SkypeHost.exe malware, crashed game and changed computer settings


  • This topic is locked
12 replies to this topic

#1 MalwareMAn


  • Members
  • 7 posts

Posted 03 March 2017 - 05:54 PM

Hi,

 

I've been having probable recurring malware issues for the past 5 months (after using Malwarebytes and 3-4 hard resets) which I believe started on my Windows phone. I accidentally clicked on a malicious ad (the Windows phone was connected to my home wifi at the time), which sent my phone into a redirect loop, my phone BSOD'd and I started getting scam Windows repair calls at my landline, saying they had 'blocked my windows'! I never re-installed Windows on the phone because I was too scared that by connecting it to my PC it would transmit it over; eventually the cold calls stopped.

 

However, that doesn't seem to have made a difference, because today my PC was acting very odd. I'm pretty sure that SkypeHost.exe is the culprit, and I'm almost certain it's malware (due to the fact I seem to keep getting malware over the past 4 months; could it be my router or something?). It seems to have caused my network and firewall settings to change and crashed a game I was playing. I looked into Process Explorer and I noticed that there were 3+ suspicious processes (more were being added right in front of my eyes), so I tried a restore point that I made last week, and although it came up with an error, and SkypeHost.exe is still there (which is showing 3 unknown accounts in properties)... it doesn't seem to have worked and I expect the malware to return to its full effect soon... Please see attached logs... THANKS! (BTW, since I've made this log more processes have returned.)

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 03-03-2017
Ran by Jacob (administrator) on DESKTOP-2KMSFL0 (03-03-2017 22:02:04)
Running from C:\Users\Jacob\Downloads
Loaded Profiles: Jacob (Available Profiles: defaultuser0 & Jacob)
Platform: Windows 10 Pro Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(DTS, Inc) C:\Program Files\Realtek\Audio\HDA\DTSU2PAuSrv64.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
() C:\Program Files\ATI Technologies\ATI.ACE\a4\AdaptiveSleepService.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.11.110.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Microsoft® Windows® Operating System) C:\Windows\System32\Taskmgr.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-29] (Microsoft Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8492800 2015-06-24] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_DTS] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1402624 2015-06-24] (Realtek Semiconductor)
HKLM\...\Run: [StartCN] => C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe [8027016 2016-11-21] (Advanced Micro Devices, Inc.)
HKU\S-1-5-21-1169469798-42983302-1757595835-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [2881824 2017-01-19] (Valve Corporation)
GroupPolicyScripts: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{3057be8b-2953-47d3-bc08-4a52351f477a}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{58c8b1b7-60a9-4163-89ff-924aa1d13578}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================

