dell\14K2P\Lang\sl-SI\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\sv-SE\License.txt
    Copying file c:\dell\14K2P\Lang\sv-SE\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\th-TH\License.txt
    Copying file c:\dell\14K2P\Lang\th-TH\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\tr-TR\License.txt
    Copying file c:\dell\14K2P\Lang\tr-TR\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\zh-CN\License.txt
    Copying file c:\dell\14K2P\Lang\zh-CN\setup.exe.dll
    Copying file c:\dell\14K2P\Lang\zh-TW\License.txt
    Copying file c:\dell\14K2P\Lang\zh-TW\setup.exe.dll
[File - 510]
  Operation = copy
  Destination = C:\Program Files (x86)\Intel\Intel® Virtual Buttons\uninstall\Setup.cfg
    Copying file c:\dell\14K2P\setup.cfg
[File - 510]
  Operation = copy
  Destination = C:\Program Files (x86)\Intel\Intel® Virtual Buttons\uninstall\x64\Drv64.exe
    Copying file c:\dell\14K2P\x64\Drv64.exe
[File - 515]
  Operation = copyonly
  Destination = C:\Windows\system32\difxapi.dll
    Copying file c:\dell\14K2P\x64\difxapi.dll
    Source version: 2.1.0.0
    Dest version: 2.1.0.0
    File skipped, destination file is same or newer
[Configuring uninstallation - 520]
  Uninstall key: Software\Microsoft\Windows\CurrentVersion\Uninstall\1992736F-C90A-481C-B21B-EE34CAD07387
IIF will NOT initiate reboot
Exit code = 0x0
ResultCode = 0
<<< 6/24/2015 10:09:28:426
 
>>> 9/29/2016 01:21:07:841
[Install Configuration]
  Installer Version: 1.3.14.0
  Compile date = Fri Mar 21 10:40:32 2014
  OS command line = "C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\setup.exe" -uninstall
  Effective command line = -uninstall
  Windows Version = Windows 8
  Platform = 64 bit
  Core Version = 3.0.1 (IIF2++)
  System up time = 276 sec
  Source: C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall
[Languages]
  0401 - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\ar-SA\setup.exe.dll
  0405 - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\cs-CZ\setup.exe.dll
  0406 - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\da-DK\setup.exe.dll
  0407 - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\de-DE\setup.exe.dll
  0408 - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\el-GR\setup.exe.dll
  0409 - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\en-US\setup.exe.dll
  0C0A - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\es-ES\setup.exe.dll
  040B - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\fi-FI\setup.exe.dll
  040C - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\fr-FR\setup.exe.dll
  040D - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\he-IL\setup.exe.dll
  041A - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\hr-HR\setup.exe.dll
  040E - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\hu-HU\setup.exe.dll
  0410 - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\it-IT\setup.exe.dll
  0411 - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\ja-JP\setup.exe.dll
  0412 - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\ko-KR\setup.exe.dll
  0414 - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\nb-NO\setup.exe.dll
  0413 - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\nl-NL\setup.exe.dll
  0415 - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\pl-PL\setup.exe.dll
  0416 - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\pt-BR\setup.exe.dll
  0816 - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\pt-PT\setup.exe.dll
  0418 - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\ro-RO\setup.exe.dll
  0419 - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\ru-RU\setup.exe.dll
  0409 - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\Setup.exe
  041B - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\sk-SK\setup.exe.dll
  0424 - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\sl-SI\setup.exe.dll
  041D - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\sv-SE\setup.exe.dll
  041E - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\th-TH\setup.exe.dll
  041F - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\tr-TR\setup.exe.dll
  0804 - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\zh-CN\setup.exe.dll
  0404 - C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\zh-TW\setup.exe.dll
  User default LangID: 0x409
  User default UI language: 0x409
  Loaded language 0409
[Uninstall]
  Checking for admin rights
  Admin rights OK
  Showing uninstall wizard
  [INF - 0]
    Execute command: C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\x64\Drv64.exe -driverinf "C:\Windows\System32\DriverStore\FileRepository\virtualbuttons.inf_amd64_a247c9e4e2c517bb\virtualbuttons.inf" -flags 32 -keypath "Software\Intel\Difx64" -uninstall
!   Driver uninstall error 0x2
  [File - 0]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\uninstall\Setup.exe
    Delete error 0x5. Trying move locked file method
  [File - 0]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\uninstall\Setup.cfg
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\ar-SA\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\ar-SA\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\cs-CZ\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\cs-CZ\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\da-DK\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\da-DK\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\de-DE\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\de-DE\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\el-GR\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\el-GR\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\en-US\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\en-US\setup.exe.dll
    Delete error 0x5. Trying move locked file method
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\es-ES\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\es-ES\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\fi-FI\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\fi-FI\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\fr-FR\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\fr-FR\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\he-IL\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\he-IL\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\hr-HR\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\hr-HR\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\hu-HU\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\hu-HU\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\it-IT\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\it-IT\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\ja-JP\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\ja-JP\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\ko-KR\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\ko-KR\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\nb-NO\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\nb-NO\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\nl-NL\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\nl-NL\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\pl-PL\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\pl-PL\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\pt-BR\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\pt-BR\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\pt-PT\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\pt-PT\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\ro-RO\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\ro-RO\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\ru-RU\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\ru-RU\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\sk-SK\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\sk-SK\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\sl-SI\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\sl-SI\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\sv-SE\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\sv-SE\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\th-TH\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\th-TH\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\tr-TR\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\tr-TR\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\zh-CN\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\zh-CN\setup.exe.dll
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\zh-TW\License.txt
  [File - 505]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\zh-TW\setup.exe.dll
  [Folder - 505]
    Recursively deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\ar-SA
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\cs-CZ
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\da-DK
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\de-DE
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\el-GR
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\en-US
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\es-ES
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\fi-FI
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\fr-FR
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\he-IL
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\hr-HR
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\hu-HU
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\it-IT
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\ja-JP
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\ko-KR
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\nb-NO
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\nl-NL
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\pl-PL
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\pt-BR
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\pt-PT
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\ro-RO
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\ru-RU
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\sk-SK
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\sl-SI
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\sv-SE
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\th-TH
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\tr-TR
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\x64
    Directory is not empty, stopping removal.  
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\zh-CN
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\zh-TW
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall
    Directory is not empty, stopping removal.  
  [File - 5000]
    Deleting C:\Windows\system32\drivers\VirtualButtons.sys
  [File - 20010]
    Deleting C:\Program Files (x86)\Intel\Intel® Virtual Buttons\uninstall\x64\Drv64.exe
  [Folder - 20015]
    Recursively deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\uninstall\x64
    Deleting folder C:\Program Files (x86)\Intel\Intel® Virtual Buttons\uninstall\x64
  [Registry - 20025]
    Deleting [HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\1992736F-C90A-481C-B21B-EE34CAD07387\]
  [Cleanup]
    Deleting 'C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall\Setup.exe'
    System folder or Root?: false.
    Deleting 'C:\Program Files (x86)\Intel\Intel® Virtual Buttons\Uninstall'
    System folder or Root?: false.
    Deleting 'C:\Program Files (x86)\Intel\Intel® Virtual Buttons'
    System folder or Root?: false.
    Intel root found and not empty
IIF will NOT initiate reboot
Exit code = 0x0
ResultCode = 0
<<< 9/29/2016 01:21:20:333


#13 PhoenixArjuna

PhoenixArjuna
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:10:51 PM

Posted 01 October 2016 - 03:49 PM

All of these devices have corrupted drivers that were fine upon reinstall.



#14 PhoenixArjuna

PhoenixArjuna
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:10:51 PM

Posted 01 October 2016 - 03:53 PM

Many of these devices in these screenshots have corrupted drivers that were good upon reinstallation.



#15 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,474 posts
  • ONLINE
  • Gender:Male
  • Local time:05:51 PM

Posted 01 October 2016 - 04:46 PM

[Suspicious.Path] esif_assist.exe(2200) -- C:\WINDOWS\Temp\DPTF\esif_assist.exe[7] -> Found


Legitimate executable and process. Belongs to Intel® Dynamic Platform and Thermal Framework Utility Application.

http://www.file.net/process/esif_assist.exe.html
https://www.reasoncoresecurity.com/esif_assist.exe-81a73c040fa9bfa27395fed2143528e116345b53.aspx

[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3779583528-1916877269-3399241691-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell13.msn.com/?pc=DCJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3779583528-1916877269-3399241691-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell13.msn.com/?pc=DCJB  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3779583528-1916877269-3399241691-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell13.msn.com/?pc=DCJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3779583528-1916877269-3399241691-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell13.msn.com/?pc=DCJB  -> Found
Custom Internet Explorer homepage set by your laptop's manufacturer, in that case, Dell. Nothing to worry about.

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F22E4870-0C32-43B3-A270-480A8873F046} | DhcpNameServer : 172.6.1.171 ([X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F22E4870-0C32-43B3-A270-480A8873F046} | DhcpNameServer : 172.6.1.171 ([X])  -> Found
Custom set DHCP server. RogueKiller will always flag them. Even my 8.8.8.8 and 8.8.4.4 (Google's DNS) were flagged last time I ran it.

[PUP][File] C:\Users\phoenix\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Amazon.lnk [LNK@] C:\PROGRA~2\Amazon\AMAZON~1\AMAZON~1.EXE -> Found
[PUP][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Amazon.lnk [LNK@] C:\PROGRA~2\Amazon\AMAZON~1\AMAZON~1.EXE -> Found
Simple PUP from Amazon, bundled with pretty much every manufacturer Windows image.

About the prnport.vbs file, it's a legitimate script from Microsoft.

https://technet.microsoft.com/en-us/library/cc754352(v=ws.11).aspx

The second log is a simple installer log for Virtual Buttons (so-called hotkeys) on your laptop. Nothing wrong with it.

If you right-click on one of these devices with the yellow triangle warning and select Properties, what's the error code and error message displayed?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
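The post above asks for the error code behind each yellow-triangle device and explains that RogueKiller flags every DHCP-assigned DNS server under [PUM.Dns]. The script below is an added example for this thread, not code from Aura, RogueKiller or Intel: run from an elevated PowerShell (Windows 7 or later, PowerShell 3+ for the CIM cmdlets), it lists every device whose Device Manager status is not OK together with the problem code, the message Device Manager would show and the backing driver's INF, version and signer, and it reads the same DhcpNameServer / NameServer registry values RogueKiller reported and classifies each address (private, loopback, link-local, well-known public resolver, or other public address). The list of "well-known" resolvers is my own assumption; the problem-code texts are Microsoft's documented Device Manager codes.

```powershell
# Added example (not from the thread): Device Manager and DNS triage in PowerShell.
# Assumes Windows 7+ with Get-CimInstance available; run in an elevated session.

# Microsoft's documented Device Manager problem codes (ConfigManagerErrorCode)
# most often seen behind a yellow-triangle device.
$DeviceErrorText = @{
    1  = 'This device is not configured correctly.'
    10 = 'This device cannot start.'
    22 = 'This device is disabled.'
    28 = 'The drivers for this device are not installed.'
    31 = 'Windows cannot load the drivers required for this device.'
    39 = 'Windows cannot load the device driver; the driver may be corrupted or missing.'
    43 = 'Windows has stopped this device because it has reported problems.'
    52 = 'Windows cannot verify the digital signature for the drivers required for this device.'
}

function Get-ProblemDevice {
    # The same information as right-click > Properties on each flagged device,
    # in one table, plus the backing driver so a "corrupted" driver can be
    # compared with what a clean reinstall produced (INF name, version, signer).
    $driverByDevice = @{}
    Get-CimInstance -ClassName Win32_PnPSignedDriver -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.DeviceID) { $driverByDevice[$_.DeviceID] = $_ } }

    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.ConfigManagerErrorCode -gt 0 } |
        ForEach-Object {
            $code = [int]$_.ConfigManagerErrorCode
            $drv  = $driverByDevice[$_.DeviceID]
            if ($DeviceErrorText.ContainsKey($code)) { $meaning = $DeviceErrorText[$code] }
            else { $meaning = "See Microsoft's Device Manager error code list for code $code." }
            [pscustomobject]@{
                Name     = $_.Name
                DeviceID = $_.DeviceID
                Code     = $code
                Meaning  = $meaning
                InfName  = if ($drv) { $drv.InfName }       else { $null }
                Version  = if ($drv) { $drv.DriverVersion } else { $null }
                Signer   = if ($drv) { $drv.Signer }        else { $null }
            }
        }
}

function Get-AddressClass {
    param([string]$Address)
    # Assumed list of public resolvers that are commonly handed out on purpose;
    # RogueKiller flags these under [PUM.Dns] just like any other address.
    $wellKnown = '8.8.8.8', '8.8.4.4', '1.1.1.1', '1.0.0.1', '9.9.9.9', '208.67.222.222', '208.67.220.220'
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$addr) -or
        $addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        return 'not an IPv4 address'
    }
    $o = $addr.GetAddressBytes()
    if ($wellKnown -contains $Address)                     { return 'well-known public resolver' }
    if ($o[0] -eq 10)                                      { return 'private (RFC 1918)' }
    if ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) { return 'private (RFC 1918)' }
    if ($o[0] -eq 192 -and $o[1] -eq 168)                  { return 'private (RFC 1918)' }
    if ($o[0] -eq 127)                                     { return 'loopback' }
    if ($o[0] -eq 169 -and $o[1] -eq 254)                  { return 'link-local (APIPA)' }
    return 'public address, not a well-known resolver: compare with the router''s DHCP settings'
}

function Get-DnsServerTriage {
    # Reads the registry values RogueKiller reports as [PUM.Dns]: DhcpNameServer
    # (assigned by DHCP, space-separated) and NameServer (set statically,
    # comma-separated) for every interface, one row per resolver address.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    Get-ChildItem -Path $key | ForEach-Object {
        $iface = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        foreach ($source in 'DhcpNameServer', 'NameServer') {
            $value = $props.$source
            if (-not $value) { continue }
            foreach ($ip in ($value -split '[ ,]+' | Where-Object { $_ })) {
                [pscustomobject]@{
                    Interface = $iface
                    Source    = $source
                    Server    = $ip
                    Class     = Get-AddressClass -Address $ip
                }
            }
        }
    }
}

# Usage: both tables are what a helper would ask to see next to the RogueKiller log.
Get-ProblemDevice  | Format-Table -AutoSize
Get-DnsServerTriage | Format-Table -AutoSize
```

The device table replaces clicking through Properties on each flagged device one at a time, and the Signer column is the quick way to see whether a driver that "was fine upon reinstall" is now unsigned or signed by someone other than the vendor. For the DNS table, a resolver in a private range is what a home router normally hands out, and a well-known public resolver is a deliberate choice; any other public address should simply be checked against the router's own DHCP configuration before drawing conclusions.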




