Formatted HD and did fresh install.......still have a virus it appears


83 replies to this topic

#1 trauts14

Posted 01 January 2017 - 07:32 AM

Even with a fresh install, Malwarebytes by default has protection turned off and I cannot find the Chameleon folder with Malwarebytes. Also, under processes "csrss.exe" will not allow me to open the location and does not say Microsoft under "Description." Below are the logs:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-12-2016
Ran by couperdecale (administrator) on COUPERDECALE-PC (01-01-2017 07:25:23)
Running from C:\Users\couperdecale\Desktop
Loaded Profiles: couperdecale (Available Profiles: couperdecale)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2776528 2016-12-14] (Malwarebytes)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{6FE242CF-F283-412F-A621-6429597735A3}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3260005810-1226773330-521797367-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3260005810-1226773330-521797367-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
 
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-31] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-31] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\couperdecale\AppData\Local\Google\Chrome\User Data\Default [2017-01-01]
CHR Extension: (Google Slides) - C:\Users\couperdecale\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-12-31]
CHR Extension: (Google Docs) - C:\Users\couperdecale\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-12-31]
CHR Extension: (Google Drive) - C:\Users\couperdecale\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-12-31]
CHR Extension: (YouTube) - C:\Users\couperdecale\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-12-31]
CHR Extension: (Adblock Plus) - C:\Users\couperdecale\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-12-31]
CHR Extension: (Google Sheets) - C:\Users\couperdecale\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-12-31]
CHR Extension: (Google Docs Offline) - C:\Users\couperdecale\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-12-31]
CHR Extension: (Chrome Web Store Payments) - C:\Users\couperdecale\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-12-31]
CHR Extension: (Gmail) - C:\Users\couperdecale\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-12-31]
CHR Extension: (Chrome Media Router) - C:\Users\couperdecale\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-31]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4317648 2016-12-14] (Malwarebytes)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77416 2016-12-14] ()
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [176064 2016-12-31] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [102856 2016-12-31] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [43968 2016-12-31] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [250816 2016-12-31] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [81696 2016-12-31] (Malwarebytes)
R3 RTWlanE; C:\Windows\System32\DRIVERS\rtwlane.sys [3402968 2014-04-11] (Realtek Semiconductor Corporation                           )
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-01-01 07:25 - 2017-01-01 07:25 - 00006846 _____ C:\Users\couperdecale\Desktop\FRST.txt
2016-12-31 20:01 - 2016-12-31 20:01 - 00001355 _____ C:\Windows\TSSysprep.log
2016-12-31 20:01 - 2016-12-31 20:01 - 00001345 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
2016-12-31 20:01 - 2016-12-31 20:01 - 00001326 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
2016-12-31 20:00 - 2017-01-01 07:22 - 00022932 _____ C:\Windows\WindowsUpdate.log
2016-12-31 20:00 - 2016-12-31 20:00 - 00000000 ____D C:\Windows\SoftwareDistribution
2016-12-31 19:57 - 2017-01-01 07:25 - 00000000 ____D C:\Windows\Prefetch
2016-12-31 19:57 - 2016-12-31 18:40 - 4160864256 ___SH C:\pagefile.sys
2016-12-31 19:56 - 2016-12-31 19:56 - 00000000 ____D C:\Windows\system32\OEM
2016-12-31 19:56 - 2016-12-31 19:16 - 00000000 __SHD C:\System Volume Information
2016-12-31 19:56 - 2016-12-31 18:40 - 2046906368 ___SH C:\hiberfil.sys
2016-12-31 19:56 - 2016-12-31 17:04 - 00000000 ____D C:\Windows\Panther
2016-12-31 18:51 - 2016-12-31 18:52 - 00000000 ____D C:\AdwCleaner
2016-12-31 18:51 - 2016-12-31 18:51 - 03977168 _____ C:\Users\couperdecale\Desktop\AdwCleaner.exe
2016-12-31 18:39 - 2016-12-31 18:39 - 00824224 ____H C:\Users\couperdecale\AppData\Local\IconCache.db
2016-12-31 18:31 - 2017-01-01 07:25 - 00000000 ____D C:\FRST
2016-12-31 18:30 - 2016-12-31 18:30 - 02420736 _____ (Farbar) C:\Users\couperdecale\Desktop\FRST64.exe
2016-12-31 18:19 - 2017-01-01 07:25 - 00000000 ____D C:\Windows\temp
2016-12-31 18:19 - 2016-12-31 18:19 - 00006151 _____ C:\ComboFix.txt
2016-12-31 18:19 - 2016-12-31 18:19 - 00000000 __SHD C:\$RECYCLE.BIN
2016-12-31 18:19 - 2016-12-31 18:19 - 00000000 ____D C:\Users\Public\AppData\Local\temp
2016-12-31 18:19 - 2016-12-31 18:19 - 00000000 ____D C:\Users\Public\AppData\Local
2016-12-31 18:19 - 2016-12-31 18:19 - 00000000 ____D C:\Users\Public\AppData
2016-12-31 18:19 - 2016-12-31 18:19 - 00000000 ____D C:\Users\Default\AppData\Local\temp
2016-12-31 18:19 - 2016-12-31 18:19 - 00000000 ____D C:\Users\Default User\AppData\Local\temp
2016-12-31 18:15 - 2016-12-31 18:19 - 00000000 ____D C:\ComboFix
2016-12-31 18:15 - 2011-06-26 01:45 - 00256000 _____ C:\Windows\PEV.exe
2016-12-31 18:15 - 2010-11-07 12:20 - 00208896 _____ C:\Windows\MBR.exe
2016-12-31 18:15 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-12-31 18:15 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-12-31 18:15 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-12-31 18:15 - 2000-08-30 19:00 - 00098816 _____ C:\Windows\sed.exe
2016-12-31 18:15 - 2000-08-30 19:00 - 00080412 _____ C:\Windows\grep.exe
2016-12-31 18:15 - 2000-08-30 19:00 - 00068096 _____ C:\Windows\zip.exe
2016-12-31 18:14 - 2016-12-31 18:19 - 00000000 ____D C:\Qoobox
2016-12-31 18:14 - 2016-12-31 18:18 - 00000000 ____D C:\Windows\erdnt
2016-12-31 17:51 - 2016-12-31 17:51 - 00000000 ____D C:\Users\couperdecale\AppData\Local\ESET
2016-12-31 17:49 - 2016-12-31 17:49 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\couperdecale\Desktop\rkill.exe
2016-12-31 17:48 - 2016-12-31 18:19 - 00091286 _____ C:\Windows\ntbtlog.txt
2016-12-31 17:43 - 2016-12-31 22:42 - 00081696 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2016-12-31 17:43 - 2016-12-31 18:41 - 00102856 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2016-12-31 17:43 - 2016-12-31 18:40 - 00250816 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-12-31 17:43 - 2016-12-31 18:40 - 00043968 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-12-31 17:43 - 2016-12-31 17:43 - 00176064 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2016-12-31 17:42 - 2016-12-31 17:42 - 00001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2016-12-31 17:42 - 2016-12-31 17:42 - 00000000 ____D C:\Users\couperdecale\AppData\Local\Programs
2016-12-31 17:42 - 2016-12-31 17:42 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2016-12-31 17:42 - 2016-12-31 17:42 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-12-31 17:42 - 2016-12-31 17:42 - 00000000 ____D C:\Program Files\Malwarebytes
2016-12-31 17:42 - 2016-12-14 12:55 - 00077416 _____ C:\Windows\system32\Drivers\mbae64.sys
2016-12-31 17:31 - 2016-12-31 17:31 - 00000000 ____D C:\Users\couperdecale\AppData\Local\Diagnostics
2016-12-31 17:16 - 2016-12-31 17:16 - 00000000 _____ C:\Windows\RTKRunSetup.ini
2016-12-31 17:13 - 2016-12-31 17:26 - 00000000 ____D C:\Users\couperdecale\AppData\Local\Google
2016-12-31 17:13 - 2016-12-31 17:19 - 00003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-12-31 17:13 - 2016-12-31 17:19 - 00003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-12-31 17:13 - 2016-12-31 17:13 - 00057560 _____ C:\Users\couperdecale\AppData\Local\GDIPFONTCACHEV1.DAT
2016-12-31 17:13 - 2016-12-31 17:13 - 00002267 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-12-31 17:13 - 2016-12-31 17:13 - 00000000 ____D C:\Users\couperdecale\AppData\Local\Deployment
2016-12-31 17:13 - 2016-12-31 17:13 - 00000000 ____D C:\Users\couperdecale\AppData\Local\Apps\2.0
2016-12-31 17:13 - 2016-12-31 17:13 - 00000000 ____D C:\Users\couperdecale\AppData\Local\Apps
2016-12-31 17:13 - 2016-12-31 17:13 - 00000000 ____D C:\Program Files (x86)\Google
2016-12-31 17:12 - 2016-12-31 17:12 - 00000000 __SHD C:\Users\couperdecale\AppData\LocalLow\Microsoft
2016-12-31 17:10 - 2016-12-20 01:33 - 01037832 _____ (Realtek ) C:\Windows\system32\Drivers\Rt64win7.sys
2016-12-31 17:10 - 2016-12-20 01:33 - 00116304 _____ (Realtek Semiconductor Corporation) C:\Windows\system32\RTNUninst64.dll
2016-12-31 17:10 - 2016-12-20 01:33 - 00082544 _____ (Realtek Semiconductor Corporation) C:\Windows\system32\RtNicProp64.dll
2016-12-31 17:09 - 2016-12-31 17:24 - 00000000 __SHD C:\Windows\Installer
2016-12-31 17:09 - 2016-12-31 17:09 - 00000000 ____D C:\Program Files (x86)\Cisco
2016-12-31 17:08 - 2016-12-31 17:16 - 00000190 _____ C:\Windows\HPSetLog.txt
2016-12-31 17:08 - 2016-12-31 17:16 - 00000000 ____D C:\Program Files (x86)\Realtek
2016-12-31 17:08 - 2016-12-31 17:10 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2016-12-31 17:08 - 2016-12-31 17:08 - 00000000 ____D C:\SWSetup
2016-12-31 17:08 - 2014-04-11 13:52 - 03402968 _____ (Realtek Semiconductor Corporation ) C:\Windows\system32\Drivers\rtwlane.sys
2016-12-31 17:08 - 2013-04-01 23:19 - 00574464 _____ (Realtek Semiconductor Corp. ) C:\Windows\system32\Rtlihvs.dll
2016-12-31 17:08 - 2010-12-01 09:31 - 00451072 _____ C:\Windows\SysWOW64\ISSRemoveSP.exe
2016-12-31 17:07 - 2016-12-31 17:07 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2016-12-31 17:05 - 2016-12-31 17:05 - 00001409 _____ C:\Users\couperdecale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2016-12-31 17:04 - 2017-01-01 07:25 - 00786432 ___SH C:\Users\couperdecale\NTUSER.DAT
2016-12-31 17:04 - 2017-01-01 07:25 - 00262144 ___SH C:\Users\couperdecale\ntuser.dat.LOG1
2016-12-31 17:04 - 2017-01-01 07:25 - 00000000 ___RD C:\Users\couperdecale\Desktop
2016-12-31 17:04 - 2017-01-01 07:25 - 00000000 ____D C:\Users\couperdecale\AppData\Local\Temp
2016-12-31 17:04 - 2016-12-31 18:39 - 00000000 ____D C:\Users\couperdecale\AppData\Local
2016-12-31 17:04 - 2016-12-31 18:14 - 00000000 ___RD C:\Users\couperdecale\Documents
2016-12-31 17:04 - 2016-12-31 17:31 - 00000000 ____D C:\Users\couperdecale\AppData\Local\Microsoft
2016-12-31 17:04 - 2016-12-31 17:13 - 00000000 ___SD C:\Users\couperdecale\AppData\Roaming\Microsoft
2016-12-31 17:04 - 2016-12-31 17:12 - 00000000 ____D C:\Users\couperdecale\AppData\LocalLow
2016-12-31 17:04 - 2016-12-31 17:05 - 00524288 ___SH C:\Users\couperdecale\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
2016-12-31 17:04 - 2016-12-31 17:05 - 00524288 ___SH C:\Users\couperdecale\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
2016-12-31 17:04 - 2016-12-31 17:05 - 00065536 ___SH C:\Users\couperdecale\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
2016-12-31 17:04 - 2016-12-31 17:05 - 00001443 _____ C:\Users\couperdecale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-12-31 17:04 - 2016-12-31 17:05 - 00000476 ___SH C:\Users\couperdecale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
2016-12-31 17:04 - 2016-12-31 17:05 - 00000402 ___SH C:\Users\couperdecale\Documents\desktop.ini
2016-12-31 17:04 - 2016-12-31 17:05 - 00000282 ___SH C:\Users\couperdecale\Downloads\desktop.ini
2016-12-31 17:04 - 2016-12-31 17:05 - 00000282 ___SH C:\Users\couperdecale\Desktop\desktop.ini
2016-12-31 17:04 - 2016-12-31 17:05 - 00000174 ___SH C:\Users\couperdecale\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
2016-12-31 17:04 - 2016-12-31 17:05 - 00000000 ___RD C:\Users\couperdecale\Videos
2016-12-31 17:04 - 2016-12-31 17:05 - 00000000 ___RD C:\Users\couperdecale\Searches
2016-12-31 17:04 - 2016-12-31 17:05 - 00000000 ___RD C:\Users\couperdecale\Saved Games
2016-12-31 17:04 - 2016-12-31 17:05 - 00000000 ___RD C:\Users\couperdecale\Pictures
2016-12-31 17:04 - 2016-12-31 17:05 - 00000000 ___RD C:\Users\couperdecale\Music
2016-12-31 17:04 - 2016-12-31 17:05 - 00000000 ___RD C:\Users\couperdecale\Links
2016-12-31 17:04 - 2016-12-31 17:05 - 00000000 ___RD C:\Users\couperdecale\Favorites
2016-12-31 17:04 - 2016-12-31 17:05 - 00000000 ___RD C:\Users\couperdecale\Downloads
2016-12-31 17:04 - 2016-12-31 17:05 - 00000000 ___RD C:\Users\couperdecale\Contacts
2016-12-31 17:04 - 2016-12-31 17:05 - 00000000 ___RD C:\Users\couperdecale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2016-12-31 17:04 - 2016-12-31 17:05 - 00000000 ___RD C:\Users\couperdecale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2016-12-31 17:04 - 2016-12-31 17:05 - 00000000 ___RD C:\Users\couperdecale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
2016-12-31 17:04 - 2016-12-31 17:04 - 00000020 ___SH C:\Users\couperdecale\ntuser.ini
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 _SHDL C:\Users\couperdecale\Templates
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 _SHDL C:\Users\couperdecale\Start Menu
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 _SHDL C:\Users\couperdecale\SendTo
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 _SHDL C:\Users\couperdecale\Recent
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 _SHDL C:\Users\couperdecale\PrintHood
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 _SHDL C:\Users\couperdecale\NetHood
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 _SHDL C:\Users\couperdecale\My Documents
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 _SHDL C:\Users\couperdecale\Local Settings
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 _SHDL C:\Users\couperdecale\Documents\My Videos
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 _SHDL C:\Users\couperdecale\Documents\My Pictures
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 _SHDL C:\Users\couperdecale\Documents\My Music
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 _SHDL C:\Users\couperdecale\Cookies
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 _SHDL C:\Users\couperdecale\Application Data
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 _SHDL C:\Users\couperdecale\AppData\Local\Temporary Internet Files
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 _SHDL C:\Users\couperdecale\AppData\Local\History
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 _SHDL C:\Users\couperdecale\AppData\Local\Application Data
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 ___SH C:\Users\couperdecale\ntuser.dat.LOG2
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 ___HD C:\Users\couperdecale\AppData
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 ____D C:\Users\couperdecale\AppData\Roaming\Identities
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 ____D C:\Users\couperdecale\AppData\Roaming
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 ____D C:\Users\couperdecale\AppData\Local\VirtualStore
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 ____D C:\Users\couperdecale
2016-12-31 17:04 - 2016-12-31 17:04 - 00000000 ____D C:\Recovery
2016-12-31 17:04 - 2010-11-21 02:16 - 00000000 ____D C:\Users\couperdecale\AppData\Roaming\Media Center Programs
2016-12-31 17:04 - 2009-07-13 23:54 - 00000000 ___RD C:\Users\couperdecale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2016-12-31 17:04 - 2009-07-13 23:49 - 00000000 ___RD C:\Users\couperdecale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-12-31 20:03 - 2009-07-13 23:45 - 00274320 _____ C:\Windows\system32\FNTCACHE.DAT
2016-12-31 20:03 - 2009-07-13 23:45 - 00000000 ____D C:\Windows\debug
2016-12-31 20:02 - 2009-07-14 00:01 - 00041450 _____ C:\Windows\SysWOW64\license.rtf
2016-12-31 20:02 - 2009-07-14 00:01 - 00041450 _____ C:\Windows\system32\license.rtf
2016-12-31 20:01 - 2009-07-14 00:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2016-12-31 20:01 - 2009-07-13 23:54 - 00001130 ___SH C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
2016-12-31 20:01 - 2009-07-13 23:46 - 00002790 _____ C:\Windows\DtcInstall.log
2016-12-31 20:01 - 2009-07-13 22:20 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2016-12-31 20:01 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\config\TxR
2016-12-31 19:57 - 2010-11-21 02:17 - 00000000 ____D C:\Windows\CSC
2016-12-31 19:56 - 2009-07-14 00:38 - 00025600 ___SH C:\Windows\system32\config\BCD-Template.LOG
2016-12-31 19:56 - 2009-07-14 00:32 - 00028672 _____ C:\Windows\system32\config\BCD-Template
2016-12-31 19:56 - 2009-07-13 21:34 - 00262144 ___SH C:\Users\Default\NTUSER.DAT
2016-12-31 19:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\winsxs
2016-12-31 19:45 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\catroot
2016-12-31 19:26 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\System32
2016-12-31 19:26 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2016-12-31 19:25 - 2011-03-20 17:58 - 00000000 ____D C:\Windows\es-ES
2016-12-31 19:25 - 2010-11-21 02:17 - 00000000 ____D C:\Windows\ehome
2016-12-31 19:25 - 2010-11-21 02:17 - 00000000 ____D C:\Program Files\Windows Journal
2016-12-31 19:25 - 2010-11-21 02:06 - 00000000 ____D C:\Windows\SysWOW64\winrm
2016-12-31 19:25 - 2010-11-21 02:06 - 00000000 ____D C:\Windows\SysWOW64\WCN
2016-12-31 19:25 - 2010-11-21 02:06 - 00000000 ____D C:\Windows\SysWOW64\sysprep
2016-12-31 19:25 - 2010-11-21 02:06 - 00000000 ____D C:\Windows\SysWOW64\slmgr
2016-12-31 19:25 - 2010-11-21 02:06 - 00000000 ____D C:\Windows\SysWOW64\Printing_Admin_Scripts
2016-12-31 19:25 - 2010-11-21 02:06 - 00000000 ____D C:\Windows\SysWOW64\Drivers\UMDF
2016-12-31 19:25 - 2010-11-21 02:06 - 00000000 ____D C:\Windows\system32\winrm
2016-12-31 19:25 - 2010-11-21 02:06 - 00000000 ____D C:\Windows\system32\WCN
2016-12-31 19:25 - 2010-11-21 02:06 - 00000000 ____D C:\Windows\system32\slmgr
2016-12-31 19:25 - 2010-11-21 02:06 - 00000000 ____D C:\Windows\system32\Printing_Admin_Scripts
2016-12-31 19:25 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files\Windows Sidebar
2016-12-31 19:25 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2016-12-31 19:25 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files\Windows Media Player
2016-12-31 19:25 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files\Windows Defender
2016-12-31 19:25 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar
2016-12-31 19:25 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2016-12-31 19:25 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files (x86)\Windows Media Player
2016-12-31 19:25 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\wbem
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\Setup
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\oobe
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\MUI
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\migwiz
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\migration
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\es-ES
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\DriverStore
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\drivers
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\Dism
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\com
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\wbem
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\sysprep
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\Setup
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\oobe
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\MUI
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\migwiz
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\migration
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\es-ES
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\DriverStore
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\Drivers\UMDF
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\drivers
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\Dism
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\com
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\Boot
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\servicing
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files\Windows Mail
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files\Internet Explorer
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files\Common Files\System
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files (x86)\Windows Mail
2016-12-31 19:25 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files (x86)\Internet Explorer
2016-12-31 19:23 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\pt-BR
2016-12-31 19:23 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\pt-BR
2016-12-31 19:23 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2016-12-31 19:23 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2016-12-31 19:23 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\IME
2016-12-31 19:23 - 2009-07-13 22:20 - 00000000 ____D C:\Windows
2016-12-31 19:22 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\AppPatch
2016-12-31 19:20 - 2011-03-20 18:10 - 00000000 ____D C:\Windows\fr-FR
2016-12-31 19:20 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\fr-FR
2016-12-31 19:19 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\fr-FR
2016-12-31 19:15 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\Logs
2016-12-31 19:09 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\config\RegBack
2016-12-31 18:51 - 2009-07-13 21:34 - 00262144 _____ C:\Windows\system32\config\SECURITY
2016-12-31 18:51 - 2009-07-13 21:34 - 00021504 ____H C:\Windows\system32\config\SECURITY.LOG1
2016-12-31 18:47 - 2009-07-13 23:45 - 00016768 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-12-31 18:47 - 2009-07-13 23:45 - 00016768 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-12-31 18:44 - 2009-07-14 00:13 - 03118960 _____ C:\Windows\system32\PerfStringBackup.INI
2016-12-31 18:44 - 2009-07-13 21:36 - 00615360 _____ C:\Windows\system32\perfh009.dat
2016-12-31 18:44 - 2009-07-13 21:36 - 00103702 _____ C:\Windows\system32\perfc009.dat
2016-12-31 18:40 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-12-31 18:40 - 2009-07-13 23:51 - 00022822 _____ C:\Windows\setupact.log
2016-12-31 18:21 - 2010-11-20 22:47 - 00005732 _____ C:\Windows\PFRO.log
2016-12-31 18:19 - 2009-07-13 22:20 - 00000000 ___RD C:\Users\Public
2016-12-31 18:19 - 2009-07-13 22:20 - 00000000 ____D C:\Users\Default\AppData\Local
2016-12-31 18:19 - 2009-07-13 22:20 - 00000000 ____D C:\Users\Default User\AppData\Local
2016-12-31 18:18 - 2009-07-13 21:34 - 00000215 _____ C:\Windows\system.ini
2016-12-31 18:17 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files (x86)\Common Files
2016-12-31 18:15 - 2009-07-13 21:34 - 00189440 ____H C:\Users\Default\NTUSER.DAT.LOG1
2016-12-31 18:14 - 2009-07-13 22:20 - 00000000 ____D C:\ProgramData
2016-12-31 17:42 - 2009-07-13 22:20 - 00000000 __RHD C:\Users\Public\Desktop
2016-12-31 17:42 - 2009-07-13 22:20 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs
2016-12-31 17:42 - 2009-07-13 22:20 - 00000000 ___RD C:\Program Files
2016-12-31 17:31 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\NDF
2016-12-31 17:26 - 2009-07-13 22:20 - 00000000 __RSD C:\Windows\assembly
2016-12-31 17:26 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\Microsoft.NET
2016-12-31 17:19 - 2009-07-13 22:20 - 00000000 ___RD C:\Program Files (x86)
2016-12-31 17:16 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\CodeIntegrity
2016-12-31 17:13 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\Tasks
2016-12-31 17:13 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\Tasks
2016-12-31 17:12 - 2009-07-13 22:20 - 00000000 ___SD C:\ProgramData\Microsoft
2016-12-31 17:08 - 2009-07-14 00:32 - 00000000 ____D C:\Windows\system32\restore
2016-12-31 17:04 - 2009-07-13 22:20 - 00000000 ___RD C:\Users
2016-12-31 17:04 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\Recovery
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2016-12-31 19:09
 
==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 21-12-2016
Ran by couperdecale (01-01-2017 07:25:53)
Running from C:\Users\couperdecale\Desktop
Windows 7 Professional Service Pack 1 (X64) (2016-12-31 22:04:29)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-3260005810-1226773330-521797367-500 - Administrator - Disabled)
couperdecale (S-1-5-21-3260005810-1226773330-521797367-1000 - Administrator - Enabled) => C:\Users\couperdecale
Guest (S-1-5-21-3260005810-1226773330-521797367-501 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{AF312B06-5C5C-468E-89B3-BE6DE2645722}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{0A4EF0E6-A912-4CDE-A7F3-6E56E7C13A2F}) (Version: 1.1.6 - Cisco Systems, Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 55.0.2883.87 - Google Inc.)
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
Malwarebytes version 3.0.5.1299 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.5.1299 - Malwarebytes)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.103.1007.2016 - Realtek)
REALTEK Wireless LAN Driver (HKLM-x32\...\{A5107464-AA9B-4177-8129-5FF2F42DD322}) (Version: 1.00.13.1216 - REALTEK Semiconductor Corp.)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0B73582C-923B-45BA-8BC0-51F804D20AE9} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-12-31] (Google Inc.)
Task: {17CDA868-A9D3-430A-ADFD-4422B41211B6} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-12-31] (Google Inc.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-12-31 17:42 - 2016-12-14 12:55 - 02259232 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll
2016-12-31 17:42 - 2016-12-14 12:55 - 02813904 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\arwlib.dll
2016-12-31 17:42 - 2016-12-14 12:55 - 02247632 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3260005810-1226773330-521797367-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\couperdecale\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{A06164DA-27F6-4C84-88AC-3291A149BAC7}] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
31-12-2016 17:08:13 Installed REALTEK PCIE Wireless LAN Driver
31-12-2016 17:09:54 Installed Realtek Ethernet Controller Driver
31-12-2016 17:16:16 Installed REALTEK PCIE Wireless LAN Driver
31-12-2016 19:16:01 Language Pack Removal
 
==================== Faulty Device Manager Devices =============
 
Name: 
Description: 
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: 
Description: 
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: PCI Data Acquisition and Signal Processing Controller
Description: PCI Data Acquisition and Signal Processing Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: Universal Serial Bus (USB) Controller
Description: Universal Serial Bus (USB) Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: PCI Device
Description: PCI Device
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (12/31/2016 06:42:12 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (12/31/2016 06:23:46 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (12/31/2016 06:15:26 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\wbem\wmiprvse.exe; Description = ComboFix created restore point; Error = 0x8007043c).
 
Error: (12/31/2016 06:15:26 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007043c, This service cannot be started in Safe Mode
.
 
 
Operation:
   Instantiating VSS server
 
Error: (12/31/2016 06:15:26 PM) (Source: VSS) (EventID: 18) (User: )
Description: Volume Shadow Copy Service error: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name IVssCoordinatorEx2 cannot be started during Safe Mode.
The Volume Shadow Copy service cannot start while in safe mode. [0x8007043c, This service cannot be started in Safe Mode
]
 
 
Operation:
   Instantiating VSS server
 
Error: (12/31/2016 05:50:00 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (12/31/2016 05:43:10 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (12/31/2016 05:43:10 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (12/31/2016 05:35:03 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (12/31/2016 05:19:02 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
 
System errors:
=============
Error: (12/31/2016 06:18:14 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (12/31/2016 06:17:05 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (12/31/2016 06:15:26 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1084" attempting to start the service VSS with arguments "" in order to run the server:
{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
 
Error: (12/31/2016 05:49:00 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server:
{9E175B6D-F52A-11D8-B9A5-505054503030}
 
Error: (12/31/2016 05:49:00 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server:
{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
 
Error: (12/31/2016 05:48:57 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
 
Error: (12/31/2016 05:48:52 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (12/31/2016 05:48:41 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10000) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has failed to start.
 
Module Path: C:\Windows\system32\Rtlihvs.dll
Error Code: 21
 
Error: (12/31/2016 05:48:26 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
discache
ESProtectionDriver
spldr
Wanarpv6
 
Error: (12/31/2016 05:07:17 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
 
 
CodeIntegrity:
===================================
  Date: 2016-12-31 18:11:07.379
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume8\SpybotPortable\App\Spybot\SDWSCSvc.exe because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-12-31 18:11:07.328
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume8\SpybotPortable\App\Spybot\SDWSCSvc.exe because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-4510U CPU @ 2.00GHz
Percentage of memory in use: 23%
Total physical RAM: 8064.11 MB
Available physical RAM: 6177.54 MB
Total Virtual: 16126.42 MB
Available Virtual: 14197.77 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:916.28 GB) (Free:890.97 GB) NTFS
Drive d: (HP_RECOVERY) (Fixed) (Total:12.22 GB) (Free:1.34 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (HP_TOOLS) (Fixed) (Total:1.99 GB) (Free:1.97 GB) FAT32
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 20A63BC4)
Partition 1: (Active) - (Size=1 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=916.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=12.2 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=2 GB) - (Type=0B)
 
==================== End of Addition.txt ============================
 


#2 trauts14 (Topic Starter, Members, 100 posts)

Posted 01 January 2017 - 12:04 PM

Here is a screenshot of my Malwarebytes folder after fresh install. It looks much different than it should. [screenshot: AkxkyIm.jpg]



#3 garioch7 (RCMP Veteran, Malware Response Instructor, 3,635 posts, Port Hood, Nova Scotia, Canada)

Posted 05 January 2017 - 09:47 AM

trauts14:

 

Welcome to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum. My name is Phil and I would like to address you by your first name, if that is alright with you, since we will be working together.
 
I will be assisting you with your computer issues.  I will endeavor to respond within a reasonable time, normally 48 hours after your last post.
 
I will need some time to review your FRST logs.  That could take a day or two.
 
PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues.  It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.
 
Thank you and have a great day.
 
Regards,
-Phil

Member of the Unified Network of Instructors and Trusted Eliminators


#4 garioch7 (RCMP Veteran, Malware Response Instructor, 3,635 posts, Port Hood, Nova Scotia, Canada)

Posted 05 January 2017 - 10:53 AM

trauts14:

Thank you for your patience while I analyzed your FRST logs.

Before we start dealing with the problems you are experiencing, I would ask you to take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post, unless otherwise instructed.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

.

OK, let's get started ...

.


Step 1: The FRST logs show that policy restrictions have been set for Internet Explorer. Did you set those? I know Chrome is your default browser, but that would not cause policy restrictions to be set for IE8.

.

Step 2: The logs show that Combofix was run on your computer. That is a very powerful program and should only be run by qualified individuals. More information about Combofix can be found at this link. Please let me know if you want me to uninstall Combofix for you, safely.

.

Step 3: Please run a FRST "Fix" for me.

Copy and paste the text in the code box below into Notepad and save the file as fixlist.txt to the Desktop.

NOTE: It is important that both files, FRST/FRST64.exe and fixlist.txt, are in the same folder or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.

    CreateRestorePoint:

    CMD: type C:\ComboFix.txt
    File: C:\Windows\PEV.exe
    File: C:\Windows\MBR.exe

  • Right click FRST/FRST64.exe, and select "Run as Administrator".
  • Then press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop (Fixlog.txt). Please copy and paste it into your reply.

.

Your MBAM folder looks like mine. I have the same version of Malwarebytes that you have: 3.0.5.

I am not seeing any active malware on your computer, based on your FRST logs. There are some minor issues, but we will deal with them in a subsequent post.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#5 trauts14 (Topic Starter, Members, 100 posts)

Posted 05 January 2017 - 11:12 AM

I did not set up policy restrictions for IE... I don't think. I am not sure exactly what a policy restriction is. Sure, we can uninstall ComboFix if you suggest that. I ran it when I gave up all hope. Thank you for assisting me.



#6 garioch7 (RCMP Veteran, Malware Response Instructor, 3,635 posts, Port Hood, Nova Scotia, Canada)

Posted 05 January 2017 - 12:05 PM

trauts14:

 

Thank you for your post.  In a subsequent post, I will remove the IE policy restrictions and safely uninstall ComboFix for you.

 

Would you please copy and paste the fixlog.txt file from Step 3 above into your next reply, after you have run the FRST "fix"? I would like to review that file before proceeding further.

 

Thank you and have a great day.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#7 trauts14 (Topic Starter, Members, 100 posts)

Posted 05 January 2017 - 12:18 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 21-12-2016
Ran by couperdecale (05-01-2017 12:16:59) Run:1
Running from C:\Users\couperdecale\Desktop
Loaded Profiles: couperdecale (Available Profiles: couperdecale)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CMD: type C:\ComboFix.txt
File: C:\Windows\PEV.exe
File: C:\Windows\MBR.exe
*****************
 
 
========= type C:\ComboFix.txt =========
 
ComboFix 16-12-15.01 - couperdecale 12/31/2016  18:16:08.1.4 - x64 NETWORK
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8064.6108 [GMT -5:00]
Running from: c:\users\couperdecale\Desktop\ComboFix.exe
AV: Malwarebytes *Enabled/Updated* {23007AD3-69FE-687C-2629-D584AFFAF72B}
SP: Malwarebytes *Enabled/Updated* {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2016-11-28 to 2016-12-31  )))))))))))))))))))))))))))))))
.
.
2017-01-01 00:56 . 2016-12-31 22:04 -------- d-----w- c:\windows\Panther
2017-01-01 00:56 . 2017-01-01 00:56 -------- d-----w- c:\windows\system32\OEM
2016-12-31 23:18 . 2016-12-31 23:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2016-12-31 22:43 . 2016-12-31 22:43 176064 ----a-w- c:\windows\system32\drivers\MBAMChameleon.sys
2016-12-31 22:43 . 2016-12-31 22:48 102856 ----a-w- c:\windows\system32\drivers\farflt.sys
2016-12-31 22:43 . 2016-12-31 22:48 81696 ----a-w- c:\windows\system32\drivers\mwac.sys
2016-12-31 22:43 . 2016-12-31 22:48 43968 ----a-w- c:\windows\system32\drivers\mbam.sys
2016-12-31 22:43 . 2016-12-31 22:48 250816 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-12-31 22:42 . 2016-12-14 17:55 77416 ----a-w- c:\windows\system32\drivers\mbae64.sys
2016-12-31 22:42 . 2016-12-31 22:42 -------- d-----w- c:\programdata\Malwarebytes
2016-12-31 22:42 . 2016-12-31 22:42 -------- d-----w- c:\program files\Malwarebytes
2016-12-31 22:13 . 2016-12-31 22:13 -------- d-----w- c:\program files (x86)\Google
2016-12-31 22:10 . 2016-12-20 06:33 82544 ----a-w- c:\windows\system32\RtNicProp64.dll
2016-12-31 22:10 . 2016-12-20 06:33 116304 ----a-w- c:\windows\system32\RTNUninst64.dll
2016-12-31 22:10 . 2016-12-20 06:33 1037832 ----a-w- c:\windows\system32\drivers\Rt64win7.sys
2016-12-31 22:09 . 2016-12-31 22:09 -------- d-----w- c:\program files (x86)\Cisco
2016-12-31 22:09 . 2016-12-31 22:24 -------- d-sh--w- c:\windows\Installer
2016-12-31 22:08 . 2014-04-11 18:52 3402968 ----a-w- c:\windows\system32\drivers\rtwlane.sys
2016-12-31 22:08 . 2013-04-02 04:19 574464 ----a-w- c:\windows\system32\Rtlihvs.dll
2016-12-31 22:08 . 2016-12-31 22:16 -------- d-----w- c:\program files (x86)\Realtek
2016-12-31 22:08 . 2016-12-31 22:10 -------- d--h--w- c:\program files (x86)\InstallShield Installation Information
2016-12-31 22:08 . 2010-12-01 14:31 451072 ----a-w- c:\windows\SysWow64\ISSRemoveSP.exe
2016-12-31 22:08 . 2016-12-31 22:08 -------- d-----w- C:\SWSetup
2016-12-31 22:04 . 2016-12-31 22:04 -------- d-----w- c:\users\couperdecale
2016-12-31 22:04 . 2016-12-31 22:04 -------- d-----w- C:\Recovery
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService]
@="Service"
.
R2 MBAMChameleon;MBAMChameleon;c:\windows\system32\drivers\MBAMChameleon.sys;c:\windows\SYSNATIVE\drivers\MBAMChameleon.sys [x]
R3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\drivers\amdhub30.sys;c:\windows\SYSNATIVE\drivers\amdhub30.sys [x]
R3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\drivers\amdxhc.sys;c:\windows\SYSNATIVE\drivers\amdxhc.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 MBAMProtection;MBAMProtection;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys;c:\windows\SYSNATIVE\drivers\nusb3hub.sys [x]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys;c:\windows\SYSNATIVE\drivers\nusb3xhc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
S2 MBAMService;Malwarebytes Service;c:\program files\Malwarebytes\Anti-Malware\mbamservice.exe;c:\program files\Malwarebytes\Anti-Malware\mbamservice.exe [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 RTWlanE;Realtek Wireless LAN 802.11n PCI-E Network Adapter;c:\windows\system32\DRIVERS\rtwlane.sys;c:\windows\SYSNATIVE\DRIVERS\rtwlane.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys;c:\windows\SYSNATIVE\drivers\usbfilter.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes TrayApp"="c:\program files\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe" [2016-12-14 2776528]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-MBAMSwissArmy
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2016-12-31  18:19:23
ComboFix-quarantined-files.txt  2016-12-31 23:19
.
Pre-Run: 957,628,858,368 bytes free
Post-Run: 957,573,472,256 bytes free
.
- - End Of File - - 86BCA8F5524916C26B073183814F0373
A36C5E4F47E84449FF07ED3517B43A31
 
========= End of CMD: =========
 
 
========================= File: C:\Windows\PEV.exe ========================
 
File not signed
MD5: F042EE4C8D66248D9B86DCF52ABAE416
Creation and modification date: 2016-12-31 18:15 - 2011-06-26 01:45
Size: 0256000
Attributes: ----A
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
 
====== End of File: ======
 
 
========================= File: C:\Windows\MBR.exe ========================
 
File not signed
MD5: 0277C027A26428DB64EF4F64F52BB4FD
Creation and modification date: 2016-12-31 18:15 - 2010-11-07 12:20
Size: 0208896
Attributes: ----A
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
 
====== End of File: ======
 
 
==== End of Fixlog 12:17:00 ====


#8 garioch7 (RCMP Veteran, Malware Response Instructor, 3,635 posts, Port Hood, Nova Scotia, Canada)

Posted 05 January 2017 - 01:23 PM

trauts14:

Thank you for the fixlog.txt file. So you ran Combofix on New Year's Eve! Well, I suppose that is ONE way to celebrate the incoming New Year! :)

I hope that you read the link about Combofix that I provided. It really is a dangerous tool and the consequences can be quite nasty. It is seldom ever necessary to use that tool and it has not been updated to be compatible with Windows 8.1 and 10, so for many people it is not an option at all, which, personally, I think is a good thing. There will be fewer and fewer reports in this Forum of Combofix having "nuked" their computer.

.

Step 1: Please run a FRST "Fix" for me.

Copy and paste the text in the code box below into Notepad and save the file as fixlist.txt to the Desktop.

NOTE: It is important that both files, FRST64.exe and fixlist.txt, are in the same folder or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.

    CreateRestorePoint:
    CloseProcesses:

    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-3260005810-1226773330-521797367-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    CMD: ComboFix /Uninstall
    C:\Windows\PEV.exe
    C:\Windows\MBR.exe

  • Right click FRST64.exe, and select "Run as Administrator".
  • Then press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop (Fixlog.txt). Please copy and paste it into your reply.

.

:step2: Your Internet Explorer is out-of-date. You are running Version 8. The current version is Version 11. Do you have all of your Windows updates downloaded and installed?

If not, please go to the Control Panel and "Search for Updates" and install them, until there are no more Important or Critical Updates available for download.

Windows updates are essential to maintaining the security of your computer. Windows Update should have updated Internet Explorer 8 to Internet Explorer 11, if updates were being downloaded and installed.

.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators
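As an added example (not Phil's script and not part of this thread), here is a PowerShell check a defender can run before or after such a fix to confirm the two conditions discussed in this post and the replies that follow: Internet Explorer policy keys of the kind FRST flags as "Restriction <======= ATTENTION", and Automatic Updates being switched off. The Windows Update value names (AUOptions, NoAutoUpdate) are assumed from their documented meanings, not taken from this page.

```powershell
# Added example: audit IE policy restrictions and Windows Update state.
# Assumes: run as Administrator; Windows 7 or later (WMI is used for the
# service start mode so it also works on the PowerShell 2.0 that ships with 7).

# 1. Internet Explorer policy keys. On a stand-alone home PC with no domain
#    policy these keys normally do not exist at all, so their presence is
#    worth reviewing; FRST reports them as "Restriction <======= ATTENTION".
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null

$iePolicyKeys = @('HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer')
$iePolicyKeys += Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE\Policies\Microsoft\Internet Explorer" }

foreach ($key in $iePolicyKeys) {
    if (Test-Path $key) {
        Write-Warning "IE policy restriction key present: $key"
        # Show subkeys and values so the restriction can be reviewed, not just deleted.
        Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { Write-Output "  subkey: $($_.Name)" }
        Get-ItemProperty $key -ErrorAction SilentlyContinue |
            Select-Object -Property * -ExcludeProperty PS* | Format-List | Out-String | Write-Output
    } else {
        Write-Output "OK: no IE policy key at $key"
    }
}

# 2. Windows Update: service start mode plus the Automatic Updates setting
#    (the "red and disabled" state reported later in this thread).
$wu = Get-WmiObject Win32_Service -Filter "Name='wuauserv'"
Write-Output "wuauserv: State=$($wu.State) StartMode=$($wu.StartMode)"

$auKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$auOptions = (Get-ItemProperty $auKey -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
$noAuto    = (Get-ItemProperty $auPolicy -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate

# Documented meanings (assumption, not from this thread): AUOptions 1 = "Never check
# for updates"; NoAutoUpdate 1 = Automatic Updates disabled by policy.
if ($auOptions -eq 1 -or $noAuto -eq 1 -or $wu.StartMode -eq 'Disabled') {
    Write-Warning "Automatic Updates disabled (AUOptions=$auOptions NoAutoUpdate=$noAuto StartMode=$($wu.StartMode))"
} else {
    Write-Output "OK: Automatic Updates not disabled (AUOptions=$auOptions)"
}
```

A warning from either check is a reason to look further, not proof of infection: a domain policy or an earlier cleanup tool can also create the same keys.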


#9 trauts14

trauts14
  • Topic Starter

  • Members
  • 100 posts
  • OFFLINE
  • Local time:01:04 PM

Posted 05 January 2017 - 03:32 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 21-12-2016
Ran by couperdecale (05-01-2017 15:32:06) Run:2
Running from C:\Users\couperdecale\Desktop
Loaded Profiles: couperdecale (Available Profiles: couperdecale)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3260005810-1226773330-521797367-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CMD: ComboFix /Uninstall
C:\Windows\PEV.exe
C:\Windows\MBR.exe
*****************
 
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-3260005810-1226773330-521797367-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
 
========= ComboFix /Uninstall =========
 
'ComboFix' is not recognized as an internal or external command,
operable program or batch file.
 
========= End of CMD: =========
 
C:\Windows\PEV.exe => moved successfully
C:\Windows\MBR.exe => moved successfully
 
==== End of Fixlog 15:32:07 ====


#10 trauts14

trauts14
  • Topic Starter

  • Members
  • 100 posts
  • OFFLINE
  • Local time:01:04 PM

Posted 05 January 2017 - 03:33 PM

I will check Windows updates as you mentioned. Historically I am up to date, I feel, but I have not been prompted for any updates after reinstalling the OS that came with this HP laptop.



#11 trauts14

trauts14
  • Topic Starter

  • Members
  • 100 posts
  • OFFLINE
  • Local time:01:04 PM

Posted 05 January 2017 - 03:35 PM

Auto updates were red and disabled. I enabled the updates and the computer is updating.



#12 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,635 posts
  • ONLINE
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:03:04 PM

Posted 05 January 2017 - 04:13 PM

trauts14:

 

Thanks for the update about Windows not updating.  That is what I suspected.  Things might look a lot better once Windows has completed all of its updates.

 

I failed to uninstall Combofix with the FRST "fix" script that I wrote.  My fault.  My attention was lagging.  It has been a long day.  Sorry about that! :(

 

Would you please, after Windows Updates are done, run a FRST "Fix" again, and in the code box, copy and paste the following:

CreateRestorePoint:
CloseProcesses:

CMD: c:\users\couperdecale\Desktop\ComboFix.exe /Uninstall

Please copy and paste the contents of the fixlog.txt file into your next reply.

 

Thank you and have a great day.  I should be back online late tomorrow morning.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#13 trauts14

trauts14
  • Topic Starter

  • Members
  • 100 posts
  • OFFLINE
  • Local time:01:04 PM

Posted 05 January 2017 - 04:29 PM

I will follow your instructions in reference to the script. By the way, Windows has been checking for updates for approx 20 minutes and it is still checking. No prompts for download yet.



#14 trauts14

trauts14
  • Topic Starter

  • Members
  • 100 posts
  • OFFLINE
  • Local time:01:04 PM

Posted 05 January 2017 - 05:43 PM

For what it is worth, my computer is still attempting to find Windows updates. No progress, just a status bar that keeps searching. I am hardwired to a gig connection.


Edited by trauts14, 05 January 2017 - 06:13 PM.


#15 trauts14

trauts14
  • Topic Starter

  • Members
  • 100 posts
  • OFFLINE
  • Local time:01:04 PM

Posted 06 January 2017 - 06:53 AM

Windows checked all night and will not update.