FireFox:
========
FF DefaultProfile: jtn6nq4m.default
FF ProfilePath: C:\Users\Jacob\AppData\Roaming\Mozilla\Firefox\Profiles\jtn6nq4m.default [2017-03-03]
FF Extension: (Ant Video Downloader) - C:\Users\Jacob\AppData\Roaming\Mozilla\Firefox\Profiles\jtn6nq4m.default\Extensions\anttoolbar@ant.com [2017-02-25]
FF Extension: (NoScript) - C:\Users\Jacob\AppData\Roaming\Mozilla\Firefox\Profiles\jtn6nq4m.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2017-01-20]
FF Extension: (Adblock Plus) - C:\Users\Jacob\AppData\Roaming\Mozilla\Firefox\Profiles\jtn6nq4m.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2017-01-20]
FF Extension: (SHA-1 deprecation staged rollout) - C:\Users\Jacob\AppData\Roaming\Mozilla\Firefox\Profiles\jtn6nq4m.default\features\{56635879-af46-4327-a02b-223dfde9e1e3}\disableSHA1rollout@mozilla.org.xpi [2017-03-03]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AdaptiveSleepService; C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe [155016 2016-11-21] ()
R2 DTSAudioSvc; C:\Program Files\Realtek\Audio\HDA\DTSU2PAuSrv64.exe [249328 2015-06-24] (DTS, Inc)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [2889896 2016-09-15] (Microsoft Corporation)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 amdkmafd; C:\WINDOWS\System32\drivers\amdkmafd.sys [40720 2015-07-28] (Advanced Micro Devices, Inc.)
R3 amdkmdag; C:\WINDOWS\System32\DriverStore\FileRepository\c0309377.inf_amd64_7ab08912e1e1da0a\atikmdag.sys [26568848 2017-01-25] (Advanced Micro Devices, Inc.)
R3 amdkmdap; C:\WINDOWS\System32\DriverStore\FileRepository\c0309377.inf_amd64_7ab08912e1e1da0a\atikmpag.sys [536600 2017-01-25] (Advanced Micro Devices, Inc.)
R3 AtiHDAudioService; C:\WINDOWS\system32\drivers\AtihdWT6.sys [102912 2015-09-18] (Advanced Micro Devices)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 RtlWlanu; C:\WINDOWS\System32\drivers\rtwlanu.sys [5195776 2016-07-16] (Realtek Semiconductor Corporation                           )
S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-03 22:02 - 2017-03-03 22:02 - 00006487 _____ C:\Users\Jacob\Downloads\FRST.txt
2017-03-03 22:01 - 2017-03-03 22:02 - 00000000 ____D C:\FRST
2017-03-03 21:57 - 2017-03-03 22:01 - 02423808 _____ (Farbar) C:\Users\Jacob\Downloads\FRST64.exe
2017-03-03 20:31 - 2017-03-03 20:50 - 00001908 _____ C:\WINDOWS\diagwrn.xml
2017-03-03 20:31 - 2017-03-03 20:50 - 00001908 _____ C:\WINDOWS\diagerr.xml
2017-03-03 20:22 - 2017-03-03 20:22 - 00000000 ____D C:\Users\Jacob\Downloads\New folder
2017-03-02 22:29 - 2017-03-02 22:29 - 00000000 ____D C:\Users\Jacob\Downloads\ProcessExplorer
2017-03-02 22:29 - 2017-03-02 22:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2017-03-02 22:29 - 2017-03-02 22:29 - 00000000 ____D C:\Program Files\7-Zip
2017-03-02 22:27 - 2017-03-02 22:27 - 01381582 _____ (Igor Pavlov) C:\Users\Jacob\Downloads\7z1604-x64(1).exe
2017-03-02 22:22 - 2017-03-02 22:22 - 01920725 _____ C:\Users\Jacob\Downloads\ProcessExplorer.zip
2017-03-01 21:34 - 2017-03-01 21:37 - 00000000 ____D C:\Users\Jacob\Desktop\FL studio recorded songs
2017-02-26 21:58 - 2017-02-26 21:58 - 00041790 _____ C:\Users\Jacob\Desktop\eticket-20170226195929-998-2333485d2c4d0f0455b96d44b9faa06ae642dc3.pdf
2017-02-26 04:51 - 2017-02-26 04:53 - 00000000 ____D C:\WINDOWS\Microsoft Antimalware
2017-02-25 23:31 - 2017-02-25 23:31 - 00000000 ____H C:\Users\Jacob\Documents\Default.rdp
2017-02-25 21:29 - 2017-02-25 21:29 - 00380928 _____ C:\Users\Jacob\Downloads\555lu24i.exe
2017-02-25 19:21 - 2017-02-25 19:21 - 00007607 _____ C:\Users\Jacob\AppData\Local\Resmon.ResmonCfg
2017-02-24 07:31 - 2017-02-24 07:31 - 00000000 ____D C:\WINDOWS\system32\ÿÿÿÿÿÿÿÿq
2017-02-20 00:44 - 2016-11-30 12:29 - 01010908 _____ C:\Users\Jacob\Desktop\bookmarks-2016-11-30.json
2017-02-20 00:15 - 2017-03-01 21:35 - 00000000 ____D C:\Users\Jacob\Desktop\newnewnewnew
2017-02-19 22:23 - 2017-03-01 21:33 - 00000000 ____D C:\Users\Jacob\Desktop\Lists (test)
2017-02-19 22:13 - 2017-02-19 22:13 - 00000000 ____D C:\Users\Jacob\Desktop\bookmarks
2017-02-19 22:10 - 2017-03-01 21:41 - 00000000 ____D C:\Users\Jacob\Desktop\Funny stuff
2017-02-19 21:58 - 2017-02-20 02:07 - 00000000 ____D C:\Users\Jacob\Desktop\desktop wallpapers
2017-02-19 21:43 - 2017-03-01 21:38 - 00000000 ____D C:\Users\Jacob\Desktop\human aesthete
2017-02-19 21:41 - 2017-03-01 21:41 - 00000000 ____D C:\Users\Jacob\Desktop\other to do
2017-02-19 21:41 - 2017-03-01 21:38 - 00000000 ____D C:\Users\Jacob\Desktop\Clothing 2
2017-02-19 21:41 - 2017-03-01 21:32 - 00000000 ____D C:\Users\Jacob\Desktop\desktops and room
2017-02-19 21:41 - 2017-03-01 21:32 - 00000000 ____D C:\Users\Jacob\Desktop\clothing
2017-02-19 21:36 - 2017-02-20 02:07 - 00000000 ____D C:\Users\Jacob\Desktop\Vice Media
2017-02-17 11:30 - 2017-02-17 11:30 - 00000000 ____D C:\WINDOWS\system32\4e99cba9769a516cf0e77d..bin

