dllhost32 processes spawned by IE 11 on Windows 7


  • This topic is locked
10 replies to this topic

#1 pspada1

  • Members
  • 7 posts

Posted 26 February 2017 - 07:18 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 25-02-2017
Ran by Phil (administrator) on PHIL (26-02-2017 03:56:29)
Running from C:\Users\Phil\Desktop
Loaded Profiles: Phil (Available Profiles: Phil)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Sanford, L.P.) C:\Program Files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe
(BUFFALO INC.) C:\Program Files (x86)\BUFFALO\NASNAVI\nassvc.exe
(Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Logitech, Inc.) C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [3113592 2015-08-25] (Logitech, Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [9080768 2017-01-02] (AVAST Software)
HKLM-x32\...\Run: [WDAppManager] => C:\Program Files (x86)\Western Digital\WD App Manager\AppManagerLauncher.exe [21384 2016-04-15] (Western Digital Technologies, Inc.)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
Winlogon\Notify\PCANotify: C:\Windows\SysWOW64\PCANotify.dll [2012-04-02] (Symantec Corporation)
HKU\S-1-5-21-783976531-2470912185-2914285112-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [11264 2009-07-13] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-01-02] (AVAST Software)
Startup: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BUFFALO NAS Navigator2.lnk [2016-02-16]
ShortcutTarget: BUFFALO NAS Navigator2.lnk -> C:\Program Files (x86)\BUFFALO\NASNAVI\NasNavi.exe (Buffalo Inc.)
Startup: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NAS Scheduler.lnk [2016-02-16]
ShortcutTarget: NAS Scheduler.lnk -> C:\Program Files (x86)\BUFFALO\NASNAVI\nassche.exe (BUFFALO INC.)
GroupPolicyScripts: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{448BF30A-C446-484B-B679-1F02F52EE83A}: [NameServer] 192.168.0.1,209.18.47.61

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-783976531-2470912185-2914285112-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-783976531-2470912185-2914285112-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-783976531-2470912185-2914285112-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-21-783976531-2470912185-2914285112-1000 -> DefaultScope {A16BE2B7-CF00-49DE-9E39-11677AEBCE6E} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\S-1-5-21-783976531-2470912185-2914285112-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-783976531-2470912185-2914285112-1000 -> {A16BE2B7-CF00-49DE-9E39-11677AEBCE6E} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
BHO: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll [2015-08-25] (Logitech, Inc.)
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll [2015-09-22] (Eyeo GmbH)
BHO-x32: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll [2015-08-25] (Logitech, Inc.)
BHO-x32: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll [2015-09-22] (Eyeo GmbH)
Toolbar: HKU\S-1-5-21-783976531-2470912185-2914285112-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: HKLM {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} hxxps://secure.logmein.com//activex/x64/ractrl.cab?lmi=1091
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

FireFox:
========
FF ProfilePath: C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\ceyf816e.default [2017-02-26]
FF DefaultSearchEngine.US: Mozilla\Firefox\Profiles\ceyf816e.default -> Google
FF SearchEngineOrder.1: Mozilla\Firefox\Profiles\ceyf816e.default -> Yahoo! (Avast)
FF Homepage: Mozilla\Firefox\Profiles\ceyf816e.default -> www.google.com/
FF Extension: (Adblock Plus) - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\ceyf816e.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-23]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt
FF Extension: (Logitech SetPoint) - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2016-11-11] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_185.dll [2015-10-08] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_185.dll [2015-10-08] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1211151.dll [No File]
FF Plugin-x32: @dymo.com/DymoLabelFramework -> C:\Program Files (x86)\DYMO\DYMO Label Software\Framework\npDYMOLabelFramework.dll [2014-03-20] ( Sanford L.P.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2013-12-19] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2013-12-19] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2013-12-20] (Adobe Systems Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-05-04] (Advanced Micro Devices, Inc.) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2017-01-02] (AVAST Software)
S4 awhost32; C:\Program Files (x86)\Symantec\pcAnywhere\awhost32.exe [793480 2012-04-02] (Symantec Corporation)
R2 DymoPnpService; C:\Program Files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe [33072 2014-03-20] (Sanford, L.P.)
S4 Killer Service V2; C:\Program Files\Killer Networking\Network Manager\KillerService.exe [386560 2015-02-05] (Rivet Networks) [File not signed]
S4 LiveUpdate; C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093944 2011-01-19] (Symantec Corporation)
R2 NasPmService; C:\Program Files (x86)\BUFFALO\NASNAVI\nassvc.exe [245760 2013-11-21] (BUFFALO INC.) [File not signed]
S4 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1494304 2013-12-09] (NVIDIA Corporation)
S4 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [15129376 2013-12-09] (NVIDIA Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
S4 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S4 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [55936 2011-11-13] (Advanced Micro Devices)
S3 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2017-01-02] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [108816 2017-01-02] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2017-01-02] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2017-01-02] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [969184 2017-01-02] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [513632 2017-01-02] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [163416 2017-01-02] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [293352 2017-01-02] (AVAST Software)
R1 awecho; C:\Windows\SysWow64\drivers\awechomd.sys [16432 2012-04-06] (Symantec Corporation)
R1 AW_HOST; C:\Windows\SysWow64\drivers\aw_host5.sys [23864 2012-04-01] (Symantec Corporation)
R1 BfLwf; C:\Windows\System32\DRIVERS\bflwfx64.sys [100400 2015-01-29] (Rivet Networks, LLC.)
R3 Ke2200; C:\Windows\System32\DRIVERS\e22w7x64.sys [129200 2014-03-27] (Qualcomm Atheros, Inc.)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [39200 2013-12-05] (NVIDIA Corporation)
S3 rusb3hub; C:\Windows\System32\DRIVERS\rusb3hub.sys [114568 2012-08-27] (Renesas Electronics Corporation)
S3 rusb3xhc; C:\Windows\System32\DRIVERS\rusb3xhc.sys [230280 2012-08-27] (Renesas Electronics Corporation)
R1 VBoxNetAdp; C:\Windows\System32\DRIVERS\VBoxNetAdp6.sys [131144 2016-12-20] (Oracle Corporation)
R1 VBoxNetLwf; C:\Windows\System32\DRIVERS\VBoxNetLwf.sys [205440 2016-12-20] (Oracle Corporation)
S3 VBoxUSB; C:\Windows\System32\Drivers\VBoxUSB.sys [137920 2016-12-20] (Oracle Corporation)
R3 VUSB3HUB; C:\Windows\System32\DRIVERS\ViaHub3.sys [225792 2014-10-31] (VIA Technologies, Inc.)
R3 xhcdrv; C:\Windows\System32\DRIVERS\xhcdrv.sys [305664 2014-10-31] (VIA Technologies, Inc.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 MSICDSetup; \??\E:\CDriver64.sys [X]
S3 NTIOLib_1_0_C; \??\E:\NTIOLib_X64.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-26 03:56 - 2017-02-26 03:56 - 00012675 _____ C:\Users\Phil\Desktop\FRST.txt
2017-02-26 03:55 - 2017-02-26 03:55 - 02423296 _____ (Farbar) C:\Users\Phil\Desktop\FRST64.exe
2017-02-26 03:48 - 2017-02-26 03:48 - 00000213 _____ C:\Users\Phil\Desktop\Bigo Live VietnamThailand - Nguyễn Ngọc Châu áo hồng muốn chồng - YouTube.url
2017-02-26 03:43 - 2017-02-26 03:43 - 00208060 _____ C:\TDSSKiller.3.1.0.12_26.02.2017_03.43.19_log.txt
2017-02-26 03:27 - 2017-02-26 03:27 - 00000213 _____ C:\Users\Phil\Desktop\Bigo live video 20170226 102624 5 - YouTube.url
2017-02-26 02:02 - 2017-02-26 02:02 - 00000323 _____ C:\Users\Phil\Desktop\Lorell Chair Mat - Carpeted Floor - 60 Length x 46 Width x 0.17 Thickness - Lip Size 12 Length x LLR69165  iBuyOfficeSupply.url
2017-02-26 01:56 - 2017-02-26 01:56 - 00000170 _____ C:\Users\Phil\Desktop\NSN1516518 - SKILCRAFT Vinyl Chairmat - Office Supply Hut.url
2017-02-26 01:43 - 2017-02-26 01:43 - 00000296 _____ C:\Users\Phil\Desktop\46x60 chair mat 1-8 thick - Google Search.url
2017-02-25 23:46 - 2017-02-25 23:46 - 00000213 _____ C:\Users\Phil\Desktop\Bigo live video 20170226 102413 5 - YouTube (2).url
2017-02-25 23:40 - 2017-02-25 23:40 - 00000213 _____ C:\Users\Phil\Desktop\Bigo live video 20170226 102642 1 - YouTube.url
2017-02-25 23:39 - 2017-02-25 23:39 - 00000213 _____ C:\Users\Phil\Desktop\Bigo live video 20170226 102413 5 - YouTube.url
2017-02-25 23:39 - 2017-02-25 23:39 - 00000213 _____ C:\Users\Phil\Desktop\Bigo live video 20170226 102413 1 - YouTube.url
2017-02-25 23:22 - 2017-02-25 23:23 - 00000000 ____D C:\Users\Phil\Desktop\tuggie
2017-02-25 22:47 - 2017-02-25 22:47 - 00000139 _____ C:\Users\Phil\Desktop\HS Parties - _MG_5612.url
2017-02-24 22:10 - 2017-02-24 22:10 - 00000577 _____ C:\Users\Phil\Desktop\PROZOR DAC Digital SPDIF Optical Coaxial Toslink to Analog Stereo RCA L-R 3.5mm Jack Audio Converter Adapter for PS3 XBox 360 HDTV Blu RAY DVD Sky HD Apple TV + Optical Cable - Walmart.com.url
2017-02-22 23:05 - 2017-02-22 23:05 - 00000200 _____ C:\Users\Phil\Desktop\Saturday Morning Breakfast Cereal - Citations Needed.url
2017-02-22 22:29 - 2017-02-22 22:29 - 00000213 _____ C:\Users\Phil\Desktop\5 ways to watch movies online for free - CNET.url
2017-02-22 17:54 - 2017-02-22 17:54 - 00000204 _____ C:\Users\Phil\Desktop\Happy New Year 2002!.url
2017-02-17 23:26 - 2017-02-17 23:26 - 00000367 _____ C:\Users\Phil\Desktop\Amazon.com Foremost 327506 Modular Door Cube Storage System, Black Home & Kitchen.url
2017-02-17 23:26 - 2017-02-17 23:26 - 00000366 _____ C:\Users\Phil\Desktop\Amazon.com Foremost 327301 Modular Shelf Cube Storage System, White Home & Kitchen.url
2017-02-16 23:29 - 2017-02-16 23:30 - 00000027 _____ C:\Users\Phil\Documents\ECMMS.txt
2017-02-13 19:05 - 2017-02-13 19:05 - 00125512 _____ (Totusoft) C:\Users\Phil\Desktop\LAN_SpeedTest.exe
2017-02-13 18:57 - 2017-02-13 18:57 - 00000264 _____ C:\Users\Phil\Desktop\Vortex Plus Accessories Kit - Cooler Master Store.url
2017-02-12 23:13 - 2017-02-12 23:13 - 00000285 _____ C:\Users\Phil\Desktop\Can’t remove additional Exchange mailboxes - MSOutlook.info.url
2017-02-10 13:00 - 2017-02-10 13:11 - 00000012 _____ C:\Users\Phil\Documents\NadinePublicDefender].txt
2017-02-09 00:39 - 2017-02-25 23:23 - 00000000 ____D C:\Users\Phil\Desktop\tinkle
2017-02-08 10:49 - 2017-02-22 11:16 - 00000054 _____ C:\Users\Phil\Documents\GailGoldman.txt
2017-02-07 10:13 - 2017-02-07 10:13 - 00000198 _____ C:\Users\Phil\Desktop\Cross-platform Mac OS X Server Issues.url
2017-02-05 06:30 - 2017-02-05 06:30 - 00025121 _____ C:\ComboFix.txt
2017-02-05 06:19 - 2017-02-05 06:30 - 00000000 ____D C:\Qoobox
2017-02-05 06:19 - 2017-02-05 06:28 - 00000000 ____D C:\Windows\erdnt
2017-02-05 06:19 - 2011-06-25 22:45 - 00256000 _____ C:\Windows\PEV.exe
2017-02-05 06:19 - 2010-11-07 09:20 - 00208896 _____ C:\Windows\MBR.exe
2017-02-05 06:19 - 2009-04-19 20:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2017-02-05 06:19 - 2000-08-30 16:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2017-02-05 06:19 - 2000-08-30 16:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2017-02-05 06:19 - 2000-08-30 16:00 - 00098816 _____ C:\Windows\sed.exe
2017-02-05 06:19 - 2000-08-30 16:00 - 00080412 _____ C:\Windows\grep.exe
2017-02-05 06:19 - 2000-08-30 16:00 - 00068096 _____ C:\Windows\zip.exe
2017-02-04 22:03 - 2017-02-04 22:05 - 00000000 ____D C:\AdwCleaner
2017-02-04 21:34 - 2017-02-15 12:38 - 00000000 ____D C:\Users\Phil\AppData\Local\CrashDumps
2017-02-04 12:04 - 2017-02-17 16:31 - 00002256 ____H C:\Users\Phil\Documents\Default.rdp
2017-02-04 01:35 - 2017-02-04 01:35 - 00000000 ____D C:\Program Files (x86)\ESET
2017-02-04 01:27 - 2017-02-04 01:27 - 00209266 _____ C:\TDSSKiller.3.1.0.12_04.02.2017_01.27.30_log.txt
2017-02-04 01:15 - 2017-02-04 01:15 - 00000000 ____D C:\Users\Phil\Desktop\ProcessExplorer
2017-02-04 00:40 - 2017-02-04 22:12 - 00028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2017-02-04 00:40 - 2017-02-04 01:00 - 00000000 ____D C:\ProgramData\RogueKiller
2017-02-03 23:54 - 2017-02-03 23:54 - 00000219 _____ C:\Users\Phil\Desktop\How to choose a Linux distro for your old PC - CNET.url
2017-02-02 20:30 - 2017-02-02 20:30 - 00000259 _____ C:\Users\Phil\Desktop\Windows Update on Windows 7 is fast again  Computerworld.url
2017-01-29 11:33 - 2017-02-04 11:14 - 00000000 ____D C:\Users\Phil\Desktop\florp

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-26 03:56 - 2016-12-27 02:47 - 00000000 ____D C:\FRST
2017-02-26 03:05 - 2016-12-28 15:09 - 00000000 ____D C:\ProgramData\Zoom Player
2017-02-25 23:13 - 2014-04-27 02:15 - 00000000 ____D C:\Program Files (x86)\Steam
2017-02-25 23:08 - 2017-01-02 13:51 - 00182272 _____ C:\Users\Phil\Documents\2017 PMSC Taxes.xls
2017-02-25 23:04 - 2014-04-27 23:13 - 00000000 ____D C:\Users\Phil\Documents\2014 - Invoices
2017-02-25 23:03 - 2016-01-05 16:25 - 00000000 ____D C:\Users\Phil\Documents\2016 - Invoices
2017-02-25 19:16 - 2014-04-27 23:13 - 00000000 ____D C:\Users\Phil\Documents\2013 - Invoices
2017-02-25 19:15 - 2015-01-06 17:01 - 00000000 ____D C:\Users\Phil\Documents\2015 - Invoices
2017-02-25 16:44 - 2017-01-02 13:51 - 00182272 _____ C:\Users\Phil\Documents\Backup of 2017 PMSC Taxes.xlk
2017-02-25 13:55 - 2014-04-28 12:17 - 00000000 ____D C:\Users\Phil\AppData\Roaming\vlc
2017-02-25 13:32 - 2009-07-13 20:45 - 00013792 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-02-25 13:32 - 2009-07-13 20:45 - 00013792 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-02-25 13:23 - 2009-07-13 21:13 - 00006218 _____ C:\Windows\system32\PerfStringBackup.INI
2017-02-25 13:19 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-02-23 13:57 - 2017-01-02 14:00 - 01553408 _____ C:\Users\Phil\Documents\2017 Payables.xls
2017-02-23 13:43 - 2014-04-29 11:03 - 00000000 ____D C:\Users\Phil\Documents\Microsoft Money
2017-02-23 02:18 - 2014-12-04 13:44 - 00000000 ____D C:\Users\Phil\AppData\Roaming\BitTorrent
2017-02-21 23:15 - 2015-01-15 01:42 - 00000000 ____D C:\Users\Phil\AppData\Local\LogMeInIgnition
2017-02-21 23:15 - 2014-05-05 23:36 - 00000000 ____D C:\ProgramData\LogMeIn
2017-02-21 14:36 - 2016-12-12 20:56 - 00000000 ____D C:\Users\Phil\Desktop\URLs
2017-02-21 03:09 - 2017-01-08 21:32 - 00000000 ____D C:\Users\Phil\.VirtualBox
2017-02-20 16:36 - 2015-03-24 00:24 - 00000000 ____D C:\Users\Phil\Desktop\house pics
2017-02-20 16:32 - 2017-01-23 08:12 - 00000000 ____D C:\Users\Phil\Desktop\dirk
2017-02-20 10:56 - 2014-04-27 01:24 - 00000000 ____D C:\Users\Phil
2017-02-16 17:28 - 2017-01-09 04:51 - 00001185 _____ C:\Users\Phil\Desktop\Windows10.lnk
2017-02-14 16:18 - 2017-01-18 16:14 - 00000000 ____D C:\Users\Phil\Documents\2017 - Invoices
2017-02-13 10:44 - 2014-04-27 21:20 - 00001194 _____ C:\Users\Phil\Documents\AbsoluteDiagnostics.txt
2017-02-10 16:29 - 2017-01-08 21:32 - 00000000 ____D C:\Users\Phil\VirtualBox VMs
2017-02-10 14:33 - 2015-02-11 19:27 - 00002754 _____ C:\Users\Phil\Documents\DrKorsh.txt
2017-02-10 10:47 - 2017-01-02 14:02 - 00047616 _____ C:\Users\Phil\Documents\2017 Paid.xls
2017-02-09 02:04 - 2016-11-01 22:08 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-02-07 10:11 - 2009-07-13 19:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2017-02-07 10:10 - 2014-05-08 15:14 - 00000000 ____D C:\Users\Phil\AppData\Local\CutePDF Writer
2017-02-05 21:11 - 2015-06-26 09:09 - 00000000 ____D C:\Users\Phil\Desktop\Cracked
2017-02-05 11:10 - 2014-04-27 02:09 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-02-05 10:19 - 2015-06-09 10:29 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2017-02-05 06:30 - 2009-07-13 21:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2017-02-05 06:28 - 2009-07-13 18:34 - 00000215 _____ C:\Windows\system.ini
2017-02-03 22:20 - 2014-04-27 21:16 - 00000000 ____D C:\Users\Phil\Documents\Product Keys
2017-01-30 18:37 - 2014-04-28 00:04 - 00000000 ____D C:\Users\Phil\Desktop\Rebates & RMAs
2017-01-30 00:57 - 2014-05-05 23:24 - 00000000 ____D C:\Users\Phil\AppData\Local\LogMeIn Client
2017-01-29 20:47 - 2015-01-24 01:53 - 00000223 _____ C:\Users\Phil\Desktop\The 50 Greatest Songs - Bob Marley  Songs, Reviews, Credits, Awards  AllMusic.url

==================== Files in the root of some directories =======

2014-05-08 15:34 - 2014-05-08 16:00 - 0052535 __RSH () C:\Program Files (x86)\DLS8Uninstall.log
2016-10-31 23:12 - 2016-11-26 14:58 - 0000882 _____ () C:\Users\Phil\AppData\Roaming\syncplay.ini
2015-09-30 19:41 - 2015-11-13 13:47 - 0000600 _____ () C:\Users\Phil\AppData\Roaming\winscp.rnd

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-02-24 19:44

==================== End of FRST.txt ============================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 25-02-2017
Ran by Phil (26-02-2017 03:56:49)
Running from C:\Users\Phil\Desktop
Windows 7 Professional Service Pack 1 (X64) (2014-04-27 09:24:18)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-783976531-2470912185-2914285112-500 - Administrator - Disabled)
Guest (S-1-5-21-783976531-2470912185-2914285112-501 - Limited - Disabled)
Phil (S-1-5-21-783976531-2470912185-2914285112-1000 - Administrator - Enabled) => C:\Users\Phil

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avast Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.38 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0938-000001000000}) (Version: 9.38.00.0 - Igor Pavlov)
Adblock Plus for IE (32-bit and 64-bit) (HKLM\...\{0F347A49-E36C-4639-8D2E-003AD408B8B2}) (Version: 1.5 - Eyeo GmbH)
Adobe Flash Player 19 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 19.0.0.185 - Adobe Systems Incorporated)
Adobe Flash Player 23 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 23.0.0.205 - Adobe Systems Incorporated)
Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 12.3.2280 - AVAST Software)
Bass Audio Decoder (remove only) (HKLM-x32\...\Bass Audio Decoder) (Version:  - )
BitTorrent (HKU\S-1-5-21-783976531-2470912185-2914285112-1000\...\BitTorrent) (Version: 7.9.9.42974 - BitTorrent Inc.)
BUFFALO NAS Navigator2 (HKLM-x32\...\UN060501) (Version:  - )
CCleaner (HKLM\...\CCleaner) (Version: 5.12 - Piriform)
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version:  - )
DCoder Image Source (remove only) (HKLM-x32\...\DCoder Image Source) (Version:  - )
DirectVobSub (remove only) (HKLM-x32\...\DirectVobSub) (Version:  - )
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
ffdshow v1.3.4530 [2014-02-09] (HKLM-x32\...\ffdshow_is1) (Version: 1.3.4530.0 - )
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
Killer Bandwidth Control Filter Driver (Version: 1.1.50.1073 - Rivet Networks) Hidden
Killer E220x Drivers (Version: 1.1.50.1073 - Rivet Networks) Hidden
Killer Network Manager (Version: 1.1.50.1073 - Rivet Networks) Hidden
Killer Performance Suite (HKLM-x32\...\{E70DB50B-10B4-46BC-9DE2-AB8B49E061EE}) (Version: 1.1.50.1073 - Rivet Networks)
LAV Filters 0.67 (HKLM-x32\...\lavfilters_is1) (Version: 0.67 - Hendrik Leppkes)
LiveUpdate 3.3 (Symantec Corporation) (HKLM-x32\...\LiveUpdate) (Version: 3.3.0.101 - Symantec Corporation)
Logitech SetPoint 6.67 (HKLM\...\sp6) (Version: 6.67.83 - Logitech)
Logitech Unifying Software 2.50 (HKLM\...\Logitech Unifying) (Version: 2.50.25 - Logitech)
LSI PCI-SV92PP Soft Modem (HKLM\...\LSI Soft Modem) (Version: 2.2.98 - LSI Corporation)
MadVR (remove only) (HKLM-x32\...\MadVR) (Version:  - )
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132}) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Money Plus (HKLM-x32\...\Money2008b) (Version: 17 - Microsoft)
Microsoft Office Standard Edition 2003 (HKLM-x32\...\{91120409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.5614.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 43.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 43.0.1 (x86 en-US)) (Version: 43.0.1 - Mozilla)
Mozilla Thunderbird 45.6.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 45.6.0 (x86 en-US)) (Version: 45.6.0 - Mozilla)
NVIDIA 3D Vision Driver 332.21 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 332.21 - NVIDIA Corporation)
NVIDIA Graphics Driver 332.21 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 332.21 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.30.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.30.1 - NVIDIA Corporation)
Oracle VM VirtualBox 5.1.12 (HKLM\...\{C212962C-71C4-4D9F-B8E0-D2CD00C8B8FE}) (Version: 5.1.12 - Oracle Corporation)
Path of Exile (HKLM\...\Steam App 238960) (Version:  - Grinding Gear Games)
PAYDAY: The Heist (HKLM-x32\...\Steam App 24240) (Version:  - OVERKILL Software)
Peggle Deluxe (HKLM-x32\...\Peggle Deluxe) (Version:  - PopCap Games)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7469 - Realtek Semiconductor Corp.)
Roxio Creator DE 10.3 (HKLM-x32\...\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}) (Version: 10.3 - Roxio)
SafeZone Stable 1.48.2066.98 (x32 Version: 1.48.2066.98 - Avast Software) Hidden
Symantec pcAnywhere (HKLM-x32\...\{8D94B4B5-A3E3-4BD5-851E-E14872BFC79B}) (Version: 12.5.5 - Symantec Corporation)
Syncplay (HKLM-x32\...\Syncplay) (Version: 1.3.4 - Syncplay)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
WD Access (HKLM-x32\...\{046643f7-6206-46bb-8968-92c37fee39e0}) (Version: 1.4.5949.29996 - Western Digital Technologies, Inc.)
WD Access (x32 Version: 1.4.5949.29996 - Western Digital Technologies, Inc) Hidden
Windows 7 USB/DVD Download Tool (HKLM-x32\...\{CCF298AF-9CE1-4B26-B251-486E98A34789}) (Version: 1.0.30 - Microsoft Corporation)
WinSCP 5.7.5 (HKLM-x32\...\winscp3_is1) (Version: 5.7.5 - Martin Prikryl)
Wolfenstein: The New Order (HKLM-x32\...\Steam App 201810) (Version:  - Machine Games)
XQDC X-Setup Pro 9.2.100 (HKLM-x32\...\xqdcXSP_is1) (Version: 9.2.100 - XQDC Ltd.)
Zoom Player (remove only) (HKLM-x32\...\ZoomPlayer) (Version:  - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {3E50C6A0-F9BC-4868-BB98-AFB97DE3AC78} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-11-16] (Piriform Ltd)
Task: {ABB09A39-937F-4F90-8C8C-2765201A4B85} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2017-01-02] (AVAST Software)
Task: {D2A94E78-CD84-4933-A7DA-A413C5ABF45F} - System32\Tasks\SafeZone scheduled Autoupdate 1458721273 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe
Task: {E1A7CC53-AC29-4957-8AF1-30E3878045EF} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2017-01-27] (AVAST Software)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2014-04-28 00:36 - 2013-10-23 13:24 - 00087600 _____ () C:\Windows\System32\cpwmon64.dll
2008-08-05 10:01 - 2008-08-05 10:01 - 00092160 _____ () C:\Program Files (x86)\Zoom Player\zpshlext64.dll
2017-01-02 13:42 - 2017-01-02 13:42 - 00169064 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2017-02-25 13:19 - 2017-02-25 13:19 - 05990096 _____ () C:\Program Files\AVAST Software\Avast\defs\17022501\algo.dll
2017-01-02 13:42 - 2017-01-02 13:42 - 00482928 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2017-01-02 13:42 - 2017-01-02 13:42 - 48936448 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2014-04-27 02:16 - 2016-12-23 10:28 - 00657184 _____ () C:\Program Files (x86)\Steam\SDL2.dll
2015-01-19 12:40 - 2016-08-31 17:02 - 04969248 _____ () C:\Program Files (x86)\Steam\v8.dll
2015-01-19 12:40 - 2016-08-31 17:02 - 01563936 _____ () C:\Program Files (x86)\Steam\icui18n.dll
2015-01-19 12:40 - 2016-08-31 17:02 - 01195296 _____ () C:\Program Files (x86)\Steam\icuuc.dll
2014-05-21 11:10 - 2017-01-18 17:30 - 02327840 _____ () C:\Program Files (x86)\Steam\video.dll
2014-08-28 12:49 - 2016-01-26 23:49 - 02549760 _____ () C:\Program Files (x86)\Steam\libavcodec-56.dll
2014-08-28 12:49 - 2016-01-26 23:49 - 00442880 _____ () C:\Program Files (x86)\Steam\libavutil-54.dll
2014-08-28 12:49 - 2016-01-26 23:49 - 00491008 _____ () C:\Program Files (x86)\Steam\libavformat-56.dll
2014-08-28 12:49 - 2016-01-26 23:49 - 00332800 _____ () C:\Program Files (x86)\Steam\libavresample-2.dll
2014-08-28 12:49 - 2016-01-26 23:49 - 00485888 _____ () C:\Program Files (x86)\Steam\libswscale-3.dll
2014-04-27 02:16 - 2017-01-18 17:30 - 00838432 _____ () C:\Program Files (x86)\Steam\bin\chromehtml.DLL
2016-03-08 19:26 - 2016-07-04 14:17 - 00266560 _____ () C:\Program Files (x86)\Steam\openvr_api.dll
2016-12-12 17:01 - 2017-01-04 19:12 - 68813088 _____ () C:\Program Files (x86)\Steam\bin\cef\cef.win7\libcef.dll
2014-04-27 02:16 - 2017-01-18 17:30 - 00383776 _____ () C:\Program Files (x86)\Steam\steam.dll
2015-01-19 12:40 - 2015-09-24 15:52 - 00119208 _____ () C:\Program Files (x86)\Steam\winh264.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 18:34 - 2009-06-10 13:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-783976531-2470912185-2914285112-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.0.1 - 209.18.47.61
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: AgereModemAudio => 2
MSCONFIG\Services: AMD FUEL Service => 2
MSCONFIG\Services: awhost32 => 3
MSCONFIG\Services: Bonjour Service => 2
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: gusvc => 3
MSCONFIG\Services: Killer Service V2 => 2
MSCONFIG\Services: LiveUpdate => 3
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\Services: NvNetworkService => 2
MSCONFIG\Services: NvStreamSvc => 2
MSCONFIG\Services: nvsvc => 2
MSCONFIG\Services: Stereo Service => 2
MSCONFIG\Services: stllssvr => 3
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Killer Network Manager.lnk => C:\Windows\pss\Killer Network Manager.lnk.CommonStartup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Logitech Download Assistant => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
MSCONFIG\startupreg: NvBackend => "C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
MSCONFIG\startupreg: RTHDVCPL => "C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s
MSCONFIG\startupreg: RUSB3MON => "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe"
MSCONFIG\startupreg: StartCCC => "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{945464D5-6B4C-4A67-87D8-4A2D2409FECD}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{2C9959DD-8508-4924-ACA4-452A3A7676C2}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{CCF29A0E-693D-4EAE-93D1-2E0C27B7A10F}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{E461FB77-E305-4D03-9A26-D7DEDC5A7761}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{89322A68-9AB7-43B7-9908-32BA1157E7F7}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{9AAB7217-CDF4-4641-BAF9-438D0DF57CF8}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{A7ABD965-B4D7-45CD-BDCB-1E33AB66190A}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{0367F79E-515E-4F41-8453-515EF0CAFD52}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{E6577CB6-88AD-4C69-B64E-E589080B560F}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Team Fortress 2\hl2.exe
FirewallRules: [{8D5E02C6-A031-45ED-AB28-959B9C23EF8F}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Team Fortress 2\hl2.exe
FirewallRules: [{CF9C3F1A-8CE5-48C4-8C6F-6264A54B2A48}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Titan Quest\Titan Quest.exe
FirewallRules: [{0AE8716F-C320-4989-BF04-07CDB33A5B9F}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Titan Quest\Titan Quest.exe
FirewallRules: [{E4442C33-500E-42DC-9AD7-613D94CC2DBE}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Titan Quest Immortal Throne\Tqit.exe
FirewallRules: [{8C1F2342-AADE-494F-953E-D9C3CB47CF52}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Titan Quest Immortal Throne\Tqit.exe
FirewallRules: [{52E69446-48AC-4181-9730-B14F32F7304C}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\AVA\NWZLauncher.exe
FirewallRules: [{1E24C4D4-72D9-4253-A91E-5B1802259969}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\AVA\NWZLauncher.exe
FirewallRules: [{791A822F-AE8D-4DCD-88FF-55A163BA41C7}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Loadout\Loadout.exe
FirewallRules: [{D81657A3-3FA1-4541-8B44-30A6C6952674}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Loadout\Loadout.exe
FirewallRules: [{85E6BA52-5A70-424F-9551-47D46FDBD363}] => (Allow) C:\Program Files (x86)\Winamp\winamp.exe
FirewallRules: [{3E659BF9-3931-4C91-9E47-D07B84589876}] => (Allow) C:\Program Files (x86)\Winamp\winamp.exe
FirewallRules: [{4BA2B6DB-EB38-42A7-96C3-B5BE19A2D7F5}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{7756D255-4E65-44D1-A50F-D7682B3B9541}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [TCP Query User{5B8BBCD2-CA33-4A85-981E-98B04DE4ACE2}C:\users\phil\appdata\local\temp\lmi4926.tmp\logmein client.exe] => (Allow) C:\users\phil\appdata\local\temp\lmi4926.tmp\logmein client.exe
FirewallRules: [UDP Query User{D2931108-9E44-4364-A6AD-5DB936DA3489}C:\users\phil\appdata\local\temp\lmi4926.tmp\logmein client.exe] => (Allow) C:\users\phil\appdata\local\temp\lmi4926.tmp\logmein client.exe
FirewallRules: [TCP Query User{495A1845-4496-405A-A7CC-12FF581577D7}C:\users\phil\appdata\local\logmein client\logmein client.exe] => (Allow) C:\users\phil\appdata\local\logmein client\logmein client.exe
FirewallRules: [UDP Query User{8CCA4391-15E9-4AE2-9C62-AB905E722A24}C:\users\phil\appdata\local\logmein client\logmein client.exe] => (Allow) C:\users\phil\appdata\local\logmein client\logmein client.exe
FirewallRules: [{3CCE84B6-4BD7-4691-A0C6-27F3C65C2644}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Just Cause 2 - Multiplayer Mod\JcmpLauncher.exe
FirewallRules: [{ECA2CEBF-1BC1-4D5E-84D8-EF1E44EA72A6}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Just Cause 2 - Multiplayer Mod\JcmpLauncher.exe
FirewallRules: [{0148D8C9-34E6-4767-AEA9-3D0C007B70C0}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{30E9E43A-9FCE-45C4-BE95-EA4EAE7E32B7}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{5E4A112B-DBD5-4456-8921-7A3C41BF3ABD}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\PAYDAY The Heist\payday_win32_release.exe
FirewallRules: [{8D435DF0-A430-4098-B39F-236F1C5CDE99}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\PAYDAY The Heist\payday_win32_release.exe
FirewallRules: [{F1464D61-70CE-430B-A7BE-8C563CC10E71}] => (Allow) C:\Users\Phil\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{B5913A1E-B639-410B-9BB3-5FB38B100A11}] => (Allow) C:\Users\Phil\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [TCP Query User{B607C1ED-91EA-40EB-8488-5D77BC51A1ED}C:\windows\system32\wfs.exe] => (Allow) C:\windows\system32\wfs.exe
FirewallRules: [UDP Query User{6673475C-8D99-4A05-AF1D-D6C4144774B7}C:\windows\system32\wfs.exe] => (Allow) C:\windows\system32\wfs.exe
FirewallRules: [TCP Query User{76E3D015-19C9-4CDF-84F4-1A06F7D8D51A}C:\users\phil\appdata\local\logmein client\lmiignition.exe] => (Allow) C:\users\phil\appdata\local\logmein client\lmiignition.exe
FirewallRules: [UDP Query User{88AF648A-67E6-4112-AC7A-AB2FB2FEC7D4}C:\users\phil\appdata\local\logmein client\lmiignition.exe] => (Allow) C:\users\phil\appdata\local\logmein client\lmiignition.exe
FirewallRules: [{69AD10A2-5061-4CD7-A1F2-B231A98AD177}] => (Allow) C:\Program Files\Vuze\Azureus.exe
FirewallRules: [{6F0B8D70-E261-45EF-822B-B89D468EF4A2}] => (Allow) C:\Program Files\Vuze\Azureus.exe
FirewallRules: [{8FDDBE9A-A96C-4587-9D08-5538E6A8CF6E}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{89D7C5C8-AFA6-483B-9711-30559EE9535C}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{6D4D68BC-D6A6-44FF-94B3-2F14216D38B7}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{8DFD47F2-286C-4BD1-AA80-A62B3BD114D8}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [{D6ACC52E-F887-475E-BA41-77EBF4E24155}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Wolfenstein.The.New.Order\WolfNewOrder_x64.exe
FirewallRules: [{DCC08A59-3AC0-4643-91AD-63A18ABFA757}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Wolfenstein.The.New.Order\WolfNewOrder_x64.exe
FirewallRules: [{8B12C050-38E1-44A6-AB0E-CD29B8E29795}] => (Allow) C:\Program Files (x86)\BUFFALO\NASNAVI\NasNavi.exe
FirewallRules: [{D32444EB-92C9-4FF6-9958-3F5879B88CB2}] => (Allow) C:\Program Files (x86)\BUFFALO\NASNAVI\NasNavi.exe
FirewallRules: [{768E35A6-BB26-4020-A2B0-0CFF8D45690E}] => (Allow) C:\Program Files (x86)\BUFFALO\NASNAVI\NasNavi.exe
FirewallRules: [TCP Query User{F7632B9A-E2D9-46C0-A198-E5F6C6A5D97A}C:\program files (x86)\western digital\wd app manager\wdappmanager.exe] => (Allow) C:\program files (x86)\western digital\wd app manager\wdappmanager.exe
FirewallRules: [UDP Query User{10AD28A8-D53D-4DA9-B879-F22387A03D60}C:\program files (x86)\western digital\wd app manager\wdappmanager.exe] => (Allow) C:\program files (x86)\western digital\wd app manager\wdappmanager.exe
FirewallRules: [TCP Query User{FDAF27DF-58E3-4BD9-B7A8-CB14EE5DA866}C:\program files (x86)\western digital\wd app manager\wdappmanager.exe] => (Block) C:\program files (x86)\western digital\wd app manager\wdappmanager.exe
FirewallRules: [UDP Query User{B38CE965-EBCD-456F-A7FB-155E2D24C39B}C:\program files (x86)\western digital\wd app manager\wdappmanager.exe] => (Block) C:\program files (x86)\western digital\wd app manager\wdappmanager.exe
FirewallRules: [{F2DE535B-01DE-4A4E-A79B-16F957785F14}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Path of Exile\PathOfExileSteam.exe
FirewallRules: [{88E971D4-A319-4BF3-AB3B-12FA1B5DA4A1}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Path of Exile\PathOfExileSteam.exe
FirewallRules: [{3EB4DD12-B85F-4A3C-9075-78AA1D2C4DF3}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\AVA\host.exe
FirewallRules: [{EBD66FEF-AF91-42FB-A12D-0F22A396BEA4}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\AVA\host.exe
FirewallRules: [{690AEA9F-DE55-4344-9989-7FA75D1A20CC}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\AVA\launcher.exe
FirewallRules: [{DDD14F52-1B80-421F-85C7-48D05505CB27}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\AVA\launcher.exe
FirewallRules: [{7B46D647-86B9-435E-A9F8-0A9CE24BC2EE}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Path of Exile\PathOfExile_x64Steam.exe
FirewallRules: [{8472BF8C-5849-4453-BB2E-CC32A4571B7D}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Path of Exile\PathOfExile_x64Steam.exe
FirewallRules: [TCP Query User{9465B57D-ABB3-4E5C-A4C0-D0DB6841DE3F}C:\program files (x86)\tp-link\tp-link plc utility\tpplc.exe] => (Allow) C:\program files (x86)\tp-link\tp-link plc utility\tpplc.exe
FirewallRules: [UDP Query User{1CC07C49-FE74-4E46-93F4-D2684B0BE6C2}C:\program files (x86)\tp-link\tp-link plc utility\tpplc.exe] => (Allow) C:\program files (x86)\tp-link\tp-link plc utility\tpplc.exe
FirewallRules: [TCP Query User{B51C128D-17BA-4549-8E44-FFA16B9D0900}C:\users\phil\desktop\tl-wpa4220kit_v1_utility\tl-wpa2220_v1_utility\powerline scan.exe] => (Allow) C:\users\phil\desktop\tl-wpa4220kit_v1_utility\tl-wpa2220_v1_utility\powerline scan.exe
FirewallRules: [UDP Query User{0EB95C81-0335-4523-A49D-B775FCCC2B44}C:\users\phil\desktop\tl-wpa4220kit_v1_utility\tl-wpa2220_v1_utility\powerline scan.exe] => (Allow) C:\users\phil\desktop\tl-wpa4220kit_v1_utility\tl-wpa2220_v1_utility\powerline scan.exe
FirewallRules: [TCP Query User{C4F6A422-BE0C-45D3-9156-AA460D0448E4}C:\users\phil\desktop\powerline scan.exe] => (Allow) C:\users\phil\desktop\powerline scan.exe
FirewallRules: [UDP Query User{7CB389B3-09DC-4FDB-8B78-4A79CCFAF609}C:\users\phil\desktop\powerline scan.exe] => (Allow) C:\users\phil\desktop\powerline scan.exe
FirewallRules: [{FC44EC71-F866-4964-A0D0-79209C9E648A}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{99E76C6C-E474-45BC-BD7D-00ABD725B3C4}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [VirtualPC-In-UDP-1] => (Allow) %SystemRoot%\System32\vpc.exe
FirewallRules: [VirtualPC-In-UDP-2] => (Allow) %SystemRoot%\System32\vpc.exe
FirewallRules: [VirtualPC-In-TCP-1] => (Allow) %SystemRoot%\System32\vpc.exe

==================== Restore Points =========================

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (02/25/2017 01:23:55 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (02/25/2017 01:23:55 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (02/24/2017 10:08:01 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (02/24/2017 10:08:01 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (02/24/2017 12:04:24 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (02/24/2017 12:04:24 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (02/23/2017 11:52:11 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (02/23/2017 11:52:11 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (02/23/2017 11:50:04 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "F:\esetsmartinstaller_enu.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (02/23/2017 11:11:05 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

System errors:
=============
Error: (02/25/2017 12:19:36 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (02/25/2017 12:16:33 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (02/24/2017 10:05:20 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (02/24/2017 08:41:10 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (02/24/2017 06:54:25 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (02/23/2017 10:49:05 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR3.

Error: (02/23/2017 10:49:04 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR3.

Error: (02/23/2017 10:49:04 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR3.

Error: (02/20/2017 04:59:33 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (02/20/2017 01:50:44 AM) (Source: volsnap) (EventID: 36) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

CodeIntegrity:
===================================
  Date: 2017-02-05 06:27:33.914
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-02-05 06:27:33.784
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-11-13 19:51:01.441
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2016-11-02 00:33:25.144
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2016-11-02 00:17:45.835
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2016-11-02 00:03:55.787
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2016-11-01 23:17:36.156
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2016-11-01 23:15:33.306
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2016-11-01 22:51:42.560
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2016-11-01 22:42:26.981
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Processor: AMD FX-8370 Eight-Core Processor
Percentage of memory in use: 23%
Total physical RAM: 16331.02 MB
Available physical RAM: 12466.23 MB
Total Virtual: 32660.23 MB
Available Virtual: 28179.1 MB

==================== Drives ================================

Drive c: (Harddrive-C) (Fixed) (Total:465.66 GB) (Free:78.48 GB) NTFS
Drive d: (Data) (Fixed) (Total:931.51 GB) (Free:110.54 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 159679CC)
Partition 1: (Active) - (Size=102 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 394E0276)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================
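The FirewallRules section of the log above contains dozens of Allow rules, several of them "Query User" rules created when someone clicked Allow on the Windows Firewall prompt for executables living under the user's Temp, AppData and Desktop folders. As an added triage example (not part of the original post and not FRST's own code), the Python below parses FirewallRules lines in FRST's format and flags Allow rules whose target sits in a user-writable location. The location markers are the reviewer's own heuristic, and the sample input is a handful of lines copied from the log above.

```python
"""Triage helper for the FirewallRules section of an FRST Addition.txt log.

Added example; not part of FRST or the forum post. It parses lines of the form
    FirewallRules: [<name>] => (<Allow|Block>) <path>
and flags Allow rules whose target executable lives in a user-writable
location, which is where a reviewer wants to look first. The path markers
below are an assumption (a reviewer heuristic), not anything FRST emits.
"""
import re
from dataclasses import dataclass

# One FRST FirewallRules line. Rule names may themselves contain a path and
# a GUID, so the name group is matched non-greedily up to the first "]".
_RULE_RE = re.compile(
    r"^FirewallRules:\s+\[(?P<name>.+?)\]\s+=>\s+"
    r"\((?P<action>Allow|Block)\)\s+(?P<path>.+?)\s*$"
)

# Substrings (compared case-insensitively) marking user-writable or
# transient locations. Reviewer heuristic, adjust to taste.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\",
    "\\desktop\\",
    "\\downloads\\",
    "\\users\\public\\",
)

# Sample input: lines copied from the FRST log in this thread.
SAMPLE_LOG = r"""
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [TCP Query User{5B8BBCD2-CA33-4A85-981E-98B04DE4ACE2}C:\users\phil\appdata\local\temp\lmi4926.tmp\logmein client.exe] => (Allow) C:\users\phil\appdata\local\temp\lmi4926.tmp\logmein client.exe
FirewallRules: [UDP Query User{D2931108-9E44-4364-A6AD-5DB936DA3489}C:\users\phil\appdata\local\temp\lmi4926.tmp\logmein client.exe] => (Allow) C:\users\phil\appdata\local\temp\lmi4926.tmp\logmein client.exe
FirewallRules: [{F1464D61-70CE-430B-A7BE-8C563CC10E71}] => (Allow) C:\Users\Phil\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [TCP Query User{B607C1ED-91EA-40EB-8488-5D77BC51A1ED}C:\windows\system32\wfs.exe] => (Allow) C:\windows\system32\wfs.exe
FirewallRules: [TCP Query User{6D4D68BC-D6A6-44FF-94B3-2F14216D38B7}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [TCP Query User{C4F6A422-BE0C-45D3-9156-AA460D0448E4}C:\users\phil\desktop\powerline scan.exe] => (Allow) C:\users\phil\desktop\powerline scan.exe
"""


@dataclass
class Rule:
    name: str
    action: str
    path: str

    @property
    def in_user_writable_location(self) -> bool:
        low = self.path.lower()
        return any(marker in low for marker in USER_WRITABLE_MARKERS)

    @property
    def is_query_user_rule(self) -> bool:
        # "TCP/UDP Query User{GUID}<path>" rules are created by the Windows
        # Firewall prompt when a user allows an unknown program.
        return self.name.startswith(("TCP Query User", "UDP Query User"))


def parse_rules(text: str) -> list:
    """Parse every FirewallRules line from an FRST log excerpt."""
    rules = []
    for line in text.splitlines():
        m = _RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(m["name"], m["action"], m["path"]))
    return rules


def flag_rules(rules) -> list:
    """Allow rules pointing into user-writable locations, one per target path."""
    seen = set()
    flagged = []
    for rule in rules:
        if rule.action == "Allow" and rule.in_user_writable_location:
            key = rule.path.lower()
            if key not in seen:
                seen.add(key)
                flagged.append(rule)
    return flagged


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_LOG)
    print(f"{len(rules)} rules parsed, "
          f"{sum(r.is_query_user_rule for r in rules)} created via the Query User prompt")
    for rule in flag_rules(rules):
        print(f"REVIEW: {rule.action} {rule.path}")
```

Run against a full Addition.txt, the script lists each distinct executable in a user-writable location that has an inbound Allow rule; a reviewer then checks whether the program is still installed at that path and whether the rule is still wanted, since stale "Query User" allows for long-gone temp-folder binaries are common leftovers.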




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,246 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:41 PM

Posted 26 February 2017 - 01:54 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicyScripts: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-783976531-2470912185-2914285112-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-783976531-2470912185-2914285112-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
Toolbar: HKU\S-1-5-21-783976531-2470912185-2914285112-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [No File]
S4 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S4 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 MSICDSetup; \??\E:\CDriver64.sys [X]
S3 NTIOLib_1_0_C; \??\E:\NTIOLib_X64.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===


Please post the logs and let me know what problem you are having with this computer.

#3 pspada1

pspada1
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:41 PM

Posted 26 February 2017 - 02:52 PM

Thanks, I'll be back at the machine this afternoon, and will run all the requested steps!



#4 pspada1

pspada1
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:41 PM

Posted 26 February 2017 - 09:59 PM

Internet Explorer 11 leaves open IE processes after being closed, and seems to be spawning quite a few dllhost and dllhost32 processes. This continues after running the fix and AdwCleaner. Malwarebytes found nothing. Here are the logs:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 26-02-2017
Ran by Phil (26-02-2017 17:45:17) Run:1
Running from C:\Users\Phil\Desktop
Loaded Profiles: Phil (Available Profiles: Phil)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicyScripts: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-783976531-2470912185-2914285112-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-783976531-2470912185-2914285112-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
Toolbar: HKU\S-1-5-21-783976531-2470912185-2914285112-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [No File]
S4 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S4 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 MSICDSetup; \??\E:\CDriver64.sys [X]
S3 NTIOLib_1_0_C; \??\E:\NTIOLib_X64.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]

End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\S-1-5-21-783976531-2470912185-2914285112-1000\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\S-1-5-21-783976531-2470912185-2914285112-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key removed successfully
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found.
HKU\S-1-5-21-783976531-2470912185-2914285112-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3 => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9 => key removed successfully
HKLM\System\CurrentControlSet\Services\gupdate => key removed successfully
gupdate => service removed successfully
HKLM\System\CurrentControlSet\Services\gupdatem => key removed successfully
gupdatem => service removed successfully
HKLM\System\CurrentControlSet\Services\catchme => key removed successfully
catchme => service removed successfully
HKLM\System\CurrentControlSet\Services\MSICDSetup => key removed successfully
MSICDSetup => service removed successfully
HKLM\System\CurrentControlSet\Services\NTIOLib_1_0_C => key removed successfully
NTIOLib_1_0_C => service removed successfully
HKLM\System\CurrentControlSet\Services\xhunter1 => key removed successfully
xhunter1 => service removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 366209454 B
Java, Flash, Steam htmlcache => 58208351 B
Windows/system/drivers => 0 B
Edge => 0 B
Chrome => 0 B
Firefox => 393533292 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 33125 B
Public => 0 B
ProgramData => 0 B
systemprofile => 190572519 B
systemprofile32 => 66228 B
LocalService => 0 B
NetworkService => 38628 B
Phil => 57682348457 B

RecycleBin => 14102941 B
EmptyTemp: => 54.7 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 17:47:15 ====

 

# AdwCleaner v6.043 - Logfile created 26/02/2017 at 18:11:58
# Updated on 27/01/2017 by Malwarebytes
# Database : 2017-02-24.1 [Server]
# Operating System : Windows 7 Professional Service Pack 1 (X64)
# Username : Phil - PHIL
# Running from : C:\Users\Phil\Desktop\adwcleaner_6.043.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support

 

***** [ Services ] *****

 

***** [ Folders ] *****

[!] Folder not deleted: C:\Users\Phil\Documents\PlantsVsZombies

***** [ Files ] *****

 

***** [ DLL ] *****

 

***** [ WMI ] *****

 

***** [ Shortcuts ] *****

 

***** [ Scheduled Tasks ] *****

 

***** [ Registry ] *****

[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\staticimgfarm.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ttdetect.staticimgfarm.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\staticimgfarm.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ttdetect.staticimgfarm.com

***** [ Web browsers ] *****

 

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [1462 Bytes] - [04/02/2017 22:05:57]
C:\AdwCleaner\AdwCleaner[C2].txt - [1349 Bytes] - [26/02/2017 18:11:58]
C:\AdwCleaner\AdwCleaner[S0].txt - [1637 Bytes] - [04/02/2017 22:05:16]
C:\AdwCleaner\AdwCleaner[S1].txt - [1706 Bytes] - [26/02/2017 18:09:32]

########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [1568 Bytes] ##########

 

thanks!



#5 nasdaq

  • Malware Response Team

Posted 27 February 2017 - 07:55 AM


Unless you have problems running IE there should be nothing to worry about.
The operating system will run these processes when needed.

Read about it.
http://www.liutilities.com/products/wintaskspro/processlibrary/dllhost/

If you do have problems with IE then run this tool.

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUMs] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click to open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Let me know what the problems are.

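Posts #5 and #8 in this thread turn on whether the dllhost.exe instances IE leaves behind are the normal COM surrogate. As an added example that is not part of the thread, this PowerShell snippet (run elevated on Windows 7) lists each dllhost.exe with its parent process, resolves the /Processid AppID against the registry, and flags the things a responder would actually check before deciding; the Resolve-ComSurrogateId function name and the flag labels are assumptions of this example, not from any tool the thread uses.

```powershell
# Added example, not from the thread: triage every dllhost.exe instance the way a
# responder would instead of assuming the COM surrogate is benign or malicious.
# Windows starts dllhost.exe with /Processid:{AppID} to host an out-of-process COM
# DLL, which is why IE (Protected Mode) legitimately leaves several running.
# Assumptions: elevated PowerShell; cmdlets limited to those in Windows 7's PS 2.0.

$expected = @(
    (Join-Path $env:SystemRoot 'System32\dllhost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\dllhost.exe')
)

function Resolve-ComSurrogateId {
    param([string]$Guid)
    # The GUID after /Processid is an AppID; DllSurrogate names the hosting EXE
    # (an empty string means the default surrogate, dllhost.exe itself).
    $info = New-Object PSObject -Property @{ Registered = $false; DllSurrogate = $null; ClsidServer = $null }
    $appId = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\AppID\{$Guid}" -ErrorAction SilentlyContinue
    if ($appId) { $info.Registered = $true; $info.DllSurrogate = $appId.DllSurrogate }
    # Most AppIDs reuse their CLSID, so also resolve the in-process server DLL.
    $srv = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\{$Guid}\InprocServer32" -ErrorAction SilentlyContinue
    if ($srv) { $info.Registered = $true; $info.ClsidServer = $srv.'(default)' }
    return $info
}

Get-WmiObject Win32_Process -Filter "Name='dllhost.exe'" | ForEach-Object {
    $parent = Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue
    $guid = if ($_.CommandLine -match '/Processid:\{([0-9A-Fa-f-]{36})\}') { $Matches[1] } else { $null }
    $com  = if ($guid) { Resolve-ComSurrogateId $guid } else { $null }
    $sig  = if ($_.ExecutablePath) { (Get-AuthenticodeSignature $_.ExecutablePath).Status } else { 'Unknown' }

    # What a responder flags: image outside System32/SysWOW64, an unsigned binary,
    # an AppID no longer registered, or a hosted DLL living in a user-writable path.
    $flags = @()
    if ($expected -notcontains $_.ExecutablePath) { $flags += 'unexpected-image-path' }
    if ($sig -ne 'Valid') { $flags += "signature:$sig" }
    if ($guid -and -not $com.Registered) { $flags += 'unregistered-appid' }
    foreach ($dll in @($com.DllSurrogate, $com.ClsidServer)) {
        if ($dll -and $dll -match '\\(Temp|AppData)\\') { $flags += "user-writable-dll:$dll" }
    }

    New-Object PSObject -Property @{
        PID    = $_.ProcessId
        Parent = if ($parent) { $parent.ProcessName } else { "pid $($_.ParentProcessId)" }
        AppId  = $guid
        Hosts  = if ($com) { $com.ClsidServer } else { $null }
        Flags  = if ($flags) { $flags -join ', ' } else { 'none' }
    }
} | Format-Table PID, Parent, AppId, Hosts, Flags -AutoSize
```

A surrogate parented by iexplore.exe or svchost.exe, signed, with a registered AppID and Flags of "none" is the behaviour the helper describes as normal; anything else is what to paste into a reply.
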
#6 pspada1

  • Topic Starter

Posted 27 February 2017 - 04:24 PM

I'll give RogueKiller another shot - was not sure about the dllhost stuff, so I'll read the link you sent.  But is it normal for IE to leave an iexplore.exe process running after exiting all IE windows?

 

And thanks again for all your help!



#7 pspada1

  • Topic Starter

Posted 28 February 2017 - 01:55 AM

Here's the RogueKiller log; I removed all 8 items it found:

 

RogueKiller V12.9.9.0 (x64) [Feb 27 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Phil [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/27/2017 17:58:03 (Duration : 00:12:35)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 8 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{5B8BBCD2-CA33-4A85-981E-98B04DE4ACE2}C:\users\phil\appdata\local\temp\lmi4926.tmp\logmein client.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\phil\appdata\local\temp\lmi4926.tmp\logmein client.exe|Name=logmein client.exe|Desc=logmein client.exe|Defer=User| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{D2931108-9E44-4364-A6AD-5DB936DA3489}C:\users\phil\appdata\local\temp\lmi4926.tmp\logmein client.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\phil\appdata\local\temp\lmi4926.tmp\logmein client.exe|Name=logmein client.exe|Desc=logmein client.exe|Defer=User| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{5B8BBCD2-CA33-4A85-981E-98B04DE4ACE2}C:\users\phil\appdata\local\temp\lmi4926.tmp\logmein client.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\phil\appdata\local\temp\lmi4926.tmp\logmein client.exe|Name=logmein client.exe|Desc=logmein client.exe|Defer=User| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{D2931108-9E44-4364-A6AD-5DB936DA3489}C:\users\phil\appdata\local\temp\lmi4926.tmp\logmein client.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\phil\appdata\local\temp\lmi4926.tmp\logmein client.exe|Name=logmein client.exe|Desc=logmein client.exe|Defer=User| [x] -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-783976531-2470912185-2914285112-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-783976531-2470912185-2914285112-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-783976531-2470912185-2914285112-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-783976531-2470912185-2914285112-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 850 EVO 500GB ATA Device +++++
--- User ---
[MBR] 40f63ebeb540aee3988f4941a3145d13
[BSP] 77eace569656de73f98481f8cd0c731e : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 101 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 208845 | Size: 476835 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD1003FZEX-00MK2A0 ATA Device +++++
--- User ---
[MBR] 20806aeec7cf56646a678cac5dc8696e
[BSP] 3954b2d07bcaa356833435a65aeb30f7 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK



#8 nasdaq

  • Malware Response Team

Posted 28 February 2017 - 09:19 AM


Please restart the computer normally.

Do not open Internet Explorer right away.

Open your Task Manager and let me know if Internet Explorer is running.

If it is then stop the process. Do you get an error message?

#9 pspada1

  • Topic Starter

Posted 01 March 2017 - 01:21 AM

No, there is no IE process until I open IE, but once I close it there is one that remains open for a minute or so, and then closes.



#10 nasdaq

  • Malware Response Team

Posted 01 March 2017 - 11:26 AM

That is normal.

If all is well, to learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#11 pspada1

  • Topic Starter

Posted 02 March 2017 - 03:55 PM

Thanks for all your help!  I'm back to normal, so you can close this ticket.