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-03 21:17 - 2017-01-19 23:56 - 00967182 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-03-03 21:15 - 2017-01-20 00:13 - 00000000 ____D C:\Program Files (x86)\Steam
2017-03-03 21:15 - 2016-12-01 04:42 - 00000000 ____D C:\Users\Jacob\AppData\LocalLow\Mozilla
2017-03-03 21:13 - 2017-01-19 23:46 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-03-03 21:08 - 2017-01-27 17:39 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2017-03-03 21:08 - 2017-01-20 07:38 - 00524288 _____ C:\WINDOWS\system32\config\BBI
2017-03-03 21:07 - 2017-01-19 23:47 - 00065536 _____ C:\WINDOWS\system32\spu_storage.bin
2017-03-03 21:06 - 2017-01-19 23:48 - 00000000 ____D C:\Users\Jacob
2017-03-03 20:38 - 2017-01-19 23:46 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-03-03 20:16 - 2017-01-27 17:42 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-03-03 19:39 - 2017-01-20 07:42 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-03-02 21:17 - 2017-01-20 07:42 - 00000000 ____D C:\WINDOWS\LiveKernelReports
2017-03-02 19:23 - 2017-01-20 07:42 - 00000000 ___HD C:\Program Files\WindowsApps
2017-03-01 20:09 - 2017-01-19 23:56 - 00003290 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task v2
2017-03-01 20:09 - 2017-01-19 23:55 - 00002363 _____ C:\Users\Jacob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-03-01 20:09 - 2016-12-01 01:57 - 00000000 ___RD C:\Users\Jacob\OneDrive
2017-02-28 08:41 - 2017-01-20 02:07 - 00485032 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2017-02-27 22:01 - 2017-01-20 07:42 - 00000000 ___HD C:\WINDOWS\system32\GroupPolicy
2017-02-25 20:53 - 2017-01-20 00:05 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-02-25 20:53 - 2017-01-20 00:05 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-02-24 21:52 - 2017-01-27 17:35 - 00000000 ____D C:\Users\Jacob\Desktop\useful topic knowledge
2017-02-23 20:18 - 2017-01-20 02:06 - 138020592 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-02-23 20:18 - 2017-01-20 02:06 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-02-22 07:13 - 2017-01-20 07:38 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-02-06 19:48 - 2017-01-20 07:43 - 00835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-02-06 19:48 - 2017-01-20 07:43 - 00177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2017-02-05 23:24 - 2017-01-21 18:57 - 00000000 ____D C:\Users\Jacob\AppData\Roaming\Mount&Blade Warband
2017-02-05 14:17 - 2016-12-02 23:09 - 00000000 ____D C:\Users\Jacob\Downloads\Ant Videos

==================== Files in the root of some directories =======

2017-02-25 19:21 - 2017-02-25 19:21 - 0007607 _____ () C:\Users\Jacob\AppData\Local\Resmon.ResmonCfg
2017-01-19 23:47 - 2017-01-19 23:47 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-03-01 06:31

==================== End of FRST.txt ============================




#2 Oh My!


    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,415 posts
  • Gender:Male
  • Location:California

Posted 05 March 2017 - 02:09 PM

Greetings MalwareMAn and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

There should be an Addition.txt document in your Downloads folder. Could you copy and paste the contents in your reply?
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#3 MalwareMAn

  • Topic Starter

  • Members
  • 7 posts

Posted 06 March 2017 - 03:16 PM

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 03-03-2017
Ran by Jacob (03-03-2017 22:02:23)
Running from C:\Users\Jacob\Downloads
Windows 10 Pro Version 1607 (X64) (2017-01-19 23:53:47)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1169469798-42983302-1757595835-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1169469798-42983302-1757595835-503 - Limited - Disabled)
defaultuser0 (S-1-5-21-1169469798-42983302-1757595835-1000 - Limited - Enabled) => C:\Users\defaultuser0
Guest (S-1-5-21-1169469798-42983302-1757595835-501 - Limited - Disabled)
Jacob (S-1-5-21-1169469798-42983302-1757595835-1001 - Administrator - Enabled) => C:\Users\Jacob

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 16.04 (x64) (HKLM\...\7-Zip) (Version: 16.04 - Igor Pavlov)
Age of Empires II: HD Edition (HKLM\...\Steam App 221380) (Version:  - Skybox Labs)
AMD Settings (HKLM\...\WUCCCApp) (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.)
Catalyst Control Center Next Localization BR (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization BR (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHS (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHS (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHT (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHT (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CS (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CS (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DA (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DA (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DE (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DE (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization EL (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization EL (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization ES (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization ES (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FI (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FI (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FR (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FR (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization HU (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization HU (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization IT (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization IT (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization JA (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization JA (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization KO (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization KO (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NL (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NL (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NO (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NO (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization PL (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization PL (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization RU (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization RU (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization SV (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization SV (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TH (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TH (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TR (Version: 2016.0916.1515.27418 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TR (Version: 2016.1121.1657.30480 - Advanced Micro Devices, Inc.) Hidden
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft OneDrive (HKU\S-1-5-21-1169469798-42983302-1757595835-1001\...\OneDriveSetup.exe) (Version: 17.3.6798.0207 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24210 (HKLM-x32\...\{f144e08f-9cbe-4f09-9a8c-f2b858b7ee7f}) (Version: 14.0.24210.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24210 (HKLM-x32\...\{23658c02-145e-483d-ba6b-1eb82c580529}) (Version: 14.0.24210.0 - Microsoft Corporation)
Mount & Blade: Warband (HKLM\...\Steam App 48700) (Version:  - TaleWorlds Entertainment)
Mozilla Firefox 51.0.1 (x86 en-GB) (HKLM-x32\...\Mozilla Firefox 51.0.1 (x86 en-GB)) (Version: 51.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 51.0.1.6234 - Mozilla)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7535 - Realtek Semiconductor Corp.)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-07-16 11:42 - 2016-07-16 11:42 - 00231424 ____N () C:\WINDOWS\SYSTEM32\ism32k.dll
2016-12-13 23:39 - 2016-12-09 10:29 - 02681200 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2016-12-13 23:39 - 2016-12-09 10:29 - 02681200 _____ () C:\WINDOWS\SYSTEM32\CoreUIComponents.dll
2016-09-29 15:20 - 2016-09-29 15:20 - 00134656 ____N () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2017-01-11 18:54 - 2016-12-21 07:09 - 00474112 ____N () C:\Windows\ShellExperiences\QuickActions.dll
2016-06-30 19:12 - 2016-06-30 19:12 - 00014336 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick.2\qtquick2plugin.dll
2016-06-30 19:12 - 2016-06-30 19:12 - 00739840 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick\Controls\qtquickcontrolsplugin.dll
2016-06-30 19:12 - 2016-06-30 19:12 - 00014336 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick\Window.2\windowplugin.dll
2016-06-30 19:12 - 2016-06-30 19:12 - 00071168 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick\Layouts\qquicklayoutsplugin.dll
2016-06-30 19:12 - 2016-06-30 19:12 - 00011776 _____ () C:\Program Files\AMD\CNext\CNext\libEGL.dll
2016-06-30 19:12 - 2016-06-30 19:12 - 02013696 _____ () C:\Program Files\AMD\CNext\CNext\libGLESv2.dll
2016-11-21 17:19 - 2016-11-21 17:19 - 00155016 _____ () C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe
2017-02-22 18:51 - 2017-02-22 18:51 - 00073728 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.11.110.0_x64__kzf8qxf38zg5c\SkypeHost.exe
2017-02-22 18:51 - 2017-02-22 18:51 - 00179712 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.11.110.0_x64__kzf8qxf38zg5c\SkypeBackgroundTasks.dll
2017-02-22 18:51 - 2017-02-22 18:51 - 42895360 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.11.110.0_x64__kzf8qxf38zg5c\SkyWrap.dll
2017-02-06 19:32 - 2017-02-06 19:32 - 02215424 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.11.110.0_x64__kzf8qxf38zg5c\roottools.dll
2017-01-11 18:53 - 2016-12-21 06:54 - 09760768 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-01-11 18:53 - 2016-12-21 06:48 - 01401856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-01-11 18:53 - 2016-12-21 06:48 - 00757248 ____N () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2017-01-11 18:53 - 2016-12-21 06:48 - 01033216 ____N () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll
2017-01-11 18:53 - 2016-12-21 06:48 - 02424320 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2017-01-11 18:53 - 2016-12-21 06:53 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2017-01-20 07:42 - 2017-01-20 07:41 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1169469798-42983302-1757595835-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Jacob\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{C8D495CF-78CB-47E4-914A-B77290050B5B}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{82DD8672-022C-4134-BE50-72FB87B67BB3}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{2EAF9324-C69F-46AA-B6E8-498CD8BC2885}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{23F25AF0-F8F2-4652-82E3-8613C3F790ED}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{EDE7A951-DE33-4771-A202-07AD71CB2853}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{DD88B4D9-BF13-44AE-96AB-A9F2ED2E768F}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{46F0335B-F9A4-4EAC-A528-E93FC6DBAFA1}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\MountBlade Warband\mb_warband.exe
FirewallRules: [{727BF39F-A35C-4791-BFC7-29A01F544712}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\MountBlade Warband\mb_warband.exe
FirewallRules: [{BEE60F89-3A56-45CD-8B2F-69EF91135484}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Age2HD\Launcher.exe
FirewallRules: [{6C405A10-3448-4A9B-AE38-9C698A4DC4CA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Age2HD\Launcher.exe

==================== Restore Points =========================

11-02-2017 02:26:52 Scheduled Checkpoint
19-02-2017 12:00:00 Scheduled Checkpoint
23-02-2017 20:17:52 Windows Update
27-02-2017 19:47:03 1st attempt pre any malware symptoms

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/03/2017 09:13:51 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: An unspecified error occurred during System Restore: (1st attempt pre any malware symptoms). Additional information: 0x80070091.

Error: (03/03/2017 09:08:02 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-2KMSFL0)
Description: Activation of app Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe:App.AppX7mv0s3r0wanj0n66dy6vax24ps6avzvz.mca failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (03/03/2017 08:00:50 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mb_warband.exe, version: 1.0.0.0, time stamp: 0x58580a82
Faulting module name: mb_warband.exe, version: 1.0.0.0, time stamp: 0x58580a82
Exception code: 0xc0000005
Fault offset: 0x000fcc96
Faulting process id: 0x21c0
Faulting application start time: 0x01d294574926d5d4
Faulting application path: C:\Program Files (x86)\Steam\steamapps\common\MountBlade Warband\mb_warband.exe
Faulting module path: C:\Program Files (x86)\Steam\steamapps\common\MountBlade Warband\mb_warband.exe
Report Id: 97f60785-3a76-43d8-a51a-cf28137ce72d
Faulting package full name:
Faulting package-relative application ID:

Error: (02/28/2017 11:15:05 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: firefox.exe, version: 51.0.1.6234, time stamp: 0x5888f28c
Faulting module name: mozglue.dll, version: 51.0.1.6234, time stamp: 0x5888f27e
Exception code: 0x80000003
Fault offset: 0x0000ec83
Faulting process id: 0x83c
Faulting application start time: 0x01d28fb62b648ec5
Faulting application path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Faulting module path: C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
Report Id: 3a42fcb0-3ee8-4cd9-895f-16339fcf2da6
Faulting package full name:
Faulting package-relative application ID:

Error: (02/28/2017 11:15:05 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program firefox.exe version 51.0.1.6234 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Process ID: 374

Start Time: 01d28fb629ab2b4e

Termination Time: 4294967295

Application Path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

Report Id: bc75f0b5-fe0b-11e6-bec2-60a44cae5346

Faulting package full name:

Faulting package-relative application ID:

Error: (02/27/2017 07:47:05 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (02/25/2017 10:15:41 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_RasMan, version: 10.0.14393.0, time stamp: 0x57899b1c
Faulting module name: ntdll.dll, version: 10.0.14393.479, time stamp: 0x5825887f
Exception code: 0xc0000005
Fault offset: 0x000000000002f7db
Faulting process id: 0xf54
Faulting application start time: 0x01d28fb4b2bad1b8
Faulting application path: C:\WINDOWS\System32\svchost.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: b3abe3e4-a6c2-461e-a778-5fd46ac5ee04
Faulting package full name:
Faulting package-relative application ID:

Error: (02/25/2017 10:15:39 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_RasMan, version: 10.0.14393.0, time stamp: 0x57899b1c
Faulting module name: ntdll.dll, version: 10.0.14393.479, time stamp: 0x5825887f
Exception code: 0xc0000005
Fault offset: 0x000000000002f7db
Faulting process id: 0x260
Faulting application start time: 0x01d28fa93dd1401b
Faulting application path: C:\WINDOWS\system32\svchost.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 395f36c0-f76d-4fb0-8074-3caace00333d
Faulting package full name:
Faulting package-relative application ID:

Error: (02/25/2017 02:27:28 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Microsoft.Photos.exe version 1.0.1611.18000 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Process ID: 1214

Start Time: 01d28f5bd76a893e

Termination Time: 4294967295

Application Path: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.1118.10000.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe

Report Id: 87997b5b-fb66-11e6-bec0-60a44cae5346

Faulting package full name: Microsoft.Windows.Photos_16.1118.10000.0_x64__8wekyb3d8bbwe

Faulting package-relative application ID: App

Error: (02/25/2017 02:27:27 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2486) (User: DESKTOP-2KMSFL0)
Description: App Microsoft.Windows.Photos_16.1118.10000.0_x64__8wekyb3d8bbwe+App did not launch within its allotted time.


System errors:
=============
Error: (03/03/2017 09:25:45 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (03/03/2017 09:15:34 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (03/03/2017 09:13:49 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (03/03/2017 09:08:34 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-2KMSFL0)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (03/03/2017 09:08:34 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (03/03/2017 09:08:32 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-2KMSFL0)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (03/03/2017 09:08:29 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-2KMSFL0)
Description: DCOM got error "1084" attempting to start the service BITS with arguments "Unavailable" in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (03/03/2017 09:08:29 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-2KMSFL0)
Description: DCOM got error "1084" attempting to start the service BITS with arguments "Unavailable" in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (03/03/2017 09:08:29 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-2KMSFL0)
Description: DCOM got error "1084" attempting to start the service BITS with arguments "Unavailable" in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (03/03/2017 09:08:29 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-2KMSFL0)
Description: DCOM got error "1084" attempting to start the service BITS with arguments "Unavailable" in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}


==================== Memory info ===========================

Processor: Intel® Core™ i5-3570K CPU @ 3.40GHz
Percentage of memory in use: 28%
Total physical RAM: 8132.68 MB
Available physical RAM: 5810.91 MB
Total Virtual: 9412.68 MB
Available Virtual: 6862.71 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:238.03 GB) (Free:115.44 GB) NTFS
Drive d: (New Volume) (Fixed) (Total:1862.92 GB) (Free:1811.18 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 20BBDFF7)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=1862.9 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 238.5 GB) (Disk ID: 20BBDFF3)
Partition 1: (Not Active) - (Size=238 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=450 MB) - (Type=27)

==================== End of Addition.txt ============================



#4 Oh My! (Malware Response Instructor)

Posted 06 March 2017 - 03:35 PM

Greetings and thank you for the information.

Do you recognize this?

GroupPolicyScripts: Restriction

Skype appears to be legitimate, however I would like to look at the contents of 2 folders.

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows Key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
CreateRestorePoint:
Folder: C:\WINDOWS\system32\ÿÿÿÿÿÿÿÿq
Folder: C:\WINDOWS\system32\4e99cba9769a516cf0e77d..bin
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • Update on computer performance

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#5 MalwareMAn (Topic Starter)

Posted 07 March 2017 - 03:02 PM

Hi again,

Thank you very much for your help!

My computer appears to be running smoothly at the moment, and I've never seen GroupPolicyScripts: Restriction before, no idea what that is.

Fix result of Farbar Recovery Scan Tool (x64) Version: 05-03-2017
Ran by Jacob (07-03-2017 19:46:42) Run:1
Running from C:\Users\Jacob\Downloads
Loaded Profiles: Jacob (Available Profiles: defaultuser0 & Jacob)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
Folder: C:\WINDOWS\system32\ÿÿÿÿÿÿÿÿq
Folder: C:\WINDOWS\system32\4e99cba9769a516cf0e77d..bin
*****************

Restore point was successfully created.

========================= Folder: C:\WINDOWS\system32\ÿÿÿÿÿÿÿÿq ========================

2017-02-24 07:31 - 2017-02-24 07:31 - 0000000 ____D () C:\WINDOWS\system32\ÿÿÿÿÿÿÿÿq\AMD
2017-02-24 07:31 - 2017-02-24 07:31 - 0000000 ____D () C:\WINDOWS\system32\ÿÿÿÿÿÿÿÿq\AMD\DxCache
2017-02-24 07:31 - 2017-02-24 07:31 - 0065536 _____ () C:\WINDOWS\system32\ÿÿÿÿÿÿÿÿq\AMD\DxCache\d656b4e07048d6149fc29b8f2f4e99cba9769a516cf0e77d..bin

====== End of Folder: ======


========================= Folder: C:\WINDOWS\system32\4e99cba9769a516cf0e77d..bin ========================

2017-02-17 11:30 - 2017-02-17 11:30 - 0000000 ____D () C:\WINDOWS\system32\4e99cba9769a516cf0e77d..bin\AMD
2017-02-17 11:30 - 2017-02-17 11:30 - 0000000 ____D () C:\WINDOWS\system32\4e99cba9769a516cf0e77d..bin\AMD\DxCache

====== End of Folder: ======


==== End of Fixlog 19:46:50 ====



#6 Oh My! (Malware Response Instructor)

Posted 07 March 2017 - 03:18 PM

Very good.

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows Key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
GroupPolicyScripts: Restriction <======= ATTENTION
emptytemp:
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.
  • Download esetsmartinstaller_enu.exe and save it to your Desktop
  • Double click the icon
  • Check YES, I accept the Terms of Use
  • Click the Start button
  • Accept any security warnings from your browser
  • Click Advanced settings
  • Check the following items

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Start
  • ESET will then download updates and begin scanning your computer
  • If no threats are found simply click Uninstall application on close and hit Finish
  • If threats are found click List of found threats
  • Click Export to text file
  • Save the file on your Desktop as ESET.txt
  • Click Back
  • Review the list of entries and, if there are any you want to keep, stop and copy/paste the ESET.txt report in your reply for my review
  • If you do not wish to keep any of the entries check Uninstall application on close and Delete quarantined files
  • Click Finish
  • Close the ESET Online Scanner window
  • Copy and paste the contents of ESET.txt in your reply
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double-click icon to launch the program
  • Click OK
  • Select Run. Note: If you receive an error message saying UNSUPPORTED OPERATING SYSTEM! ABORTED!, reboot your computer and attempt to run it again
  • Allow the program to run
  • A Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • ESET log
  • Security Check log
  • How is your computer running?

Gary
 

#7 MalwareMAn (Topic Starter)

Posted 07 March 2017 - 04:07 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 05-03-2017
Ran by Jacob (07-03-2017 20:27:12) Run:2
Running from C:\Users\Jacob\Downloads
Loaded Profiles: Jacob (Available Profiles: defaultuser0 & Jacob)
Boot Mode: Normal
==============================================

fixlist content:
*****************
GroupPolicyScripts: Restriction <======= ATTENTION
emptytemp:
*****************

C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 420446589 B
Java, Flash, Steam htmlcache => 234850974 B
Windows/system/drivers => 7732611 B
Edge => 13455367 B
Chrome => 0 B
Firefox => 384692565 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 6656 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 2394 B
defaultuser0 => 0 B
Jacob => 224097574 B

RecycleBin => 3248254 B
EmptyTemp: => 1.2 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 20:27:48 ====

 

 Results of screen317's Security Check version 1.014 --- 12/23/15  
   x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Windows Defender   
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Mozilla Firefox (52.0)
````````Process Check: objlist.exe by Laurent````````  
 Windows Defender MSMpEng.exe
 Windows Defender MSASCuiL.exe   
 Windows Defender MpCmdRun.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````



#8 MalwareMAn (Topic Starter)

Posted 07 March 2017 - 04:10 PM

ESET scanner didn't detect any infected files and my pc is running smoothly.



#9 Oh My! (Malware Response Instructor)

Posted 07 March 2017 - 04:14 PM

Excellent, looks like we are all set. Any remaining questions before I post some closing instructions and information?
Gary
 

#10 Oh My! (Malware Response Instructor)

Posted 07 March 2017 - 05:11 PM

Very good.

Now that your computer is running well it is my great pleasure to proclaim to you the Good News!

===================================================

All Clean!

--------------

Your machine appears to be clean and we will now remove the tools used and logs created during our steps. Please do this.

===================================================

Delfix by Xplode

--------------------
  • Download Delfix and save it to your Desktop
  • Double click the icon
  • Place checkmarks in:

Remove disinfection tools
Create registry backup
Purge system restore

  • Click Run
===================================================

You may delete any additional programs or logs on your computer which were not automatically removed by Delfix. Simply delete the log files or desktop icons. If we used Emsisoft Emergency Kit just delete the icon on your desktop and the C:\EEK folder.

Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Lawrence Abrams, the founder of BleepingComputer.com, has developed an excellent tutorial which will provide you with the information you need to know to keep your computer secure and clean. Please take the time to read:

In addition, here are some more links you might find of interest:

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.
Gary
 

#11 MalwareMAn (Topic Starter)

Posted 07 March 2017 - 06:40 PM

Thanks again so much, I really appreciate you taking the time to help me out like this!



#12 Oh My! (Malware Response Instructor)

Posted 07 March 2017 - 07:21 PM

It is always our pleasure. You are welcome to come back any time you need assistance.

Gary
 

#13 Oh My! (Malware Response Instructor)

Posted 08 March 2017 - 07:26 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 



